求助 - 電腦中毒殺不掉,請各位大大幫忙

lwj00 · 2007-07-02, 06:05 PM

最近每次開機,卡巴就顯示中了木馬C:/windows/system32/upxdnd.dll,點選刪除,訊息顯示必須重新開機,始能解毒,但是一直掃不掉,請各位大大幫忙,另外問一下,於/system32裡的.dll檔都是病毒嗎?:請各位大大多多幫忙,謝謝 on_72:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 05:54:34, on 2007/7/2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVG_Anti-Spyware\AVG Anti-Spyware\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\9a321.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\alg.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Winamp\Winampa.exe
C:\AVG_Anti-Spyware\AVG Anti-Spyware\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\HiJackThis_v2.exe

R3 - URLSearchHook: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\system32\69a1.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\AVG_Anti-Spyware\AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\system32\nwizwmgjs.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe
O4 - HKLM\..\Run: [Microsoft Autorun7] C:\WINDOWS\system32\nwizqjsj.exe
O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [r8dm5fyr8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe
O4 - HKLM\..\Policies\Explorer\Run: [RavMon] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe
O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\system32\ctfnom.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 氝樓善捇誥隆堐(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 網頁病毒防護統計 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\SCIEPlgn.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG_Anti-Spyware\AVG Anti-Spyware\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\9a321.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 7156 bytes

plunderer · 2007-07-02, 07:59 PM

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe

O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\system32\nwizwmgjs.exe

O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe

O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe

O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe

O4 - HKLM\..\Run: [Microsoft Autorun7] C:\WINDOWS\system32\nwizqjsj.exe

O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe

O4 - HKCU\..\Run: [r8dm5fyr8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe

O4 - HKLM\..\Policies\Explorer\Run: [RavMon] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe

O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\system32\ctfnom.exe

O9 - Extra button: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)

O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)

O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)

勾選並修復上述項目, 重新開機, 以安全模式登入windows, 刪除下列檔案:
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\Program Files\Common Files\system\Updaterun.exe
C:\WINDOWS\system32\Ravasktao.exe
C:\WINDOWS\TIMHost.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwizdh.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe
C:\WINDOWS\system32\ctfnom.exe (ctfmon.exe 是正常檔案, 注意別刪錯)
C:\WINDOWS\system32\9a321.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\(刪除目錄)
在所有磁碟搜尋 RUNDLLFOROUR.EXE, 找到就全部刪除
在所有磁碟搜尋 Autorun.inf, 找到就全部刪除

P.S
1. 完成上述動作後, 可能還是留有部分衍生檔案及相關的殘餘登錄機碼, 再用防毒軟體掃描一次

2. 建議卸載 Yahoo 助手

3. KAV6 的 proactive 前攝防禦功能可監控可疑的行為, 但若用戶看不懂, 反而容易讓病毒入侵, 若你對proactive 前攝防禦功能不了解, 建議還是換別的防毒軟體吧

不飛 · 2007-07-02, 08:03 PM

真心感謝 plunderer 版大一直無怨無私的幫忙需要幫助的版眾，

不飛在此獻上最真誠的謝意。

史版論壇有您，

真好 !

2007-07-02, 06:05 PM	#1
lwj00 註冊會員榮譽勳章勳章總數1 UID - 25722 在線等級: 註冊日期: 2003-01-14 VIP期限: 2008-05 文章: 9 精華: 0 現金: 5511 金幣資產: 5511 金幣	求助 - 電腦中毒殺不掉,請各位大大幫忙最近每次開機,卡巴就顯示中了木馬C:/windows/system32/upxdnd.dll,點選刪除,訊息顯示必須重新開機,始能解毒,但是一直掃不掉,請各位大大幫忙,另外問一下,於/system32裡的.dll檔都是病毒嗎?:請各位大大多多幫忙,謝謝 on_72: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 下午 05:54:34, on 2007/7/2 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\AVG_Anti-Spyware\AVG Anti-Spyware\guard.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\system32\9a321.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\System32\alg.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\Winamp\Winampa.exe C:\AVG_Anti-Spyware\AVG Anti-Spyware\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\conime.exe C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\HiJackThis_v2.exe R3 - URLSearchHook: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll O2 - BHO: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing) O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\system32\69a1.dll (file missing) O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\AVG_Anti-Spyware\AVG Anti-Spyware\avgas.exe" /minimized O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\system32\nwizwmgjs.exe O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe O4 - HKLM\..\Run: [Microsoft Autorun7] C:\WINDOWS\system32\nwizqjsj.exe O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [r8dm5fyr8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe O4 - HKLM\..\Policies\Explorer\Run: [RavMon] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\system32\ctfnom.exe O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user') O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: 氝樓善捇誥隆堐(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246 O9 - Extra button: 網頁病毒防護統計 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\SCIEPlgn.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing) O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing) O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com O17 - HKLM\System\CCS\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{89FBF104-292A-4FE0-9006-EFE6E6DC3EFF}: NameServer = 168.95.1.1 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG_Anti-Spyware\AVG Anti-Spyware\guard.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\9a321.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe -- End of file - 7156 bytes

	送花文章: 9, 收花文章: 0 篇, 收花: 0 次

2007-07-02, 07:59 PM	#2 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\system32\nwizwmgjs.exe O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe O4 - HKLM\..\Run: [Microsoft Autorun7] C:\WINDOWS\system32\nwizqjsj.exe O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe O4 - HKCU\..\Run: [r8dm5fyr8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe O4 - HKLM\..\Policies\Explorer\Run: [RavMon] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\system32\ctfnom.exe O9 - Extra button: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing) O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing) O9 - Extra 'Tools' menuitem: 眢劃昜 - {DE607145-AC19-425e-868A-8D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing) 勾選並修復上述項目, 重新開機, 以安全模式登入windows, 刪除下列檔案: C:\WINDOWS\upxdnd.exe C:\WINDOWS\system32\nwizwmgjs.exe C:\Program Files\Common Files\system\Updaterun.exe C:\WINDOWS\system32\Ravasktao.exe C:\WINDOWS\TIMHost.exe C:\WINDOWS\system32\nwizqjsj.exe C:\WINDOWS\system32\nwizdh.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexplorer.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RavMonD.exe C:\WINDOWS\system32\ctfnom.exe (ctfmon.exe 是正常檔案, 注意別刪錯) C:\WINDOWS\system32\9a321.exe C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\(刪除目錄) 在所有磁碟搜尋 RUNDLLFOROUR.EXE, 找到就全部刪除在所有磁碟搜尋 Autorun.inf, 找到就全部刪除 P.S 1. 完成上述動作後, 可能還是留有部分衍生檔案及相關的殘餘登錄機碼, 再用防毒軟體掃描一次 2. 建議卸載 Yahoo 助手 3. KAV6 的 proactive 前攝防禦功能可監控可疑的行為, 但若用戶看不懂, 反而容易讓病毒入侵, 若你對proactive 前攝防禦功能不了解, 建議還是換別的防毒軟體吧
	__________________ 刑天舞干戚
	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次 +5 金幣

2007-07-02, 08:03 PM	#3 (permalink)
不飛論壇主管榮譽勳章勳章總數19 UID - 236817 在線等級: 註冊日期: 2002-12-05 VIP期限: 無限期住址: 鄭燮之板橋文章: 14345 精華: 5 現金: 13161 金幣資產: 2914062 金幣	真心感謝 plunderer 版大一直無怨無私的幫忙需要幫助的版眾，不飛在此獻上最真誠的謝意。史版論壇有您，真好 !
	__________________ 不飛的不飛 ... 因為曾經端座在雲霄之上 ... 所以不飛，因為期待您能與不飛抬頭共列翱翔天昊 ... 所以更是不飛 ! 不飛不想飛 ... 畢竟殘破雙翼在苔階沾濕 ... 所以低頭，只好安靜地蹲在這練習 ... 學習要如何才能飛的更高更遠 ! 不飛不曾飛 ... 終於知道青澀期代表蒼狗 ... 所以情殤，一甲子的意境等於六十年的期盼的凝固 ... 所以就此棲巢 !
	送花文章: 959, 收花文章: 7607 篇, 收花: 52999 次

Google 提供的廣告