查看完整版本: 懷疑IE 中毒

武•士•道 2009-4-9 09:22 PM

懷疑IE 中毒

利用工作管理員看到iexplore.exe不斷重覆及自動開啟,不斷佔用ram的容量
不時彈出Project1既視窗,內容是Run time error "53"
開IE 時自動開啟十多個廣告視窗

Hijackthis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:15, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ver] C:\WINDOWS\system32\b3076\bon.exe
O4 - HKLM\..\Run: [she] c:\WINDOWS\system32\b2052\b2052.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe  /start
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用迅雷下載 - E:\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - E:\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - E:\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - E:\Thunder\Thunder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [url]http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab[/url]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: CDPforFilesSrv (FilePathsrv) - IBM Corporation - C:\WINDOWS\system32\FilePathsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - [url]http://libusb-win32.sourceforge.net[/url] - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6169 bytes

[[i] 本帖最後由 武•士•道 於 2009-4-9 09:32 PM 編輯 [/i]]

無恥之徒 2009-4-9 09:30 PM

關閉「系統還原」的步驟

   1. 按一下 [開始],用滑鼠右鍵按一下 [我的電腦],然後按一下 [內容]。
   2. 在 [系統內容] 對話方塊中,按一下 [系統還原] 索引標籤。
   3. 按一下以選取 [關閉系統還原] 核取方塊。或者,按一下以選取 [關閉所有磁碟上的系統還原] 核取方塊。
   4. 按一下 [確定]。

下載ATF-Cleaner
[url]http://www.atribune.org/[/url]
執行ATF-Cleaner.exe
勾選全部,按Empty Selected.

1.關閉Internet Explorer及已開啟的檔案資料夾視窗.
2.執行Hijackthis,
3.按Do a system scan only,稍等一下直至  "Scan" 變成 "Save log"
4.勾選以下項目(左方方格),按 "Fix checked",hijackthis會提示你重啟,如在此一步驟後,可重新啟動電腦。

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ver] C:\WINDOWS\system32\b3076\bon.exe
O4 - HKLM\..\Run: [she] c:\WINDOWS\system32\b2052\b2052.exe

下載 ComboFix 至桌面

[url]http://download.bleepingcomputer.com/sUBs/ComboFix.exe[/url]

    * 執行 ComboFix

      注意: 為防止保安軟件將 ComboFix 錯誤列為危險檔案. 執行 ComboFix 之前請將防毒軟件及反間諜軟件暫時關閉. 另外,ComboFix 運作其間請勿執行任何程式或用滑鼠點擊 ComboFix 視窗.

    * ComboFix 會彈出視窗,按是 (Y)
    * 假如需要安裝恢復控制台,按是 (Y) 進行安裝. 完成安裝後按是 (Y) 繼續.
    * 程式會進行掃描,其間桌面可能會暫時消失. 完成掃描後,程式會自動關閉.
    * 之後 ComboFix 記錄會彈出,記錄會自動儲存於 C:\ComboFix.txt
    * 重新啟動電腦.
    * 貼上 ComboFix 記錄.

如果報告太長,可以上傳到 這裡 [url]http://www.box.net[/url]

武•士•道 2009-4-9 10:09 PM

[url]http://www.sendspace.com/file/j9wzyb[/url]
頁: [1]
查看完整版本: 懷疑IE 中毒