An extremely stubborn malicious-website program: ordinary IE repair and registry edits don't work

k4 2004-02-21 07:58:49
IE's home page can now be changed, but after the change it still reverts to the malicious site's home page.
---------------------------------------------
The current analysis from the homepage-hijack killer, HijackThis, is as follows:

Logfile of HijackThis v1.97.6
Scan saved at 7:36:23, on 2003-2-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\3721\assistse.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\IeOptm.exe
D:\酷月钟\clock.exe
D:\Program Files\GoSuRF\gsfbwsr.exe
D:\WINDOWS\System32\mdm.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\hijackthis\HijackThis.exe

R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - D:\WINDOWS\downlo~1\CnsHook.dll
R3 - URLSearchHook:
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:
O2 - BHO: (no name) - {6231D512-E4A4-4DF2-BE62-5B8F0EE348EF} - D:\PROGRA~1\3721\Ces\cesweb.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - D:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ????? - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - D:\Program Files\3721\assist\assist.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe D:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [cesmain.dll] D:\WINDOWS\system32\rundll32.exe D:\PROGRA~1\3721\Ces\cmail.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] D:\WINDOWS\system32\rundll32.exe D:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKLM\..\Run: [assistse] "D:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\RunServices: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKLM\..\RunOnce: [3721D:\PROGRA~1\3721\assist\adfilter.dll100214] regsvr32 /s D:\PROGRA~1\3721\assist\adfilter.dll
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Global Startup: ntuser.pol
O8 - Extra context menu item: Bookmark With Visual Favorites - D:\Program Files\Vanilla Software\Visual Favorites\html\addvf.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Start Assistant - D:\Program Files\Vanilla Software\Visual Favorites\html\start.htm
O8 - Extra context menu item: ▼使用旋风下载 - d:\Program Files\Tencent\TT\cg_link.htm
O8 - Extra context menu item: 使用影音传送带下载 - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 保存表单(&[) - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: 图片→八哥网摘 - c:\Program Files\
O8 - Extra context menu item: 填写表单(&]) - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: 网页→八哥网摘 - c:\Program Files\
O8 - Extra context menu item: 自定义菜单 &M - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: 选定→八哥网摘 - c:\Program Files\
O9 - Extra button: RoboForm (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: QQ (HKLM)
O9 - Extra button: Assistant (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O11 - Options group: [!CNS]
O16 - DPF: {733652F9-53EF-4BF1-B391-375980675D6F} (V3PROXL Control) - http://download.3721.com/download/myv3/plugin/myv3light.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-555443540000} - http://vsnet.nease.net/iehome.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{992FEFBC-DFB2-4910-9B56-5FCDD4551322}: NameServer = 192.168.1.1

-----------------------------------------
Please analyze the log above and help identify the malicious program; ordinary inspection of processes and system startup items has not worked.
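Rather than eyeballing the whole log, an added example (not from the post and not HijackThis code) that parses the O4 and O16 lines and applies three triage checks grounded in what this log shows: one command registered under three autostart keys, an O16 CLSID that differs from the Flash control's CLSID only in its last group, and a DPF entry that fetches a bare .exe. The sample lines are copied from the log above; the regexes and helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: seven lines copied verbatim from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKLM\..\RunServices: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKCU\..\Run: [IeOptm] D:\WINDOWS\System32\IeOptm.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-555443540000} - http://vsnet.nease.net/iehome.exe
"""

# O4 lines: "O4 - <registry key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 lines: "O16 - DPF: {<CLSID>} (<optional name>) - <download URL>"
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse(log):
    """Split a HijackThis log into autostart (O4) and Downloaded Program Files (O16) entries."""
    autostart, dpf = [], []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            autostart.append(m.groupdict())
        elif m := O16_RE.match(line):
            dpf.append(m.groupdict())
    return autostart, dpf

def multi_location_autostart(autostart, min_keys=3):
    """Commands registered under several Run keys at once (HKLM Run, RunServices, HKCU Run)."""
    keys = defaultdict(set)
    for e in autostart:
        keys[e["cmd"].lower()].add(e["key"])
    return {cmd: sorted(k) for cmd, k in keys.items() if len(k) >= min_keys}

def dpf_lookalikes(dpf):
    """Pairs of O16 CLSIDs that agree on the first four groups and differ only in the last one."""
    hits = []
    for a in dpf:
        for b in dpf:
            if a["clsid"] < b["clsid"] and a["clsid"].rsplit("-", 1)[0] == b["clsid"].rsplit("-", 1)[0]:
                hits.append((a["clsid"], b["clsid"]))
    return hits

def dpf_executables(dpf):
    """O16 entries whose download URL is a bare .exe rather than the usual .cab package."""
    return [e["url"] for e in dpf if e["url"].lower().endswith(".exe")]

def triage(log):
    """Run all three checks over one log and collect the findings."""
    autostart, dpf = parse(log)
    return {"multi_autostart": multi_location_autostart(autostart),
            "clsid_lookalikes": dpf_lookalikes(dpf),
            "dpf_exe": dpf_executables(dpf)}
```

Running `triage(SAMPLE_LOG)` flags IeOptm.exe (three autostart keys), the nameless CLSID that shadows the Flash control's, and the iehome.exe download; the same checks apply to a full log pasted in place of the sample.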


