Rising KaKa Security Forum
thbhy - 2005-11-29 17:17:00
Several computers at our company now show the same symptom: as long as IE (or any other browser) is not opened, nothing happens. Once IE is opened, 3 or 4 foreign website ads pop up every so often; they are different each time, but all of them are linked from
http://www.searc-h.com/normal/yyy34.html. How can this be fixed? Antivirus scans and IE repair did nothing, and I cannot find this URL anywhere in the registry. Thanks!
BlackStone - 2005-11-29 17:19:00
Save a log with Autoruns and post it here.
To save the log: choose the File->Save menu item.
When saving the log, make sure the Options->Hide Microsoft Entries menu item is selected (after setting it, click
the Refresh button on the toolbar).
For downloading and using the tool, see post #14 at http://forum.ikaka.com/topic.asp?board=28&artid=7318038
thbhy - 2005-11-29 17:42:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ccApp Common Client User Session Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
+ vptray Symantec AntiVirus Symantec Corporation c:\program files\symantec antivirus\vptray.exe
+ yassistse AssistSetting Yahoo! c:\program files\yahoo!\assistant\yassistse.exe
+ YLive.exe YLive c:\program files\yahoo!\assistant\ylive.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Elements Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ hA23msp.dll File not found: C:\WINNT\system32\hA23msp.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\winnt\system32\hticons.dll
+ KodakShellExtension Shell Extension Resource DLL Eastman Kodak Company c:\program files\common files\kodak\ifscore\kodakshx.dll
+ LDVP Shell Extensions Symantec AntiVirus Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ mphtmler.dll c:\winnt\system32\mphtmler.dll
+ ScriptDropShellExt RoboEnhancer ScriptDropShellExt Module c:\program files\acd systems\roboenhancer\scriptdropshellext.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 粉碎文件 Wiper 动态链接库 c:\program files\yahoo!\assistant\assist\ywiper.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web 文件夹 c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ coolbar ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
Task Scheduler
+ BMMTask.job c:\program files\thinkpad\utilities\bmmtask.exe
+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe
HKLM\System\CurrentControlSet\Services
+ Ati HotKey Poller c:\winnt\system32\ati2evxx.exe
+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
+ ccSetMgr Symantec Settings Manager Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe
+ DefWatch Monitors and maintains virus definitions. Symantec Corporation c:\program files\symantec antivirus\defwatch.exe
+ Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus. Symantec Corporation c:\program files\symantec antivirus\rtvscan.exe
HKLM\System\CurrentControlSet\Services
+ AgereSoftModem SoftModem Device Driver Agere Systems c:\winnt\system32\drivers\agrsm.sys
+ ati2mtag ATI RAGE 6 Miniport Driver ATI Technologies Inc. c:\winnt\system32\drivers\ati2mtag.sys
+ cs429x Crystal AC9x WDM Driver Cirrus Logic, Inc. c:\winnt\system32\drivers\cwawdm.sys
+ dmio NT Disk Manager I/O Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmio.sys
+ E100B NDIS 5 driver Intel Corporation c:\winnt\system32\drivers\e100bnt5.sys
+ EGATHDRV c:\winnt\system32\egathdrv.sys
+ IBMPMDRV c:\winnt\system32\drivers\ibmpmdrv.sys
+ IBMTPCHK c:\winnt\system32\drivers\ibmbldid.sys
+ Klick Kaspersky Anti-Hacker NDIS Interceptor Kaspersky Labs c:\winnt\system32\drivers\klick.sys
+ Klif spuper-ptor Kaspersky Labs c:\winnt\system32\drivers\klif.sys
+ Klin Kaspersky Anti-Hacker TDI Interceptor Kaspersky Labs c:\winnt\system32\drivers\klin.sys
+ Klmc Kaspersky Anti-Virus Mail Checker Proxy Kaspersky Lab c:\winnt\system32\drivers\klmc.sys
+ ltmodem5 LT Windows Modem LT c:\winnt\system32\drivers\ltmdmnt.sys
+ NAVENG AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20051123.019\naveng.sys
+ NAVEX15 AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20051123.019\navex15.sys
+ NSCIRDA NSC Fast Infrared Driver. National Semiconductor Corporation c:\winnt\system32\drivers\nscirda.sys
+ PcdrNt PC-Doctor NT Support Driver PC-Doctor Inc. c:\winnt\system32\drivers\pcdrnt.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\winnt\system32\drivers\ptilink.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\winnt\system32\drivers\pxhelp20.sys
+ S3SSavage S3 Graphics SuperSavage Miniport S3 Graphics, Inc. c:\winnt\system32\drivers\s3ssavm.sys
+ SAVRT AutoProtect Symantec Corporation c:\program files\symantec antivirus\savrt.sys
+ SAVRTPEL SAVRTPEL Symantec Corporation c:\program files\symantec antivirus\savrtpel.sys
+ smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\winnt\system32\drivers\smwdm.sys
+ SymEvent Symantec Event Library Symantec Corporation c:\program files\symantec\symevent.sys
+ SYMREDRV Redirector Filter Driver Symantec Corporation c:\winnt\system32\drivers\symredrv.sys
+ SYMTDI Network Dispatch Driver Symantec Corporation c:\winnt\system32\drivers\symtdi.sys
+ SynTP Synaptics Touchpad Driver Synaptics, Inc. c:\winnt\system32\drivers\syntp.sys
+ TDSMAPI c:\winnt\system32\drivers\tdsmapi.sys
+ TPPWR IBM ThinkPad Power Management Device Driver IBM Corp. c:\winnt\system32\drivers\tppwr.sys
+ TSMAPIP c:\winnt\system32\drivers\tsmapip.sys
+ TSP spuper-ptor Kaspersky Labs c:\winnt\system32\drivers\klif.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ StillImage c:\winnt\system32\g4jole131h.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF Port Acrobat ? PDF Port Adobe Systems Incorporated. c:\winnt\system32\adobepdf.dll
影子110 - 2005-11-29 17:50:00
Empty the temporary files folder first, then run a HijackThis scan and post the log ~~
IE > Properties > Delete Files (including offline files) > OK
Download links for HijackThis V1.99.1 (Chinese-localized version and original English version) are in the second post at
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
thbhy - 2005-11-29 17:52:00
Sorry, I posted the wrong thing just now. I have edited it, please take another look. The HijackThis log follows.
thbhy - 2005-11-29 17:54:00
Logfile of HijackThis v1.99.1
Scan saved at 17:53:55, on 2005-11-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\conime.exe
\\192.168.0.240\officeshare\HijackThis.exe
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/246
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\g4jole131h.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
建能 - 2005-11-29 18:01:00
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
Fix these items. Repair the hosts file.
The hosts file stores the mapping between IP addresses and domain names that the Windows system keeps.
Some malicious web code modifies this file to force us onto malicious pages/sites.
The repair steps are:
1. Close all browser windows.
2. Start > Run...
If you are using Win 98, enter (copy/paste recommended): attrib %SystemRoot%\hosts -h -r -s
If you are using Win 2000/XP, enter (copy/paste recommended): attrib %SystemRoot%\system32\drivers\etc\hosts -h -r -s
Click the [OK] button.
3. Start > Run...
If you are using Win 98, enter (copy/paste recommended): notepad %SystemRoot%\hosts
If you are using Win 2000/XP, enter (copy/paste recommended): notepad %SystemRoot%\system32\drivers\etc\hosts
Click the [OK] button.
4. The contents of the hosts file will be shown in Notepad. Keep the line containing 127.0.0.1 and delete all the other lines.
Save the changes and restart the computer to see whether it helped.
Note: the hosts file is not required by the system; some computers may not have it at all.
影子110 - 2005-11-29 18:08:00
I can't see anything wrong in the log ~~~
Did you run the scan in safe mode ~~~
thbhy - 2005-11-30 13:26:00
Thanks for the help above. I looked at the hosts file: many entries mapping other websites to 127.0.0.1 had been added to it, but they cannot be cleared. After deleting them in safe mode, they are generated again automatically after a restart.
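The hosts-file check described in 建能's procedure, as an added example that is not part of this thread and not code from any tool mentioned in it: a Python script that does step 4 offline and goes one step beyond it. Instead of keeping every line that contains 127.0.0.1, it keeps only the loopback-to-localhost mapping and reports the other 127.0.0.1 lines separately, because thbhy's reply shows that the hijack can consist precisely of extra 127.0.0.1 lines that point other sites at loopback. The sample hosts content and its host names are constructed for the example.

```python
"""Triage a Windows hosts file offline: keep the genuine loopback entry,
report domains pointed at 127.0.0.1 (blackholed) and domains pointed at
some other address (redirected). Added example, not code from the thread."""

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input: a stock Windows 2000 hosts header plus entries of
# the kind described in the thread. The host names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       av-vendor-example.test
127.0.0.1       update-site-example.test   # keeps update servers unreachable
10.0.0.5        bank-example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored.

    One hosts line may list several names for one address, so each name
    becomes its own pair. Names are lower-cased (DNS is case-insensitive)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def triage_hosts(text):
    """Sort every mapping into keep / blackholed / redirected."""
    result = {"keep": [], "blackholed": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK_ADDRS and name in LOCAL_NAMES:
            result["keep"].append((ip, name))
        elif ip in LOOPBACK_ADDRS:
            result["blackholed"].append((ip, name))   # site made unreachable
        else:
            result["redirected"].append((ip, name))   # site sent elsewhere
    return result


def clean_hosts(text):
    """Return the file reduced to its loopback-to-localhost line(s).

    If the file has no such line (or is empty/missing), a default
    '127.0.0.1 localhost' line is emitted so name resolution stays sane."""
    kept = triage_hosts(text)["keep"] or [("127.0.0.1", "localhost")]
    return "".join(f"{ip}\t{name}\n" for ip, name in kept)


def report(text):
    """Human-readable summary lines (returned, so they can be checked)."""
    t = triage_hosts(text)
    n = len(t["keep"])
    lines = [f"kept {n} loopback entr{'y' if n == 1 else 'ies'}"]
    for ip, name in t["blackholed"]:
        lines.append(f"BLACKHOLED {name} -> {ip}")
    for ip, name in t["redirected"]:
        lines.append(f"REDIRECTED {name} -> {ip}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS):
        print(line)
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine the text would come from %SystemRoot%\system32\drivers\etc\hosts after the attrib step above has cleared the hidden/read-only/system attributes; the script only rewrites what it is given, so it also works on a copy taken for evidence.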
BlackStone - 2005-11-30 13:40:00
+ mphtmler.dll c:\winnt\system32\mphtmler.dll
Delete c:\winnt\system32\mphtmler.dll
If it cannot be deleted, try Unlocker
For downloading and using the tool see http://forum.ikaka.com/topic.asp?board=28&artid=7471002
thbhy - 2005-11-30 14:05:00
That dll was not found. It seems the scan results are different every time; I scanned again:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ccApp Common Client User Session Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
+ vptray Symantec AntiVirus Symantec Corporation c:\program files\symantec antivirus\vptray.exe
+ yassistse AssistSetting Yahoo! c:\program files\yahoo!\assistant\yassistse.exe
+ YLive.exe YLive c:\program files\yahoo!\assistant\ylive.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Elements Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ hA23msp.dll File not found: C:\WINNT\system32\hA23msp.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\winnt\system32\hticons.dll
+ KodakShellExtension Shell Extension Resource DLL Eastman Kodak Company c:\program files\common files\kodak\ifscore\kodakshx.dll
+ LDVP Shell Extensions Symantec AntiVirus Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ ScriptDropShellExt RoboEnhancer ScriptDropShellExt Module c:\program files\acd systems\roboenhancer\scriptdropshellext.dll
+ sscpack.dll c:\winnt\system32\sscpack.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 粉碎文件 Wiper 动态链接库 c:\program files\yahoo!\assistant\assist\ywiper.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web 文件夹 c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ coolbar ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
Task Scheduler
+ BMMTask.job c:\program files\thinkpad\utilities\bmmtask.exe
+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe
HKLM\System\CurrentControlSet\Services
+ Ati HotKey Poller c:\winnt\system32\ati2evxx.exe
+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
+ ccSetMgr Symantec Settings Manager Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe
+ DefWatch Monitors and maintains virus definitions. Symantec Corporation c:\program files\symantec antivirus\defwatch.exe
+ Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus. Symantec Corporation c:\program files\symantec antivirus\rtvscan.exe
HKLM\System\CurrentControlSet\Services
+ AgereSoftModem SoftModem Device Driver Agere Systems c:\winnt\system32\drivers\agrsm.sys
+ ati2mtag ATI RAGE 6 Miniport Driver ATI Technologies Inc. c:\winnt\system32\drivers\ati2mtag.sys
+ cs429x Crystal AC9x WDM Driver Cirrus Logic, Inc. c:\winnt\system32\drivers\cwawdm.sys
+ dmio NT Disk Manager I/O Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmio.sys
+ E100B NDIS 5 driver Intel Corporation c:\winnt\system32\drivers\e100bnt5.sys
+ EGATHDRV c:\winnt\system32\egathdrv.sys
+ IBMPMDRV c:\winnt\system32\drivers\ibmpmdrv.sys
+ IBMTPCHK c:\winnt\system32\drivers\ibmbldid.sys
+ Klick Kaspersky Anti-Hacker NDIS Interceptor Kaspersky Labs c:\winnt\system32\drivers\klick.sys
+ Klif spuper-ptor Kaspersky Labs c:\winnt\system32\drivers\klif.sys
+ Klin Kaspersky Anti-Hacker TDI Interceptor Kaspersky Labs c:\winnt\system32\drivers\klin.sys
+ Klmc Kaspersky Anti-Virus Mail Checker Proxy Kaspersky Lab c:\winnt\system32\drivers\klmc.sys
+ ltmodem5 LT Windows Modem LT c:\winnt\system32\drivers\ltmdmnt.sys
+ NAVENG AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20051123.019\naveng.sys
+ NAVEX15 AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20051123.019\navex15.sys
+ NSCIRDA NSC Fast Infrared Driver. National Semiconductor Corporation c:\winnt\system32\drivers\nscirda.sys
+ PcdrNt PC-Doctor NT Support Driver PC-Doctor Inc. c:\winnt\system32\drivers\pcdrnt.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\winnt\system32\drivers\ptilink.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\winnt\system32\drivers\pxhelp20.sys
+ S3SSavage S3 Graphics SuperSavage Miniport S3 Graphics, Inc. c:\winnt\system32\drivers\s3ssavm.sys
+ SAVRT AutoProtect Symantec Corporation c:\program files\symantec antivirus\savrt.sys
+ SAVRTPEL SAVRTPEL Symantec Corporation c:\program files\symantec antivirus\savrtpel.sys
+ smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\winnt\system32\drivers\smwdm.sys
+ SymEvent Symantec Event Library Symantec Corporation c:\program files\symantec\symevent.sys
+ SYMREDRV Redirector Filter Driver Symantec Corporation c:\winnt\system32\drivers\symredrv.sys
+ SYMTDI Network Dispatch Driver Symantec Corporation c:\winnt\system32\drivers\symtdi.sys
+ SynTP Synaptics Touchpad Driver Synaptics, Inc. c:\winnt\system32\drivers\syntp.sys
+ TDSMAPI c:\winnt\system32\drivers\tdsmapi.sys
+ TPPWR IBM ThinkPad Power Management Device Driver IBM Corp. c:\winnt\system32\drivers\tppwr.sys
+ TSMAPIP c:\winnt\system32\drivers\tsmapip.sys
+ TSP spuper-ptor Kaspersky Labs c:\winnt\system32\drivers\klif.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ Extensions c:\winnt\system32\fp8603lse.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF Port Acrobat ? PDF Port Adobe Systems Incorporated. c:\winnt\system32\adobepdf.dll
BlackStone - 2005-11-30 14:12:00
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ sscpack.dll c:\winnt\system32\sscpack.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ Extensions c:\winnt\system32\fp8603lse.dll
Delete the startup entries
Reboot
Delete c:\winnt\system32\fp8603lse.dll
c:\winnt\system32\sscpack.dll
Mind the Folder Options settings
Attachment:
58878120051130141212.JPG
thbhy - 2005-11-30 19:15:00
After countless rounds of deleting and restarting the machine, it still failed. The reason is that these dll files are generated automatically. After the dll files found in this scan were deleted in safe mode, new dll files were generated at the next startup, with randomly generated file names. And the hosts file is modified just the same, with more than 30 URLs mapped to 127.0.0.1 added. I really have no way out except reinstalling the system. Is there any other effective method?
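The thread ends with the reason the removal kept failing: the Winlogon Notify DLL (g4jole131h.dll in the first scan, fp8603lse.dll in the second) and the shell-extension DLL (mphtmler.dll, then sscpack.dll) change names between scans, so helpers chasing one filename never catch up. As an added example that is not part of the thread and not code from Autoruns or HijackThis, the Python below parses two Autoruns text exports, diffs them by location and path, and flags the entries a responder would look at first: anything in a sensitive autostart location that carries only a name and a path (no description or publisher), and anything whose registered file is missing. The two snapshots are constructed from this thread's own log lines; the regex-based column recovery is an assumption about the space-separated export format.

```python
"""Diff two Autoruns text exports and flag suspicious autostart entries.
Added example, not code from the thread or from Autoruns/HijackThis."""
import re

# Export line shape: "+ <name> [<description> <publisher>] <path>". The
# space-separated export loses column boundaries, so only the first token
# and the path are recovered reliably; anything between them counts as
# "description/publisher present".
ENTRY_RE = re.compile(
    r"^\+\s+(?P<name>\S+)\s*(?P<info>.*?)\s*"
    r"(?P<path>(?:[a-z]:\\|file not found:).*)$",
    re.IGNORECASE,
)

# Locations where an unexplained DLL or EXE deserves attention.
SENSITIVE_KEYS = (
    r"\Winlogon\Notify",
    r"\CurrentVersion\Run",
    r"\Shell Extensions\Approved",
    r"\Print\Monitors",
)

# Constructed snapshots (first and second scan) built from this thread's lines.
SNAPSHOT_FIRST = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ hA23msp.dll File not found: C:\WINNT\system32\hA23msp.dll
+ mphtmler.dll c:\winnt\system32\mphtmler.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ StillImage c:\winnt\system32\g4jole131h.dll
"""
SNAPSHOT_SECOND = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ hA23msp.dll File not found: C:\WINNT\system32\hA23msp.dll
+ sscpack.dll c:\winnt\system32\sscpack.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ Extensions c:\winnt\system32\fp8603lse.dll
"""


def parse_autoruns(text):
    """Return entries as dicts with category, name, info and (lower-cased) path."""
    entries, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+"):
            category = line          # registry key or "Task Scheduler" header
            continue
        m = ENTRY_RE.match(line)
        if m is None or category is None:
            continue
        entries.append({
            "category": category,
            "name": m["name"],
            "info": m["info"].strip(),
            "path": m["path"].strip().lower(),
        })
    return entries


def diff_snapshots(old_text, new_text):
    """Entries keyed by (category, path) found only in the new / only in the old scan."""
    old, new = parse_autoruns(old_text), parse_autoruns(new_text)
    old_keys = {(e["category"], e["path"]) for e in old}
    new_keys = {(e["category"], e["path"]) for e in new}
    added = [e for e in new if (e["category"], e["path"]) not in old_keys]
    removed = [e for e in old if (e["category"], e["path"]) not in new_keys]
    return added, removed


def flag_entries(entries):
    """Return (entry, reasons) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        sensitive = any(k.lower() in e["category"].lower() for k in SENSITIVE_KEYS)
        if sensitive and not e["info"]:
            reasons.append("no description/publisher in an autostart location")
        if e["path"].startswith("file not found:"):
            reasons.append("registered file is missing (stale entry or hidden file)")
        if reasons:
            findings.append((e, reasons))
    return findings


def churn_report(old_text, new_text):
    """Lines describing which autostart files disappeared and appeared between scans."""
    added, removed = diff_snapshots(old_text, new_text)
    lines = [f"GONE  {e['category']}: {e['path']}" for e in removed]
    lines += [f"NEW   {e['category']}: {e['path']}" for e in added]
    return lines


if __name__ == "__main__":
    for line in churn_report(SNAPSHOT_FIRST, SNAPSHOT_SECOND):
        print(line)
    for entry, reasons in flag_entries(parse_autoruns(SNAPSHOT_SECOND)):
        print(f"FLAG  {entry['name']} ({entry['path']}): {'; '.join(reasons)}")
```

Run against the two exports in this thread, the churn report shows the same two locations (Winlogon\Notify and Shell Extensions\Approved) losing one file and gaining another between scans, which is the signature of a component that re-creates itself under a fresh random name at boot; in that situation the location, not the filename, is what to keep watching.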