1   1  /  1  页   跳转

求救,分析HijackThis恶意代码

求救,分析HijackThis恶意代码

Logfile of HijackThis v1.99.1
Scan saved at 19:34:02, on 2005-7-7
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\temp\salm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\新建文件夹 (2)\HijackThis.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - C:\WINDOWS\System32\Usign.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 卡卡安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\Program Files\Rising\KaKaToolBar\kakatool.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAVRUN] F:\金山毒霸\Duba4UBak\KAV4U\KAVRUN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe "C:\PROGRA~1\CNNIC\Cdn\cdnspie.dll,ExecFilter solo"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: 腾讯QQ.LNK = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: 访问瑞星网站 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E444} - http://www.rising.com.cn (file missing)
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.tongfangpc.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/014bd7eaf9db2911a305/netzip/RdxIE601_cn.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/ravkill/rsonline.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{871D0F52-C48E-4604-9B03-80F7EEF82D3E}: NameServer = 61.177.7.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1
O18 - Protocol hijack: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SYSTEMROOT%\SYSTEM32\MSHTML.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
最后编辑2005-07-07 19:49:30
分享到:
gototop
 

C:\temp\salm.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
这项很可疑
gototop
 

重新启动到安全模式(进入安全模式的方法:重新启动电脑, 开机自动检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式(Safe Mode)进入Windows。)

先终止下面的进程(关闭所有窗口,同时按下CTRL+ALT+DELETE,在打开的窗口中选中要终止的进程,然后按下“结束任务”或者“结束进程”,最后关闭该窗口。无法终止的话,建议使用第三方进程管理软件,比如HijackThis自带的进程管理器来终止其进程>
——打开HijackThis——配置——混合工具箱——打开简易进程管理器——选中要终止的进程——点终止进程)
C:\temp\salm.exe

请关闭所有IE界面,重新使用HijackThis扫描一次,选中下面建议修复的项目,让HijackThis修复,修复前请允许HijackThis保留备份。(如果楼主知道是安全的可以不必勾选)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - C:\WINDOWS\System32\Usign.dll
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab

然后打开我的电脑。。再点工具。。打开文件夹选项。。。查看。。。把隐藏受保护的系统文件(推荐)和隐藏已知文件类型的扩展名的勾去掉。再显示所有文件。 用WINDOWS的查找功能进行查找并删除:
C:\WINDOWS\nem220.dll
C:\WINDOWS\System32\Usign.dll
c:\temp\salm.exe

gototop
 

Running processes:
C:\temp\salm.exe
C:\WINDOWS\system32\slserv.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{871D0F52-C48E-4604-9B03-80F7EEF82D3E}: NameServer = 61.177.7.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C4A5EF-4B12-42D3-8F44-21D9254A5A37}: NameServer = 61.177.7.1 221.228.255.1

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
------------------------
找到这几项,蓝色字可不修复
gototop
 

【接3楼】
进入 C:\temp 文件夹,删除所有文件。
如果还出来,就快一些,再次删除,并把该文件夹设上只读属性
——勿删!
gototop
 
1   1  /  1  页   跳转
页面顶部
Powered by Discuz!NT