收到花版主的参考,有入段感觉,非常感谢!
问题来了:
1.HiJacThiS的"设置"里IE内容不是想要的,(之前注册表下修改了默认主页的键值为HTTP://WWW.Microsoft.com/China/,使桌面上IE图标的属性下"使用默认页"恢复正常,但日志扫描的IE与O14项基本相同),如何修?
2.3721早已卸载且注册表也清理,WIN9X自带搜索没有发现Rundll32.exe,可"自启动列表"文件却露出尾巴,请支招.
3.所有文件均不隐藏,"自启动列表"文件却还有,可疑,咋办?
附自启动列表
启动项报告: 05-12-9, 11:22:26
启动项扫描器版本: 1.52.2
开始于: D:\KAKA2005\HIJACKTHIS1991ZWW.EXE
系统检测: Windows 98 SE (Win9x 4.10.2222A)
系统检测: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* 使用默认选项
* 选择“列出主要的部分(标准)”方式
==================================================
当前运行的进程:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
D:\KAKA2005\HIJACKTHIS1991ZWW.EXE
--------------------------------------------------
注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RavMon = C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
--------------------------------------------------
注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
RavMon = C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
RsCcenter = C:\PROGRA~1\RISING\RAV\CCENTER.EXE
RavMond = C:\PROGRA~1\RISING\RAV\RAVMOND.EXE
--------------------------------------------------
文件打开方式关联 for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(黙认) = system\notepad.exe %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[{88899C21-D2E2-455f-9E89-17F3C3E7362A}] *
StubPath = C:\WINDOWS\RunDll32.exe C:\WINDOWS\SYSTEM\RONVIDIAT.DLL,EntryPoint
[{88899C22-D2E2-455f-9E89-17F3C3E7362A}] *
StubPath = C:\WINDOWS\RunDll32.exe C:\WINDOWS\SYSTEM\NVWRSKOS.DLL,EntryPoint
[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll
--------------------------------------------------
外壳扩展和屏幕保护程序的键值 从 C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 5/12/2005, 9:36:56)
[rename]
NUL=C:\WINDOWS\DOWNLO~1\CNSHOOK.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSMIN.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSMINIO.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSIO.DLL
DIRNUL=C:\WINDOWS\DOWNLOADED PROGRAM FILES\3721
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;%PATH%
SET PATH=%PATH%;C:\PROGRA~1\COMMON~1\AUTODE~1
--------------------------------------------------
C:\CONFIG.SYS listing:
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
C:\SBPCI\SBINIT
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.
vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.
js: not hidden
.jse: not hidden
--------------------------------------------------
列举“计划任务”服务:
启用 Application Start.job
Windows 重要更新通知.job
--------------------------------------------------
列举下载的程序文件:
[Shockwave Flash
Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
--------------------------------------------------
列举 ShellService
ObjectDelayLoad 项目:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
报告完毕,共 5,568 字节
报告生成用时:0.175秒
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
