大蜘蛛最近用来不错~~
只会格盘的DOS盲人路过~~~ 不是吧 有没有试过dos杀毒? 如果你急用电脑,而且C盘里面的程序不是很重要的话,还是建议你重装……
我上次第一次中了橙色八月,忙了两天研究,最后都搞不定,还是重装……
后来第二次中,5分钟之内就决定重装了……
不过如果你有时间想研究一下非重装途径下怎么彻底消灭橙色八月的话,这样玩玩也没问题…… http://218.246.35.193/forum/thread-117498-1-1.html好像有解决方法 电脑不在这里,明天去弄
不理了睡觉先 原帖由 2002070344 于 2006-12-6 02:12 发表
http://218.246.35.193/forum/thread-117498-1-1.html好像有解决方法
看一下进程里有没有sxs.exe或svohost.exe
有得话用你找到解决方法应该就可以删了..
meiyou
启动项报告: 2006-12-6, 9:42:47启动项扫描器版本: 1.52.2
开始于: F:\HijackThis1991.EXE
系统检测: Windows XP SP2 (WinNT 5.01.2600)
系统检测: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* 使用默认选项
* 选择“列出主要的部分(标准)”方式
==================================================
当前运行的进程:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
F:\HijackThis1991.exe
--------------------------------------------------
Checking Windows NT UserInit:
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CnsMin = Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
kis = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
(Default) =
helper.dll = C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
--------------------------------------------------
注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
cnshint.dll = regsvr32 /s C:\WINDOWS\downlo~1\cnshint.dll
CnsHook.dll = regsvr32 /s C:\WINDOWS\downlo~1\CnsHook.dll
CnsMinEx.dll = regsvr32.exe /s
--------------------------------------------------
注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
--------------------------------------------------
文件打开方式关联 for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(黙认) = notepad.exe %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=* 未找到INI相关项目值 *
run=* 未找到INI相关项目值 *
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=* 未找到相关注册表键值 *
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=* 未找到相关注册表键值 *
HKLM\..\Windows\CurrentVersion\WinLogon: load=* 未找到相关注册表键值 *
HKLM\..\Windows\CurrentVersion\WinLogon: run=* 未找到相关注册表键值 *
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=* 未找到相关注册表键值 *
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=* 未找到相关注册表键值 *
HKCU\..\Windows\CurrentVersion\WinLogon: load=* 未找到相关注册表键值 *
HKCU\..\Windows\CurrentVersion\WinLogon: run=* 未找到相关注册表键值 *
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=* 未找到相关注册表键值 *
HKLM\..\Windows NT\CurrentVersion\Windows: run=* 未找到相关注册表键值 *
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
--------------------------------------------------
外壳扩展和屏幕保护程序的键值从 C:\WINDOWS\SYSTEM.INI:
Shell=* 未找到INI相关项目值 *
SCRNSAVE.EXE=* 未找到INI相关项目值 *
drivers=* 未找到INI相关项目值 *
外壳扩展和屏幕保护程序的键值从 注册表
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=* 未找到相关注册表键值 *
Policies Shell key:
HKCU\..\Policies: Shell=* 未找到相关注册表键值 *
HKLM\..\Policies: Shell=* 未找到相关注册表键值 *
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: NO!)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
列举IE浏览器辅助对象(BHO模块):
IE - C:\WINDOWS\downlo~1\CnsHook.dll - {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
卡巴斯基互联网安全套装 6.0: "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (autostart)
Rising TDI Base Driver: System32\DRIVERS\BaseTDI.SYS (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ExpScaner: \??\C:\Program Files\Rising\Rav\ExpScan.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HOOKAPI: \??\C:\PROGRAM FILES\RISING\RAV\HOOKAPI.SYS (autostart)
HookCont: \??\C:\Program Files\Rising\Rav\HOOKCONT.sys (autostart)
HookReg: \??\C:\Program Files\Rising\Rav\HookReg.sys (autostart)
HookSys: \??\C:\Program Files\Rising\Rav\HookSys.sys (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
MEMSCAN: \??\C:\Program Files\Rising\Rav\MEMSCAN.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
MSSQLSERVER: C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Rising Process Communication Center: "C:\Program Files\Rising\Rav\CCenter.exe" (autostart)
RSPPSYS: \??\C:\Program Files\rising\Rav\RSPPSYS.sys (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\DOWNLO~1\3721\CNSPLUS.DLL => C:\WINDOWS\downlo~1\cnsplus.dll|C:\WINDOWS\DOWNLO~1\3721\CNSHINT.DLL => C:\WINDOWS\downlo~1\cnshint.dll|C:\WINDOWS\DOWNLO~1\3721\CNSHOOK.DLL => C:\WINDOWS\downlo~1\CnsHook.dll|C:\WINDOWS\DOWNLO~1\CNSDTU.DLL||C:\WINDOWS\downlo~1\3721\CnsMinEx.dll => C:\WINDOWS\downlo~1\CnsMinEx.dll|C:\WINDOWS\downlo~1\autolive.dll||C:\WINDOWS\downlo~1\autolive.dll||C:\PROGRA~1\3721\3721||C:\PROGRA~1\3721|||C
--------------------------------------------------
列举 ShellServiceObjectDelayLoad 项目:
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
报告完毕,共 11,670 字节
报告生成用时:1.222秒
Command line options:
/verbose- to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x- to include Win9x-only startups even if running on WinNT
/forcent- to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history- to list version history only 解决了,用卡巴杀了90多个木马,都是QQpass
基本上都是在c://system volme store这个文件下(具体名字我忘记了,要改文件夹的隐藏属性、系统保护属性才能看见)
和我用橙色八月提取器提取的病毒文件名一样
靠,橙色八月不是专杀来的
只是告诉你病毒样本
要自己去找,我注册表只找到一个--.dll
其他--.exe找不到
在c盘内逐个搜索,也没找到
有没高手指点下,要是自己弄怎么弄
虽然卡巴代劳是省事,不过耗时长
ps:瑞星真的不行,卡巴一上就解决
要不是指定要用瑞星
直接留着卡巴早完事了
[ 本帖最后由 2002070344 于 2006-12-6 11:42 编辑 ]
页:
1
[2]