Original by endurer
2006-09-22, 1st edition
A fellow forum user's computer was popping up advertisement windows from time to time.
Download HijackThis and run a scan to produce a log.
The following suspicious items were found in the log:
/---------
Logfile of HijackThis v1.99.1
Scan saved at 9:08:50, on 2006-9-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/Program Files/SystemInspect/SVCHAST.exe
c:/windows/system32/inetsrv/csrss.exe
C:/WINDOWS/system32/softbox.exe
C:/WINDOWS/TEMP/setup.exe
C:/WINDOWS/system32/windowoutnew.exe
C:/WINDOWS/svchost.exe
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/windowoutnew.exe
R3 - URLSearchHook: SearchCar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:/Program Files/SearchCar/SearchCar.dll (file missing)
F2 - REG:system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe
O1 - Hosts: 125.91.1.20 localhost
O1 - Hosts: 125.91.1.20 www.7939.com
O1 - Hosts: 125.91.1.20 www.hao123.com
O1 - Hosts: 125.91.1.20 www.9991.com
O1 - Hosts: 125.91.1.20 www.5566.net
O1 - Hosts: 125.91.1.20 www.gjj.cc
O1 - Hosts: 125.91.1.20 www.265.com
O1 - Hosts: 125.91.1.20 www.v111.com
O1 - Hosts: 125.91.1.20 www.7322.com
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:/PROGRA~1/DESKAD~1/deskipn.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:/Documents and Settings/All Users/Application Data/Microsoft/IEHelper/IEHelper_5107.dll
O2 - BHO: (no name) - {3D898C55-74CC-4B7C-B5F1-45913F368388} - C:/WINDOWS/system32/SecurityC1.dll
O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:/WINDOWS/system32/drivers/spoolsv.dll
O2 - BHO: XBTP03129 - {B07D1F6B-6B8C-4904-8EE8-5E5A2B4624B3} - C:/PROGRA~1/SEARCH~1/SEARCH~1.DLL (file missing)
O2 - BHO: Macromedia. Flash8 Object - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:/WINDOWS/system32/FlashPlayer8OCX.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:/WINDOWS/system32/ms.dll
O2 - BHO: Webacc - {CAC068F3-A608-406B-8581-458788A67694} - C:/WINDOWS/system32/svchost.dll
O2 - BHO: Microsoft Solo Browser Helper Object - {E3DB85B5-C559-4894-B474-42E89FAA1EFD} - C:/WINDOWS/system32/winmsd.dll (file missing)
O3 - Toolbar: SearchCar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:/Program Files/SearchCar/SearchCar.dll (file missing)
O3 - Toolbar: 系统标准按钮(&E) - {6B2455FD-3669-4555-8DF8-69FD5BC846F8} - C:/WINDOWS/system32/SystemToolbar.dll (file missing)
O4 - HKLM/../Run: [softbox] C:/WINDOWS/system32/softbox.exe
O4 - HKLM/../Run: [System] C:/WINDOWS/TEMP/setup.exe
O4 - HKLM/../Run: [WindowOutNew] C:/WINDOWS/system32/windowoutnew.exe
O4 - HKLM/../Run: [svc] C:/WINDOWS/svchost.exe
O4 - HKLM/../Run: [Desktop] C:/WINDOWS/system32/rundll32.exe "C:/Program Files/DeskAdTop/Run.dll" ,Rundll
O4 - HKCU/../Run: [svc] C:/WINDOWS/svchost.exe
O4 - Global Startup: IE-Bar.lnk = C:/Program Files/Common Files/IE-Bar/iebar.exe
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Control Panel present
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http:///main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http:///vertical/mall/pro.php?allyesPara=816 (file missing)
O10 - Unknown file in Winsock LSP: c:/windows/system32/msplus.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/msplus.dll
O23 - Service: SVCHAST (SystemInspect) - Unknown owner - C:/Program Files/SystemInspect/SVCHAST.exe
---------/
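The log above can be triaged mechanically before anyone decides what to remove. The script below is an added example written for this article, not a tool from HijackThis or from the author; it parses HijackThis-style entry lines and flags the patterns that stand out in this log: a hosts file that redirects localhost and several unrelated sites to one non-loopback address, browser add-ons that are registered but missing or that borrow a Windows component's name, autostart entries that run from a temp directory or that place a system binary name outside system32, unknown LSP files, and services with no owner. The heuristics, thresholds and name list are my assumptions, and the sample input is a constructed excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the HijackThis log above.
SAMPLE_LOG = """\
O1 - Hosts: 125.91.1.20 localhost
O1 - Hosts: 125.91.1.20 www.hao123.com
O1 - Hosts: 125.91.1.20 www.265.com
O2 - BHO: Webacc - {CAC068F3-A608-406B-8581-458788A67694} - C:/WINDOWS/system32/svchost.dll
O2 - BHO: XBTP03129 - {B07D1F6B-6B8C-4904-8EE8-5E5A2B4624B3} - C:/PROGRA~1/SEARCH~1/SEARCH~1.DLL (file missing)
O2 - BHO: Macromedia. Flash8 Object - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:/WINDOWS/system32/FlashPlayer8OCX.dll
O4 - HKLM/../Run: [System] C:/WINDOWS/TEMP/setup.exe
O4 - HKLM/../Run: [svc] C:/WINDOWS/svchost.exe
O4 - HKLM/../Run: [Desktop] C:/WINDOWS/system32/rundll32.exe "C:/Program Files/DeskAdTop/Run.dll" ,Rundll
O10 - Unknown file in Winsock LSP: c:/windows/system32/msplus.dll
O23 - Service: SVCHAST (SystemInspect) - Unknown owner - C:/Program Files/SystemInspect/SVCHAST.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
RUN_RE = re.compile(r"^HK\w+/\.\./Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")

LOOPBACK = {"127.0.0.1", "::1"}
# Assumed list: stems of Windows components whose names the adware in this log borrowed.
SYSTEM_STEMS = {"svchost", "csrss", "spoolsv", "winmsd", "userinit"}
TEMP_MARKERS = ("/temp/",)

def normalize(path):
    return path.strip().strip('"').replace("\\", "/").lower()

def stem_and_dir(path):
    """Split a path into (file name without extension, directory), both lower-cased."""
    p = normalize(path)
    directory, _, filename = p.rpartition("/")
    return filename.rsplit(".", 1)[0], directory

def first_path(cmd):
    """First executable in a Run command: the quoted token if present, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def parse(log_text):
    """Yield (item code, body) for every HijackThis entry line; other lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(log_text):
    """Return a list of (code, reason) findings for entries that deserve a closer look."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for code, body in parse(log_text):
        if code == "O1":
            m = HOSTS_RE.match(body)
            if m:
                ip, host = m.group("ip"), m.group("host")
                hosts_by_ip[ip].append(host)
                if host == "localhost" and ip not in LOOPBACK:
                    findings.append((code, f"localhost redirected to {ip}"))
        elif code in ("O2", "O3"):
            if body.endswith("(file missing)"):
                findings.append((code, f"dangling registration: {body}"))
            else:
                stem, _ = stem_and_dir(body.rsplit(" - ", 1)[-1])
                if stem in SYSTEM_STEMS:
                    findings.append((code, f"browser add-on named like a system component: {body}"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m:
                stem, directory = stem_and_dir(first_path(m.group("cmd")))
                if any(t in directory + "/" for t in TEMP_MARKERS):
                    findings.append((code, f"autostart from a temp directory: [{m.group('name')}]"))
                elif stem in SYSTEM_STEMS and not directory.endswith("/system32"):
                    findings.append((code, f"system binary name outside system32: [{m.group('name')}]"))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((code, body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, body))
    # Several hostnames mapped to one non-loopback address is the hosts-file hijack pattern.
    for ip, hosts in hosts_by_ip.items():
        if ip not in LOOPBACK and len(hosts) >= 2:
            findings.append(("O1", f"{len(hosts)} hostnames pointed at {ip}: {', '.join(hosts)}"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

On the excerpt this reports eight findings; the decoy Flash BHO and the rundll32 entry are deliberately left to a human, because a name-based heuristic cannot distinguish them from legitimate entries, which is why the author's removal list is longer than what the script flags.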
Uninstall: IE-Bar, SearchCar, 中文上网 (Chinese-keyword Internet access), 桌面媒体 (Desktop Media)
Stop and disable the service: SVCHAST (SystemInspect)
Download procview from http:// and run it, then terminate the following processes:
/---------
C:/Program Files/SystemInspect/SVCHAST.exe
c:/windows/system32/inetsrv/csrss.exe
C:/WINDOWS/system32/softbox.exe
C:/WINDOWS/TEMP/setup.exe
C:/WINDOWS/system32/windowoutnew.exe
C:/WINDOWS/svchost.exe
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/windowoutnew.exe
---------/
Use WinRAR to locate the following files:
/---------
C:/Program Files/SystemInspect/SVCHAST.exe
C:/Documents and Settings/user/1018.exe (Kaspersky detects as Trojan-Downloader.Win32.Agent.aww)
C:/Documents and Settings/user/dmshell.dll (Kaspersky detects as not-a-virus:AdWare.Win32.Dm.d)
C:/Documents and Settings/user/Skymmstp234.exe (Kaspersky detects as not-a-virus:AdWare.Win32.ADMoke.n)
C:/WINDOWS/svchost.exe
C:/WINDOWS/system32/softbox.exe
C:/WINDOWS/system32/windowoutnew.exe (Kaspersky detects as Trojan-Downloader.Win32.VB.akp)
C:/WINDOWS/system32/FlashPlayer8OCX.dll
C:/WINDOWS/system32/ms.dll
C:/WINDOWS/system32/SecurityC1.dll
C:/WINDOWS/system32/svchost.dll
C:/WINDOWS/system32/drivers/spoolsv.dll
c:/windows/system32/inetsrv/csrss.exe (Kaspersky detects as Backdoor.Win32.Delf.auu)
C:/WINDOWS/TEMP/setup.exe (Kaspersky detects as Trojan-Downloader.Win32.Small.duh)
C:/WINDOWS/TEMP/Setup4.exe.rar (Kaspersky detects as not-a-virus:AdWare.Win32.BHO.ag)
C:/WINDOWS/TEMP/setup175.exe
---------/
Pack them into an archive as a backup, then delete them.
Close all browser and folder windows, then scan with HijackThis and fix the items listed above.
Download and run lspfix.exe, tick “I Know What I'm Doing”, move msplus.dll from the left pane to the right pane, then click “Finish”.
Empty the IE temporary files folder.
Empty c:/Documents and Settings/user/Local Settings/temp (where user is the user name).
Empty c:/windows/temp.