Caught an adware virus......

Caught an adware virus..... every so often... an ad pops up.
Used the TREND MICRO online scanner

JAVA_BYTEVER.BW
JAVA_BYTEVER.DK
JAVA_BYTEVER.BJ
JAVA_BYTEVER.DL
JAVA_BYTEVER.BX
ADW_IEBAR.U

Clicked Clean

ADW_IEBAR.U could not be cleaned (clicked Clean, no response)


Also ran HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at PM 04:42:04, on 2009/1/31
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\ZH-TW\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\ZH-TW\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: DwHlper Class(3.0) - {78A11A73-6D8A-11db-A78B-000BCDB692DB} - C:\WINDOWS\SYSTEM\DWMGR3.DLL
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\ZH-TW\MSNTB.DLL
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\zh-tw\msnappau.exe"
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [XP-D3DB6423] C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\WINDOWS\DESKTOP\ADAWARESEPROFESSIONALV1[1].06\AD-AWARE SE PROFESSIONAL_V1.06\AD-WATCH.EXE"
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AWMON] "C:\WINDOWS\DESKTOP\ADAWARESEPROFESSIONALV1[1].06\AD-AWARE SE PROFESSIONAL_V1.06\AD-WATCH.EXE" (User 'Default user')
O4 - .DEFAULT Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE (User 'Default user')
O4 - Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O15 - Trusted Zone: http://picasaweb.google.com
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! 工具列) - http://us.dl1.yimg.com/download. ... r/yiebio5_1_6_0.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.com.tw/xml_web_setup/msxml4.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/contr ... kPhotoUploader5.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

--
End of file - 5512 bytes
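As an added example (not part of this thread, of HijackThis or of Trend Micro), the following Python script scans a log of the kind posted above for the indicators a helper would look for when triaging it: an autostart entry whose name has a random-looking shape such as XP-D3DB6423, a Startup-folder shortcut whose name is nothing but punctuation, one binary registered in several autostart locations, and an O16 ActiveX download fetched from a bare IP address or delivered as an .exe rather than a .cab. The sample lines are quoted from the log above; the heuristics, thresholds and function names are this example's own assumptions, not a HijackThis feature.

```python
"""Flag suspicious autostart (O4) and ActiveX-download (O16) lines in a HijackThis log.

Added example for this thread; the heuristics are assumptions of the example,
not part of HijackThis. SAMPLE_LOG is quoted from the log posted in the thread.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [XP-D3DB6423] C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - .DEFAULT Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE (User 'Default user')
O4 - Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
"""


class Finding(NamedTuple):
    code: str     # HijackThis section the hit came from, e.g. O4 or O16
    reason: str   # which heuristic fired
    detail: str   # the offending log line, or the binary path for the multi-location check


# Line shapes used by HijackThis 2.0 logs (as seen in the posted log).
ENTRY = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^HK\S*?\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP = re.compile(r"^(?:\.DEFAULT )?Startup: (?P<name>.*?)\.lnk = (?P<target>.*?)(?: \(User '[^']*'\))?$")
DPF = re.compile(r"^DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>\S+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s|$)', re.I)
# Heuristics (assumptions of this example): a short prefix, a dash and eight hex digits
# is the shape of XP-D3DB6423; a download host that is a bare IPv4 literal.
RANDOM_NAME = re.compile(r"^[A-Z]{1,3}-[0-9A-F]{8}$", re.I)
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)


def exe_stem(command: str) -> Optional[Tuple[str, str]]:
    """Return (upper-cased executable path, file name without .exe) from a Run command."""
    m = EXE_PATH.match(command.strip())
    if not m:
        return None
    path = m.group("path")
    stem = path.rsplit("\\", 1)[-1][:-4]   # drop the directory and the ".exe" suffix
    return path.upper(), stem


def analyse(log: str) -> List[Finding]:
    """Walk the log once and collect heuristic findings."""
    findings: List[Finding] = []
    locations: Dict[str, List[str]] = defaultdict(list)   # binary path -> autostart lines
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            run, startup = RUN.match(body), STARTUP.match(body)
            if run:
                parsed = exe_stem(run.group("cmd"))
                if parsed:
                    path, stem = parsed
                    locations[path].append(line)
                    if RANDOM_NAME.match(run.group("name")) or RANDOM_NAME.match(stem):
                        findings.append(Finding(code, "random-looking autostart name", line))
            elif startup:
                name, target = startup.group("name"), startup.group("target")
                locations[target.upper()].append(line)
                if not any(ch.isalnum() for ch in name):   # e.g. "﹛﹛﹛.lnk"
                    findings.append(Finding(code, "nameless Startup shortcut", line))
        elif code == "O16":
            dpf = DPF.match(body)
            if dpf:
                url = dpf.group("url")
                if IP_HOST.match(url):
                    findings.append(Finding(code, "ActiveX download from bare IP address", line))
                if url.lower().endswith(".exe"):
                    findings.append(Finding(code, "ActiveX download is an executable, not a .cab", line))
    # One binary wired into two or more autostart places is worth a second look.
    for path, lines in locations.items():
        if len(lines) >= 2:
            findings.append(Finding("O4", "same binary in several autostart locations", path))
    return findings


def reason_counts(log: str) -> Dict[str, int]:
    """How many times each heuristic fired; handy for a quick summary."""
    return dict(Counter(f.reason for f in analyse(log)))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.detail}")
```

Run it over a saved log with `analyse(open(path, encoding="utf-8").read())`. A hit is a reason to look closer (for instance by submitting the file to VirusTotal, as suggested later in the thread), not proof of infection: legitimate installers also use odd names, so the output is a triage aid, not a verdict.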


Go to Control Panel > Add or Remove Programs and check whether there is a program called 天下搜索 or any program with a garbled name.

If there is, remove it.

Then go to http://www.virustotal.com/ and scan this file:

C:\WINDOWS\system32\XP-D3DB6423.exe

Then paste the scan report here.


In Add or Remove Programs... there is no 天下搜索.... only one program with a garbled name (it's a music download program, but it was installed a long time ago, before the infection).

At http://www.virustotal.com/ I can't find that XP-D3DB6423.exe you mentioned,
but pressing ALT + CTRL + DEL does show that XP-D3DB6423.


OK.

Run HijackThis and scan the computer. Then tick the boxes to the left of the following items. Close all windows and browsers, click Fix checked, then close HijackThis.

O4 - HKLM\..\Run: [XP-D3DB6423] C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE

O4 - .DEFAULT Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE (User 'Default user')

O4 - Startup: ﹛﹛﹛.lnk = C:\WINDOWS\SYSTEM\XP-D3DB6423.EXE

Download OTMoveIt3 to the desktop:

http://oldtimer.geekstogo.com/OTMoveIt3.exe

  • Run OTMoveIt3
  • Use the mouse to copy the bold text below and paste it into the Paste Instructions for Items to be Moved box of the OTMoveIt3 window:

    :files
    C:\WINDOWS\System\XP-D3DB6423.EXE
    C:\WINDOWS\Downloaded Program Files\barhelp24.0.dl

  • Then click MoveIt! (if the program asks to restart the computer, click Yes) and close OTMoveIt3

After the computer restarts, scan once more with Trend Micro and see whether it still finds anything.


Followed the procedure...

But it did not ask to restart the computer......

It seems to say nothing was found..... what now?......


I left out a letter earlier; it should be like this:

:files
C:\WINDOWS\Downloaded Program Files\barhelp24.0.dll

Try OTMoveIt3 once more.


= ="
Still not found??


Download the del.bat below, then close all windows and browsers and run del.bat:

http://www.savefile.com/files/1999244

Then scan once with Trend Micro.


Ran del.bat.....

Scanned with Trend Micro

The first time I clicked, it seemed to say it couldn't clean.
Then by accident.. I ticked C:\_RESTORE\ARCHIVE\FS1140.CAB!   (I thought ticking it meant not deleting that file)
Cleaned once more... and got -->

What now.... will this affect the computer in any way???
