endurer
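2006-04-16, version 2: The user replied that the problem has been solved, and sent over the files INTasks.exe and svchest.exe.
2006-04-03, version 1
I just received a HijackThis log file forwarded by a fellow netizen. The computer of that netizen's friend periodically pops up the web page hxxp://www.71791.com.
The following suspicious entries were found in the log: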
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKLM/../Run: [Service] svchest.exe
O4 - HKLM/../Run: [MSService] svchest.exe
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Restrictions present
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Control Panel present
O6 - HKLM/Software/Policies/Microsoft/Internet Explorer/Restrictions present
O23 - Service: Remote Internet Service (Msisvr) - Unknown owner - C:/WINDOWS/System32/INTasks.exe
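The triage above, as an added example that is not part of the original post: a small Python parser that flags O4 autoruns whose file name is a near-miss of a legitimate Windows process name (svchest.exe against svchost.exe) and O23 services that HijackThis reports with "Unknown owner". The known-good name list, the 0.85 similarity threshold and the two benign sample lines are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher

# Assumed reference list of legitimate Windows process names (not from the post).
KNOWN_GOOD = ["svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
              "explorer.exe", "userinit.exe", "csrss.exe", "smss.exe"]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\)"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")

# First three lines are from the post; the last two are constructed benign entries.
SAMPLE_LOG = r"""
O4 - HKLM/../Run: [Service] svchest.exe
O4 - HKLM/../Run: [MSService] svchest.exe
O23 - Service: Remote Internet Service (Msisvr) - Unknown owner - C:/WINDOWS/System32/INTasks.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\svc.exe
"""

def exe_name(cmd):
    """Return the lower-cased executable file name from a Run-key command line."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|com|scr|bat))\b", cmd, re.I)
    path = m.group(1) if m else cmd.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()

def lookalike(name, threshold=0.85):
    """Return the known-good name that `name` closely resembles, or None."""
    if name in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None

def flag_entries(log_text):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if m := O4_RE.match(line):
            name = exe_name(m["cmd"])
            if good := lookalike(name):
                findings.append(("O4", name, f"resembles {good}"))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(("O23", m["svc"], f"unknown owner: {m['path']}"))
    return findings

if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_LOG):
        print(finding)
```

A flagged entry is a lead for manual review, not a verdict: the file still has to be located, backed up and scanned, as the steps below do.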
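The repair advice I gave him was:
Start the computer in Safe Mode.
Turn off System Restore.
Stop and disable the service: Remote Internet Service (Msisvr)
Set the system to show all files and folders, and not to hide extensions for known file types.
Look for the following files:
C:/WINDOWS/System32/INTasks.exe
svchest.exe (find it with the Start menu search function)
Pack the files you find into an archive with compression software (such as winrar or winzip) as a backup, then delete them.
Once all the repair work is complete, send the archive as an email attachment to [email protected].
Close all browser windows and folder windows, scan again with HijackThis, tick the boxes in front of the items listed above, and then click [Fix].
Empty the IE temporary files folder.
svchest.exe appears to be written in Borland Delphi.
It imports winpub.reg into the registry via regedit,
downloads guest.exe from hxxp://xingz.3322.org, saves it as INTasks.exe, and sets it up as a system service startup item,
and forces IE to open web pages such as hxxp://www.71791.com, hxxp://www.71791.com/news, hxxp://www.71791.com/goodvip and hxxp://www.71791.com/mm.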
File: | svchest.exe |
Status: | INFECTED/MALWARE |
MD5 | 800f9cd970666a684d4b7eb3dfce1b31 |
Packers detected: | - |
Scanner results | |
AntiVir | Found Trojan/Drop.Delf.PT |
ArcaVir | Found Trojan.Spy.Delf.Pt |
Avast | Found nothing |
AVG Antivirus | Found nothing |
BitDefender | Found Trojan.Agent.Delf.A |
ClamAV | Found nothing |
Dr.Web | Found nothing |
F-Prot Antivirus | Found nothing |
Fortinet | Found nothing |
Kaspersky Anti-Virus | Found nothing |
NOD32 | Found probably a variant of Win32/TrojanDownloader.Delf.NDQ (probable variant) |
Norman Virus Control | Found Sandbox: W32/Malware; [ General information ] * Locates window "NULL [class Shell_TrayWnd]" on desktop. * File length: 15872 bytes. [ Process/window information ] * Modifies other process memory. * Creates a remote thread. |
UNA | Found nothing |
VirusBuster | Found nothing |
VBA32 | Found nothing |
File: | INTasks.exe |
Status: | INFECTED/MALWARE |
MD5 | 4d99311d87ff634b0c0fa361208c9e7f |
Packers detected: | NSPACK |
Scanner results | |
AntiVir | Found Trojan/Agent.Delf.A |
ArcaVir | Found nothing |
Avast | Found nothing |
AVG Antivirus | Found nothing |
BitDefender | Found Trojan.Agent.Delf.A |
ClamAV | Found nothing |
Dr.Web | Found Trojan.MulDrop.3582 |
F-Prot Antivirus | Found nothing |
Fortinet | Found nothing |
Kaspersky Anti-Virus | Found nothing |
NOD32 | Found probably unknown NewHeur_PE (probable variant) |
Norman Virus Control | Found W32/Agent.ZIZ |
UNA | Found nothing |
VirusBuster | Found nothing |
VBA32 | Found nothing |