endurer
2006-11-06, version 1
A reader's computer kept popping up the Tencent mini homepage at startup, and after that was closed, www.37ss.com popped up. He sent me the log from a HijackThis scan.
The following suspicious items were found in the log:
/---------
O1 - Hosts: 134.224.52.77 oa.jxtele.com
O1 - Hosts: 134.224.52.79 oa2.jxtele.com
O1 - Hosts: 134.224.52.81 mail.jxtele.com
O1 - Hosts: 134.224.52.83 mail2.jxtele.com
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: hxxp://oa.jxtele.com
O15 - Trusted Zone: hxxp://oa2.jxtele.com
O16 - DPF: {098A3F72-3110-4004-B954-2F9DC44934B4} (AddSHCARoot Control) - http://134.224.26.47/xinem8ui/AddSHCARootCert.cab
O23 - Service: Indexing Service (IndexingService) - Unknown owner - C:\WINDOWS\system32\cisrv.exe (file missing)
O23 - Service: NetMeeting Remote - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Socks_Management_Instrumentati (SocksManagement) - Unknown owner - C:\WINDOWS\Socks_Management.exe (file missing)
---------/
Suggested repair steps:
Reboot into Safe Mode.
If System Restore is enabled, disable it.
Stop and disable the following services:
Indexing Service (IndexingService)
NetMeeting Remote
Socks_Management_Instrumentati (SocksManagement)
Open Task Manager and, if the following processes are present, terminate them:
C:\WINDOWS\system32\ad1.exe
C:\WINDOWS\system32\PYINTAU.EXE
Use WinRAR to locate the following files:
/---------
C:\WINDOWS\system32\ad1.exe
C:\WINDOWS\system32\PYINTAU.EXE
C:\WINDOWS\system32\cisrv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Socks_Management.exe
---------/
Back them up in an archive, then delete them. Pack the files you find with an archiver (such as WinRAR or WinZip) as a backup, and once all repair work is finished send the archive as an email attachment to [email protected].
Close all browser windows and folder windows, run a new HijackThis scan, tick the suspicious items listed above, and click [Fix] (if you are sure an item is safe, you can leave it).
Empty the IE temporary files folder.
Reboot the computer and send the previously backed-up archive to [email protected].
From: https://blog.51cto.com/endurer/5921725