Rising Kaka Security Forum
thlautumn - 2006-11-4 9:54:00
After my computer boots, an error dialog pops up saying "iexplore.exe has encountered a problem and needs to close. We are sorry for the inconvenience." with two buttons, Close and Debug; clicking Close makes the system reboot by itself. I figure it is a virus. Scanning with the latest Rising, it reboots as soon as the memory scan reaches iexplore.exe. With IceSword I found two hidden IEXPLORE.EXE processes, although I had not opened IE at all. In Safe Mode those two processes are absent, and a Rising scan finds no virus. With HijackThis I found:
Logfile of HijackThis v1.99.1
Scan saved at 15:40:19, on 2006-11-2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
D:\software\rav\HijackThis首页绑架克星汉化版\HijackThis首页绑架克星汉化版.exe
C:\WINDOWS\regedit.exe
R3 - URLSearchHook: Yahoo! Assistant - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dll (file missing)
O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\Program Files\Yahoo!\Assistant\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: Yahoo! Assistant - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: AdSwpr - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\IE修复~1\IERBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Assistant - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O3 - Toolbar: &IE Repair Expert - {123249EB-F891-44C4-946F-450064F9080E} - C:\PROGRA~1\IE修复~1\IERBar.dll
O4 - HKLM\..\RunOnce: [RavStub] "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download all links with FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACC6D880-78D3-434A-B5CF-7E366C72034D}: NameServer = 192.168.0.1
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Fast User Swltcheng Competibll - Unknown owner - C:\WINDOWS\ChaggeDlspley.com
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\System32\System
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
I found that these three services:
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Fast User Swltcheng Competibll - Unknown owner - C:\WINDOWS\ChaggeDlspley.com
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\System32\System
are abnormal, so in Safe Mode I deleted the related registry entries and their files. After rebooting, the "iexplore.exe has encountered a problem and needs to close. We are sorry for the inconvenience." dialog no longer pops up, but one hidden iexplore.exe process is still there. I cannot get rid of this process no matter what I do; ending it with IceSword does not make the system reboot.
Even after I ended all the services in IceSword, the hidden iexplore.exe process is still there after a reboot. But in Safe Mode it is not.
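The three O23 lines singled out above can be caught mechanically rather than by eye. The following is an added example, not the poster's code and not part of HijackThis: a small Python triage of HijackThis O23 service lines that flags a missing vendor string, a missing image file, an image that is not an .exe or sits directly in %SystemRoot%, a built-in service name whose image is not the binary the genuine service runs in, and a display name that is a near miss of a built-in one (difflib similarity), which is how "Fast User Swltcheng Competibll" imitates "Fast User Switching Compatibility". The KNOWN_SERVICES table is an assumption for illustration; the sample log is the O23 block posted above.

```python
import difflib
import ntpath
import re

# Assumption, added for illustration: built-in Windows XP services that malware
# likes to imitate, mapped to the image the genuine service runs in. Fast User
# Switching Compatibility is hosted by svchost.exe and Net Logon runs inside
# lsass.exe; neither has a standalone binary of its own.
KNOWN_SERVICES = {
    "fast user switching compatibility": "svchost.exe",
    "net logon": "lsass.exe",
    "windows management instrumentation": "svchost.exe",
    "print spooler": "spoolsv.exe",
}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_RE = re.compile(r"^(?P<display>.+?)(?: \((?P<short>[^()]+)\))?$")
BIN_RE = re.compile(r'^"?(?P<bin>[^"]*?\.(?:exe|com|dll|bat|scr|pif))(?:"|\s|$)', re.I)

# Constructed sample: the O23 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Fast User Swltcheng Competibll - Unknown owner - C:\WINDOWS\ChaggeDlspley.com
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\System32\System
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def parse_o23(log_text):
    """Yield one dict per O23 line: display/short name, owner, image path, missing flag."""
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        names = SHORT_RE.match(m.group("name"))
        raw = m.group("path")
        missing = "(file missing)" in raw
        raw = raw.replace("(file missing)", "").strip()
        b = BIN_RE.match(raw)  # cut trailing arguments such as -d -f ... off the image
        yield {
            "display": names.group("display"),
            "short": names.group("short"),
            "owner": m.group("owner"),
            "binary": b.group("bin") if b else raw,
            "file_missing": missing,
        }


def triage(log_text, lookalike_threshold=0.7):
    """Return {display name: [findings]}; an empty list means nothing stood out."""
    report = {}
    for svc in parse_o23(log_text):
        findings = []
        name_lc = svc["display"].lower()
        binary = svc["binary"]
        if svc["owner"] == "Unknown owner":
            findings.append("no vendor in the image's version info")
        if svc["file_missing"]:
            findings.append("image file missing (stale entry or already removed)")
        ext = ntpath.splitext(binary)[1].lower()
        if ext != ".exe":
            findings.append(f"service image is not an .exe ({ext or 'no extension'})")
        if ntpath.dirname(binary).lower().endswith(":\\windows"):
            findings.append("image sits directly in %SystemRoot%")
        if name_lc in KNOWN_SERVICES:
            expected = KNOWN_SERVICES[name_lc]
            if ntpath.basename(binary).lower() != expected:
                findings.append(f"built-in name but image is not {expected}")
        else:
            # Typo-squatted names: close to a built-in name without being equal to it.
            best = max(KNOWN_SERVICES, key=lambda k: difflib.SequenceMatcher(None, name_lc, k).ratio())
            ratio = difflib.SequenceMatcher(None, name_lc, best).ratio()
            if ratio >= lookalike_threshold:
                findings.append(f"look-alike of built-in '{best}' (similarity {ratio:.2f})")
        report[svc["display"]] = findings
    return report


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(hits) or 'ok'}")
```

The rpcapd entry is flagged only as "Unknown owner" plus a missing file, which is what a leftover WinPcap uninstall looks like; the other two collect several findings each, and that accumulation, not any single rule, is what separates them from the legitimate Rising and CA services.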
newcenturymoon - 2006-11-4 10:58:00
O23 - Service: Fast User Swltcheng Competibll - Unknown owner - C:\WINDOWS\ChaggeDlspley.com
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\System32\System
Fix these,
then delete the corresponding files after rebooting.
thlautumn - 2006-11-4 13:51:00
Already deleted them. It's just that one hidden IE process is left, and I can't get rid of that remaining one no matter what. The registry entry and its file have both been deleted.
叶·幽思 - 2006-11-4 14:00:00
Is your problem solved?
What is the path of the hidden iexplore.exe process?
If there is still a problem, post an SREng log.
thlautumn - 2006-11-4 14:14:00
Not solved. iexplore.exe is just c:\Program Files\Internet Explorer
newcenturymoon - 2006-11-4 14:51:00
Quote:
thlautumn wrote: Already deleted them. It's just that one hidden IE process is left, and I can't get rid of that remaining one no matter what. The registry entry and its file have both been deleted ……
Which hidden IE process?
thlautumn - 2006-11-4 15:05:00
In IceSword's process list I can see a hidden iexplore.exe process, pointing to
c:\Program Files\Internet Explorer\iexplore.exe
thlautumn - 2006-11-4 15:07:00
2006-11-04,14:32:58
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- Administrator user - full functionality
The following items were selected:
All startup items (including registry, startup folders, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Winsock providers
Autorun.inf
HOSTS file
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<MemoryZipperPlus><> [N/A]
<Xplus><"D:\Xplus_Wait.exe" /min> [N/A]
<Xplus_spy><"D:\xvcclip.exe" /min> [N/A]
<xvcclip><D:\xvcclip.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BIE><Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32> [N/A]
<CaAvTray><"C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"> [(Verified)Computer Associates International, Inc.]
<CAVRID><"C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"> [(Verified)Computer Associates International, Inc.]
<EngQQ><C:\Program Files\engqq\EngQQ.exe> [N/A]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload> [(Verified)Microsoft Corporation]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
<Launch LCDMon><"C:\Program Files\Logitech\G-series Software\LCDMon.exe"> [N/A]
<Ljx><C:\WINDOWS\inf\rundll32.exe> [N/A]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [N/A]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> [N/A]
<SysExplr><C:\HEROSOFT\HERO2001\SYSEXPLR.EXE> [N/A]
<systime><C:\Program Files\zxhclock\clock.exe> [N/A]
<yassistse><"C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"> [Yahoo!]
<YLive.exe><C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe> [Yahoo! China]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{4BAB150F-DD97-476D-9C1E-41B6CDC0CA7A}><C:\PROGRA~1\Yahoo!\ASSIST~1\yclickon.dll> [YAHOO Corporation Limited]
<{E568441B-9EF3-49F8-9A67-4141AC41ADD4}><C:\PROGRA~1\Yahoo!\ASSIST~1\assist\ypatch.dll> [Yahoo! China]
thlautumn - 2006-11-4 15:08:00
==================================
Startup folder
N/A
==================================
Services
[CAISafe / CAISafe]
<C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe><Computer Associates International, Inc.>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Network Location / Network Location]
<C:\Program Files\Common Files\Microsoft Shared\MSINFO\msinfos.exe><Microsoft Corporation>
[Peer Networking Group Authentication / p2pgasvc]
<C:\WINDOWS\system32\svchost.exe -k p2psvc-->%SystemRoot%\system32\p2pgasvc.dll><N/A>
[Peer Networking Identity Manager / p2pimsvc]
<C:\WINDOWS\system32\svchost.exe -k p2psvc-->%SystemRoot%\system32\p2psvc.dll><N/A>
[Peer Networking / p2psvc]
<C:\WINDOWS\system32\svchost.exe -k p2psvc-->%SystemRoot%\system32\p2psvc.dll><N/A>
[Peer Name Resolution Protocol / PNRPSvc]
<C:\WINDOWS\system32\svchost.exe -k p2psvc-->%SystemRoot%\system32\p2psvc.dll><N/A>
[Rising Personal Firewall Service / RfwService]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Servicel / Servicel]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\jetspeed.dll><N/A>
[VET Message Service / VETMSGNT]
<C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe><Computer Associates International, Inc.>
[Visual Studio Analyzer RPC bridge / Visual Studio Analyzer RPC bridge]
<C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe><Microsoft Corporation>
==================================
Drivers
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc]
<system32\drivers\ac97intc.sys><Intel Corporation>
[Rising TDI Base Driver / BaseTDI]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[10Moons A.DV3000XP, WDM Video Captures / Cap7134]
<system32\DRIVERS\Cap7134.sys><Philips Semiconductors>
[ExpScaner / ExpScaner]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising tech Co. ltd>
[HookReg / HookReg]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[i81x / i81x]
<system32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0]
<system32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
[iAimFP1 / iAimFP1]
<system32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
[iAimFP2 / iAimFP2]
<system32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
[iAimFP3 / iAimFP3]
<system32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
[iAimFP4 / iAimFP4]
<system32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
[iAimFP5 / iAimFP5]
<system32\DRIVERS\wADV07nt.sys><Intel(R) Corporation>
[iAimFP6 / iAimFP6]
<system32\DRIVERS\wADV08nt.sys><Intel(R) Corporation>
[iAimFP7 / iAimFP7]
<system32\DRIVERS\wADV09nt.sys><Intel(R) Corporation>
[iAimTV0 / iAimTV0]
<system32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
[iAimTV1 / iAimTV1]
<system32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
[iAimTV3 / iAimTV3]
<system32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
[iAimTV4 / iAimTV4]
<system32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
[iAimTV5 / iAimTV5]
<system32\DRIVERS\wATV10nt.sys><Intel(R) Corporation>
[iAimTV6 / iAimTV6]
<system32\DRIVERS\wATV06nt.sys><Intel(R) Corporation>
[Intel(R) 536EP V.92 Modem / Intels51]
<system32\DRIVERS\Intels51.sys><Intel Corporation>
[MEMSCAN / MEMSCAN]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs]
<\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[NetGroup Packet Filter Driver / NPF]
<system32\drivers\npf.sys><Politecnico di Torino>
[npkcrypt / npkcrypt]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><N/A>
[PNP20181 / PNP20181]
<system32\Drivers\pnp20181.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
<system32\DRIVERS\secdrv.sys><N/A>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1]
<system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[VET File System Filter / VET-FILT]
<C:\WINDOWS\SYSTEM32\DRIVERS\VET-FILT.SYS><Computer Associates International, Inc.>
[VET File System Recognizer / VET-REC]
<C:\WINDOWS\SYSTEM32\DRIVERS\VET-REC.SYS><Computer Associates International, Inc.>
[VET Boot Scan Engine / VETEBOOT]
<C:\WINDOWS\SYSTEM32\DRIVERS\VETEBOOT.SYS><Computer Associates International, Inc.>
[VET File Scan Engine / VETEFILE]
<C:\WINDOWS\SYSTEM32\DRIVERS\VETEFILE.SYS><Computer Associates International, Inc.>
[VET Floppy Boot Sector Monitor / VETFDDNT]
<C:\WINDOWS\SYSTEM32\DRIVERS\VETFDDNT.SYS><Computer Associates International, Inc.>
[VET File Monitor / VETMONNT]
<C:\WINDOWS\SYSTEM32\DRIVERS\VETMONNT.SYS><Computer Associates International, Inc.>
[WinDriver6 / WinDriver6]
<system32\drivers\windrvr6.sys><Jungo>
thlautumn - 2006-11-4 15:08:00
==================================
Browser add-ons
[Yahoo!Photo]
{33BBE430-0E42-4f12-B075-8D21ACB10DCB} <, N/A>
[Yahoo! Assistant]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <, N/A>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[Yahoo! Assistant]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <, N/A>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\Mshtml.dll, N/A>
[Yahoo!Photo]
{33BBE430-0E42-4F12-B075-8D21ACB10DCB} <, N/A>
[Yahoo! Assistant]
{406F94F0-504F-4A40-8DFD-58B0666ABEBD} <, N/A>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[BandIE Class]
{77FEF28E-EB96-44FF-B511-3185DEA48697} <C:\Progra~1\Baidu\bar\BaiDuBar.dll, N/A>
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Microsoft DirectAnimation Control]
{B6FFC24C-7E13-11D0-9B47-00C04FC2F51D} <C:\WINDOWS\system32\danim.dll, Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
{CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
{CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[Flash Object Class]
{FBBCF512-3DD7-4017-9CFA-892761F77751} <C:\WINDOWS\system32\FlashObject.dll, Macromedia, Inc.>
[Download with FlashGet]
<C:\PROGRA~1\FLASHGET\jc_link.htm, N/A>
[Download all links with FlashGet]
<C:\PROGRA~1\FLASHGET\jc_all.htm, N/A>
==================================
Running processes
[PID: 444][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 984][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1972][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1144][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1204][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 168][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 688][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 928][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1036][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1216][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 204][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 256][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\PROGRA~1\Yahoo!\ASSIST~1\assist\ypatch.dll] [Yahoo! China, 2, 0, 4, 1007]
[C:\PROGRA~1\Yahoo!\ASSIST~1\yclickon.dll] [YAHOO Corporation Limited, 2, 0, 0, 1001]
[PID: 1556][C:\WINDOWS\system32\netdde.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1648][C:\WINDOWS\system32\clipsrv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1708][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] [Microsoft Corporation, 7.00.9466]
[PID: 832][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 276][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 192][E:\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS file
N/A
==================================
影子110 - 2006-11-4 15:24:00
<Ljx><C:\WINDOWS\inf\rundll32.exe> [N/A]
First check this file's properties (if you confirm it is a problem),
then please fix it in Safe Mode and delete the related files.
轩辕小聪 - 2006-11-4 15:43:00
Additionally:
Delete the following service:
[Servicel / Servicel]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\jetspeed.dll><N/A>
then after rebooting delete
C:\WINDOWS\system32\jetspeed.dll
[Network Location / Network Location]
<C:\Program Files\Common Files\Microsoft Shared\MSINFO\msinfos.exe><Microsoft Corporation>
This entry is quite suspicious, because the location of its file resembles the server of the 上兴 (Shangxing) remote-control trojan, and my own computer has neither this entry nor this file. In particular, it claims a Microsoft signature yet fails verification (although normally 上兴 does not carry a signature at all). First change its startup type to Disabled; if the hidden IE process no longer appears after a reboot, that confirms it is the cause, so delete the service entry and delete the file. Before deleting the file, please pack it with WinRAR, set the password to virus, and send it to my mailbox (see my signature).
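The reasoning in the post above (a service hosted by "svchost.exe -k netsvcs" whose ServiceDll nobody recognises, together with the earlier AppInit_DLLs and C:\WINDOWS\inf\rundll32.exe entries) can be turned into checks that run over an SREng log. The following is an added example, not the poster's code and not part of SREng: a Python audit that flags a netsvcs member missing from a stock XP SP2 membership list or whose ServiceDll lives outside system32, a Run entry whose image is a Windows system binary sitting outside system32 or an unverified image under %SystemRoot% but outside system32, and a non-empty AppInit_DLLs value (a DLL that every user32-linked process loads, which is one way a DLL ends up inside an otherwise genuine iexplore.exe). STOCK_NETSVCS and SYSTEM_BINARIES are assumptions for illustration; the sample is a constructed excerpt of the log posted above in SREng's own layout.

```python
import ntpath
import re

# Assumption (not from the post): the svchost group "netsvcs" on a stock Windows XP
# SP2 contains these service short names (subset). A service that runs as
# "svchost.exe -k netsvcs" but is not on this list had to be added to
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs by something
# else, which is how a malicious ServiceDll hides among the legitimate ones.
STOCK_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc", "eventsystem",
    "fastuserswitchingcompatibility", "helpsvc", "hidserv", "ias", "iprip", "lanmanserver",
    "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc", "rasauto", "rasman",
    "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "w32time", "winmgmt", "wmi", "wuauserv",
    "wzcsvc", "xmlprov",
}
# Windows binaries that belong in %SystemRoot%\system32; a copy anywhere else is a red flag.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "regsvr32.exe", "userinit.exe"}

REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r"^<(?P<name>[^<>]*)><(?:;\s*)?(?P<value>.*)> \[(?P<vendor>[^\]]*)\]$")
SVC_HDR_RE = re.compile(r"^\[(?P<display>.+) / (?P<short>[^\]/]+)\]$")
SVC_VAL_RE = re.compile(r"^<(?P<image>.*)><(?P<vendor>[^<>]*)>$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>[^\s-]+)-->(?P<dll>.+)$", re.I)

# Constructed sample: an excerpt of the SREng log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<BIE><Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32> [N/A]
<Ljx><C:\WINDOWS\inf\rundll32.exe> [N/A]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
==================================
Services
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Servicel / Servicel]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\jetspeed.dll><N/A>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
"""


def image_of(command):
    """Best-effort file behind a Run-key command: the DLL for rundll32, otherwise the
    quoted or first-token path (unquoted paths containing spaces are not resolved)."""
    cmd = command.strip()
    m = re.match(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+)", cmd, re.I)
    if m:
        return m.group("dll").strip().strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def in_system32(path):
    return ntpath.dirname(path).lower().endswith("\\system32")


def check_autorun(name, value, vendor):
    if name.lower() == "appinit_dlls":
        msg = f"AppInit_DLLs={value}: loaded into every user32 process, iexplore.exe included"
        return [("reg", name, msg)] if value.strip() else []
    img = image_of(value)
    base, d = ntpath.basename(img).lower(), ntpath.dirname(img).lower()
    if base in SYSTEM_BINARIES and not in_system32(img):
        return [("reg", name, f"{base} outside system32: {img}")]
    if not vendor.startswith("(Verified)") and re.match(r"^[a-z]:\\windows(\\|$)", d) and not in_system32(img):
        return [("reg", name, f"unverified image under %SystemRoot% but outside system32: {img}")]
    return []


def check_service(short, image):
    m = SVCHOST_RE.search(image)
    if m:
        group, dll = m.group("group").lower(), m.group("dll").strip()
        out = []
        if group == "netsvcs" and short.lower() not in STOCK_NETSVCS:
            out.append(("svc", short, f"not a stock member of svchost group netsvcs; ServiceDll={dll}"))
        if not in_system32(dll):
            out.append(("svc", short, f"ServiceDll outside system32: {dll}"))
        return out
    exe = image.strip().strip('"')
    if ntpath.basename(exe).lower() in SYSTEM_BINARIES and not in_system32(exe):
        return [("svc", short, f"system binary name outside system32: {exe}")]
    return []


def audit(log_text):
    """Walk an SREng log and return (section, entry, reason) tuples for suspicious items."""
    findings, mode, current = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if REG_KEY_RE.match(line):
            mode = "reg"
            continue
        m = SVC_HDR_RE.match(line)
        if m:
            mode, current = "svc", m.group("short")
            continue
        if mode == "reg" and (m := REG_VAL_RE.match(line)):
            findings += check_autorun(m.group("name"), m.group("value"), m.group("vendor"))
        elif mode == "svc" and (m := SVC_VAL_RE.match(line)):
            findings += check_service(current, m.group("image"))
    return findings
```

The netsvcs membership check is the one worth keeping: jetspeed.dll sits in system32 with a plausible-looking name, so a path or vendor rule says nothing about it, but no stock XP service is called "Servicel", and on a live box the same question is answered by comparing the Svchost\netsvcs multi-string value against the service list.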
thlautumn - 2006-11-4 15:43:00
Already deleted it, and the process is still there.
thlautumn - 2006-11-4 15:49:00
I have already tried disabling all the services in IceSword and rebooting; a hidden iexplore.exe process is still there. The log above is from after I re-enabled those services.
轩辕小聪 - 2006-11-4 16:05:00
Quote:
thlautumn wrote: I have already tried disabling all the services in IceSword and rebooting; a hidden iexplore.exe process is still there. The log above is from after I re-enabled those services ……
What exactly do you mean by "disabling all the services"?
thlautumn - 2006-11-4 16:14:00
Changing every service from Automatic to Disabled in IceSword's services list.
thlautumn - 2006-11-4 16:16:00
I did not delete the registry entries; in Safe Mode this hidden iexplore.exe process is not there.
taylor05771 - 2006-11-4 16:26:00
Heh, a PcShare trojan.
thlautumn - 2006-11-4 16:36:00
Where do you see that?