瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 浏览器被http://www.6781.com劫持,救命啊!有日志

12   2  /  2  页   跳转

浏览器被http://www.6781.com劫持,救命啊!有日志

收藏
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 16:31 | 只看楼主 短消息 资料
字号: 11楼

==================================
正在运行的进程
[PID: 460][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 516][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 540][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 584][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 596][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 744][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 792][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 884][d:\Rising\Rav\CCenter.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 916][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1012][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1088][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
gototop
 
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 16:32 | 只看楼主 短消息 资料
字号: 12楼

[PID: 1100][d:\Rising\Rav\Ravmond.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 1, 47]
    [d:\Rising\Rav\BWList.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
    [d:\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [d:\Rising\Rav\RsPPsys.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
    [d:\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [d:\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 11]
    [d:\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [d:\Rising\Rav\RsLog.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
    [d:\Rising\Rav\HOOKSYS.dll]  [Beijing Rising Technology Co., Ltd., 18, 1, 0, 12]
    [d:\Rising\Rav\Scanner.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 33]
    [d:\Rising\Rav\libload.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 10]
    [d:\Rising\Rav\VirusLib.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [d:\Rising\Rav\regmon.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 6]
    [d:\Rising\Rav\HookWeb.dll]  [rising, 18, 0, 0, 2]
    [d:\Rising\Rav\MemMon.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 12]
    [d:\Rising\Rav\expscan.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [d:\Rising\Rav\mPorts.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
    [d:\Rising\Rav\MailMon.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
    [d:\Rising\Rav\SpamEng.dll]  [N/A, 18, 0, 0, 6]
    [d:\Rising\Rav\engine.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 35]
    [d:\Rising\Rav\PostTrt.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 18]
    [d:\Rising\Rav\UnExe.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 11]
    [d:\Rising\Rav\ScanExec.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 16]
    [d:\Rising\Rav\ScanEx.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 33]
    [d:\Rising\Rav\RSUnpack.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 21]
    [d:\Rising\Rav\ExtFile.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 24]
    [d:\Rising\Rav\NvFile.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 7]
    [d:\Rising\Rav\ScanMac.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 10]
    [d:\Rising\Rav\ScanSct.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
    [d:\Rising\Rav\Unpacker.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
    [d:\Rising\Rav\ExtOLE.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 6]
[PID: 1240][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
    [F:\BitComet_0.77_PConline\tools\BitCometBHO.dll]  [BitComet, 20061116]
[PID: 1376][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1472][d:\Rising\Rav\RavStub.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 16]
    [d:\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [d:\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1648][C:\WINDOWS\VM_STI.EXE]  [Vimicro, 4, 2, 1124, 6]
    [C:\WINDOWS\system32\msdmo.dll]  [N/A, N/A]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1656][D:\Rising\Rav\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 22]
    [D:\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [D:\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 11]
    [D:\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
[PID: 1668][D:\Rising\Rav\Ravmon.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 1, 39]
    [D:\Rising\Rav\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 26]
    [D:\Rising\Rav\BWList.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
    [D:\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [D:\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 11]
    [D:\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [D:\Rising\Rav\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
gototop
 
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 16:33 | 只看楼主 短消息 资料
字号: 13楼

[PID: 1748][D:\ftc\Trojanwall.exe]  [风云谷, 5.8.0.2118]
    [D:\ftc\ftcapi.dll]  [fygsoft, 1.1.0.0]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1764][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1052][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.8195]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1160][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1216][C:\WINDOWS\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 172][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 1000][D:\Tencent\TT\TCPlus.exe]  [腾讯公司, 1, 0, 0, 5]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
    [D:\Tencent\TT\QQDownload.dll]  [Tencent Technology (Shenzhen) Company Limited, 1, 0, 101, 28]
    [D:\Tencent\TT\TNProxy.dll]  [Tencent Technology(Shenzhen) Company Limited, 2, 1, 101, 60]
[PID: 2892][D:\拼音加加\jj4\jjsvr4.exe]  [加加开发组, 4.0.0.20]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 3876][D:\Tencent\TT\TTraveler.exe]  [腾讯公司, 3.1.0.261]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
    [C:\WINDOWS\system32\kakatool.dll]  [Beijing Rising Technology Co., Ltd., 2, 0, 2, 1]
    [D:\Tencent\TT\Plugins\QQFloatBar\QQFloatBar4TT2.dll]  [腾讯公司, 1, 1, 0, 5]
    [D:\Tencent\TT\Plugins\TWeather\TWeather.dll]  [, 1, 0, 0, 3]
    [d:\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\Tencent\TT\PersonalDesktop.dll]  [深圳市腾讯计算机系统公司QQ工作小组, 1, 0, 0, 4]
    [C:\WINDOWS\system32\PYJJ4.IME]  [加加工作组, 4.0.0.21]
    [C:\WINDOWS\system32\macromed\flash\Flash85.ocx]  [Macromedia, Inc., 8,5,0,133]
[PID: 2388][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
[PID: 224][F:\tools\HijackThis\sreng2\SREng\SREng.exe]  [Smallfrogs Studio, 2.2.6.605]
    [D:\ftc\ProcessHook.dll]  [Fygsoft and Microsoft, 1.1.0.67]
    [D:\ftc\Filehook.dll]  [Fygsoft and Microsoft, 2.1.0.0]
    [D:\ftc\SocketMon.dll]  [Fygsoft and Microsoft, 1.1.1.0]
gototop
 
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 16:33 | 只看楼主 短消息 资料
字号: 14楼

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
gototop
 
红夜鬼1
头像
横据古稀狮
  • 帖子:8602
  • 注册: 2006-10-18
  • 来自:
发表于: 2006-11-30 17:38 | 短消息 资料
字号: 15楼


运行(双击)SRENG2,点“启动项目,服务,点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
Local Connection Manager
Remote Route Service
,选择“删除服务”
点“设置”选择“否”
重启按F8进入安全模式下
显示隐藏文件
删除:       
C:\WINDOWS\SYSTEM32\WBEM\TOJYXM24.DLL
C:\WINDOWS\system32\snugvt62.dll
gototop
 
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 18:14 | 只看楼主 短消息 资料
字号: 16楼

【回复“红夜鬼1”的帖子】全部照作了,没用啊老大
gototop
 
红夜鬼1
头像
横据古稀狮
  • 帖子:8602
  • 注册: 2006-10-18
  • 来自:
发表于: 2006-11-30 18:20 | 短消息 资料
字号: 17楼

运行(双击)SRENG2,点“启动项目,服务,点“驱动程序”
勾选“隐藏微软服务”选中病毒服务
bootdrv
gaehjeef
,选择“删除服务”
点“设置”选择“否”
重启按F8进入安全模式下
显示隐藏文件
删除:         
\SystemRoot\System32\Drivers\bootdrv.sys
\SystemRoot\system32\drivers\gaehjeef.sys
gototop
 
☆达达☆
头像
拙长孩提狮
  • 帖子:101
  • 注册: 2004-12-27
  • 来自:
发表于: 2006-11-30 20:32 | 只看楼主 短消息 资料
字号: 18楼

\SystemRoot\System32\Drivers\bootdrv.sys
能找到bootdrv.sys,但不在老大您说的路径里
\SystemRoot\system32\drivers\gaehjeef.sys这个完全找不到,已经打开隐藏,不过IE恢复正常了
gototop
 
红夜鬼1
头像
横据古稀狮
  • 帖子:8602
  • 注册: 2006-10-18
  • 来自:
发表于: 2006-11-30 20:34 | 短消息 资料
字号: 19楼

我的电脑---文件夹选项----查看----隐藏已知受系统保护的文件勾去掉,显示所有文件勾上,隐藏已知文件类型的扩展名这个勾去掉
gototop
 
<<上一主题|下一主题>>
12   2  /  2  页   跳转
页面顶部
Powered by Discuz!NT