endurer 原创
2006-04-16 第2版 网友回复说问题已经解决,并把文件INTasks.exe和svchest.exe发了过来
2006-04-03 第1版
刚才收到一个网友转发来的HijackThis的log文件,该网友的网友电脑定期弹出hxxp://www.71791.com的网页。
在log中发现如下可疑的项目:
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKLM/../Run: [Service] svchest.exe
O4 - HKLM/../Run: [MSService] svchest.exe
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Restrictions present
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Control Panel present
O6 - HKLM/Software/Policies/Microsoft/Internet Explorer/Restrictions present
O23 - Service: Remote Internet Service (Msisvr) - Unknown owner - C:/WINDOWS/System32/INTasks.exe
给他的修复建议为:
以安全模式启动计算机
关闭系统还原功能
停止并禁用服务:Remote Internet Service (Msisvr)
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:/WINDOWS/System32/INTasks.exe
svchest.exe(用开始菜单的搜索功能查找)
把找到的文件用压缩软件(如winrar, winzip)打包备份,然后删除。
待全部修复工作完成后,把压缩包作为email附件发到endurer@163.com。
请关闭所有浏览器窗口和文件夹窗口,重新使用HijackThis扫描,在上面所列的项目前打上勾,然后点[修复](Fix)。
清空IE临时文件夹
svchest.exe 好像是用Borland的Delphi写的。
会通过regedit把winpub.reg导入注册表,
从hxxp://xingz.3322.org下载guest.exe,并保存为INTasks.exe,作为系统服务启动项
强制IE打开hxxp://www.71791.com、hxxp://www.71791.com/news、hxxp://www.71791.com/goodvip、hxxp://www.71791.com/mm等网页。
| File: | svchest.exe |
| Status: |
INFECTED/MALWARE
|
| MD5 | 800f9cd970666a684d4b7eb3dfce1b31 |
| Packers detected: | - |
| Scanner results | |
| AntiVir | Found Trojan/Drop.Delf.PT |
| ArcaVir | Found Trojan.Spy.Delf.Pt |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found Trojan.Agent.Delf.A |
| ClamAV | Found nothing |
| Dr.Web | Found nothing |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found nothing |
| NOD32 | Found probably a variant of Win32/TrojanDownloader.Delf.NDQ (probable variant) |
| Norman Virus Control | Found Sandbox: W32/Malware; [ General information ]
* **Locates window "NULL [class Shell_TrayWnd]" on desktop. [ Process/window information ] |
| UNA | Found nothing |
| VirusBuster | Found nothing |
| VBA32 | Found nothing |
| File: | INTasks.exe |
| Status: | INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) |
| MD5 | 4d99311d87ff634b0c0fa361208c9e7f |
| Packers detected: | NSPACK |
|
Scanner results
|
|
| AntiVir | Found Trojan/Agent.Delf.A |
| ArcaVir | Found nothing |
| Avast |
Found nothing
|
| AVG Antivirus | Found nothing |
| BitDefender | Found Trojan.Agent.Delf.A |
| ClamAV | Found nothing |
| Dr.Web | FoundTrojan.MulDrop.3582 |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found nothing |
| NOD32 | Found probably unknown NewHeur_PE (probable variant) |
| Norman Virus Control | Found W32/Agent.ZIZ |
| UNA | Found nothing |
| VirusBuster | Found nothing |
| VBA32 | Found nothing |