Encountering internet.exe, new.sys, hcalway.sys, mspcidrv.sys, msprosys.sys and others

Last night a netizen told me his computer had picked up a virus: ad windows popped up at irregular intervals, and sometimes a countdown to shutdown started. He asked me to troubleshoot it over QQ remote assistance.

I downloaded pe_xscan, ran a scan and analysed the log, and found the following suspicious items:

/---
pe_xscan 07-08-30 by Purple Endurer
2007-11-20 21:07:25
Windows XP Service Pack 1(5.1.2600)
管理员用户组 
[System Process] * 0
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
C:/WINDOWS/system32/svchost.exe * 796 | 2002-10-7 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.0 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/System32/svchost.exe * 1156 | 2002-10-7 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.0 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/System32/ctfmon.exe * 532 | 2002-10-7 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.1106 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
C:/Program Files/Tencent/qq/QQ.exe * 3244 | 2007-10-11 18:26:42 | QQ | 7,1,518,1751 | QQ | Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved | 7,1,518,1751 | TENCENT |  | COMQQD | QQ.exe
    C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
C:/Program Files/Tencent/QQ/TIMPlatform.exe * 3272 | 2007-10-11 17:43:48 | QQ | 7,1,518,1751 | TIMPlatform | Copyright ? 2005 ━ 2007 TENCENT Inc. All Rights Reserved | 7,1,518,1751 | TENCENT |  | TIMPlatform | TIMPlatform.exe
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
C:/WINDOWS/System32/rundll32.exe * 1376 | 2002-10-7 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.0 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
C:/Program Files/Internet Explorer/iexplore.exe * 2268 | 2002-10-7 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/Program Files/TENCENT/SSPlus/SAddr.dll | 2007-11-6 9:22:28 | SAddr Module | 5, 0, 2, 10 |  |  | 5, 0, 2, 10 | Tencent |  | SAddr.dll | 
    C:/Program Files/DeskAdTop/deskipn.dll | 2006-6-13 14:22:34 | bho Module | 1, 0, 0, 1 | bho Module | Copyright 2006 | 1, 0, 0, 1 | | ? | bho | bho.DLL
    C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/explorer.exe * 3788 | 2002-10-7 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 25 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/Program Files/TENCENT/SSPlus/SAddr.dll | 2007-11-6 9:22:28 | SAddr Module | 5, 0, 2, 10 |  |  | 5, 0, 2, 10 | Tencent |  | SAddr.dll | 
O2 - BHO IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:/Program Files/DeskAdTop/deskipn.dll
O2 - BHO Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:/Program Files/TENCENT/SSPlus/SAddr.dll
O2 - BHO CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:/WINDOWS/System32/NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:/WINDOWS/System32/IEHelper.dll
O2 - BHO  - {F6CD3E64-61D4-4cb1-982C-DAE3271B6D85} - 
O3 - IE工具栏: whatever.. - {40987A5C-6AB8-4977-8BE9-A8889DE2EDCC} - C:/Program Files/Copyso/CopysoIE.dll
O4 - HKLM/../Run: [NMGameX_AutoRun] C:/WINDOWS/System32/Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM/../Run: [CdnCtr] 
O4 - HKLM/../Run: [Desktop] "C:/WINDOWS/System32/internet.exe"
O4 - HKLM/../Run: [Internet] "C:/WINDOWS/system32/internet.exe"
O4 - HKLM/../Run: [stup.exe] Rundll32.exe C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll,Rundll32 R
O9 - IE工具栏扩展按钮HKLM:中文域名 - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O9 - IE工具菜单扩展项HKLM:中文域名 - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O9 - IE工具栏扩展按钮HKLM:易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - hxxp://adfarm.mediaplex.com/ad/ck/4080-23171-9517-195?cn=song;icon;hp&mpro=hxxp://www.ebay.com.cn
O9 - IE工具菜单扩展项HKLM:易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - hxxp://adfarm.mediaplex.com/ad/ck/4080-23171-9517-195?cn=song;icon;hp&mpro=hxxp://www.e
O11 - IE扩展选项组:TBH (中文搜搜) =
O23 - 服务: abhcop (abhcop) - system32/drivers/abhcop.sys(系统)
O23 - 服务: AHOOK (AHOOK) - C:/WINDOWS/System32/drivers/ahook.sys(自动)
O23 - 服务: CdnHook (CDNHOOK) - System32/drivers/cdnhook.sys(系统)
O23 - 服务: hcalway (hcalway) - System32/DRIVERS/hcalway.sys(系统)
O23 - 服务: Internet Connection Manager (Internet Connection Manager) - "C:/WINDOWS/System32/internet.exe"(自动)
O23 - 服务: mspcidrv (mspcidrv) - system32/DRIVERS/mspcidrv.sys(系统)
O23 - 服务: msprosys (msprosys) - System32/DRIVERS/msprosys.sys(系统)
O23 - 服务: New0 (New0) - C:/WINDOWS/System32/new.sys | 2004-12-4 11:17:36(自动)
O26 - IFEO: cdnup.exe -> C:/WINDOWS/system32/rundll32.exe
---/

It is still on Windows XP SP1... no wonder it has picked up so much rogue software and malware.
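As an added example (not code from the original post), the following Python script triages a constructed subset of the O4/O23/O26 lines from the log above. It parses the pe_xscan/HijackThis-style entries and applies the three cross-checks the analysis above relies on: one image persisted under several autostart names (internet.exe), a .sys file sitting outside a drivers directory (new.sys), and any IFEO redirection (cdnup.exe). The rule names and path heuristics are my own assumptions, not pe_xscan's.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the O4/O23/O26 lines from the pe_xscan log above.
SAMPLE_LOG = """\
O4 - HKLM/../Run: [Desktop] "C:/WINDOWS/System32/internet.exe"
O4 - HKLM/../Run: [Internet] "C:/WINDOWS/system32/internet.exe"
O4 - HKLM/../Run: [stup.exe] Rundll32.exe C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll,Rundll32 R
O23 - 服务: hcalway (hcalway) - System32/DRIVERS/hcalway.sys(系统)
O23 - 服务: Internet Connection Manager (Internet Connection Manager) - "C:/WINDOWS/System32/internet.exe"(自动)
O23 - 服务: New0 (New0) - C:/WINDOWS/System32/new.sys | 2004-12-4 11:17:36(自动)
O26 - IFEO: cdnup.exe -> C:/WINDOWS/system32/rundll32.exe
"""
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - 服务: (.+?) \((.+?)\) - (.*?)\((?:系统|自动|手动|禁用)\)\s*$")
O26_RE = re.compile(r"^O26 - IFEO: (\S+) -> (.*)$")

def image_from_command(cmd):
    """Return the real payload path named by an autostart command line."""
    cmd = cmd.strip().split(" | ")[0]  # drop pe_xscan's trailing timestamp column
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split()
    # rundll32 is only a host process: the DLL it is told to load is the payload
    if parts and parts[0].rsplit("/", 1)[-1].lower() in ("rundll32.exe", "rundll32"):
        return parts[1].split(",")[0]
    return parts[0] if parts else ""

def parse_entries(log):
    for line in log.splitlines():
        if m := O4_RE.match(line):
            yield "O4", m.group(2), image_from_command(m.group(3))
        elif m := O23_RE.match(line):
            yield "O23", m.group(2), image_from_command(m.group(3))
        elif m := O26_RE.match(line):
            yield "O26", m.group(1), m.group(2).strip()

def triage(log):
    """Return sorted (rule, detail) findings from three cross-checks (assumed rule names)."""
    findings, by_image = set(), defaultdict(set)
    for section, name, image in parse_entries(log):
        key = image.lower().replace("\\", "/")
        by_image[key].add(f"{section}:{name}")
        if section == "O26":  # an IFEO Debugger value silently redirects another program
            findings.add(("ifeo_redirect", f"{name} -> {image}"))
        if key.endswith(".sys") and "/drivers/" not in key:  # e.g. new.sys in the System32 root
            findings.add(("sys_outside_drivers", image))
    for image, names in by_image.items():
        if len(names) > 1:  # one file persisted under several autostart names
            findings.add(("multi_registered", f"{image} <- {', '.join(sorted(names))}"))
    return sorted(findings)
```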

Download and install Kaka Security Assistant (卡卡安全助手). First go to [Basic Functions] -> [Scan and Remove Malicious and Rogue Software], scan, and clean up the rogue software.

Then, in [Advanced Functions] -> [System Startup Item Management], click [Logon Items] on the left, find the entries corresponding to the O4 items on the right, right-click them, and choose Delete from the pop-up menu.

Next, in [Advanced Functions] -> [System Startup Item Management], click [Services] and [Drivers] on the left, find the entries corresponding to the O23 items on the right, right-click them, and choose Delete from the pop-up menu; then click [Application Hijack Items] on the left, find the entry corresponding to the O26 item on the right, right-click it, and choose Delete from the pop-up menu.

Next, deal with the files:

C:/WINDOWS/System32/internet.exe

C:/WINDOWS/System32/new.sys

C:/WINDOWS/system32/drivers/abhcop.sys

C:/WINDOWS/System32/drivers/ahook.sys

C:/WINDOWS/System32/drivers/cdnhook.sys

C:/WINDOWS/System32/DRIVERS/hcalway.sys

C:/WINDOWS/system32/DRIVERS/mspcidrv.sys

C:/WINDOWS/System32/DRIVERS/msprosys.sys

Download bat_do and FileInfo from http://purpleendurer.ys168.com.

Use FileInfo to extract the file information, then use bat_do to pack the files into a backup archive and schedule deferred deletion: it generates the remove-attributes, delete and rename commands, which are executed at the next boot.

Use WinRAR to delete the removable files in the Windows temporary folder, the IE temporary folder and d:/windows/prefetch.

Restart the computer.