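A netizen's computer was popping up ad windows and message boxes about job contacts and the like as soon as IE was opened, and they asked me to take a look.
I downloaded HijackThis from http://endurer.ys168.com, scanned the machine to produce a log, and found the following suspicious items: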
/----------
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:/WINDOWS/pop.exe

O2 - BHO: raObject Class - {46F194EB-B7DB-4B7A-BD42-5FF39FD17664} - C:/PROGRA~1/pcast/hbcast.dll
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - C:/WINDOWS/system32/YHBO.dll (file missing)
O2 - BHO: (no name) - {B3D16F27-E86C-4A68-9E74-D09147C8D929} - C:/WINDOWS/system32/apphelper.dll
O2 - BHO: System Helper - {B88DBC3F-41FB-40AE-AFB0-4220E842B710} - C:/WINDOWS/system32/flash9.dll (file missing)
O2 - BHO: Subconscious Intruder - {EBBC6E6D-7B65-46be-B509-86CED2D17876} - C:/WINDOWS/system32/Inte32.dll (file missing)
O4 - HKLM/../Run: [Update] C:/Program Files/Common Files/updat/Update.exe
O4 - HKLM/../Run: [RichMedia] C:/WINDOWS/system32/Rundll32.exe "C:/PROGRA~1/pcast/hbcast.dll",WaitWindows
O4 - HKLM/../Run: [realtpsk] C:/WINDOWS/system/realsched.exe
O4 - HKCU/../Run: [msnnt] C:/WINDOWS/winampf.exe
----------/
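Uninstalled: 桌面媒体/RichMedia (Desktop Media), 雅虎助手 (Yahoo Assistant), 中文上网 (Chinese Internet Access).
Used WinRAR to inspect c:/, c:/windows and c:/windows/system32, and found the following suspicious files: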
/----------
1001live.exe (Kaspersky reports it as Trojan-Dropper.Win32.Agent.awb)
7075cafi.exe (Kaspersky reports it as Trojan-Dropper.Win32.Agent.awb)
01394067.exe
ACSs.dll (made by LINKMEDIA Tech)
199019002.exe (Kaspersky reports it as not-a-virus:AdWareWin32.Hengbang.t)
apphelper.dll (Kaspersky reports it as Trojan-ClickerWin32.BHO.f)
Downloads
cert.exe (Kaspersky reports it as Trojan-Dropper.Win32.Delf.zg)
IE.exe (Kaspersky reports it as Trojan-Spy.Win32.Agent.ct)
drsmartload.exe
pop.exe
nbvgj.exe (Kaspersky reports it as Trojan-Clocker.Win32.costrat.n)
realsched.exe
SafeHelper12.dll
sdmagent.exe
tl.dll
setup147.exe
winampf.exe (Kaspersky reports it as Trojan-Downloader.Win32.Small.dts)
vtglx.exe
zhang02.exe (Kaspersky reports it as Trojan-Downloader.Win32.Adload.fu)
acss.exe
vp_VM.dll
ss10213.exe
----------/
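Packed these files into a backup archive, then deleted them.
Closed all folder windows, then scanned with HijackThis and fixed the items listed above.
Emptied the IE temporary files folder.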
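
The triage of the HijackThis log above can also be done with a script. The following Python is an added example, not part of the original post or of HijackThis: it parses the O2 (BHO) and O4 (Run key) lines, then flags BHO registrations whose DLL is missing and DLLs that are registered both as a BHO and through an autorun entry. The function names and the two finding labels are assumptions made for this example; the sample lines are copied from the log in this post.

```python
import re

# Sample input: entries copied from the HijackThis log shown in this post.
SAMPLE_LOG = r"""
Running processes:
C:/WINDOWS/pop.exe
O2 - BHO: raObject Class - {46F194EB-B7DB-4B7A-BD42-5FF39FD17664} - C:/PROGRA~1/pcast/hbcast.dll
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - C:/WINDOWS/system32/YHBO.dll (file missing)
O2 - BHO: (no name) - {B3D16F27-E86C-4A68-9E74-D09147C8D929} - C:/WINDOWS/system32/apphelper.dll
O4 - HKLM/../Run: [RichMedia] C:/WINDOWS/system32/Rundll32.exe "C:/PROGRA~1/pcast/hbcast.dll",WaitWindows
O4 - HKCU/../Run: [msnnt] C:/WINDOWS/winampf.exe
"""

# O2 line: display name, CLSID, DLL path, optional "(file missing)" marker.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 line: hive, Run key, value name, command. Accepts "/" or "\" separators.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))[/\\]\.\.[/\\](?P<key>Run\w*): "
    r"\[(?P<value>[^\]]*)\] (?P<cmd>.+)$")

def parse_log(text):
    """Return (bhos, autoruns) parsed from O2/O4 lines; other lines are ignored."""
    bhos, autoruns = [], []
    for line in map(str.strip, text.splitlines()):
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append({"hive": m["hive"], "value": m["value"], "cmd": m["cmd"]})
    return bhos, autoruns

def triage(text):
    """Return (label, detail) findings; the labels are this example's own."""
    bhos, autoruns = parse_log(text)
    # A BHO whose DLL is gone is a leftover registry entry to fix in HijackThis.
    findings = [("orphaned-bho", b["clsid"]) for b in bhos if b["missing"]]
    # A DLL loaded as a BHO and again from a Run key has two persistence points.
    for a in autoruns:
        for b in bhos:
            if b["path"].lower() in a["cmd"].lower():
                findings.append(("bho-also-autorun",
                                 f'{a["hive"]} Run [{a["value"]}] -> {b["path"]}'))
    return findings

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(label, detail)
```
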