未解決呀= ="

uhthn2002

你想問咩=-=~~~ sreng???

影月＊

The Avenger 彈出來個記事簿我關左,,係邊搵得返,唔係我點比你呀- -"""""

uhthn2002

C:\avenger.txt

影月＊

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cetulbkd

*******************

Script file located at: \??\C:\WINDOWS\system32\xebjarlb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.sys not found!
Deletion of file C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.sys failed!

Could not process line:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.sys
Status: 0xc0000034



File C:\Documents and Settings\All Users\Application Data\upload bits 16 2\Trust itch.exe not found!
Deletion of file C:\Documents and Settings\All Users\Application Data\upload bits 16 2\Trust itch.exe failed!

Could not process line:
C:\Documents and Settings\All Users\Application Data\upload bits 16 2\Trust itch.exe
Status: 0xc0000034

File C:\WINDOWS\mstcenter.exe deleted successfully.


Could not open file C:\DOCUME~1\gersang\APPLIC~1\16once\fork third.exe for deletion
Deletion of file C:\DOCUME~1\gersang\APPLIC~1\16once\fork third.exe failed!

Could not process line:
C:\DOCUME~1\gersang\APPLIC~1\16once\fork third.exe
Status: 0xc000003a



File C:\WINDOWS\DOWNLO~1\CnsMin.dll not found!
Deletion of file C:\WINDOWS\DOWNLO~1\CnsMin.dll failed!

Could not process line:
C:\WINDOWS\DOWNLO~1\CnsMin.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ieupsvc.exe not found!
Deletion of file C:\WINDOWS\system32\ieupsvc.exe failed!

Could not process line:
C:\WINDOWS\system32\ieupsvc.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\EagleNT.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\EagleNT.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\EagleNT.sys
Status: 0xc0000034



Could not open file C:\Program Files\ICQToolbar\toolbaru.dll for deletion
Deletion of file C:\Program Files\ICQToolbar\toolbaru.dll failed!

Could not process line:
C:\Program Files\ICQToolbar\toolbaru.dll
Status: 0xc000003a

Folder C:\Program Files\ADScan deleted successfully.
Folder C:\Program Files\ezurl deleted successfully.


Folder C:\Program Files\G2 not found!
Deletion of folder C:\Program Files\G2 failed!

Could not process line:
C:\Program Files\G2
Status: 0xc0000034



Folder C:\Program Files\Little Fighter 2 Toolbar not found!
Deletion of folder C:\Program Files\Little Fighter 2 Toolbar failed!

Could not process line:
C:\Program Files\Little Fighter 2 Toolbar
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

maxmaxddr

佢四點鐘度返來
你出去行陣街或打陣機食下野休息下先
02版大四點回來解答你

影月＊

仲未返來/.\...............

uhthn2002

刪除
C:\Avenger

情況如何

影月＊

E家要刪左佢?
沒有變 --

uhthn2002

我想問 係邊個程式 100%佔用

maxmaxddr

用呢個看看有咩程式有問題吧～

Icesword
對岸號稱斬殺木馬的利器，在國外也是很有名的一款軟體。主要功用為結束進程、查找後門、Rookit、強制刪除登錄機碼。建議使用英文版。

下載頁面

使用木馬樣本測試，該木馬會在C:/womdows/system/ 生成service.exe


1..      使用icesword可以查看正在執行的程序。

windows自帶的工作管理員沒有顯示程序



切換到process頁面，icesword偵測到執行中隱藏的木馬程式，以紅色標示。右鍵點選此程式，選擇Terminate process可以中止此木馬程式。



2.使用icesword 觀察隱藏中毒檔案
        
即使打開windows 隱藏檔案屬性，在C:/womdows/system/，仍然沒有辦法看到service.exe這支木馬。



使用icesword 切換到File，在C:/womdows/system/，找到service.exe這支隱藏木馬，右鍵點選delete即可刪除。



3.        強制刪除登錄機碼。切換到registry，找尋欲刪除的機碼，右鍵點選delete。



4.      Sometime,我們會碰到防毒軟體警報 *dll 文件無法清除，可以使用process explorer來找出掛鉤的程序，當然如果不是系統進程，直接結束再刪掉dll 就好了，可是process explorer 往往會告訴我們寄宿的程序為svchost.exe, explorer.exe,winlogon.exe這些系統程序，此時我們可以使用icesword來卸載 dll文件。在process頁中找到系統進程，點選右鍵"Moudle Information"，查看訊息。注意有時候卸載*dll會造成系統當機，此時就必須請出system safety monitor來禁止*dll文件的載入

選擇欲卸載的*dl，點選unload卸載或是unload(force)來強制卸載。





5.     可以i監看一些隱藏服務。隱藏服務icesword會以紅色標示。

影月＊

下載左之後亂碼- -

uhthn2002

你按 ctrl +alt+del睇下邊個佔用１００％吧

影月＊

一開機的話
就得spoolsv.exe估100

uhthn2002

試一下咁樣
複製以下粗黑文字

Files to delete:
c:\windows32\tqppmtw.fyf

Folders to delete:
c:\windows\system32\spoolsv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors

下載 The Avenger http://swandog46.geekstogo.com/avenger.zip ,儲存到桌面並解壓出來
執行 The Avenger , 按 Input script manually 再按 放大鏡
按 Ctrl + V/右click貼上剛才複製的內容 ,按 Done ,按 綠燈 開始,當有提示彈出, 按 Yes 兩次
The Avenger 會重新啟動你的電腦大約一至兩次,如果重新啟動時有黑色視窗彈出,這是正常情況
當重新啟動後,把 C:\avenger.txt 的內容貼上來

kwan1987

我個winas.exe佔成95%....點算?
我都關左spoolsv cpu佔用都係100%

[ 本帖最後由 kwan1987 於 2006-11-4 10:05 PM 編輯 ]

kwan1987

2006-11-04,21:53:06

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <MsnMsgr><; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background>  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <avgnt><"C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min>  [Avira GmbH]
    <High Definition Audio Property Page Shortcut><HDAShCut.exe>  [(Verified)Windows (R) Server 2003 DDK provider]
    <SoundMan><SOUNDMAN.EXE>  [(Verified)Realtek Semiconductor Corp.]
    <AlcWzrd><ALCWZRD.EXE>  [(Verified)RealTek Semicoductor Corp.]
    <Alcmtr><ALCMTR.EXE>  [(Verified)Realtek Semiconductor Corp.]
    <NeroFilterCheck><C:\WINDOWS\system32\NeroCheck.exe>  [Ahead Software Gmbh]
    <DAEMON Tools><"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033>  [(Verified)DT Soft Ltd.]
    <ServiceHome><C:\Program Files\Besta\PSH2.0\PSH2.exe /startup>  [N/A]
    <ICQ Lite><; C:\Program Files\ICQLite\ICQLite.exe -minimize>  [ICQ Ltd.]
    <Winas><C:\WINDOWS\system32\Winas.exe>  [sinka]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{F93CB274-12A2-489E-9DB6-BAAF492448D0}><C:\WINDOWS\system32\msnfile.dll>  [N/A]

==================================
Startup Folders
N/A

==================================
Services
[AntiVir PersonalEdition Classic Scheduler / AntiVirScheduler]
  <C:\Program Files\AntiVir PersonalEdition Classic\sched.exe><Avira GmbH>
[AntiVir PersonalEdition Classic Guard / AntiVirService]
  <C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe><AVIRA GmbH>
[ASP.NET State Service / aspnet_state]
  <C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[InstallDriver Table Manager / IDriverT]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Winas / Winas]
  <C:\WINDOWS\system32\Was.exe><sinka>

影月＊

上面個個玩野?- -"
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aqbxbngt

*******************

Script file located at: \??\C:\WINDOWS\oduipjbb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file c:\windows32\tqppmtw.fyf for deletion
Deletion of file c:\windows32\tqppmtw.fyf failed!

Could not process line:
c:\windows32\tqppmtw.fyf
Status: 0xc000003a



Folder c:\windows\system32\spoolsv not found!
Deletion of folder c:\windows\system32\spoolsv failed!

Could not process line:
c:\windows\system32\spoolsv
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

uhthn2002

情況如何-.-""""

影月＊

spoolsv好似沒問題了.不過iexplore好似有問題--"
又要麻煩你了xd

uhthn2002

試一下咁樣
複製以下粗黑文字


Files to delete:
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\iexplore.exe
C:\WINDOWS\system\iexplore.exe
執行 The Avenger , 按 Input script manually 再按 放大鏡
按 Ctrl + V/右click貼上剛才複製的內容 ,按 Done ,按 綠燈 開始,當有提示彈出, 按 Yes 兩次
The Avenger 會重新啟動你的電腦大約一至兩次,如果重新啟動時有黑色視窗彈出,這是正常情況

打開記事本
貼上以下紅色字內容
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001

檔案--->儲存-->選取所有檔案格式  檔案名為wormfix.reg  --->執行wormfix.reg

------------------------------------------

安裝以下任何一款防火牆(只裝一個)
ZoneAlarm (英文)
http://www.download.com/ZoneAlarm/3000-10435_4-10550364.html

Comodo Personal Firewall (英文)
http://www.personalfirewall.como ... ific&country=HK

安裝完成後re機

使用  Kaspersky Online Scanner :
http://www.kaspersky.com/virusscanner
1. 按 Kaspersky Online Scanner--->Accept
2. 之後 Kaspersky Online Scanner 會進行安裝及更新,完成後按 Next
3. 按 Scan Settings--->extended---> Ok
4. 按 My Computer 進行掃描.
5. 掃描結束後,按 Save Report As 儲存Kaspersky Online Scanner 掃描報告

之後貼上Kaspersky Online Scanner 掃描報告上來 及 說明當時情況