总是自动连接到62.189.194.215

Posted on 2006-11-15 08:50:24
It keeps automatically connecting to 62.189.194.215. I can't close the connection in TCPView, and adding a 127.0.0.1 entry in hosts to block it doesn't work either. Could some expert help me?
Posted on 2006-11-15 09:01:17
Scan the machine with HijackThis and paste the log here; we'll help you.
OP | Posted on 2006-11-15 09:37:25
Posted it, thanks.

Attachment: hijackthis.rar (1.93 KB)

Posted on 2006-11-15 10:05:34
Ugh, just paste the text here.
Posted on 2006-11-15 11:33:19
Can't you just block it with a firewall?
Posted on 2006-11-15 11:54:19
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Micropoint\MPSVC.exe
C:\Program Files\Micropoint\MPSVC2.exe
C:\Program Files\Micropoint\MPSVC1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\the\LOCALS~1\Temp\Rar$EX03.469\HijackThis.exe

R3 - Default URLSearchHook is missing------fix
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O11 - Options group: [INTERNATIONAL] International*------fix
O14 - IERESET.INF: SEARCH_PAGE_URL=------fix
O14 - IERESET.INF: START_PAGE_URL=------fix
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.ms ... toSwap/PhtPkMSN.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powerint.com------fix
O17 - HKLM\Software\..\Telephony: DomainName = powerint.com------fix
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = powerint.com------fix
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll------fix
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MPSVC Service (MPSVCService) - Micropoint Corporation - C:\Program Files\Micropoint\MPSVC.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

I've posted this brother's log here so everyone can study it.

[ This post was last edited by 6618 on 2006-11-15 12:15 PM ]
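The helper above went through the log line by line and marked entries to fix. As an added example (not from the thread and not part of HijackThis), here is a small Python triage script that parses lines in HijackThis log format and applies the same review rules; the sample log is constructed from the entry types seen in this thread, and the rule list and reason strings are my own.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entry types the
# helper flagged in the thread above (not a real scan of any machine).
SAMPLE_LOG = "\n".join([
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)",
    r"O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll",
    r'O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE',
    r"O14 - IERESET.INF: START_PAGE_URL=",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powerint.com",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe",
])

# Every HijackThis entry starts with a section code such as R3, O2 or O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(entries):
    """Apply the rules the thread's helper applied by hand. Returns (section, reason)
    pairs for entries worth a look. O17 is flagged for review rather than removal:
    a corporate DNS suffix (as it turned out to be here) looks identical to a hijack."""
    findings = []
    for section, body in entries:
        if section == "R3" and "is missing" in body:
            findings.append((section, "default URLSearchHook missing; restore the default"))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its DLL is gone; orphaned entry"))
        elif section == "O14" and body.rstrip().endswith("="):
            findings.append((section, "IERESET.INF default URL is empty"))
        elif section == "O17":
            findings.append((section, "DNS domain set; confirm it is the corporate domain"))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL loads at logon; verify the file"))
    return findings

if __name__ == "__main__":
    for section, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}")
```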
Posted on 2006-11-15 11:55:19
Originally posted by tinyhe on 2006-11-15 08:50 AM:
It keeps automatically connecting to 62.189.194.215. I can't close the connection in TCPView, and adding a 127.0.0.1 entry in hosts to block it doesn't work either. Could some expert help me?


His log is in the post above.
Posted on 2006-11-15 12:17:20
I took a quick look and edited the post; for now, try fixing the items marked above.
The OP's machine has McAfee antivirus and Micropoint installed, yet it still got infected. Micropoint sure talks big.
OP | Posted on 2006-11-15 13:06:29
Microsoft's was only installed a few days ago.
OP | Posted on 2006-11-15 13:17:02
These two can't be removed:
O14 - IERESET.INF: SEARCH_PAGE_URL=------fix
O14 - IERESET.INF: START_PAGE_URL=------fix
These three seem to be the company's:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powerint.com------fix
O17 - HKLM\Software\..\Telephony: DomainName = powerint.com------fix
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = powerint.com------fix
Posted on 2006-11-15 15:06:19
These two can't be removed-------there's process protection.
O14 - IERESET.INF: SEARCH_PAGE_URL=------fix
O14 - IERESET.INF: START_PAGE_URL=------fix
These three seem to be the company's------- Oh, so they're your company's. I thought it was domain hijacking; no need to fix them then. O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powerint.com------fix
O17 - HKLM\Software\..\Telephony: DomainName = powerint.com------fix
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = powerint.com------fix

Does it still point to that IP now?
Posted on 2006-11-15 20:01:05
Expert~~~~
OP | Posted on 2006-11-16 09:08:29
Yes, it still does. I was away on a business trip yesterday afternoon. The system feels like it has lots of problems: the company uses McAfee, and after I installed Prevx1 it keeps warning about abnormal IE activity. Thanks to brother 6618 and the others for your attention.
There is an iereset.inf file in the windows\inf directory with the following contents:
[Version]
Signature="$CHICAGO$"
AdvancedINF=2.5,"You need a new version of advpack.dll"

[RestoreHomePage]
AddReg=RestoreHomePage.reg

[RestoreBrowserSettings]
AddReg=RestoreBrowserSettings.reg
DelReg=DeleteTemplates.reg

[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","provider",0,""

HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

[DeleteTemplates.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

[Strings]
START_PAGE_URL = "http://www.microsoft.com/windows/ie_intl/cn/start/"
SEARCH_PAGE_URL = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
SAFESITE_VALUE = "ie.search.msn.com"

MS_START_PAGE_URL = "http://www.microsoft.com/windows/ie_intl/cn/start/"
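The O14 lines in the log above are HijackThis' reading of this file's [Strings] values. As an added example (not from the thread and not from HijackThis), this Python script parses an iereset.inf excerpt, resolves the %VAR% references used in the AddReg sections, and reports any resolved URL whose host is not under microsoft.com or msn.com; the sample file content is constructed, with one SEARCH_PAGE_URL deliberately altered to show what a non-default value looks like.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the layout of the iereset.inf posted above: stock values
# plus one deliberately altered SEARCH_PAGE_URL. Not the poster's actual file.
SAMPLE_INF = r"""
[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%
[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
[Strings]
START_PAGE_URL = "http://www.microsoft.com/windows/ie_intl/cn/start/"
SEARCH_PAGE_URL = "http://search.hijack-example.invalid/?q="
"""

TRUSTED_SUFFIXES = ("microsoft.com", "msn.com")  # hosts the stock file points at

def parse_inf(text):
    """Return {section: [non-empty lines]} for an INF/INI-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def strings_table(sections):
    """Parse [Strings] into {NAME: value} with surrounding quotes removed."""
    table = {}
    for line in sections.get("Strings", []):
        name, _, value = line.partition("=")  # first '=' only; URLs may contain '='
        table[name.strip()] = value.strip().strip('"')
    return table

def check_url_values(sections):
    """Resolve %VAR% data fields in the AddReg sections and return
    (registry value name, resolved URL) for every URL whose host is not
    under a trusted suffix. Literal data such as "www.%s.com" is skipped."""
    strings, suspicious = strings_table(sections), []
    for sec in ("RestoreHomePage.reg", "RestoreBrowserSettings.reg"):
        for line in sections.get(sec, []):
            value_name = re.findall(r'"([^"]*)"', line)[1]  # 2nd quoted field
            ref = re.fullmatch(r"%(\w+)%", line.rsplit(",", 1)[-1].strip())
            if not ref:
                continue
            url = strings.get(ref.group(1), "")
            host = urlparse(url).hostname or ""
            if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
                suspicious.append((value_name, url))
    return suspicious
```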
OP | Posted on 2006-11-16 09:20:33
Sometimes in Explorer, when I right-click a folder, it also warns that IE is trying to modify physical memory and has been blocked by Prevx1. Sometimes pressing Win+E to open Explorer also warns that IE was blocked by Prevx1. Sigh.
Posted on 2006-11-16 11:16:33
Notice: the author has been banned or deleted; content automatically hidden.