The HKCU Start Page setting is the lesser issue; the real problem is why suspicious drivers keep showing up.
Let's switch to ComboFix (CF) to clean up and check instead. You may need to turn off your antivirus software first; follow the program's prompts.
1. Prepare the security tool: ComboFix
http://reinfors.googlepag...ofix1.html
2. Copy all of the text below exactly, paste it into Notepad, choose "Save As", make sure the encoding is "ANSI", and name the file "CFScript.txt".
After confirming the contents are correct and saving, drag CFScript.txt onto ComboFix, as shown in the picture.
killall::
rootkit::
C:\WINDOWS\system32\drivers\lnsjvi.sys
C:\WINDOWS\system32\drivers\ifr.sys
Driver::
CFRMD
lnsjvi
ifr
reglock::
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
[HKEY_CLASSES_ROOT\.lnk]
[HKEY_CLASSES_ROOT\lnkfile]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
mod reg::
[-HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
[-HKEY_CLASSES_ROOT\.lnk]
[-HKEY_CLASSES_ROOT\lnkfile]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="捷徑"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\ProgID]
@="lnkfile"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]
[HKEY_CLASSES_ROOT\lnkfile]
@="捷徑"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex]
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
@="捷徑"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"
[HKEY_CLASSES_ROOT\.lnk\ShellEx]
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk]
@="lnkfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="http://tw.yahoo.com/"
"Start Page"="http://tw.yahoo.com/"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="http://tw.yahoo.com/"
"Start Page"="http://tw.yahoo.com/"
REBOOT::
.
3. After the automatic restart, upload the log file that is produced.
*Note: remove this part at the bottom of the script yourself,
[url]…
[/url], otherwise there may be problems when it gets registered; the forum system keeps adding it automatically…
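As an added defender-side example (not part of the original post or of ComboFix): a small Python audit that parses .reg-style lines like the restore section of the script above and reports where the shortcut (.lnk) handler registrations or the IE Start Page deviate from the defaults the script puts back. The `sample` fragments are constructed for illustration; the hijack DLL path used in testing is a placeholder, not a real indicator.

```python
import re

# The script's restore section points .lnk/lnkfile back at the shell32 shortcut
# handler CLSID below and rewrites the IE start page under IE_MAIN.
LNK_CLSID = "{00021401-0000-0000-C000-000000000046}"
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
EXPECTED = {  # key -> expected default (@) value
    r"HKEY_CLASSES_ROOT\.lnk": "lnkfile",
    r"HKEY_CLASSES_ROOT\lnkfile\CLSID": LNK_CLSID,
    rf"HKEY_CLASSES_ROOT\CLSID\{LNK_CLSID}\InProcServer32": "shell32.dll",
}

def parse_reg(text):
    """Parse .reg-style lines into {KEY: {name: data}}; [-KEY] marks a deletion."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.match(r"^\[(-?)(.+)\]$", line)
        if key:  # a key deleted earlier and re-created later starts out empty
            current = key.group(2).upper()
            keys[current] = None if key.group(1) else (keys.get(current) or {})
            continue
        val = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if val and current and keys[current] is not None:
            keys[current][val.group(2) or ""] = val.group(3).strip('"')
    return keys

def audit_lnk_handling(text, expected_start="http://tw.yahoo.com/"):
    """Return findings where the fragment deviates from the defaults above."""
    keys = parse_reg(text)
    value = lambda key, name="": (keys.get(key.upper()) or {}).get(name)
    findings = []
    for key, want in EXPECTED.items():
        got = value(key)
        if got is None or got.lower() != want.lower():
            findings.append(f"{key} = {got!r}, expected {want!r}")
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        page = value(rf"{hive}\{IE_MAIN}", "Start Page")
        if page != expected_start:
            findings.append(f"{hive} IE Start Page = {page!r}")
    return findings

def sample(handler, hkcu_page, hklm_page=None):
    """Constructed .reg fragment (not a real export) to exercise the audit."""
    lines = [r"[HKEY_CLASSES_ROOT\.lnk]", '@="lnkfile"',
             r"[HKEY_CLASSES_ROOT\lnkfile\CLSID]", f'@="{LNK_CLSID}"',
             rf"[HKEY_CLASSES_ROOT\CLSID\{LNK_CLSID}\InProcServer32]", f'@="{handler}"',
             rf"[HKEY_CURRENT_USER\{IE_MAIN}]", f'"Start Page"="{hkcu_page}"']
    if hklm_page:
        lines += [rf"[HKEY_LOCAL_MACHINE\{IE_MAIN}]", f'"Start Page"="{hklm_page}"']
    return "\n".join(lines)
```

Run `audit_lnk_handling` over a fragment exported from the affected machine; an empty list means the .lnk handler and start pages match what the script restores.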