Analyzing a HijackThis log
http://www.hijackthis.de/
Save a log with HijackThis, paste it on the site above and click the Analyze button; after a moment the report appears. It lists each line by Entry, Kind, Description and Tips, where Kind is one of Safe, Nasty or Unknown. The site is German, so some descriptions come back in German. Two caveats when reading the report: the site analyzes the pasted text only, so a Safe verdict is a lookup of the entry's name or CLSID with a hit rate, not an inspection of the file at that path, and the path is yours to confirm (a bare file name such as AGRSMMSG.exe in a Run key deserves a second look); and the "newest version" figures in the header analysis can be stale, as below where it calls 6.00.2800.1106 the newest Internet Explorer while the log shows 6.00.2900.2180 installed.
The common processes and registry entries are listed below; the rest are omitted:
Log header
Logfile of HijackThis v1.99.1:
--Safe.
--Shows the version of HijackThis. The newest version is: v1.99.1!
--This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180):
--Safe.
--Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!
--This should be the newest version. (6.00.2900.2180)
Running processes
C:\WINDOWS\System32\smss.exe:
--Safe.
--running process. (smss.exe) System process - application used to start, manage and end sessions.
C:\WINDOWS\system32\winlogon.exe:
--Safe.
--running process. (winlogon.exe) System process - Windows login routine
C:\WINDOWS\system32\services.exe
--Safe.
--running process. (services.exe) System process - manages the system services.
C:\WINDOWS\system32\lsass.exe:
--Safe.
--running process. (lsass.exe) System process
C:\WINDOWS\system32\svchost.exe:
--Safe.
--running process. (svchost.exe) System process - generic host process name for services.
C:\WINDOWS\System32\svchost.exe:
--Safe.
--running process. (svchost.exe) System process - generic host process name for services.
C:\WINDOWS\system32\spoolsv.exe:
--Safe.
--running process. (spoolsv.exe) System process
C:\WINDOWS\system32\ctfmon.exe:
--Safe.
--running process. (ctfmon.exe)
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe:
--Safe.
--running process. (mdm.exe) Machine Debug Manager. Used by developers.
C:\WINDOWS\System32\igfxtray.exe:
--Safe.
--running process. (igfxtray.exe)
C:\WINDOWS\System32\hkcmd.exe:
--Safe.
--running process. (hkcmd.exe)
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe:
--Safe.
--running process. (SynTPLpr.exe)
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe:
--Safe.
--running process. (SynTPEnh.exe)
C:\WINDOWS\AGRSMMSG.exe:
--Safe.
--running process. (AGRSMMSG.exe) SoftModem Messaging Applet
C:\Program Files\ltmoh\Ltmoh.exe:
--Safe.
--running process. (Ltmoh.exe) Modem On Hold utility
C:\WINDOWS\explorer.exe:
--Safe.
--running process. (explorer.exe) System process for the desktop and taskbar.
C:\WINDOWS\system32\wuauclt.exe:
--Safe.
--running process. (wuauclt.exe) Windows Update AutoUpdate Client
C:\WINDOWS\system32\cmd.exe:
--Safe.
--running process. (cmd.exe) Windows Command
C:\WINDOWS\system32\conime.exe:
--Unknown
--running process. (conime.exe) This is an unknown process.
C:\Download\Antivirus\HijackThis.exe:
--Safe.
--running process. (HijackThis.exe) The tool that produced this log file.
--Remember that HijackThis must be run from its own folder. Only when HijackThis runs from its own folder will it create backups!
Registry entries
R3 - Default URLSearchHook is missing:
--Nasty
--Should be fixed if you do not know the application or if no application is mentioned.
--This entry should be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx:
--Safe.
--Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99 %
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe:
--Safe.
--Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel. Hit rate: 86 % (result)
--Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe:
--Safe.
--Application that implements the Intel Hotkey command. Hit rate: 99 % (result)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe:
--Safe.
--Synaptics touchpad driver helper. Required for touchpad features to work. Hit rate: 82 % (result)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe:
--Safe.
--Hit rate: 99 % (result)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe:
--Safe.
--IBM AMR modem driver. Hit rate: 99 % (result)
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe:
--Safe.
--Modem On Hold utility - manages incoming/outgoing voice calls on a single phone line while being connected to the internet. Hit rate: 99 % (result)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32:
--Safe.
--Part of MS Input Method Editor which is used to ease the input of Asian characters in MS Office (Chinese, Korean and this one is Japanese). Hit rate: 61 % (result)
--Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC:
--Safe.
--Hit rate: 99 % (result)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC:
--Safe.
--Part of Microsofts Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 82 % (result)
--Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName:
--Safe.
--Part of Microsofts Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 75 % (result)
--Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log:
--Unknown
--Hit rate: -1 % (result)
--Unknown application.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe:
--Safe.
--CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. CTFMON can be disabled from Control Panel, Text & Speech Services. Hit rate: 99 % (result)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE:
--Safe.
--Hit rate: 67 % (result)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000:
--Safe.
--The entry E&xport to Microsoft Excel has been identified as safe. If the entry 'E&xport to Microsoft Excel' is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe:
--Safe.
--The entry Messenger has been identified as safe.
--If the entry 'Messenger' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe:
--Safe.
--The entry Windows Messenger has been identified as safe.
--If the entry 'Windows Messenger' is not needed anymore, it should be fixed.
……
Note: this machine is a laptop with an integrated graphics card and modem; East Asian language support is installed and Microsoft Pinyin has been updated to the 2003 version.
[ Last edited by hoss on 31-3-2005 at 11:55 AM ]
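Added example, not part of the original post and not code from HijackThis or hijackthis.de: a small Python parser for the log format quoted above, with a first-pass triage that mirrors the report's Safe / Nasty / Unknown kinds. The sample log is constructed from entries quoted in the post; the KNOWN table is a hypothetical stand-in for the site's name/CLSID-keyed database, and the trusted directory prefixes are an assumption made for this example. It also carries out the two checks worth making yourself: whether the image of a matched entry actually sits under Windows or Program Files (or, like AGRSMMSG.exe above, is given with no path at all), and a numeric comparison of the header versions, since the report calls 6.00.2800.1106 the newest Internet Explorer while the log shows 6.00.2900.2180. The same image_note check applies to the paths in the "Running processes" list, e.g. C:\Download\Antivirus\HijackThis.exe.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in HijackThis v1.99.1 log format, assembled from entries quoted in the post.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"^(?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<cmd>.+)$")  # O2 / O9
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")  # O4 Run keys
LNK_RE = re.compile(r"^(?P<name>.+?) = (?P<cmd>.+)$")  # O4 Startup folder
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|ocx|dll|com))(?:\s|$)", re.IGNORECASE)

# Hypothetical stand-in for the site's name/CLSID-keyed lookup (assumption; a real database is far larger).
KNOWN = {
    "igfxtray": ("Safe", "Intel graphics tray icon; not dangerous, but unnecessary"),
    "agrsmmsg": ("Safe", "SoftModem messaging applet"),
    "imjpmig8.1": ("Safe", "Microsoft Japanese IME migration; not dangerous, but unnecessary"),
    "microsoft office.lnk": ("Safe", "Office startup assistant"),
    "06849e9f-c8d7-4d59-b87d-784b7d6be0b3": ("Safe", "Adobe Acrobat Reader BHO"),
    "fb5f1910-f110-11d2-bb9e-00c04f795683": ("Safe", "Windows Messenger"),
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # assumption for this example

@dataclass
class Entry:
    kind: str             # section tag: R3, O2, O4, O9, ...
    label: str            # text before the first ": " (HKLM\..\Run, BHO, Extra button, ...)
    name: str             # item name as HijackThis prints it
    clsid: Optional[str]  # CLSID for O2/O9 entries, else None
    command: str          # command line or image path, "" if none

def header_versions(log: str) -> dict:
    """HijackThis and IE versions from the header, as int tuples that compare correctly."""
    found = {}
    for line in log.splitlines():
        if (m := re.match(r"^Logfile of HijackThis v([\d.]+)", line)):
            found["HijackThis"] = tuple(int(x) for x in m.group(1).split("."))
        elif (m := re.match(r"^MSIE: .*\(([\d.]+)\)", line)):
            found["MSIE"] = tuple(int(x) for x in m.group(1).split("."))
    return found

def parse_entries(log: str) -> list:
    """R/F/N/O entries of the log; header and process list are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        label, _, rest = m.group("body").partition(": ")
        name, clsid, cmd = rest or label, None, ""
        if (c := CLSID_RE.match(rest)):
            name, clsid, cmd = c["name"], c["clsid"], c["cmd"]
        elif (r := RUN_RE.match(rest)):
            name, cmd = r["name"], r["cmd"]
        elif (l := LNK_RE.match(rest)):
            name, cmd = l["name"], l["cmd"]
        out.append(Entry(m.group("kind"), label, name, clsid, cmd))
    return out

def executable_of(command: str) -> str:
    """Image path from a Run-style command line: the quoted path, else text up to the first image-extension token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]

def image_note(image: str) -> str:
    """Flag an image with no absolute path, or one outside the usual system/program directories."""
    img = image.lower()
    if img and not re.match(r"^[a-z]:\\", img):
        return "image given without an absolute path (resolved through the search path)"
    if img and not img.startswith(TRUSTED_PREFIXES):
        return "image outside Windows / Program Files"
    return ""

def triage(e: Entry) -> tuple:
    """Verdict (Safe / Nasty / Unknown) and reason for one entry."""
    if e.kind == "R3" and "URLSearchHook is missing" in e.name:
        return "Nasty", "default URLSearchHook missing; fix unless a known application replaced it"
    note = image_note(executable_of(e.command))
    key = (e.clsid or e.name).lower()
    if key in KNOWN and not note:
        return KNOWN[key]
    if key in KNOWN:  # a name/CLSID hit with an odd path is not a Safe hit: names are easy to imitate
        return "Unknown", f"{KNOWN[key][1]}, but {note}"
    return "Unknown", note or "not in database"

if __name__ == "__main__":
    print("header:", header_versions(SAMPLE_LOG))
    for e in parse_entries(SAMPLE_LOG):
        verdict, why = triage(e)
        print(f"{e.kind:<3} {verdict:<8} {e.name}: {why}")
```

Run it as a script to see the verdicts for the sample; to triage a real log, read the file into a string and pass it to parse_entries. The point of image_note is that the database lookup is only half the verdict: AGRSMMSG is in KNOWN, yet its Run value names the image without a directory, so the entry is downgraded to Unknown until the file is located.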