瑞星卡卡安全论坛

Logfile of HijackThis v1.99.1
Scan saved at 13:58:23, on 2005-8-3
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
E:\金山杀毒\KWatch.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
E:\金山杀毒\KPfwSvc.EXE
C:\WINNT\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svchoct.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe
E:\金山杀毒\KAVStart.exe
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINNT\system32\internat.exe
E:\金山杀毒\KAVPFW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
E:\金山杀毒\KMailMon.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINNT\system32\conime.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINNT\explorer.exe
C:\dzh\internet\hypwise.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\14531485.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\tiang1\LOCALS~1\Temp\Rar$EX01.756\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sea.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINNT\System32\aclayer.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\performent002.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O2 - BHO: IEMozgObj Class - {CE7C3CF0-4B15-11D1-0BED-709549C10020} - C:\WINNT\system32\1zr8rjmzr1.dll (file missing)
O2 - BHO: YiSou - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:\PROGRA~1\YiSou\yisoub.dll (file missing)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - E:\XIAZAI~1\IEBand.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe"
O4 - HKLM\..\Run: [KavStart] "E:\金山杀毒\KAVStart.exe" -startup
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [WinTrace Remover] C:\Program Files\bulletproofsoft.com\WinTrace Remover\wtr.exe /STARTRUN
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [KavPFW] "E:\金山杀毒\KAVPFW.EXE"
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [WinTrace Remover] C:\Program Files\bulletproofsoft.com\WinTrace Remover\wtr.exe /STARTRUN
O4 - Startup: Anti-Hijacker.lnk = E:\anti-hijacker\AntiHijacker 1.2.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\xiazaizhongxin\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\xiazaizhongxin\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\xiazaizhongxin\SendMMS.htm
O9 - Extra button: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdnns.dll
O11 - Options group: [CDNCLIENT]  中文上网
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web/axe/x.chm::/update.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q337751.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (BlueskyVideo Control) - http://www.bluesky.cn/download/v2_60.cab
O16 - DPF: {448A5F6B-8C03-4B54-A338-F00237C508AD} (WEBChatRoomOCX Control) - http://www.51uc.com/cab/WEBChatRoom_1_39.cab
O16 - DPF: {991481A7-4669-4E15-8C24-100404E1F5CB} (Blueskyvoice Control) - http://www.bluesky.cn/download/blueskyvoice_60.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://client.jogo.cn/download/cnnic/cdn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (Blueskyvoice Control) - http://www.bluesky.cn/download/blueskyvoice_27.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6D434C2-8008-4954-A9C3-752C49E94493}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O20 - AppInit_DLLs: APIHookDll.dll
O21 - SSODL: FlashGet(JetCar) - {32C88C8B-D6F5-2F75-8A5D-D43EB8233021} - c:\progra~1\flashget\winzagy32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eoffice - Unknown owner - d:\eoffice\bin\apache.exe" -k runservice (file missing)
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - E:\金山杀毒\KPfwSvc.EXE
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - E:\金山杀毒\KWatch.EXE
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: MySQL - Unknown owner - D:\EOFFICE\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINNT\svchoct.exe

【回复“新版菜鸟”的帖子】
您好！
终止进程：
C:\WINNT\svchost.exe
C:\WINNT\svchoct.exe
C:\WINNT\system32\14531485.exe
修复：
R3 - Default URLSearchHook is missing
所有的O1项
O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINNT\System32\aclayer.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\performent002.dll
O2 - BHO: IEMozgObj Class - {CE7C3CF0-4B15-11D1-0BED-709549C10020} - C:\WINNT\system32\1zr8rjmzr1.dll (file missing)
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web/axe/x.chm::/update.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q337751.exe
O23 - Service: eoffice - Unknown owner - d:\eoffice\bin\apache.exe" -k runservice (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINNT\svchost.exe（疑似灰鸽子）
O23 - Service: MySQL - Unknown owner - D:\EOFFICE\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINNT\svchoct.exe（疑似灰鸽子）
删除：
以上提及的所有文件。
关于灰鸽子，请参考：
http://forum.ikaka.com/topic.asp?board=28&artid=5666824。