瑞星卡卡安全论坛

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\FireWall\PFW.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
D:\QQ\QQ.exe
D:\QQ\TIMPlatform.exe
D:\Maxthon\Maxthon.exe
D:\Winamp\Winamp.exe
D:\杂软件\HijackThis\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F57} - C:\WINDOWS\system32\THUNDE~1.DLL
O3 - Toolbar: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - D:\BitComet\BitCometBar\BitCometBar0.1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SKYNET Personal FireWall] D:\FireWall\PFW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ADSL.lnk = ?
O8 - Extra context menu item: &使用迅雷下载 - D:\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Thunder\getAllurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\QQ\SendMMS.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Unknown - D:\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler - Unknown - D:\PerfectDisk\PDSched.exe

在不打开浏览器的前提下,经常跳出恶意网页~~ 希望高手斑竹支招 谢谢~~~~

【回复“遗忘心灵”的帖子】您好，此份日志看不出什么问题.

请运行hijackthis--打开混合工具箱--生成启动日志

把启动日志发上来

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\FireWall\PFW.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
D:\QQ\QQ.exe
D:\QQ\TIMPlatform.exe
D:\Maxthon\Maxthon.exe
D:\Winamp\Winamp.exe
C:\WINDOWS\system32\conime.exe
D:\杂软件\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\leehom\「开始」菜单\程序\启动]
ADSL.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\xunleibho_v8.dll - {0005A87D-D626-4B3A-84F9-1D9571695F55}
(no name) - C:\WINDOWS\system32\THUNDE~1.DLL - {0005A87D-D626-4B3A-84F9-1D9571695F57}

--------------------------------------------------

Enumerating Task Scheduler jobs:

DDD_Install_Program.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 3,165 bytes
Report generated in 0.016 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full    - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only

多谢斑竹~

【回复“遗忘心灵”的帖子】请问一下D:\Spybot - Search & Destroy\TeaTimer.exe
这个是您装的什么软件?

弹出的网页地址是什么.

【回复“花落花又开”的帖子】是一个反间谍软件

【回复“遗忘心灵”的帖子】log和进程都没问题...请问弹出的非法网页的地址是什么?

O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D10064-6C38-4864-B9F5-5BCDEEED7FD8}: NameServer = 202.101.172.46 202.101.172.47

这是我重启后扫描到的~~好像有点可疑~~

网址我没记下来~~ 我刚刚重启过~希望会再跳出来

这是我 删除的 一些~~不知道 是不是 可疑的那什么~~~(专业术语 8太懂 呵呵)

附件: 2584512005916115309.jpg

http://u5.8522.com/3.htm?spid=852200221

这个网址 , 会弹出来

【回复“遗忘心灵”的帖子】
清空一下hosts文件:

在win 98里是: C:\Windows\hosts
在win 2000/xp是: C:\Windows\system32\drivers\etc\hosts

HOSTS文件里保存有WINDOWS系统记录的IP地址与域名的对应关系。

有些网页恶意代码会修改这个文件迫使我们访问恶意网页/网站。

删除127.0.0.1 localhost以外的其他所有多余内容

===================

用记事本打开 C:\WINNT\system32\drivers\etc\hosts 文件
最后加入
202.232.140.12 auto.search.msn.com
这么一行(作用是把微软默认搜索解析到正确的地址)

最好再加行 127.0.0.0 http://u5.8522.com/3.htm?spid=852200221

127.0.0.0 http://18ol.21vod.cn/quanpin5.htm?id18=1831

格式:<<127.0.0.0 非法网址>>

http://18ol.21vod.cn/quanpin5.htm?id18=1831

这个网址也会跳出来~

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97    rhino.acme.com          # source server
#      38.25.63.10    x.acme.com              # x client host

127.0.0.1      localhost




文件打开后 , 就这些东西~~请问斑竹  那些是该删除的 谢谢

看看下面的连接是否可以帮到您：
http://forum.ikaka.com/topic.asp?board=67&artid=7121110

好~~我看看 谢谢斑竹~~

呃~~但是 我的文件夹里面没有msinfo.dll 这个文件... 这可怎么办呢?

显示隐藏文件寻找看看...