各位叔叔　阿姨　哥哥　姐姐　救救我的电脑呀．．．【讨论】 bbs.ikaka.com

小边边边 - 2005-9-20 16:32:00

我按那个方法还是找不到病毒的来源就像网上一位朋友说:1、用HijackThis1.99.1（本帖附件中的一个小工具）扫系统日志，在O23项中寻找灰鸽子2005注册的系统服务名（例：WindowsPowerServer）。如果自己看不懂HijackThis日志，可以将日志贴在帖子中，请别人帮助辨认。
2、确认灰鸽子2005注册的系统服务名后，打开注册表编辑器，定位到HKEY_LOCAL_MACHINE\ SYSTEM \ CURRENTCONTROLSET \ SERVICES分支，删除左栏中的病毒服务名（例： WindowsPowerServer）。
3、重启系统，在“文件夹选项”的“查看”面板中勾选“显示系统文件”、“显示所有的文件和文件夹”两项，点击“确定”按钮。然后在%windows%下寻找病毒文件名（例： D:\WINDOWS\spoolvs.exe），找到后删除之。需要注意的是：灰鸽子2005生成的病毒文件为一组，3－4个。病毒文件命名有一定规律，即：X.exe、X.dll、X_hook.dll以及XKey.dll，其中“X”指病毒文件名的可变部分。例如，你的系统感染灰鸽子2005后，在HijackThis1.99.1日志中看到“O23 - Service: RSVPS (QoS RSVPS) - Unknown owner - D:\WINDOWS\spoolvs.exe”这样的信息，那么，这个日志提示：这个灰鸽子2005服务端注册的系统服务名是“ RSVPS ”；生成的病毒文件是spoolvs.exe、spoolvs.dll、spoolvs_hook.dll，可能还有一个spoolvsKey.dll。这一组3－4个病毒文件位于D:\WINDOWS\文件夹中。
附：HijackThis日志中见到的灰鸽子2005注册的系统服务名与病毒文件名（供手工杀毒参考）
O23 - Service: WINL0G0N - Unknown - C:\WINDOWS\WINL0G0N.EXE

O23 - Service: Windows_Helper - Unknown - C:\WINDOWS\3721.exe

O23 - Service: ray-pigeon-sorver-unknwn-c:/windows/lerver.exe

O23 - Service: Remotee - Unknown - C:\WINNT\explercr.exe

O23 - Service: Gerver - Unknown - C:\WINDOWS\smcsc.exe

O23 - Service: Intelnet - Unknown - C:\WINDOWS\system.exe

O23 - Service: ssvn - Unknown - C:\WINNT\Servers.exe

O23 - Service: Distributed Coordi - Unknown - C:\WINNT\cmmon32.com

O23 - Service: Contact Information - Unknown - C:\WINDOWS\svchost.exe

O23 - Service: DNS Pigeon Server - Unknown - C:\WINDOWS\Rver.exe

O23 - Service: system Management Instrumenta - Unknown - C:\WINDOWS\comines.exe

O23 - Service: Plug and Play . - Unknown - C:\WINDOWS\crsss.exe

023- Service: Pigeon_Server-Unknown-C:\WINDOWS\Server.exe

O23 - Service: Windows Update Servers - Unknown - C:\WINDOWS\winupdate.exe

O23 - Service: Windows Management Player - Unknown - C:\WINNT\system.exe

O23 - Service: Application Performance Explor - Unknown - C:\WINDOWS\svchost.exe

O23 - Service: Windows Management Drivers - Unknown - C:\WINNT\win32help.exe

O23 - Service: WindowsPowerServer - Unknown - C:\WINNT\Server.exe

O23 - Service: RSVPS (QoS RSVPS) - Unknown owner - D:\WINDOWS\spoolvs.exe
我把附件给你们传上来我找不到..请各位帮帮我谢谢了

附件: 5847672005920163212.jpg

小边边边 - 2005-9-20 16:40:00

刚才上边那个图没发清楚看这个图我按那个方法还是找不到病毒的来源就像网上一位朋友说:1、用HijackThis1.99.1（本帖附件中的一个小工具）扫系统日志，在O23项中寻找灰鸽子2005注册的系统服务名（例：WindowsPowerServer）。如果自己看不懂HijackThis日志，可以将日志贴在帖子中，请别人帮助辨认。
2、确认灰鸽子2005注册的系统服务名后，打开注册表编辑器，定位到HKEY_LOCAL_MACHINE\ SYSTEM \ CURRENTCONTROLSET \ SERVICES分支，删除左栏中的病毒服务名（例： WindowsPowerServer）。
3、重启系统，在“文件夹选项”的“查看”面板中勾选“显示系统文件”、“显示所有的文件和文件夹”两项，点击“确定”按钮。然后在%windows%下寻找病毒文件名（例： D:\WINDOWS\spoolvs.exe），找到后删除之。需要注意的是：灰鸽子2005生成的病毒文件为一组，3－4个。病毒文件命名有一定规律，即：X.exe、X.dll、X_hook.dll以及XKey.dll，其中“X”指病毒文件名的可变部分。例如，你的系统感染灰鸽子2005后，在HijackThis1.99.1日志中看到“O23 - Service: RSVPS (QoS RSVPS) - Unknown owner - D:\WINDOWS\spoolvs.exe”这样的信息，那么，这个日志提示：这个灰鸽子2005服务端注册的系统服务名是“ RSVPS ”；生成的病毒文件是spoolvs.exe、spoolvs.dll、spoolvs_hook.dll，可能还有一个spoolvsKey.dll。这一组3－4个病毒文件位于D:\WINDOWS\文件夹中。
附：HijackThis日志中见到的灰鸽子2005注册的系统服务名与病毒文件名（供手工杀毒参考）
O23 - Service: WINL0G0N - Unknown - C:\WINDOWS\WINL0G0N.EXE

O23 - Service: Windows_Helper - Unknown - C:\WINDOWS\3721.exe

O23 - Service: ray-pigeon-sorver-unknwn-c:/windows/lerver.exe

O23 - Service: Remotee - Unknown - C:\WINNT\explercr.exe

O23 - Service: Gerver - Unknown - C:\WINDOWS\smcsc.exe

O23 - Service: Intelnet - Unknown - C:\WINDOWS\system.exe

O23 - Service: ssvn - Unknown - C:\WINNT\Servers.exe

O23 - Service: Distributed Coordi - Unknown - C:\WINNT\cmmon32.com

O23 - Service: Contact Information - Unknown - C:\WINDOWS\svchost.exe

O23 - Service: DNS Pigeon Server - Unknown - C:\WINDOWS\Rver.exe

O23 - Service: system Management Instrumenta - Unknown - C:\WINDOWS\comines.exe

O23 - Service: Plug and Play . - Unknown - C:\WINDOWS\crsss.exe

023- Service: Pigeon_Server-Unknown-C:\WINDOWS\Server.exe

O23 - Service: Windows Update Servers - Unknown - C:\WINDOWS\winupdate.exe

O23 - Service: Windows Management Player - Unknown - C:\WINNT\system.exe

O23 - Service: Application Performance Explor - Unknown - C:\WINDOWS\svchost.exe

O23 - Service: Windows Management Drivers - Unknown - C:\WINNT\win32help.exe

O23 - Service: WindowsPowerServer - Unknown - C:\WINNT\Server.exe

O23 - Service: RSVPS (QoS RSVPS) - Unknown owner - D:\WINDOWS\spoolvs.exe
我把附件给你们传上来我找不到..请各位帮帮我谢谢了

附件: 5847672005920164043.jpg

小边边边 - 2005-9-20 16:45:00

注册表编辑器是什么? 怎么才能找到?告诉我谢谢

baohe - 2005-9-20 16:48:00

【回复“小边边边”的帖子】

你那图中的最后一项就是灰鸽子。

查杀方法：

1、打开注册表编辑器，展开HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES，删除左栏中的systemserver.exe。
2、重启电脑。
3、显示隐藏文件、显示系统文件夹。删除C:\WINDOWS\文件夹中server.exe以及文件名中包含server的所有.DLL文件。

小边边边 - 2005-9-20 16:49:00

Logfile of HijackThis v1.99.1
Scan saved at 16:49:03, on 2005-9-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
f:\rising\rfw\rfwsrv.exe
C:\windows\system32\spoolsv.exe
F:\RISING\RAV\CCENTER.EXE
F:\RISING\RAV\Ravmond.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
F:\RISING\RAV\RavStub.exe
f:\rising\rfw\RfwMain.exe
C:\windows\explorer.exe
F:\QQ\TIMPlatform.exe
C:\windows\system32\ctfmon.exe
F:\QQ\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\桌面\HijackThis.exe
C:\windows\system32\NOTEPAD.EXE

R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\windows\system32\xunleibho_v6.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\3721\Assist\Angling.dll (file missing)
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\windows\system32\NaviHelper.dll (file missing)
O2 - BHO: ShowBarObject Class - {850B69E4-90DB-4F45-8621-891BF35A5B53} - c:\windows\system32\alitb\__new\bar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\windows\downlo~1\CnsHook.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\天堂2单机版\天堂2\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [helper.dll] C:\windows\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\windows\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [RavStub] "F:\RISING\RAV\ravstub.exe" /RUNONCE
O8 - Extra context menu item: !搜一搜 - res://C:\windows\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &使用迅雷下载 - F:\迅雷4\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - F:\迅雷4\getAllurl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\QQ\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\浩方\浩方对战平台\GameClient.exe
O9 - Extra button: 商机直通车 - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - c:\windows\system32\alitb\__new\bar.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B68CD37-5C54-47C5-8F09-F9A602F85FCF}: NameServer = 202.106.46.151 202.106.0.20
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\windows\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\windows\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - f:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - F:\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - F:\RISING\RAV\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

看这个是日志上打出来的

baohe - 2005-9-20 16:53:00

【回复“小边边边”的帖子】

看14楼的回复（针对你12楼那张图说的）。

15楼的日志与12楼的图有所不同。那个日志是你的呀？晕死！！！

小边边边 - 2005-9-20 16:54:00

注册表编辑器在哪里...我对电脑不太懂.....麻烦斑竹了

baohe - 2005-9-20 16:58:00

引用:

【小边边边的贴子】注册表编辑器在哪里...我对电脑不太懂.....麻烦斑竹了
...........................

点击“开始、运行。键入regedit，按回车。

小边边边 - 2005-9-20 16:59:00

是我的呀我只是又扫描了一遍...就那样了.. 我重新打下斑竹麻烦你了还有编辑器是什么?怎么找??
Logfile of HijackThis v1.99.1
Scan saved at 16:57:36, on 2005-9-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
f:\rising\rfw\rfwsrv.exe
C:\windows\system32\spoolsv.exe
F:\RISING\RAV\CCENTER.EXE
F:\RISING\RAV\Ravmond.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
F:\RISING\RAV\RavStub.exe
f:\rising\rfw\RfwMain.exe
C:\windows\explorer.exe
F:\QQ\TIMPlatform.exe
C:\windows\system32\ctfmon.exe
F:\QQ\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\桌面\HijackThis.exe

R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\windows\system32\xunleibho_v6.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\3721\Assist\Angling.dll (file missing)
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\windows\system32\NaviHelper.dll (file missing)
O2 - BHO: ShowBarObject Class - {850B69E4-90DB-4F45-8621-891BF35A5B53} - c:\windows\system32\alitb\__new\bar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\windows\downlo~1\CnsHook.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\天堂2单机版\天堂2\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [helper.dll] C:\windows\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\windows\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [RavStub] "F:\RISING\RAV\ravstub.exe" /RUNONCE
O8 - Extra context menu item: !搜一搜 - res://C:\windows\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &使用迅雷下载 - F:\迅雷4\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - F:\迅雷4\getAllurl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\QQ\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\浩方\浩方对战平台\GameClient.exe
O9 - Extra button: 商机直通车 - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - c:\windows\system32\alitb\__new\bar.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B68CD37-5C54-47C5-8F09-F9A602F85FCF}: NameServer = 202.106.46.151 202.106.0.20
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - f:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - F:\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - F:\RISING\RAV\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

baohe - 2005-9-20 17:08:00

【回复“小边边边”的帖子】

19楼的日志中已经没有那只灰鸽子了

小边边边 - 2005-9-20 20:42:00

Logfile of HijackThis v1.99.1
Scan saved at 20:41:53, on 2005-9-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
f:\rising\rfw\rfwsrv.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
f:\rising\rfw\RfwMain.exe
C:\windows\system32\nvsvc32.exe
F:\RISING\RAV\CCENTER.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\rundll32.exe
F:\winamp\winampa.exe
C:\windows\system32\ctfmon.exe
F:\QQ\TIMPlatform.exe
F:\QQ\QQ.exe
C:\windows\system32\conime.exe
F:\RISING\RAV\Ravmond.exe
F:\RISING\RAV\RavStub.exe
F:\real\RealPlay.exe
F:\迅雷4\thunder.exe
F:\迅雷4\MediaIssue\Issue.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\桌面\HijackThis.exe

R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\windows\system32\xunleibho_v6.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\3721\Assist\Angling.dll (file missing)
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\windows\system32\NaviHelper.dll (file missing)
O2 - BHO: ShowBarObject Class - {850B69E4-90DB-4F45-8621-891BF35A5B53} - c:\windows\system32\alitb\__new\bar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\windows\downlo~1\CnsHook.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\天堂2单机版\天堂2\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [helper.dll] C:\windows\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\windows\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RavTimer] F:\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] F:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\RunOnce: [RavStub] "F:\RISING\RAV\ravstub.exe" /RUNONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O8 - Extra context menu item: !搜一搜 - res://C:\windows\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &使用迅雷下载 - F:\迅雷4\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - F:\迅雷4\getAllurl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\QQ\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\浩方\浩方对战平台\GameClient.exe
O9 - Extra button: 商机直通车 - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - c:\windows\system32\alitb\__new\bar.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B68CD37-5C54-47C5-8F09-F9A602F85FCF}: NameServer = 202.106.46.151 202.106.0.20
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - f:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - F:\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - F:\RISING\RAV\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

这里有后门病毒吗

瑞星卡卡安全论坛