瑞星卡卡安全论坛
endurer - 2005-12-20 22:47:00
| 引用: |
【leonlzy的贴子】06的防火墙报,我在游戏保护模式下,瑞星防火墙说发现内存里的木马详细内容2005-12-18 09:15:23, Explorer.EXE>>C:\WINDOWS\Explorer.EXE ->Worm.Mail.Fanbot
为什么用瑞星的杀毒软件里的开机扫描内存和引导区却什么也查不出阿,用杀毒也查不到这个东西,只有我在玩游戏的时候他才查出来,说一杀掉这个木马,结果下次开机后玩游戏又有了
还有楼上的那种东西是怎么扫出来的阿,用什么工具的阿,麻烦给各能连接的连接
........................... |
下载地址在楼顶贴里有说明。
你可以到
http://endurer.ys168.com的
tools\系统分析和修复
里下载HijackThis。
endurer - 2005-12-20 22:56:00
【回复“蓝木马”的帖子】
干得漂亮!
建议把“中文上网”也清理掉。
endurer - 2005-12-20 23:00:00
【回复“huangzhuobing”的帖子】
有些中了灰鸽子的机子里的可能会找不到灰鸽子的DLL文件,可能是被杀软查杀了。
昨天帮一位网友查杀病毒,灰鸽子的几个DLL文件都报,但是作为系统服务启动的那个EXE文件则没有报。
详见:
又杀了一批病毒(第1版)
http://endurer.blogchina.com/3938079.html
endurer - 2005-12-20 23:14:00
【回复“leonlzy”的帖子】
如果你的电脑工作不正常,请说明情况。
建议为Win XP打上SP2
以下修复中的操作可参考:
http://forum.ikaka.com/topic.asp?board=28&artid=7422438&page=9
第125楼里的有关链接
重新启动到安全模式
如果使用了系统还原功能, 请先关闭此功能。
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:\WINDOWS\System32\vbsys2.dll
先用压缩软件(如WinRAR, WinZIP)打包备份,再把原文件删除。并在全部修复工作完成后,请把打包备份的文件发到endurer@163.com。
关闭所有文件夹和浏览器窗口,用HijackThis修复下列项目(如果你知道某项是安全的,可以不修复它):
R3 - 默认的URLSearchHook丢失。用HijackThis修复
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B}? - (no file)
O4 - 启动项HKLM\\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe(这一项需要你自己确认)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
清空IE临时文件夹
endurer - 2005-12-20 23:17:00
| 引用: |
【dahai2005的贴子】我快被灰鸽子搞死了,每次只有上搜狐网是时他才发作,登陆别的网站没事,瑞星的灰鸽子专杀,每次查杀均显示成功删除,可每次开机还在,实在是拿他没办法
........................... |
请把瑞星的杀毒记录导出来,并使用HijackThis扫描LOG,一起贴上来,方便大家讨论分析。
endurer - 2005-12-20 23:22:00
【回复“saddam”的帖子】
建议为Win XP打上SP2
以下修复中的操作可参考:
http://forum.ikaka.com/topic.asp?board=28&artid=7422438&page=9
第125楼里的有关链接
重新启动到安全模式
如果使用了系统还原功能, 请先关闭此功能。
停止并禁用服务:Spplication Layer Gateway Serv
卸载i&Bar搜索引擎,一搜,MMSAssist、 i&Bar搜索引擎
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:\WINDOWS\BDC.exe
C:\WINDOWS\BDC.dll
C:\WINDOWS\BDC_dll.dll
先用压缩软件(如WinRAR, WinZIP)打包备份,再把原文件删除。并在全部修复工作完成后,请把打包备份的文件发到endurer@163.com。
关闭所有文件夹和浏览器窗口,用HijackThis修复下列项目(如果你知道某项是安全的,可以不修复它):
R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O2 - BHO: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O2 - BHO: MMSAssist - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - (no file)
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll (file missing)
O3 - Toolbar: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O3 - Toolbar: (no name) - {115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5} - (no file)
O8 - Extra context menu item: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O8 - Extra context menu item: !搜一搜 - res://C:\Program Files\yisou\yisou.dll/232
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINDOWS\BDC.exe
清空IE临时文件夹
leniz - 2005-12-21 13:47:00
用卡卡查,日志没有不可识的服务,但是防火墙的系统状态中有一项,出现如下
问题,这个到底是不是病毒导致呀.
附件:
64058720051221134745.jpg
春城居士 - 2005-12-21 14:16:00
老大帮忙解决一下拉,中毒了,万分感激.
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 14:14:29, 日期 2005-12-21
操作系统: Windows XP SP2 (WinNT 5.01.2600)
浏览器: Unable to get Internet Explorer version!
当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
e:\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
e:\Rising\Rav\Ravmond.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
e:\Rising\Rav\RavStub.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
E:\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Thunder Network\Thunder\Thunder.exe
C:\Program Files\HijackThis1991汉化版\HijackThis1991zww.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: MacroMediapd - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINDOWS\system32\microapmddt.dll
O3 - IE工具栏增项: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\Program Files\Kingsoft\FastAIT 2006\IEBand.dll
O3 - IE工具栏增项: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\ThunderShell.exe" /s
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [DAEMON Tools-2052] "C:\Program Files\D-Tools\daemon.exe" -lang 2052
O4 - 启动项HKLM\\Run: [CSPContext] C:\WINDOWS\system32\CSPContext.exe
O4 - 启动项HKLM\\Run: [VikaClient] C:\Program Files\VIKA\vkclient.exe -iconmode
O4 - 启动项HKLM\\Run: [RavTask] "e:\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - IE右键菜单中的新增项目: 用比特精灵下载(&B) - C:\Program Files\BitSpirit\bsurl.htm
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6}? - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6}? - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF048EAD-FDEF-4046-BD9E-7D12E51B92D6}: NameServer = 10.28.1.1,10.28.1.2
O23 - NT 服务: acdsee - Unknown owner - C:\WINDOWS\asdsee.exe
O23 - NT 服务: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - e:\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - e:\Rising\Rav\Ravmond.exe
gerrywhj - 2005-12-21 15:37:00
有可以主动防御“灰鸽子”的软件,何需手工查杀灰鸽子。大家快试试微点主动防御软件吧。还等什么www.micropoint.com.cn。
gerrywhj - 2005-12-21 15:38:00
【回复“酷舞”的帖子】
有可以主动防御“灰鸽子”的软件,何需手工查杀灰鸽子。大家快试试微点主动防御软件吧。还等什么www.micropoint.com.cn。
jmyang - 2005-12-22 4:45:00
帮帮我忙看看呀,,已经郁闷了我几天了,系统变的越来越慢,有时候开了机就眼挣挣的看着那病毒出来,然后就死机,完全不能控制。。
请楼主详细点说说如何解决吧,不然系统就没救了
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 4:39:30, 日期 2005-12-22
操作系统: Windows XP SP1 (WinNT 5.01.2600)
浏览器: Internet Explorer v6.00 SP1 (6.00.2800.1106)
当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
C:\Program Files\Thunder Network\Thunder\ThunderShell.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\big5_gb2312.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\P30\LOCALS~1\Temp\Rar$EX00.787\HijackThis1991zww.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v9.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yphtb.dll (file missing)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\新建文件夹 (2)\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\YDRAGS~1.DLL (file missing)
O2 - BHO: MMSAssist - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BrowserHAP Class - {AEF6F648-78D8-4456-BEE7-5ADE23D209FD} - C:\PROGRA~1\HBClient\hapast.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - IE工具栏增项: 完美网译通 - {F43BD772-ABDD-43b7-A96A-3E9E61946EC0} - C:\WINDOWS\WORLD2\TOOLBAR\hmtoolbar.dll
O3 - IE工具栏增项: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O3 - IE工具栏增项: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\Program Files\Kingsoft\FastAIT 2005\IEBand.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - 启动项HKLM\\Run: [ATIPTA] rem C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - 启动项HKLM\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - 启动项HKLM\\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - 启动项HKLM\\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - 启动项HKLM\\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - 启动项HKLM\\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
O4 - 启动项HKLM\\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - 启动项HKLM\\Run: [IMSCMig] rem C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [WinampAgent] rem "C:\Program Files\Winamp\winampa.exe"
O4 - 启动项HKLM\\Run: [AirCardEnabler] rem C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - 启动项HKLM\\Run: [DataLayer] rem C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - 启动项HKLM\\Run: [PCSuiteTrayApplication] rem C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - 启动项HKLM\\Run: [TkBellExe] rem "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\ThunderShell.exe" /s
O4 - 启动项HKLM\\Run: [hbpassport] C:\PROGRA~1\HBClient\hbast.exe
O4 - 启动项HKLM\\Run: [Update] rem C:\Program Files\Common Files\UPDATE\Update.exe
O4 - 启动项HKLM\\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - 启动项HKLM\\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKCU\\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - 启动项HKCU\\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - 启动项HKCU\\Run: [Kugoo] rem C:\PROGRA~1\KuGoo2\KuGoo.exe
O4 - 启动项HKCU\\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O4 - “启动”文件夹: 腾讯QQ.lnk = ?
O8 - IE右键菜单中的新增项目: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\新建文件夹 (2)\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 使用Kugoo下载 - C:\PROGRA~1\KuGoo2\KugooDownX.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\新建文件夹 (2)\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\新建文件夹 (2)\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\新建文件夹 (2)\SendMMS.htm
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - 浏览器额外的按钮: 常用网址 - {36B39F01-7B48-44AD-A165-5849CD8EF562} - C:\WINDOWS\System32\SHDOCVW.DLL
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O9 - 浏览器额外的“工具”菜单项: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (2)\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (2)\QQ.EXE
O9 - 浏览器额外的按钮: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - 浏览器额外的“工具”菜单项: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - 浏览器额外的“工具”菜单项: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (BlueskyVideo Control) - http://www.bluesky.cn/download/v2_60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28d6ff2056116e745205/netzip/RdxIE601_cn.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {8135EF31-FE8C-4C6E-A18A-F59944C3A488} (Spocx Class) - http://ddddl.dudu.com/ddd/update/plugin/dddspocx.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {991481A7-4669-4E15-8C24-100404E1F5CB} (Blueskyvoice Control) - http://www.bluesky.cn/download/blueskyvoice_60.cab
O16 - DPF: {EF248BC9-F17D-4024-8868-71A5D22C667C} (Hbact.HbactObject) - http://download.henbang.net/download/updatelist/hap111.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{484836D1-9DD9-4269-BB82-58ECC2B978C5}: NameServer = 202.96.128.166 202.96.128.86
O17 - HKLM\System\CS1\Services\Tcpip\..\{484836D1-9DD9-4269-BB82-58ECC2B978C5}: NameServer = 202.96.128.166 202.96.128.86
O17 - HKLM\System\CS3\Services\Tcpip\..\{484836D1-9DD9-4269-BB82-58ECC2B978C5}: NameServer = 202.96.128.166 202.96.128.86
O23 - NT 服务: .Net Boot Service - Unknown owner - C:\WINDOWS\System32\big5_gb2312.exe
O23 - NT 服务: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - NT 服务: Local Network Service - Unknown owner - C:\WINDOWS\System32\SeedServ.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - NT 服务: Server3.0 (Server) - Unknown owner - C:\WINDOWS\lasae.exe
jmyang - 2005-12-22 4:57:00
杀了后重启又跑出来了,是不是瑞星不能完全杀这个病毒,如果每个人中了这毒都要手动去杀,那瑞星就变的很没价值了。。。升级到最新版也没用。。
病毒名称处理结果发现日期扫描方式路径文件病毒来源
Adware.Clicker.YNYW.b删除成功2005-12-18 11:28手动扫描C:\Program Files\Common Files\SANDdiskman.exe本机
Trojan.DL.Agent.dyq删除成功2005-12-18 11:28手动扫描C:\Program Files\Common Files\UPDATEupdate.exe本机
Hack.QQReg删除成功2005-12-18 11:49手动扫描D:\Downloadspoptang.rar>>2004102620124748\QQReg.exe>>VEUnpackFile本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 00:30手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:28手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:36手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:36手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:36手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:37手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:37手动扫描C:\WINDOWSlasae_HOOk.DLL本机
Backdoor.Gpigeon.ufu重新启动计算机后删除文件2005-12-22 02:37手动扫描C:\WINDOWSlasae_HOOk.DLL本机
鸦片战争 - 2005-12-22 9:44:00
楼主受累,帮我看一下
Logfile of Kaka v2. 0. 0. 3 Scan Module v2. 0. 0. 1
Scan saved at 09:42:52, on 2005-12-21
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
Running processes:
[smss.exe]
CommandLine =
[csrss.exe]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[winlogon.exe]
CommandLine = winlogon.exe
[services.exe]
CommandLine = C:\WINDOWS\system32\services.exe
[lsass.exe]
CommandLine = C:\WINDOWS\system32\lsass.exe
[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost -k DcomLaunch
[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss
[svchost.exe]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs
[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost.exe -k NetworkService
[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService
[rfwsrv.exe]
CommandLine = "d:\新建文件夹 (6)\rising\rfw\rfwsrv.exe"
[explorer.exe]
CommandLine = C:\WINDOWS\Explorer.EXE
[spoolsv.exe]
CommandLine = C:\WINDOWS\system32\spoolsv.exe
[rundll32.exe]
CommandLine = Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
[RFWMAIN.EXE]
CommandLine = -StartUp
[CCenter.exe]
CommandLine = "D:\新建文件夹 (6)\RISING\RAV\CCENTER.EXE"
[wdfmgr.exe]
CommandLine = C:\WINDOWS\system32\wdfmgr.exe
[SOUNDMAN.EXE]
CommandLine = "C:\WINDOWS\SOUNDMAN.EXE"
[rundll32.exe]
CommandLine = "C:\WINDOWS\system32\RunDll32.exe" cmicnfg.cpl,CMICtrlWnd
[alg.exe]
CommandLine = C:\WINDOWS\System32\alg.exe
[rundll32.exe]
CommandLine = "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\3721\helper.dll,Rundll32
[RavTask.exe]
CommandLine = "D:\新建文件夹 (6)\RISING\RAV\RAVTASK.EXE" -SYSTEM
[realsched.exe]
CommandLine = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[ylive.exe]
CommandLine = "C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe"
[yassistse.exe]
CommandLine = "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
[ctfmon.exe]
CommandLine = "C:\WINDOWS\system32\ctfmon.exe"
[RavMon.exe]
CommandLine = "D:\新建文件夹 (6)\Rising\Rav\Ravmon.exe" -SYSTEM
[QQ.EXE]
CommandLine = "D:\新建文件夹 (5)\QQ.exe"
[TIMPlatform.exe]
CommandLine = "D:\新建文件夹 (5)\TIMPlatform.exe" -Embedding
[QQ.EXE]
CommandLine = "D:\新建文件夹 (5)\QQ.exe"
[QQ.EXE]
CommandLine = "D:\新建文件夹 (5)\QQ.exe"
[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
[Thunder.exe]
CommandLine = "F:\龚斥遒\新建文件夹 (2)\Thunder.exe"
[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"
[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"
[KkScan.exe]
CommandLine = "D:\新建文件夹 (10)\KkScan.exe"
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yasbar.dll
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: IDDTInitObj Class - {15DDE989-CD45-4561-BF99-D22C0D5C2B74} - D:\PROGRA~1\sina\UC\UCddt\ddtinit.dll (file missing)
O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yphtb.dll
O2 - BHO: AntiFish Class - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yasbar.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\新建文件夹 (5)\QQIEHelper.dll
O2 - BHO: DragSearch BHO - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\YDRAGS~1.DLL
O2 - BHO: KillObj Class - {66C28884-4E5D-494B-80C9-CAA27528FD6D} - D:\PROGRA~1\sina\UC\UCddt\ddtkillw.ocx
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - D:\PROGRA~1\sina\UC\UCddt\DDTONG~1.DLL
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yasbar.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RfwMain] "D:\新建文件夹 (6)\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [RavTask] "D:\新建文件夹 (6)\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe nmgamex.dll,LiveProcess /aa
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - Startup: desktop.ini =
O4 - Startup: 新浪UC.lnk = D:\Program Files\sina\UC\uc.exe
O4 - Global Startup: desktop.ini =
O8 - Extra context menu item: &使用迅雷下载 - F:\龚斥遒\新建文件夹 (2)\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - F:\龚斥遒\新建文件夹 (2)\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\新建文件夹 (5)\AddToNetDisk.htm
O8 - Extra context menu item: 使用新浪下载助手下载 - D:\PROGRA~1\sina\UC\UCddt\sinadl.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\新建文件夹 (5)\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\新建文件夹 (5)\AddEmotion.htm
O9 - Extra Button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289}? - http://sms.3721.com/ie/index.htm?pid=206671_1006 (file missing)
O9 - Extra Button: 新浪UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - D:\Program Files\sina\UC\UC.exe
O9 - Extra Button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra Button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26}? - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=?allyesPara=816 (file missing)
O9 - Extra Button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/?source=Cns (file missing)
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (5)\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (5)\QQ.EXE
O9 - Extra Button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (5)\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (5)\QQIEHelper.dll
O9 - Extra Button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra Button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra Button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra Button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 网络实名
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://www.bliao.com/vchat/blueskyvoice.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D9BB7D0-332B-4436-9AE1-5741223B0EB9}: NameServer = 202.106.46.151 202.106.0.20
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\新建文件夹 (6)\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - D:\新建文件夹 (6)\RISING\RAV\CCENTER.EXE
O23 - Service: 強姦少女 (強姦少女) - - C:\WINDOWS\window.exe
endurer - 2005-12-22 13:32:00
| 引用: |
【leniz的贴子】用卡卡查,日志没有不可识的服务,但是防火墙的系统状态中有一项,出现如下
问题,这个到底是不是病毒导致呀.
........................... |
目前还不好下结论.
请使用HijackThis扫描一个启动项列表发上来,方便大家分析。
endurer - 2005-12-22 13:34:00
【回复“春城居士”的帖子】
不知你的电脑中了什么病毒?
以下修复中的操作可参考:
http://forum.ikaka.com/topic.asp?board=28&artid=7422438&page=9
第125楼里的有关链接
重新启动到安全模式
如果使用了系统还原功能, 请先关闭此功能。
停止并禁用服务acdsee
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:\WINDOWS\asdsee.exe
C:\WINDOWS\asdsee.dll
C:\WINDOWS\asdsee_dll.dll
C:\WINDOWS\asdsee_hook.dll
C:\WINDOWS\system32\microapmddt.dll
先用压缩软件(如WinRAR, WinZIP)打包备份,再把原文件删除。并在全部修复工作完成后,请把打包备份的文件发到endurer@163.com。
关闭所有文件夹和浏览器窗口,用HijackThis修复下列项目(如果你知道某项是安全的,可以不修复它):
O2 - BHO: MacroMediapd - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINDOWS\system32\microapmddt.dll
O4 - 启动项HKLM\\Run: [CSPContext] C:\WINDOWS\system32\CSPContext.exe(这个是中文之星智能狂拼的项目吗?)
O4 - 启动项HKLM\\Run: [VikaClient] C:\Program Files\VIKA\vkclient.exe -iconmode(这项需要你自己确认)
O23 - NT 服务: acdsee - Unknown owner - C:\WINDOWS\asdsee.exe
清空IE临时文件夹
endurer - 2005-12-22 13:50:00
【回复“jmyang”的帖子】
不知你的电脑中了什么病毒?
建议为Win XP打上SP2
以下修复中的操作可参考:
http://forum.ikaka.com/topic.asp?board=28&artid=7422438&page=9
第125楼里的有关链接
重新启动到安全模式
如果使用了系统还原功能, 请先关闭此功能。
卸载:i&Bar搜索引擎,MMSAssist,stdup,划词搜索(MoveSearch),RegBar,BrowserHAP,完美网译通
停止并禁用服务:
.Net Boot Service
Local Network Service
Server3.0 (Server)
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:\WINDOWS\System32\big5_gb2312.exe
C:\WINDOWS\System32\big5_gb2312.dll
C:\WINDOWS\System32\big5_gb2312_dll.dll
C:\WINDOWS\System32\big5_gb2312_hook.dll
C:\WINDOWS\System32\SeedServ.exe
C:\WINDOWS\System32\SeedServ.dll
C:\WINDOWS\System32\SeedServ_dll.dll
C:\WINDOWS\System32\SeedServ_hook.dll
C:\WINDOWS\lasae.exe
C:\WINDOWS\lasae.dll
C:\WINDOWS\lasae_dll.dll
C:\WINDOWS\lasae_hook.dll
先用压缩软件(如WinRAR, WinZIP)打包备份,再把原文件删除。并在全部修复工作完成后,请把打包备份的文件发到endurer@163.com。
关闭所有文件夹和浏览器窗口,用HijackThis修复下列项目(如果你知道某项是安全的,可以不修复它):
O2 - BHO: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O2 - BHO: MMSAssist - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: BrowserHAP Class - {AEF6F648-78D8-4456-BEE7-5ADE23D209FD} - C:\PROGRA~1\HBClient\hapast.dll
O3 - IE工具栏增项: 完美网译通 - {F43BD772-ABDD-43b7-A96A-3E9E61946EC0} - C:\WINDOWS\WORLD2\TOOLBAR\hmtoolbar.dll
O3 - IE工具栏增项: i&Bar搜索引擎 - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - C:\PROGRA~1\iBar\10002\iBar.dll
O4 - 启动项HKLM\\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - 启动项HKLM\\Run: [hbpassport] C:\PROGRA~1\HBClient\hbast.exe
O4 - 启动项HKLM\\Run: [Update] rem C:\Program Files\Common Files\UPDATE\Update.exe
O4 - 启动项HKLM\\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - 启动项HKCU\\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O8 - IE右键菜单中的新增项目: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O9 - 浏览器额外的按钮: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O9 - 浏览器额外的“工具”菜单项: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O16 - DPF: {8135EF31-FE8C-4C6E-A18A-F59944C3A488} (Spocx Class) - http://ddddl.dudu.com/ddd/update/plugin/dddspocx.cab
O16 - DPF: {EF248BC9-F17D-4024-8868-71A5D22C667C} (Hbact.HbactObject) - http://download.henbang.net/download/updatelist/hap111.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O23 - NT 服务: .Net Boot Service - Unknown owner - C:\WINDOWS\System32\big5_gb2312.exe
O23 - NT 服务: Local Network Service - Unknown owner - C:\WINDOWS\System32\SeedServ.exe
O23 - NT 服务: Server3.0 (Server) - Unknown owner - C:\WINDOWS\lasae.exe
清空IE临时文件夹
endurer - 2005-12-22 13:54:00
【回复“鸦片战争”的帖子】
以下修复中的操作可参考:
http://forum.ikaka.com/topic.asp?board=28&artid=7422438&page=9
第125楼里的有关链接
重新启动到安全模式
如果使用了系统还原功能, 请先关闭此功能。
停止并禁用服务:強姦少女 (強姦少女)
设置系统显示所有文件和文件夹,不隐藏已知文件类型扩展名
寻找如下文件:
C:\WINDOWS\window.exe
C:\WINDOWS\window.dll
C:\WINDOWS\window_dll.dll
C:\WINDOWS\window_hook.dll
先用压缩软件(如WinRAR, WinZIP)打包备份,再把原文件删除。并在全部修复工作完成后,请把打包备份的文件发到endurer@163.com。
关闭所有文件夹和浏览器窗口,用HijackThis修复下列项目(如果你知道某项是安全的,可以不修复它):
O4 - Startup: desktop.ini =
O4 - Global Startup: desktop.ini =
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O23 - Service: 強姦少女 (強姦少女) - - C:\WINDOWS\window.exe
清空IE临时文件夹
leniz - 2005-12-22 18:19:00
扫描日志:
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - I:\WINNT\system32\kakatool.dll
O4 - HKLM\..\Run: [RfwMain] "G:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "g:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RavScanBD] "G:\Program Files\Rising\Rav\ScanBD.exe" /INST
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\soft\softBak\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音传送带下载 - G:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - G:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\soft\softBak\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\soft\softBak\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\soft\softBak\QQ\SendMMS.htm
O8 - Extra context menu item: 转换为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {52DF16E3-6C4F-4B22-8BAF-09263E463B48} - http://zs.kingsoft.com/KOSInit.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6F6018-8474-471F-91B1-F8FB8FA91F34}: NameServer = 202.96.128.86
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - I:\WINNT\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - I:\WINNT\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - I:\WINNT\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - I:\WINNT\system32\msdxm.ocx
O20 - Winlogon Notify: wzcnotif
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\system32\dmadmin.exe /com
O23 - Service: Macromedia Licensing Service (Macromedia Licensing Service) - - "I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
O23 - Service: MGABGEXE (MGABGEXE) - Matrox Graphics Inc. - I:\WINNT\system32\mgabg.exe
O23 - Service: NetWorker Backup and Recover Server (nsrd) - - C:\win32app\nsr\bin\nsrd
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - - C:\win32app\nsr\bin\nsrexecd
O23 - Service: OracleAgent80 (OracleAgent80) - oracle - G:\oracle\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 (OracleClientCache80) - - G:\oracle\BIN\ONRSD80.EXE
O23 - Service: OracleDataGatherer (OracleDataGatherer) - - G:\oracle\bin\vppdc.exe
O23 - Service: OracleExtprocAgent (OracleExtprocAgent) - - G:\oracle\BIN\EXTPROCT.EXE extproc
O23 - Service: OracleNamesService (OracleNamesService) - - G:\oracle\BIN\NAMES.EXE
O23 - Service: OracleNamesService80 (OracleNamesService80) - - G:\oracle\BIN\NAMES80.EXE
O23 - Service: OracleServiceORCL (OracleServiceORCL) - Oracle Corporation - g:\oracle\bin\oracle80.exe ORCL
O23 - Service: OracleSNMPPeerEncapsulator (OracleSNMPPeerEncapsulator) - - G:\oracle\BIN\ENCSVC.EXE
O23 - Service: OracleSNMPPeerMasterAgent (OracleSNMPPeerMasterAgent) - - G:\oracle\BIN\AGNTSVC.EXE
O23 - Service: OracleStartORCL (OracleStartORCL) - - G:\oracle\BIN\strtdb80.exe
O23 - Service: OracleTNSListener (OracleTNSListener) - - G:\oracle\BIN\TNSLSNR.EXE
O23 - Service: OracleTNSListener80 (OracleTNSListener80) - - G:\oracle\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant (OracleWebAssistant) - Oracle Corporation - G:\oracle\bin\OWASTsvr.exe
O23 - Service: Storage Management Portmapper (portmap) - - C:\win32app\nsr\bin\portmap
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - g:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "g:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "g:\Program Files\Rising\Rav\Ravmond.exe"
ff0527 - 2005-12-23 12:20:00
谢谢帮我看一下,我的好象也中毒了,瑞星软件清除后,开机又有了。
Logfile of HijackThis v1.99.1
Scan saved at 12:17:42, on 2005-12-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.MS-48F2201CCA42\My Documents\新建\新建文件夹\155847200541134207\HijackThis.exe
O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\qq\QQIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AddrPlus2] RUNDLL32.EXE C:\PROGRA~1\TENCENT\AddrPlus\QAHook.dll,Rundll32
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Startup: 行政事业软件控制台.LNK = D:\GENERSOFT\MYGS_PSERIES\KZT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\qq\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\qq\QQIEHelper.dll
O11 - Options group: [TBH] QQ地址栏搜索插件
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {2354A44B-3CEB-4829-9940-545B03103538} (PowerPlr Control) - http://bbsky.wuhan.net.cn/xintv/plugin/PowerPlr.ocx
O16 - DPF: {DF6FE46D-1D23-4668-AD3A-CDEA1262B282} (PowerDld Control) - http://bbsky.wuhan.net.cn/plugin/PowerDld.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B83047-5BD5-4A40-B1E3-347F42EF6F77}: NameServer = 10.107.252.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
影子110 - 2005-12-23 12:41:00
| 引用: |
【ff0527的贴子】谢谢帮我看一下,我的好象也中毒了,瑞星软件清除后,开机又有了。
........................... |
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe鸽子~~
请参考本帖主帖的查杀办法~~
ff0527 - 2005-12-23 13:36:00
| 引用: |
【影子110的贴子】
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe鸽子~~
请参考本帖主帖的查杀办法~~
........................... |
前面介绍的方法好象都不一样,我还是不太清楚,到底是哪一个,谢谢指点
0o斩月o0 - 2005-12-23 20:40:00
帮我看看,我“中奖”了
Logfile of HijackThis v1.99.1
Scan saved at 20:35:44, on 2005-12-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\daemon tools\daemon.exe
C:\WINDOWS\system32\8ledm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
D:\qq\TIMPlatform.exe
D:\qq\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\酷狗\KuGoo3\KuGoo.exe
D:\winRAR\WinRAR.exe
C:\DOCUME~1\zhangpei\LOCALS~1\Temp\Rar$EX00.140\HijackThis.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v9.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yasbar.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\qq\QQIEHelper.dll
O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINDOWS\System32\aclayer.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\YDRAGS~1.DLL
O2 - BHO: MMSAssist - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: Helper Class - {6E28339B-7A2A-47B6-AEB2-197004272379} - C:\WINDOWS\vchelper.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\酷狗\KuGoo3\KuGoo3DownXControl.ocx
O2 - BHO: CAP Class - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINDOWS\system32\dtap.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86}? - (no file)
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] rem "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] rem C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] rem C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] rem HDAShCut.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StormCodec_Helper] rem "D:\realone player\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [DAEMON Tools-2052] "D:\daemon tools\daemon.exe" -lang 2052
O4 - HKLM\..\Run: [Thunder] rem "D:\迅雷\ThunderShell.exe" /s
O4 - HKLM\..\Run: [SEDMAD] C:\WINDOWS\system32\8ledm.exe "-sedmreg"
O4 - HKLM\..\Run: [Update] rem C:\Program Files\Common Files\Upd\Update.exe
O4 - HKLM\..\Run: [KuGoo3] D:\酷狗\KuGoo3\KuGoo.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [sysupate] rem C:\WINDOWS\system32\NtSysUpdate.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] rem "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [CnsMin] rem Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] rem "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [KuGoo3] rem "D:\酷狗\KuGoo3\KuGoo.exe"
O4 - HKCU\..\Run: [升级程序] rem C:\Program Files\Internet Explorer\2052\aupdate.exe
O4 - HKCU\..\Run: [update] rem C:\Program Files\Internet Explorer\IE Uninstall\aupdate.exe
O4 - HKCU\..\Run: [updata] c:\Program Files\Internet Explorer\IE Uninstall\aupdate.exe
O8 - Extra context menu item: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O8 - Extra context menu item: &使用迅雷下载 - D:\迅雷\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\迅雷\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用KuGoo3下载(&K) - D:\酷狗\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\qq\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll/246
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\游戏\浩方\浩方对战平台\GameClient.exe
O9 - Extra button: (no name) - {3FFD59AA-280D-4AB3-B420-0CFF2B332316} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/?source=Cns (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O9 - Extra 'Tools' menuitem: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\qq\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\qq\QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2} (QQPlayer Control) - http://imgcache.qq.com/music/QQMusicSetup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (CPasswordEditCtrl Object) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{051EC677-085E-4660-BC1B-9D9EF7E15274}: NameServer = 202.96.209.133 202.109.116.116
O17 - HKLM\System\CS1\Services\Tcpip\..\{051EC677-085E-4660-BC1B-9D9EF7E15274}: NameServer = 202.96.209.133 202.109.116.116
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\Systeme.exe (file missing)
O23 - Service: Windows Management Network Log (Msinlog) - Unknown owner - C:\WINDOWS\Msinfo32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
影子110 - 2005-12-23 23:27:00
| 引用: |
【0o斩月o0的贴子】帮我看看,我“中奖”了
........................... |
大奖,,小奖,,都有了~~~
建 议你卸去IE上的那些没用的插件~~
用杀间谍的软件查杀一下~~~(如下面的链接 中的这两个~~~有中文版的)
http://forum.ikaka.com/topic.asp?board=67&artid=7421183
【教程】Ad-Aware SE图文介绍
【教程】Spybot - Search & Destroy图文介绍
另,
C:\WINDOWS\system32\8ledm.exe
O2 - BHO: CAP Class - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINDOWS\system32\dtap.dll
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: Helper Class - {6E28339B-7A2A-47B6-AEB2-197004272379} - C:\WINDOWS\vchelper.dll
O4 - HKLM\..\Run: [sysupate] rem C:\WINDOWS\system32\NtSysUpdate.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [升级程序] rem C:\Program Files\Internet Explorer\2052\aupdate.exe
O4 - HKCU\..\Run: [update] rem C:\Program Files\Internet Explorer\IE Uninstall\aupdate.exe
O4 - HKCU\..\Run: [updata] c:\Program Files\Internet Explorer\IE Uninstall\aupdate.exe
上面的几个,,,好像都有问题~~~
下面的疑似鸽子~~~
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\Systeme.exe (file missing)
O23 - Service: Windows Management Network Log (Msinlog) - Unknown owner - C:\WINDOWS\Msinfo32.exe
bobone - 2005-12-24 7:51:00
我中的鸽子好奇怪!
开机后诺顿监控查出在c:\WINDOWS\.DLL文件是灰鸽子病毒,已经删除。然后再怎么查也查不出病毒,由于没有文件名所以在安全模式下也找不到,瑞星也查不出该病毒。请大侠帮忙看看!!
jmyang - 2005-12-24 19:29:00
再帮我多看一下,,瑞星杀不了了,用瑞星查是灰鸽子, 每次杀了重启就又出来,,
在进程里看,services.exe lasae.exe 这两个程序使用CPU率经常都是100%的,导致启动电脑后3分钟就死机自动重启。。
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 19:23:29, 日期 2005-12-24
操作系统: Windows XP SP1 (WinNT 5.01.2600)
浏览器: Internet Explorer v6.00 SP1 (6.00.2800.1106)
当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Thunder Network\Thunder\Thunder.exe
C:\Program Files\rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\P30\LOCALS~1\Temp\Rar$EX00.853\HijackThis1991zww.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v9.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\yphtb.dll (file missing)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\新建文件夹 (2)\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\YDRAGS~1.DLL (file missing)
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - IE工具栏增项: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - IE工具栏增项: (no name) - {2E7D3330-EB94-4518-B0FE-E05379A5C1DA} - (no file)
O3 - IE工具栏增项: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\Program Files\Kingsoft\FastAIT 2005\IEBand.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - 启动项HKLM\\Run: [ATIPTA] rem C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - 启动项HKLM\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - 启动项HKLM\\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - 启动项HKLM\\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - 启动项HKLM\\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
O4 - 启动项HKLM\\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - 启动项HKLM\\Run: [IMSCMig] rem C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [WinampAgent] rem "C:\Program Files\Winamp\winampa.exe"
O4 - 启动项HKLM\\Run: [AirCardEnabler] rem C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - 启动项HKLM\\Run: [DataLayer] rem C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - 启动项HKLM\\Run: [PCSuiteTrayApplication] rem C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - 启动项HKLM\\Run: [TkBellExe] rem "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\ThunderShell.exe" /s
O4 - 启动项HKLM\\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKCU\\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - 启动项HKCU\\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - 启动项HKCU\\Run: [Kugoo] rem C:\PROGRA~1\KuGoo2\KuGoo.exe
O4 - 启动项HKCU\\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O4 - “启动”文件夹: 腾讯QQ.lnk = ?
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\新建文件夹 (2)\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 使用Kugoo下载 - C:\PROGRA~1\KuGoo2\KugooDownX.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\新建文件夹 (2)\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\新建文件夹 (2)\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\新建文件夹 (2)\SendMMS.htm
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (2)\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\新建文件夹 (2)\QQ.EXE
O9 - 浏览器额外的按钮: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - 浏览器额外的“工具”菜单项: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - 浏览器额外的“工具”菜单项: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (BlueskyVideo Control) - http://www.bluesky.cn/download/v2_60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28d6ff2056116e745205/netzip/RdxIE601_cn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135422900731
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {991481A7-4669-4E15-8C24-100404E1F5CB} (Blueskyvoice Control) - http://www.bluesky.cn/download/blueskyvoice_60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{484836D1-9DD9-4269-BB82-58ECC2B978C5}: NameServer = 202.96.128.166 202.96.128.86
O23 - NT 服务: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - NT 服务: Server3.0 (Server) - Unknown owner - C:\WINDOWS\lasae.exe
dreamru - 2005-12-24 20:43:00
我也中了,不过安全删除
阿墨 - 2005-12-24 21:13:00
快帮小弟看看阿!!!!
Logfile of HijackThis v1.99.1
Scan saved at 19:49:37, on 2005-12-24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\瑞星\防火墙\Rising\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\瑞星\防火墙\Rising\Rising\Rfw\RfwMain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ringz Studio\Storm Codec\realplay.exe
D:\WinRAR\WinRAR.exe
C:\Program Files\Tencent\QQ\157804708\MyRecvFiles\155847200541134207\155847200541134207\HijackThis.exe
C:\Program Files\Tencent\QQ\QQexternal.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v5.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCIT Memory Manager - {2CE7166E-8BBA-4E76-BA7E-02AB3C573011} - C:\WINDOWS\DOWNLO~1\cytdcli.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CApp] C:\WINDOWS\System32\capp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StormCodec_Helper] "D:\暴风影音\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RfwMain] "D:\瑞星\防火墙\Rising\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [迅雷4] D:\安装程序\新建文件夹 (3)\TDUpdate.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Kugoo] D:\下载软件\KuGoo2\KuGoo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &使用迅雷下载 - D:\安装程序\新建文件夹 (3)\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\安装程序\新建文件夹 (3)\getAllurl.htm
O8 - Extra context menu item: 使用Kugoo下载 - D:\下载软件\KuGoo2\KugooDownX.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度-搜索MP3 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度-搜索图片 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度-搜索新闻 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 百度-搜索歌词 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDULYRIC.HTM
O8 - Extra context menu item: 百度-搜索网页 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度-搜索贴吧 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUPOST.HTM
O8 - Extra context menu item: 百度-词典搜索 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDU_DIC.HTM
O9 - Extra button: 中文域名 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
O9 - Extra 'Tools' menuitem: 中文域名 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F381FC65-D92D-4410-B865-E4E9713994E8} (Cytd Encipherment Memory) - http://202.99.42.177/sso/ccitpay.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD79A9C-09A7-4E48-A5E8-135ACE00618F}: NameServer = 202.106.46.151 202.106.0.20
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - D:\瑞星\防火墙\Rising\Rising\Rfw\rfwsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
ljf258 - 2005-12-25 10:19:00
我的扫描日志,高手帮帮忙!
Logfile of HijackThis v1.99.1
Scan saved at 10:18:08, on 2005-12-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\VnetClient1.6\VnetClient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\liaojinfeng\My Documents\ravgpk.exe
D:\Downloads\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\KuGoo3\KuGoo3DownXControl.ocx
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [Super Rabbit SRRestore] C:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\超级BT下载软件\Shareaza.exe" -tray
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用KuGoo3下载(&K) - D:\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\qq\SendMMS.htm
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35677C34-1854-4915-8D5A-8DD4F0C5C32A}: NameServer = 202.96.128.166 202.96.128.86
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Smarytcer RSVPE (RSVPE) - Unknown owner - C:\WINDOWS\RSVPE.exe
追星一族 - 2005-12-25 11:17:00
“街头篮球”游戏有灰鸽子病毒。每次玩后,在瑞星监控日记中均有记录(Backdoor.Gpigeon)。按楼主提示,将system.exe、system.dll、system_dll.dll、system_HOOK.DLL四项进行搜索,其中system.exe、system_dll.dll、system_HOOK.DLL未找到,system.dll在c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322和v2.0.50727里,不会是灰鸽子病毒吧。为了安全,我已把“街头篮球”游戏卸载了。
leniz - 2005-12-25 13:35:00
帮我看看。
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - I:\WINNT\system32\kakatool.dll
O4 - HKLM\..\Run: [RfwMain] "G:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "g:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RavScanBD] "G:\Program Files\Rising\Rav\ScanBD.exe" /INST
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\soft\softBak\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音传送带下载 - G:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - G:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\soft\softBak\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\soft\softBak\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\soft\softBak\QQ\SendMMS.htm
O8 - Extra context menu item: 转换为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {52DF16E3-6C4F-4B22-8BAF-09263E463B48} - http://zs.kingsoft.com/KOSInit.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6F6018-8474-471F-91B1-F8FB8FA91F34}: NameServer = 202.96.128.86
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - I:\WINNT\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - I:\WINNT\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - I:\WINNT\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - I:\WINNT\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - I:\WINNT\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - I:\WINNT\system32\msdxm.ocx
O20 - Winlogon Notify: wzcnotif
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\system32\dmadmin.exe /com
O23 - Service: Macromedia Licensing Service (Macromedia Licensing Service) - - "I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
O23 - Service: MGABGEXE (MGABGEXE) - Matrox Graphics Inc. - I:\WINNT\system32\mgabg.exe
O23 - Service: NetWorker Backup and Recover Server (nsrd) - - C:\win32app\nsr\bin\nsrd
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - - C:\win32app\nsr\bin\nsrexecd
O23 - Service: OracleAgent80 (OracleAgent80) - oracle - G:\oracle\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 (OracleClientCache80) - - G:\oracle\BIN\ONRSD80.EXE
O23 - Service: OracleDataGatherer (OracleDataGatherer) - - G:\oracle\bin\vppdc.exe
O23 - Service: OracleExtprocAgent (OracleExtprocAgent) - - G:\oracle\BIN\EXTPROCT.EXE extproc
O23 - Service: OracleNamesService (OracleNamesService) - - G:\oracle\BIN\NAMES.EXE
O23 - Service: OracleNamesService80 (OracleNamesService80) - - G:\oracle\BIN\NAMES80.EXE
O23 - Service: OracleServiceORCL (OracleServiceORCL) - Oracle Corporation - g:\oracle\bin\oracle80.exe ORCL
O23 - Service: OracleSNMPPeerEncapsulator (OracleSNMPPeerEncapsulator) - - G:\oracle\BIN\ENCSVC.EXE
O23 - Service: OracleSNMPPeerMasterAgent (OracleSNMPPeerMasterAgent) - - G:\oracle\BIN\AGNTSVC.EXE
O23 - Service: OracleStartORCL (OracleStartORCL) - - G:\oracle\BIN\strtdb80.exe
O23 - Service: OracleTNSListener (OracleTNSListener) - - G:\oracle\BIN\TNSLSNR.EXE
O23 - Service: OracleTNSListener80 (OracleTNSListener80) - - G:\oracle\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant (OracleWebAssistant) - Oracle Corporation - G:\oracle\bin\OWASTsvr.exe
O23 - Service: Storage Management Portmapper (portmap) - - C:\win32app\nsr\bin\portmap
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - g:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "g:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "g:\Program Files\Rising\Rav\Ravmond.exe"
© 2000 - 2026 Rising Corp. Ltd.