Rising Kaka Security Forum

Help!! Something runs automatically after boot.
09090330 - 2005-11-28 12:30:00
As shown in the picture, it runs automatically every time I boot up. Clicking Close shuts it, but I don't know what program it is. Can someone help me figure out how to remove it?

Scan log:
当前运行的进程:         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\KAV2005\KWatch.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\KAV2005\KPfwSvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis1991汉化版\HijackThis1991zww.exe

R3 - URLSearchHook: (no name) - {C55B0F89-016E-6CA8-0E7C-615FBAB4B73F} - RtlFindVal.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\QQ\QQIEHelper.dll
O2 - BHO: Name - {877F7C8D-53CC-4C94-9B60-2F3D2EAF9085} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\flashget\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - C:\PROGRA~1\KuGoo3\KUGOO3~1.OCX (file missing)
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - IE工具栏增项: Search - {E7D5E156-3681-4AA3-A3EE-DD94F03554FE} - (no file)
O3 - IE工具栏增项: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O3 - IE工具栏增项: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - IE工具栏增项: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\flashget\FLASHGET\fgiebar.dll
O3 - IE工具栏增项: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [_ctcp] syspanel.exe
O4 - HKCU\..\Run: [KeywordFinder] mozilla-text.exe
O4 - HKCU\..\Run: [br0ken] WhatsNewBot.exe
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\Program Files\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - D:\Program Files\flashget\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - D:\Program Files\flashget\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 加入POCO网摘(&K) - http://my.poco.cn/fav/rightClick.php
O8 - IE右键菜单中的新增项目: 我的POCO网摘(&O) - http://my.poco.cn/fav/open_myfav.php
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Program Files\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Program Files\QQ\AddEmotion.htm
O9 - 浏览器额外的按钮: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的“工具”菜单项: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\QQ\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\QQ\QQ.EXE
O9 - 浏览器额外的按钮: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - 浏览器额外的按钮: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\flashget\FLASHGET\flashget.exe
O9 - 浏览器额外的“工具”菜单项: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\flashget\FLASHGET\flashget.exe
O9 - 浏览器额外的按钮: 易趣购物 - {DE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - 浏览器额外的“工具”菜单项: 易趣购物 - {DE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\QQ\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\QQ\QQIEHelper.dll
O9 - 浏览器额外的按钮: Search - {E7D5E156-3681-4AA3-A3EE-DD94F03554FE} - C:\WINDOWS\system32\shdocvw.dll
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt03.com/dialer/int_ver32b.CAB
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - file://E:\操作系统05-05-12-1\VGAPlayer.cab
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bbmedia.qq.com/media/QQLiveSetup.exe
O16 - DPF: {A2A63268-7BBE-48DC-B462-7AB5812DB159} (VDLCtrl Class) - http://qqdl.tencent.com/VDLCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37563488-1F4C-4A45-9240-A896B662CBBB}: NameServer = 85.255.113.118,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{8005F1A1-9320-413D-A9FE-50366E3D6E9E}: NameServer = 85.255.113.118,85.255.112.100
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{37563488-1F4C-4A45-9240-A896B662CBBB}: NameServer = 85.255.114.56,85.255.112.114
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{37563488-1F4C-4A45-9240-A896B662CBBB}: NameServer = 85.255.113.118,85.255.112.100
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS3\Services\Tcpip\..\{37563488-1F4C-4A45-9240-A896B662CBBB}: NameServer = 85.255.113.118,85.255.112.100
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O18 - 列举现有的协议: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O20 - AppInit_DLLs: APIHookDll.dll
O20 - Winlogon Notify: WB - C:\WINDOWS\
O23 - NT 服务: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - C:\KAV2005\KPfwSvc.EXE
O23 - NT 服务: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - C:\KAV2005\KWatch.EXE

Attachment: 62835320051128202932.JPG
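The HijackThis log above is the kind of listing that BlackStone triages by eye in the next reply. As an added example (not part of the thread, and not a HijackThis or Rising tool), here is a small Python parser for that log format that flags the entry types most often used by unwanted software: O4 autoruns given as a bare file name, O17 DNS overrides that point at public resolvers not on an allowlist, O20 AppInit_DLLs / Winlogon Notify load points, and stale entries whose file is missing. The sample is a constructed subset of the lines quoted above; the `trusted_dns` parameter, the private-address exception and the severity labels are my own choices, not anything the tool defines.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HijackThis lines quoted in the first post,
# kept verbatim so the output can be compared with the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C55B0F89-016E-6CA8-0E7C-615FBAB4B73F} - RtlFindVal.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\flashget\FLASHGET\jccatch.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [_ctcp] syspanel.exe
O4 - HKCU\..\Run: [br0ken] WhatsNewBot.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{37563488-1F4C-4A45-9240-A896B662CBBB}: NameServer = 85.255.113.118,85.255.112.100
O20 - AppInit_DLLs: APIHookDll.dll
O20 - Winlogon Notify: WB - C:\WINDOWS\
O23 - NT 服务: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - C:\KAV2005\KPfwSvc.EXE
"""

# "R3 - ..." / "O4 - ...": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^.*?: \[[^\]]*\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<ips>[^\s]+)")


def _untrusted_dns(ip_list, trusted_dns):
    """Resolver addresses that are neither allow-listed nor private (LAN) addresses."""
    out = []
    for ip in ip_list:
        if ip in trusted_dns:
            continue
        try:
            if ip_address(ip).is_private:   # e.g. the home router: normal, not a hijack
                continue
        except ValueError:
            pass                            # malformed address: report it as well
        out.append(ip)
    return out


def triage(log_text, trusted_dns=frozenset()):
    """Return findings {section, severity, reason, line} for a HijackThis-format log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        # Leftovers whose file no longer exists: harmless, but cleanup candidates.
        if "(file missing)" in body or "(no file)" in body:
            findings.append({"section": sec, "severity": "low",
                             "reason": "entry points at a missing file; stale leftover, safe to clean up",
                             "line": line})
        if sec == "O4":
            o4 = O4_RE.match(body)
            cmd = (o4.group("cmd") if o4 else body).strip().strip('"')
            # A bare file name is resolved through the search path at logon, so the log
            # alone does not say which file runs: locate it on disk first.
            if "\\" not in cmd:
                findings.append({"section": sec, "severity": "high",
                                 "reason": "autorun given as a bare file name, no path: find the real file and its publisher",
                                 "line": line})
        elif sec == "O17":
            ips = O17_RE.search(body)
            bad = _untrusted_dns(ips.group("ips").split(","), trusted_dns) if ips else []
            if bad:
                findings.append({"section": sec, "severity": "high",
                                 "reason": "DNS servers overridden to " + ",".join(bad) + "; confirm they are your ISP's resolvers",
                                 "line": line})
        elif sec == "O20":
            # AppInit_DLLs loads into every GUI process, Winlogon Notify into winlogon itself.
            findings.append({"section": sec, "severity": "high",
                             "reason": "system-wide DLL load point; verify the DLL exists and who signed it",
                             "line": line})
    return findings


def count_by_severity(findings):
    """Small rollup for a report header."""
    out = {}
    for f in findings:
        out[f["severity"]] = out.get(f["severity"], 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['section']:<3} {f['reason']}\n        {f['line']}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

On the sample it reports one stale R3 hook, the two bare-name O4 autoruns that BlackStone quotes in his first reply, the O17 DNS override and both O20 load points; pass your ISP's resolver addresses in `trusted_dns` to silence the O17 check for a machine whose DNS is set deliberately.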
BlackStone - 2005-11-28 12:33:00
O4 - HKCU\..\Run: [_ctcp] syspanel.exe
O4 - HKCU\..\Run: [KeywordFinder] mozilla-text.exe
O4 - HKCU\..\Run: [br0ken] WhatsNewBot.exe
09090330 - 2005-11-28 12:36:00
Thanks in advance, let me try.
09090330 - 2005-11-28 14:04:00
Still no good, it can't be killed. Someone please help me.

In the registry there are no extra startup entries under RUN or RUN SERVICE, and this program doesn't seem to be in the startup items. I don't know where it is hiding.
BlackStone - 2005-11-28 14:14:00
C:\WINDOWS\system32\netdde.exe
09090330 - 2005-11-28 14:39:00
netdde - netdde.exe - Process information
Process file: netdde or netdde.exe
Process name: Microsoft Windows Network DDE server

Description: netdde.exe is Microsoft Windows' Network Dynamic Data Exchange service. It is used to help exchange data over the network. This is not a pure system program, but terminating it may cause unknown problems.

BlackStone - 2005-11-28 14:43:00
Is your system a Server edition?
BlackStone - 2005-11-28 14:44:00
Save a log with Autoruns and post it.
To save the log: choose the File->Save menu item.
When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after setting it, click the Refresh button on the toolbar).

For downloading and using the tool, see post #14 at http://forum.ikaka.com/topic.asp?board=28&artid=7318038
09090330 - 2005-11-28 15:01:00
Hello,
My system is XP Professional. That information was something I found online and pasted here; I don't actually understand what's going on. I did as you said, but when uploading it says my file type is wrong; neither TXT nor RAR works. How should I upload it? Thank you.
BlackStone - 2005-11-28 15:05:00
Just paste the log contents directly.

When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after setting it, click the Refresh button on the toolbar).

09090330 - 2005-11-28 15:13:00
Autoruns Entry | Description | Publisher | Image Path

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KavStart | Kingsoft Security Center 2005 | Kingsoft Corporation | c:\kav2005\kavstart.exe
yaemu.exe | | | c:\windows\system32\yaemu.exe

HKLM\System\CurrentControlSet\Services
KPfwSvc | Kingsoft Firewall Service for Windows 2000 | Kingsoft Corporation | c:\kav2005\kpfwsvc.exe
KWatchSvc | 金山毒霸文件实时防毒服务程序 | Kingsoft Corporation | c:\kav2005\kwatch.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
金山毒霸2005 | Kingsoft Antivirus Explorer Integration | Kingsoft Corporation | c:\kav2005\kavext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
IeCatch2 Class | jccatch Module | Amaze Soft | d:\program files\flashget\flashget\jccatch.dll
QQBrowserHelperObject Class | QQIEHelper Module | 深圳市腾讯计算机系统有限公司 | d:\program files\qq\qqiehelper.dll
百度搜霸 | BaiduBar Module | | c:\windows\downloaded program files\baidubar.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
wormexe | | | File not found: RtlFindVal.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar
BaiduBar | BaiduBar Module | | c:\windows\downloaded program files\baidubar.dll
FlashGet Bar | FlashGet IE Bar | Amaze Soft | d:\program files\flashget\flashget\fgiebar.dll
SearchToolbar | | | \

HKLM\Software\Microsoft\Internet Explorer\Extensions
&FlashGet | FlashGet | Amaze Soft | d:\program files\flashget\flashget\flashget.exe
kele8 | | | File not found: http://www.kele8.com/
腾讯QQ | QQ | TENCENT | d:\program files\qq\qq.exe
易趣购物 | | | File not found: http://click2.ad4all.net/url2/urlmanage/url.asp?id=1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
APIHookDll.dll | | | File not found: APIHookDll.dll
09090330 - 2005-11-28 19:48:00
yaemu.exe | | | c:\windows\system32\yaemu.exe

Is this the problem? If so, can I just select this entry in Autoruns and right-click DELETE? Thank you.
09090330 - 2005-11-28 20:31:00
I'm stumped. I deleted yaemu.exe and it still doesn't work. Someone please help me...
salaried - 2005-11-28 20:41:00
Try Kaka Security Assistant.
09090330 - 2005-11-28 21:04:00
Hello, when I used the startup item manager in Kaka Security Assistant there were two entries: one is Kavstart, the other is desktop.ini. Should I delete desktop.ini? Thanks.
09090330 - 2005-11-29 9:18:00
I don't dare delete that desktop.ini thing; I don't know whether it is related to the desktop icons... So frustrating...
BlackStone - 2005-11-29 9:29:00
Use procexp to see which process that window is popped up by.
See post #6 at http://forum.ikaka.com/topic.asp?board=28&artid=7318038&page=1

09090330 - 2005-11-29 9:41:00
When I checked, a dialog popped up: "Unable to find the window's owning process in the current process list." OK
BlackStone - 2005-11-29 12:39:00
What is the content of desktop.ini?
09090330 - 2005-11-29 14:12:00
Startup item: desktop.ini
Command: C:\Documents and Settings\all users\[开始]菜单\程序\启动\desktop.ini (but when I followed that path, the Startup folder was empty)
Location: Common Starup

Also, I downloaded Kaspersky and ran a scan. It found something it called a "potentially dangerous program", c:\windows\desktop.html. After deleting it and rebooting it still doesn't work. But in that folder I saw a notepad-style file named desktop with a gear icon, whose content is empty, and another gear-icon notepad file named control, also empty, with the cursor resting on the second line. I don't know whether this is of any use.
BlackStone - 2005-11-29 14:20:00
Try deleting the desktop.ini you think is the problem.

09090330 - 2005-11-29 14:41:00
I deleted the desktop.ini startup entry that Kaka Assistant found, but it still doesn't work. This thing is really hard to deal with...
I'd like to ask: can this program be found in the registry?
BlackStone - 2005-11-29 14:45:00
Save another log with Autoruns and post it.

When saving the log, make sure to select the Options->Hide Microsoft Entries and Options->Verify Code Signatures menu items (after setting these, click the Refresh button on the toolbar).
09090330 - 2005-11-29 14:55:00
Autoruns Entry | Description | Publisher | Image Path

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAVPersonal50 | Kaspersky Anti-Virus GUI Part | Kaspersky Lab | c:\program files\kaspersky lab\kaspersky anti-virus personal\kav.exe

HKLM\System\CurrentControlSet\Services
kavsvc | Kaspersky Anti-Virus Service | Kaspersky Lab | c:\program files\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
金山毒霸2005 | | | \

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
IeCatch2 Class | jccatch Module | Amaze Soft | d:\program files\flashget\flashget\jccatch.dll
QQBrowserHelperObject Class | QQIEHelper Module | 深圳市腾讯计算机系统有限公司 | d:\program files\qq\qqiehelper.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar
FlashGet Bar | FlashGet IE Bar | Amaze Soft | d:\program files\flashget\flashget\fgiebar.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
&FlashGet | FlashGet | Amaze Soft | d:\program files\flashget\flashget\flashget.exe
访问卡卡社区 | | | File not found: http://www.ikaka.com
访问瑞星网站 | | | File not found: http://www.rising.com.cn
腾讯QQ | QQ | TENCENT | d:\program files\qq\qq.exe
BlackStone - 2005-11-29 15:11:00
Strange, there are no suspicious startup entries.

Paste a procexp log so we can take a look.

When saving the log, be careful not to close that window that appears at startup.
09090330 - 2005-11-29 15:24:00
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 88.99 | |
Interrupts | n/a | | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | 0.92 | |
  smss.exe | 436 | | Windows NT Session Manager | Microsoft Corporation
  csrss.exe | 492 | | Client Server Runtime Process | Microsoft Corporation
  winlogon.exe | 516 | | Windows NT Logon Application | Microsoft Corporation
    SERVICES.EXE | 560 | 3.67 | Services and Controller app | Microsoft Corporation
    SVCHOST.EXE | 768 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 820 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 888 | | Generic Host Process for Win32 Services | Microsoft Corporation
      wscntfy.exe | 1224 | | Windows Security Center Notification App | Microsoft Corporation
    SVCHOST.EXE | 1004 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1120 | | Generic Host Process for Win32 Services | Microsoft Corporation
    netdde.exe | 1576 | | Network DDE - DDE Communication | Microsoft Corporation
    clipsrv.exe | 1692 | | Windows NT DDE Server | Microsoft Corporation
    kavsvc.exe | 1736 | | |
    SVCHOST.EXE | 1792 | | Generic Host Process for Win32 Services | Microsoft Corporation
    alg.exe | 1216 | | Application Layer Gateway Service | Microsoft Corporation
    LSASS.EXE | 572 | | LSA Shell (Export Version) | Microsoft Corporation
explorer.exe | 1600 | 2.75 | Windows Explorer | Microsoft Corporation
kav.exe | 1996 | | |
iexplore.exe | 1132 | | Internet Explorer | Microsoft Corporation
WinRAR.exe | 3168 | | |
  procexp.exe | 3524 | 3.67 | Sysinternals Process Explorer | Sysinternals

Process: System Idle Process Pid: 0

Type | Name
BlackStone - 2005-11-29 15:28:00
Post another log with that window closed.
09090330 - 2005-11-29 15:31:00
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 50.45 | |
Interrupts | n/a | 0.90 | Hardware Interrupts |
DPCs | n/a | 1.80 | Deferred Procedure Calls |
System | 4 | 0.90 | |
  smss.exe | 436 | | Windows NT Session Manager | Microsoft Corporation
  csrss.exe | 492 | 2.70 | Client Server Runtime Process | Microsoft Corporation
  winlogon.exe | 516 | | Windows NT Logon Application | Microsoft Corporation
    SERVICES.EXE | 560 | 4.50 | Services and Controller app | Microsoft Corporation
    SVCHOST.EXE | 768 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 820 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 888 | 0.90 | Generic Host Process for Win32 Services | Microsoft Corporation
      wscntfy.exe | 1224 | | Windows Security Center Notification App | Microsoft Corporation
    SVCHOST.EXE | 1004 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1120 | | Generic Host Process for Win32 Services | Microsoft Corporation
    netdde.exe | 1576 | | Network DDE - DDE Communication | Microsoft Corporation
    clipsrv.exe | 1692 | | Windows NT DDE Server | Microsoft Corporation
    kavsvc.exe | 1736 | 1.80 | |
    SVCHOST.EXE | 1792 | 0.90 | Generic Host Process for Win32 Services | Microsoft Corporation
    alg.exe | 1216 | | Application Layer Gateway Service | Microsoft Corporation
    LSASS.EXE | 572 | 1.80 | LSA Shell (Export Version) | Microsoft Corporation
explorer.exe | 1600 | 1.80 | Windows Explorer | Microsoft Corporation
kav.exe | 1996 | | |
iexplore.exe | 1132 | | Internet Explorer | Microsoft Corporation
WinRAR.exe | 3168 | | |
  procexp.exe | 3424 | 31.53 | Sysinternals Process Explorer | Sysinternals
NOTEPAD.EXE | 1268 | | 记事本 | Microsoft Corporation

Process: Procexp Pid: -2

Type | Name
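BlackStone's two requests, one listing with the pop-up window open and one with it closed, amount to diffing two process snapshots. As an added example (not from the thread, and not a Sysinternals tool), here is Python that parses saved Process Explorer listings, reports which (name, PID) pairs appear or disappear between them, and lists the rows that carry no description or company name, which are the ones worth checking on disk. The two snapshots are constructed from a few rows of the listings above; that the saved file is tab-delimited with two spaces of indentation per tree level is an assumption, since the forum paste lost the separators.

```python
# Constructed snapshots in the shape of the two Process Explorer saves pasted above.
# Assumption: the saved file is tab-delimited with two spaces of indentation per tree
# level (the forum paste lost the tabs); only a few rows are reproduced here.
SNAPSHOT_WINDOW_OPEN = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "System Idle Process\t0\t88.99\t\t",
    "Interrupts\tn/a\t\tHardware Interrupts\t",
    "System\t4\t0.92\t\t",
    "  smss.exe\t436\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "  winlogon.exe\t516\t\tWindows NT Logon Application\tMicrosoft Corporation",
    "    SERVICES.EXE\t560\t3.67\tServices and Controller app\tMicrosoft Corporation",
    "    kavsvc.exe\t1736\t\t\t",
    "explorer.exe\t1600\t2.75\tWindows Explorer\tMicrosoft Corporation",
    "kav.exe\t1996\t\t\t",
    "iexplore.exe\t1132\t\tInternet Explorer\tMicrosoft Corporation",
    "  procexp.exe\t3524\t3.67\tSysinternals Process Explorer\tSysinternals",
])

SNAPSHOT_WINDOW_CLOSED = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "System Idle Process\t0\t50.45\t\t",
    "Interrupts\tn/a\t0.90\tHardware Interrupts\t",
    "System\t4\t0.90\t\t",
    "  smss.exe\t436\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "  winlogon.exe\t516\t\tWindows NT Logon Application\tMicrosoft Corporation",
    "    SERVICES.EXE\t560\t4.50\tServices and Controller app\tMicrosoft Corporation",
    "    kavsvc.exe\t1736\t1.80\t\t",
    "explorer.exe\t1600\t1.80\tWindows Explorer\tMicrosoft Corporation",
    "kav.exe\t1996\t\t\t",
    "iexplore.exe\t1132\t\tInternet Explorer\tMicrosoft Corporation",
    "  procexp.exe\t3424\t31.53\tSysinternals Process Explorer\tSysinternals",
    "NOTEPAD.EXE\t1268\t\t记事本\tMicrosoft Corporation",
])


def parse_snapshot(text):
    """Turn a saved Process Explorer listing into one dict per process row."""
    lines = [l for l in text.splitlines() if l.strip()]
    ncols = len(lines[0].split("\t"))
    rows = []
    for line in lines[1:]:
        cols = line.split("\t")
        cols += [""] * (ncols - len(cols))            # trailing empty columns may be dropped
        raw_name = cols[0]
        depth = (len(raw_name) - len(raw_name.lstrip(" "))) // 2   # tree level from indentation
        pid, cpu = cols[1].strip(), cols[2].strip()
        rows.append({
            "name": raw_name.strip(),
            "pid": int(pid) if pid.isdigit() else None,  # "n/a" for Interrupts / DPCs
            "cpu": float(cpu) if cpu else 0.0,
            "description": cols[3].strip(),
            "company": cols[4].strip(),
            "depth": depth,
        })
    return rows


def diff_snapshots(before, after, ignore=("procexp.exe",)):
    """Processes present in only one snapshot, keyed by (name, PID).
    procexp itself is ignored because its PID changes between two runs."""
    key = lambda r: (r["name"].lower(), r["pid"])
    b = {key(r): r for r in before if r["name"].lower() not in ignore}
    a = {key(r): r for r in after if r["name"].lower() not in ignore}
    gone = [b[k] for k in b if k not in a]
    new = [a[k] for k in a if k not in b]
    return gone, new


def unidentified(rows):
    """Rows with neither description nor company: the image on disk needs a manual look."""
    pseudo = {"system idle process", "system", "interrupts", "dpcs"}
    return [r["name"] for r in rows
            if not r["description"] and not r["company"] and r["name"].lower() not in pseudo]


if __name__ == "__main__":
    before = parse_snapshot(SNAPSHOT_WINDOW_OPEN)
    after = parse_snapshot(SNAPSHOT_WINDOW_CLOSED)
    gone, new = diff_snapshots(before, after)
    print("disappeared when the window was closed:", [(r["name"], r["pid"]) for r in gone])
    print("appeared:", [(r["name"], r["pid"]) for r in new])
    print("no description/company, check on disk:", unidentified(before))
```

Applied to the thread's two listings, nothing disappears when the window is closed (only the notepad used for pasting appears), which is consistent with Process Explorer's earlier message that no process in the list owns that window: it is drawn by a process that is already running rather than by a program of its own.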
BlackStone - 2005-11-29 15:59:00
Really strange, I can't see anything.

Post another procexp log.
When saving, select the Options->Verify Image Signatures menu item, then refresh.
BlackStone - 2005-11-29 16:09:00
1) Right-click on the desktop and choose Properties
2) Switch to the Desktop tab and click the Customize Desktop button
3) Switch to the Web tab and see what the two items in the picture are


Attachment: 58878120051129160959.JPG