瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » 最近中了灰鸽子,哪位大虾帮我看下日志?谢谢好心人!
蓝色的邂逅 - 2006-2-10 11:15:00
HijackThis_zww汉化版扫描日志 V1.99.1
保存于      11:15:48, 日期 2006-2-10
操作系统:  Windows 2000 SP1 (WinNT 5.00.2195)
浏览器:    Internet Explorer v6.00 (6.00.2800.1106)

当前运行的进程:         
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
d:\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\Common Files\COMM\Network.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\RUNDLL32.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Rising\Rav\Rav.exe
C:\PROGRA~1\INTERN~1\IEXPLO~1.EXE
C:\Program Files\Thunder Network\Thunder\Thunder.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1.LPD\LOCALS~1\Temp\Rar$EX00.219\HijackThis1991zww.exe

R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: BdSearchHook Class - {02496EBD-8455-48db-B3C7-5DAC97D9F5A7} - C:\PROGRA~1\baidu\iexp\BDSrHook.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 8.8.8.8 skypetools.tom.com
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\System32\xunleibho_v13.dll
O2 - BHO: BdSearch - {02496EBD-8455-48db-B3C7-5DAC97D9F5A7} - C:\PROGRA~1\baidu\iexp\BDSrHook.dll
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\System32\wmpdrm.dll
O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\IEHelper\IEHelper_8191.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\qq\QQIEHelper.dll
O2 - BHO: BHelper - {8A4280AD-9B37-4922-A51D-73F3C3A32AF7} - C:\WINNT\System32\msibm\cfsbho.dll
O2 - BHO: MacroMediapd - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINNT\System32\microapmddt.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - IE工具栏增项: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - 启动项HKLM\\Run: [BIE] RUNDLL32.EXE C:\PROGRA~1\baidu\iexp\BDSrHook.dll,Rundll32
O4 - 启动项HKLM\\Run: [mscfs] RUNDLL32 C:\WINNT\System32\msibm\cfsys.dll,cfs
O4 - 启动项HKLM\\Run: [Update] C:\Program Files\Common Files\UPDATE\Update.exe
O4 - 启动项HKLM\\Run: [spoolsv] C:\WINNT\System32\spoolsv\spoolsv.exe -printer
O4 - 启动项HKLM\\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - 启动项HKLM\\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - 启动项HKLM\\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\qq\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\qq\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\qq\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\qq\SendMMS.htm
O8 - IE右键菜单中的新增项目: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - 浏览器额外的按钮: 百度首页 - {02496EBD-8455-48db-B3C7-5DAC97D9F5A7} - http://baidu.com/index.php?tn=laserfoxdg (file missing)
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/?source=Cns (file missing)
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\qq\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\qq\QQ.EXE
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\qq\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\qq\QQIEHelper.dll
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O11 - Options group: [!IESearch] 百度搜索伴侣
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {ACFE8232-03C5-4AEC-AF5E-42B806724096} (KSHScan Control) - http://safe.qq.com/scan/KAllScan.CAB
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B86556-1B2B-431D-8150-723BEEA5F77D}: NameServer = 202.98.192.168,202.98.192.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B86556-1B2B-431D-8150-723BEEA5F77D}: NameServer = 202.98.192.168,202.98.192.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{07B86556-1B2B-431D-8150-723BEEA5F77D}: NameServer = 202.98.192.168,202.98.192.68
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: OracleOraHome81Agent - Oracle Corporation - D:\oracle\ora81\bin\dbsnmp.exe
O23 - NT 服务: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - NT 服务: OracleOraHome81CMAdmin - Unknown owner - D:\oracle\ora81\BIN\CMADMIN.EXE
O23 - NT 服务: OracleOraHome81CMan - Unknown owner - D:\oracle\ora81\BIN\CMGW.EXE
O23 - NT 服务: OracleOraHome81DataGatherer - Oracle Corporation - D:\oracle\ora81\bin\vppdc.exe
O23 - NT 服务: OracleOraHome81PagingServer - Unknown owner - D:\oracle\ora81/bin/pagntsrv.exe
O23 - NT 服务: OracleOraHome81TNSListener - Unknown owner - D:\oracle\ora81\BIN\TNSLSNR.exe
O23 - NT 服务: OracleServiceQDNLPDB - Oracle Corporation - d:\oracle\ora81\bin\ORACLE.EXE
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - NT 服务: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe

不言放弃 - 2006-2-10 12:17:00
结束C:\Program Files\Common Files\COMM\Network.exe进程

修复
O1 - Hosts: 8.8.8.8 skypetools.tom.com
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\System32\wmpdrm.dll
O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\IEHelper\IEHelper_8191.dll
O2 - BHO: BHelper - {8A4280AD-9B37-4922-A51D-73F3C3A32AF7} - C:\WINNT\System32\msibm\cfsbho.dll
O2 - BHO: MacroMediapd - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINNT\System32\microapmddt.dll
O4 - 启动项HKLM\\Run: [mscfs] RUNDLL32 C:\WINNT\System32\msibm\cfsys.dll,cfs
O4 - 启动项HKLM\\Run: [Update] C:\Program Files\Common Files\UPDATE\Update.exe
O4 - 启动项HKLM\\Run: [spoolsv] C:\WINNT\System32\spoolsv\spoolsv.exe -printer
O4 - 启动项HKLM\\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - 启动项HKLM\\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - 启动项HKLM\\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - NT 服务: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe

进入注册表
搜索WINSYS.cer
找到后全部删除

双击C:\WINNT\System32\msibm下的uninstall程序
卸载移除C:\WINNT\System32\msibm文件夹

重启后删除
C:\WINNT\System32\wmpdrm.dll
C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\IEHelper\IEHelper_8191.dll
C:\WINNT\System32\microapmddt.dll
C:\WINNT\System32\msibm
C:\Program Files\Common Files\UPDATE
C:\WINNT\System32\spoolsv
C:\$NtUninstallQ5926809$
C:\$NtUninstallQ887678$
C:\Program Files\Common Files\COMM

附件: 3640522006210121710.JPG
1
查看完整版本: 最近中了灰鸽子,哪位大虾帮我看下日志?谢谢好心人!
© 2000 - 2026 Rising Corp. Ltd.