Rising Kaka Security Forum (瑞星卡卡安全论坛)

[Help] The system is scarily broken! Mods and experts, please help!
机灵小飞 - 2006-2-23 0:44:00
Here is my log. Even I can see there are quite a few viruses in it, but I just don't know how to fix them. Hoping you friends can solve my problem! Thanks (3Q)!

Logfile of HijackThis v1.99.1
Scan saved at 1:06:21, on 2006-2-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\rising\Rav\Ravmond.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\rising\Rav\RavStub.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\rising\Rav\RavTask.exe
C:\Program Files\rising\Rav\Ravmon.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\COMM\Network.exe
C:\WINDOWS\system32\conime.exe
E:\QQ\QQ.exe
E:\QQ\TIMPlatform.exe
D:\瑞星\日志\HijackThis.exe

R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\AdPlus\IEHelp1.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - E:\QQ\QQIEHelper.dll
O2 - BHO: VeryCD超级搜索 - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\bak\KuGoo3\KuGoo3DownXControl.ocx
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: VeryCD超级搜索 - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [AddrPlus3] C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook1.dll Rundll32
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE 微软-中星微联合实验室提供
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 腾讯QQ.lnk = E:\QQ\QQ.exe
O8 - Extra context menu item: YOK搜索 - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用KuGoo3下载(&K) - D:\bak\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\QQ\SendMMS.htm
O8 - Extra context menu item: 百度-搜索MP3 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度-搜索图片 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度-搜索新闻 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 百度-搜索歌词 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDULYRIC.HTM
O8 - Extra context menu item: 百度-搜索网页 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度-搜索贴吧 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUPOST.HTM
O8 - Extra context menu item: 百度-词典搜索 - res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDU_DIC.HTM
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - E:\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - E:\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH]  QQ地址栏搜索插件
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/pcver2006new/OL2006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC1E29-5030-45DF-B707-AA1FB4C7DD15}: NameServer = 202.103.0.68 202.103.24.68
O23 - Service: Internet Connection Firewall - Unknown owner - C:\WINDOWS\TASKMAM.EXE
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe

情以相忘 - 2006-2-23 1:35:00
Step 1
Terminate these processes:
C:\WINDOWS\VM_STI.EXE (might be the webcam driver, might be a trojan; you'll have to judge for yourself)
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\COMM\Network.exe
Step 2
Start -> Run -> msconfig, Enter -> Startup tab
Untick the following:
O4 - HKLM\..\Run: [AddrPlus3] C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook1.dll Rundll32
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE 微软-中星微联合实验室提供
Step 4
My Computer -> right-click -> Manage -> Services and Applications -> Services
Disable the two services below:
O23 - Service: Internet Connection Firewall - Unknown owner - C:\WINDOWS\TASKMAM.EXE
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe
Step 5
Delete the two exe files from step 4. You can back them up first; a compressed backup is recommended.
Reboot and scan a new log to check.
不言放弃 - 2006-2-23 8:37:00
[Reply to 情以相忘's post]
Why does this friend always tell people with problem machines to terminate the C:\WINDOWS\system32\RUNDLL32.EXE process?
I don't get it.

O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE 微软-中星微联合实验室提供
From this entry it should be obvious that C:\WINDOWS\VM_STI.EXE is the webcam driver.

Unbelievable.

不言放弃 - 2006-2-23 8:41:00
[Reply to 机灵小飞's post]
Terminate the process C:\Program Files\Common Files\COMM\Network.exe

Fix:
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O2 - BHO: VeryCD超级搜索 - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O3 - Toolbar: VeryCD超级搜索 - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - C:\Program Files\YOK.com\SuperSearch\YOK_SuperSearch.dll
O8 - Extra context menu item: YOK搜索 - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O23 - Service: Internet Connection Firewall - Unknown owner - C:\WINDOWS\TASKMAM.EXE
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe

Uninstall:
C:\Program Files\YOK.com

Delete:
the C:\Program Files\YOK.com folder
the C:\Program Files\Common Files\COMM folder
C:\WINDOWS\TASKMAM.EXE

Also,
O23 - Service: Internet Connection Firewall - Unknown owner - C:\WINDOWS\TASKMAM.EXE
if this entry is Huigezi (Gray Pigeon),
see http://forum.ikaka.com/topic.asp?board=28&artid=7713905
机灵小飞 - 2006-2-23 17:01:00
Does my system still have viruses or anything that was missed?
Logfile of HijackThis v1.99.1
Scan saved at 16:58:36, on 2006-2-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\rising\Rav\Ravmond.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\rising\Rav\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\rising\Rav\RavTask.exe
C:\Program Files\rising\Rav\Ravmon.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\瑞星\日志\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\AdPlus\IEHelp1.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - E:\QQ\QQIEHelper.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [AddrPlus3] C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook1.dll Rundll32
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 腾讯QQ.lnk = E:\QQ\QQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC1E29-5030-45DF-B707-AA1FB4C7DD15}: NameServer = 202.103.0.68 202.103.24.68
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)

精致油970427 - 2006-2-23 17:03:00
Fix this entry:
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
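As an added example (not code from this thread or from HijackThis), here is a small Python triage helper that applies the checks 不言放弃 and 精致油970427 made by eye: it walks the O23 service entries of a HijackThis log and flags "Unknown owner", "(file missing)", an executable sitting directly in C:\WINDOWS, or a vendor not in an allowlist of vendors the machine's owner recognises. The sample log and the allowlist are constructed from lines posted in this thread; the allowlist is an assumption about what the owner knows to be installed.

```python
import re
from dataclasses import dataclass

# Constructed sample: service and startup lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O23 - Service: Internet Connection Firewall - Unknown owner - C:\WINDOWS\TASKMAM.EXE
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
""".strip()

# O23 lines have the shape: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: vendors the owner of this machine knows they installed.
KNOWN_VENDORS = {"Beijing Rising Technology Co., Ltd.", "Analog Devices, Inc."}


@dataclass
class Finding:
    name: str
    path: str
    reasons: list


def triage_services(log_text, known_vendors=KNOWN_VENDORS):
    """Return a Finding for every O23 entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # only O23 (service) entries are examined here
        name, owner, path = m["name"], m["owner"], m["path"]
        reasons = []
        if owner == "Unknown owner":
            reasons.append("no company/signer recorded for the binary")
        elif owner not in known_vendors:
            reasons.append(f"vendor '{owner}' not in the allowlist")
        if m["missing"]:
            reasons.append("service registration points at a file that no longer exists")
        # A service binary placed directly in the Windows folder (not system32) is unusual.
        parent = path.rsplit("\\", 1)[0].lower()
        if parent == r"c:\windows":
            reasons.append("executable sits directly in the Windows folder")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.name} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The third sample line (COMENET TECHNOLOGY) carries none of the obvious markers and is caught only by the allowlist, which is the point: an unfamiliar vendor is a review item, not proof of malware.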
机灵小飞 - 2006-2-23 21:25:00
Fixed one problem with the computer and now a new one appears! Did killing the Pigeon leave after-effects? Why can't some things open any more? For example: Audition (劲舞团), QQ Games, Rising antivirus! The log is:
Logfile of HijackThis v1.99.1
Scan saved at 21:22:42, on 2006-2-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NTdhcp.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
E:\QQ\TIMPlatform.exe
E:\QQ\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\瑞星\日志\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\AdPlus\IEHelp.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [AddrPlus3] C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook1.dll Rundll32
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC1E29-5030-45DF-B707-AA1FB4C7DD15}: NameServer = 202.103.0.68 202.103.24.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
I've fixed “O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)” N times and it won't go away!~
Really frustrating!
精致油970427 - 2006-2-23 21:31:00
C:\WINDOWS\system32\NTdhcp.exe
ntdhcp.exe
Virus name: Trojan/PSW.QQpass.br
Chinese name: “QQ大盗” (QQ Thief)
Type: Trojan

I suggest killing this program in the process list, then finding and deleting the file.
机灵小飞 - 2006-2-23 22:23:00
Only just got rid of Huigezi today and now another trojan shows up; this is driving me crazy!
情以相忘 - 2006-2-23 22:30:00
I'm not saying rundll32.exe is a virus, but once it's terminated there are fewer things left to investigate.
情以相忘 - 2006-2-23 22:34:00
rundll32.exe isn't essential for the system, so why keep it.
As for the webcam driver, I've never used one, and some information online says trojans disguise themselves as it, so I'd terminate it first; if that really breaks the webcam, re-enable it and it's fine. Since we're investigating, why not treat it as a suspect first?
天天泡泡 - 2006-2-23 23:06:00
Quote:
[情以相忘's post] rundll32.exe isn't essential for the system, so why keep it.
As for the webcam driver, I've never used one, and some information online says trojans disguise themselves as it, so I'd terminate it first; if that really breaks the webcam, re-enable it and it's fine. Since we're investigating, why not treat it as a suspect first?
...........................


rundll32.exe is used to run DLL files in memory, on behalf of programs that need to call DLLs; these are used by applications. This program is very important for the normal operation of the system.

So unless the log shows something suspicious being invoked through Rundll32.exe, I generally don't recommend terminating Rundll32.exe.
机灵小飞 - 2006-2-23 23:31:00
Active discussion is a good thing, but the main goal is to solve my problem! Thank you all for helping me! Here is my new scan log, please take a look!
Logfile of HijackThis v1.99.1
Scan saved at 23:29:13, on 2006-2-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\Program Files\rising\Rav\RavMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
D:\瑞星\日志\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\AdPlus\IEHelp.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [AddrPlus3] C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook1.dll Rundll32
O4 - Startup: 腾讯QQ.lnk = E:\QQ\QQ.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\QQ\SendMMS.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC1E29-5030-45DF-B707-AA1FB4C7DD15}: NameServer = 202.103.0.68 202.103.24.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I did what you said, but I don't know why all my Rising monitors have been disabled and can't be started!
baohe - 2006-2-23 23:36:00
Quote:
[机灵小飞's post] I did what you said, but I don't know why all my Rising monitors have been disabled and can't be started!
...........................

Open Registry Editor and check the values under these two keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter

Normally the right-hand pane shows "Start"=dword:00000002

I suspect this pair of values on your machine has been changed to "Start"=dword:00000004.
机灵小飞 - 2006-2-23 23:56:00
What you describe isn't happening! Please look at my log and see whether it's a virus or a system-configuration problem or something like that! How can I set things up so hackers and trojans don't attack a home machine?
looooo - 2006-2-24 1:28:00
Just reinstall the system.
情以相忘 - 2006-2-24 3:03:00
First, thanks to 不言放弃 and 天天泡泡. I'm only speaking from my own experience, not claiming it's universal: my machine never ran Rundll32.exe, and only when the virus 23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe appeared did Rundll32.exe show up on my machine. This is purely my personal opinion based on what I saw myself; I'll take what you both said into account in future. Thanks again.
读来毒网 - 2006-2-24 5:27:00
23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe
You can fix it like this:
Start → Control Panel → Performance and Maintenance → Administrative Tools → Services → find Network System → right-click → Properties → Startup type → Disabled → Apply → Stop → OK.

Restart the computer; after the power-on self-test finishes, press [F8] (keep pressing until the boot menu appears) and choose Safe Mode to enter Windows.

Show hidden files

Double-click My Computer -> Tools -> Folder Options -> View tab -> select "Show hidden files and folders" -> clear the "Hide protected operating system files (Recommended)" checkbox. When prompted to confirm the change, click "Yes" -> click "OK".

Then find and delete the following (if present).

the whole directory C:\Program Files\Common Files\COMM\
机灵小飞 - 2006-2-24 17:17:00
QAHOOK1.dll 44% unknown trojan C:\PROGRA~1\TENCENT\Adplus\QAHOOK1.dll: how do I deal with this!? Also, after I cleaned the viruses off the computer I can't play Audition (劲舞团) any more; I re-downloaded it and still can't play. What's going on?
Thanks everyone!!!