德国99 - 2006-4-5 15:08:00
Can someone help analyze my computer? Thanks!!
Logfile of HijackThis v1.99.1
Scan saved at 15:02:23, on 2006-4-5
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
D:\RISING\RISING\RAV\Ravmond.exe
D:\RISING\RISING\RAV\RavStub.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
D:\RISING\RISING\RAV\CCENTER.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
D:\RISING\RISING\RAV\RAVTIMER.EXE
D:\RISING\RISING\RAV\RAVMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\ylive.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\zh-cn\msnappau.exe
D:\软件安装\OFFICE\Office\WINWORD.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\cnmsm3y.exe
D:\软件安装\新建文件夹\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.318\HijackThis.exe
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v6.dll
O2 - BHO: 搜索助手 - {04844102-FC0B-4f44-9E93-0C4293BB5E80} - C:\Program Files\ydt\ydt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\软件安装\oicq\qq\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\ydragsearch.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\zh-cn\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\zh-cn\msntb.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] rem C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [YDTMain.exe] rem C:\PROGRA~1\ydt\YDTMain.exe
O4 - HKLM\..\Run: [dl_accel] rem C:\Program Files\3721\Dlaccel\YDownloader.exe
O4 - HKLM\..\Run: [TkBellExe] rem "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] rem loadqm.exe
O4 - HKLM\..\Run: [msnappau] rem "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\zh-cn\msnappau.exe"
O4 - HKLM\..\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [BHDCRegC] rem C:\WINNT\system32\BHDCRegC.exe
O4 - HKLM\..\Run: [RavTimer] D:\RISING\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\RISING\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [CnsMin] rem Rundll32.exe C:\WINNT\DOWNLO~1\CONFLICT.4\CnsMin.dll,Rundll32
O4 - HKCU\..\Run: [msnmsgr] rem "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] rem "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: 腾讯QQ.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用下载加速专家下载 - C:\Program Files\3721\Dlaccel\geturl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\软件安装\oicq\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 推荐给朋友,收藏到亿友响客 - http://x.yeeyoo.com/MouseAdd/
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\软件安装\oicq\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\软件安装\oicq\qq\AddEmotion.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\软件安装\oicq\qq\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\软件安装\oicq\qq\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\软件安装\oicq\qq\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\软件安装\oicq\qq\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\软件安装\oicq\qq\QQIEHelper.dll
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O16 - DPF: _{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {0400AC1C-EEF0-4638-A501-31D5A0DC2002} (VTPlug3 Class) - http://61.129.90.99:1995/VTrans.cab
O16 - DPF: {1F831FA1-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {448A5F6B-8C03-4B54-A338-F00237C508AD} (WEBChatRoomOCX Control) - http://www.51uc.com/cab/WEBChatRoom_1_46.cab
O16 - DPF: {62B938C4-4190-4F37-8CF0-A92B0A91CC77} (InfoSecNetSign Class) - https://corporbank.icbc.com.cn/icbc/NetSign.dll
O16 - DPF: {6EC14D77-72E0-436D-8C04-3BEE5D75B2F1} (VideoOcx Control) - http://www.hcliao.com/room/roomui/videoocx.ocx
O16 - DPF: {7253A666-8D4A-11D7-A4DC-00E04C504779} (BDC Control) - http://chunliao.com/BDC.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/normalbank/AxSafeControls.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控件) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {88734439-46D0-42C0-A13F-7E881EE550CF} (Filetran Control) - http://www.bluesky.cn/download/filetran.cab
O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} (LiveMediaOcx Control) - http://dl_dir.qq.com/qqtv/QQLiveOcxSetup.exe
O16 - DPF: {AE563722-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A} (Kingsoft DUBA OnlineScan) - http://zs.kingsoft.com/duba/OCX/KAVClean.CAB
O16 - DPF: {E689D735-1487-420D-9049-16ED198FE411} (vc Control) - http://www.viruschina.com/free/vco.cab
O16 - DPF: {E9707834-5BF7-4CFF-A639-398427DE1991} (IcbcSslCacheCleanerCtrl Class) - http://www.95588.com.cn/left/IcbcSslCacheCleaner.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控件) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FA7D78BA-3EA7-4E52-B0E2-0772F577E6CC} (VideoOcx Control) - http://u2.hd118.com/chat/roomui/videoocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{05BAB891-84A4-41E0-B916-76D813B2FF09}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FBAC216-1691-4BB0-9C3C-CA8958B66737}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F95B3C-CD71-409C-A80E-3101E93BF631}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D810B61E-19C3-4AB2-BE82-16CC7682D24E}: NameServer = 211.148.126.2,211.98.2.4
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.197,195.225.176.31
O21 - SSODL: DLMon - {590498A3-4131-4D8F-BA4B-36791A0803B1} - C:\WINNT\system32\DLMain.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gray - Unknown owner - C:\WINNT\lasss.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RISING\RAV\Ravmond.exe
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINNT\bdc.exe
zq77 - 2006-4-5 15:25:00
O23 - Service: Gray - Unknown owner - C:\WINNT\lasss.exe
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINNT\bdc.exe
Find these 2 entries in the registry and delete them, reboot, then delete these 2 items from the system.
德国99 - 2006-4-5 15:57:00
[Reply to zq77's post]
Sorry! How do I find them in the registry and delete them? I don't know how to do it. Thanks!!
zq77 - 2006-4-5 16:08:00
Run --- regedit --- Edit, Find --- lasss.exe and bdc.exe (don't mistype them) --- delete
德国99 - 2006-4-5 17:05:00
[Reply to zq77's post]
Should I delete every entry the search finds, or only C:\WINNT\lasss.exe and C:\WINNT\bdc.exe?
德国99 - 2006-4-5 17:07:00
[Reply to zq77's post]
Should I delete every entry the search finds, or only C:\WINNT\lasss.exe and C:\WINNT\bdc.exe? Thanks
德国99 - 2006-4-5 17:15:00
Below are the processes as analyzed by Yahoo Assistant. Why are two of the items flagged as trojans? What is actually going on? Using Smart Antivirus Companion doesn't seem to work either. Thanks!!
Process name | File size | Type | Publisher | Description
CCENTER.EXE 96k 未知 rising
CDAC11BA.EXE 53k 应用程序 Macrovision 来自MacroVis..
csrss.exe 5k 未知 Microsoft Corporation 客户端服务子系统,用..
dllhost.exe 5k 未知 Microsoft Corporation
Explorer.EXE 237k 未知 Microsoft Corporation
HijackThis.exe 213k 未知 Soeperman Enterprises Ltd.
iexplore.exe 89k 木马 Microsoft Corporation 怀疑为恶意程序或病毒..
lsass.exe 32k 应用程序 Microsoft Corporation 本地安全权限服务控制..
msdtc.exe 6k 应用程序 Microsoft Corporation Microsoft ..
msnappau.exe 84k 未知 Microsoft Corporation
MSTask.exe 116k 系统程序 Microsoft Corporation Windows计划任..
RAVMON.EXE 468k 应用程序 Beijing Rising Technology Co., Ltd. 瑞星杀毒软件防火墙。
Ravmond.exe 148k 应用程序 Beijing Rising Technology Co., Ltd. 瑞星杀毒软件的一部分..
RavStub.exe 596k 未知 Beijing Rising Technology Co., Ltd.
RAVTIMER.EXE 124k 应用程序 Beijing Rising Technology Co., Ltd. 瑞星杀毒软件的一部分..
regedit.exe 70k 未知 Microsoft Corporation
regsvc.exe 65k 未知 Microsoft Corporation
rundll32.exe 9k 未知 Microsoft Corporation
SCardSvr.exe 96k 未知 Microsoft Corporation
services.exe 86k 未知 Microsoft Corporation
smss.exe 44k 未知 Microsoft Corporation
spoolsv.exe 43k 木马 Microsoft Corporation
svchost.exe 7k 应用程序 Microsoft Corporation Service Ho..
svchost.exe 7k 应用程序 Microsoft Corporation Service Ho..
SysIdleProcess 0k 系统程序 标识系统空闲的进程。
winlogon.exe 177k 应用程序 Microsoft Corporation Windows NT..
WinMgmt.exe 192k 未知 Microsoft Corporation
WinRAR.exe 827k 未知
yassistse.exe 64k 未知 Yahoo!
YDownloader.exe 756k 未知 北京三七二一科技有限公司
ylive.exe 20k 未知 雅虎中国之雅虎助手软
不言放弃 - 2006-4-6 9:23:00
[Reply to 德国99's post]
Fix:
O21 - SSODL: DLMon - {590498A3-4131-4D8F-BA4B-36791A0803B1} - C:\WINNT\system32\DLMain.dll
O23 - Service: Gray - Unknown owner - C:\WINNT\lasss.exe
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINNT\bdc.exe
After rebooting, delete:
C:\WINNT\system32\DLMain.dll
C:\WINNT\lasss.exe
C:\WINNT\bdc.exe
Of these,
O23 - Service: Gray - Unknown owner - C:\WINNT\lasss.exe
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINNT\bdc.exe
these two entries should be handled as Gray Pigeon (灰鸽子).
For the detailed steps, see
http://forum.ikaka.com/topic.asp?board=28&artid=7713905
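The two O23 lines singled out above show what a reviewer spots by eye in a HijackThis log: a service with no recorded publisher ("Unknown owner") whose binary name is a near-miss of a real Windows process (lasss.exe next to lsass.exe). As an added example, not part of the thread or of HijackThis itself, this Python script applies exactly those two checks to O23 lines; the sample log text is copied from the log posted above, and the core-process list is taken from its "Running processes" section.

```python
import re

# Constructed sample: O23 lines copied from the HijackThis log posted in the
# thread, with one benign service (dmadmin) kept for contrast.
SAMPLE_LOG = r"""
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gray - Unknown owner - C:\WINNT\lasss.exe
O23 - Service: Spplication Layer Gateway Serv - Unknown owner - C:\WINNT\bdc.exe
"""

# HijackThis O23 format: "O23 - Service: <display name> - <owner> - <binary path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Core Windows processes from the log's "Running processes" section; malware
# often picks a filename one or two letters away from one of these.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}

def levenshtein(a, b):
    """Plain edit distance; a swapped letter pair (lasss/lsass) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_o23(log_text):
    """Return (display name, path, reasons) for each O23 line worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, owner, path = m.group("name", "owner", "path")
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("service binary has no recorded publisher")
        # Only test names that are not themselves a core process, so a genuine
        # smss.exe is never reported as a lookalike of csrss.exe.
        if exe not in CORE_PROCESSES:
            lookalikes = sorted(p for p in CORE_PROCESSES if levenshtein(exe, p) <= 2)
            if lookalikes:
                reasons.append("filename mimics " + ", ".join(lookalikes))
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage_o23(SAMPLE_LOG):
        print(f"{name!r} -> {path}: " + "; ".join(reasons))
```

Both checks are heuristics for prioritising review; an O23 entry they flag still needs to be confirmed against the service's registry key and the file on disk, as the thread's fix-then-delete steps do.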
德国99 - 2006-4-6 9:52:00
[Reply to 不言放弃's post]
Thanks! It's been taken care of. One more question: my IE process keeps getting flagged as a trojan, and now the machine also keeps shutting down by itself. What is going on? Thanks!!
© 2000 - 2026 Rising Corp. Ltd.