浪迹芳草地 - 2007-7-19 23:16:00
WIN2K
The machine hangs as soon as Deep Freeze (冰点还原) brings up its main window.
The original backup clone .GHO file has been deleted.
The HijackThis log is below. Could the experts here please take a look and tell me how to clean this up?
Logfile of HijackThis v1.99.1
Scan saved at 21:45:56, on 2007-07-19
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\winnt\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JFJ061\LOCALS~1\Temp\Rar$EX00.178\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup
O4 - HKLM\..\Run: [mppds] C:\WINNT\mppds.exe
O4 - HKLM\..\Run: [RAV00AE] C:\WINNT\system32\RAV00AE.exe
O4 - HKLM\..\Run: [Microsoft Autorun11] C:\WINNT\system32\nwizwlwzs.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINNT\TIMHost.exe
O4 - HKLM\..\Run: [RAV00A0] C:\WINNT\system32\RAV00A0.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINNT\MsIMMs32.exe
O4 - HKLM\..\Run: [RAV008C] C:\WINNT\system32\RAV008C.exe
O4 - HKLM\..\Run: [RAV00B2] C:\WINNT\system32\RAV00B2.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\JFJ061\LOCALS~1\Temp\sysphong.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B031F3E-58A2-4753-8342-3A7678CE30B8}: NameServer = 202.96.128.86,202.96.134.133
O20 - AppInit_DLLs: qhbpri.dll
O20 - Winlogon Notify: RsAutorunsDisabled - C:\WINNT\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
sanjingshou - 2007-7-20 0:16:00
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mppds] C:\WINNT\mppds.exe
O4 - HKLM\..\Run: [RAV00AE] C:\WINNT\system32\RAV00AE.exe
O4 - HKLM\..\Run: [Microsoft Autorun11] C:\WINNT\system32\nwizwlwzs.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINNT\TIMHost.exe
O4 - HKLM\..\Run: [RAV00A0] C:\WINNT\system32\RAV00A0.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINNT\MsIMMs32.exe
O4 - HKLM\..\Run: [RAV008C] C:\WINNT\system32\RAV008C.exe
O4 - HKLM\..\Run: [RAV00B2] C:\WINNT\system32\RAV00B2.exe
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\JFJ061\LOCALS~1\Temp\sysphong.exe
Your startup entries are basically all viruses.
O20 - AppInit_DLLs: qhbpri.dll
O20 - Winlogon Notify: RsAutorunsDisabled - C:\WINNT\
Download SREng and scan for a detailed log.
Download SREng, or Kaka Assistant (卡卡助手), or 360.
Use the LSP repair function.
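The entries singled out above share a few traits an analyst checks first in a HijackThis log: a program autostarting from a Temp directory, an unfamiliar executable sitting directly in the Windows or system32 directory, a non-empty AppInit_DLLs value, and a Winlogon Notify entry with no DLL name. The following script is added here as a worked example; it is not part of the thread and not HijackThis's own code. It applies those checks to a constructed excerpt in the posted log's format. The allowlist of Windows binaries that legitimately autostart by bare name (ctfmon.exe, mobsync.exe) and the RAV-lookalike rule are assumptions for the demo; on a real case every entry is compared against a clean machine of the same build.

```python
import re

# Constructed excerpt in the format of the HijackThis log posted in this thread.
# Sample input for this example only, not the full log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [runeip] "C:\\Program Files\\Rising\\AntiSpyware\\runiep.exe" /startup
O4 - HKLM\\..\\Run: [mppds] C:\\WINNT\\mppds.exe
O4 - HKLM\\..\\Run: [RAV00AE] C:\\WINNT\\system32\\RAV00AE.exe
O4 - HKLM\\..\\Run: [Microsoft Autorun11] C:\\WINNT\\system32\\nwizwlwzs.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\\..\\Run: [svc] C:\\DOCUME~1\\JFJ061\\LOCALS~1\\Temp\\sysphong.exe
O20 - AppInit_DLLs: qhbpri.dll
O20 - Winlogon Notify: RsAutorunsDisabled - C:\\WINNT\\
O23 - Service: DF5Serv - Faronics Corporation - C:\\Program Files\\Faronics\\Deep Freeze\\Install C-0\\DF5Serv.exe
"""

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")

# Assumption for the demo: Windows 2000 binaries that legitimately autostart from the
# Windows directory by bare name.  Extend this from a clean machine of the same build.
WINDOWS_AUTOSTART_OK = {"ctfmon.exe", "mobsync.exe"}
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\winnt\\system32\\")
# Assumption: Rising's product is RAV; RAVxxxx.exe files outside its install dir imitate it.
RAV_LOOKALIKE = re.compile(r"^rav[0-9a-f]{4}\.exe$")


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(name: str, cmd: str) -> list:
    """Reasons an O4 (Run key) entry deserves a closer look; empty list if none."""
    exe = executable_of(cmd)
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in low:
        reasons.append("autostarts from a Temp directory")
    # A bare name resolves through the system path, so treat it like a Windows-directory file.
    in_windows_dir = low.startswith(WINDOWS_DIRS) or "\\" not in low
    if in_windows_dir and base not in WINDOWS_AUTOSTART_OK:
        reasons.append("unknown binary autostarting from the Windows directory")
    if RAV_LOOKALIKE.match(base) and "\\rising\\" not in low:
        reasons.append("name imitates Rising's RAV but lives outside the Rising install directory")
    return reasons


def triage(log_text: str) -> list:
    """Return (log line, reason) pairs for suspicious O4 and O20 entries."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            for reason in triage_o4(m.group("name"), m.group("cmd")):
                findings.append((line, reason))
            continue
        m = O20_RE.match(line)
        if m:
            kind, rest = m.group("kind"), m.group("rest").strip()
            if kind == "AppInit_DLLs" and rest:
                findings.append((line, "AppInit_DLLs is set (every process that loads user32.dll will load it)"))
            elif kind == "Winlogon Notify" and not rest.lower().endswith(".dll"):
                findings.append((line, "Winlogon Notify entry without a DLL file name; verify its DllName value"))
    return findings


def flagged_lines(log_text: str) -> list:
    """Distinct log lines that received at least one reason."""
    return sorted({line for line, _ in triage(log_text)})


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it on the excerpt flags six lines: the three executables in the Windows directory, the Temp-directory entry, the AppInit_DLLs value and the Winlogon Notify entry; the Rising, Deep Freeze and ctfmon entries pass.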
超级游戏迷 - 2007-7-20 2:42:00
Your machine is already very hard to repair. My personal suggestion: first prepare a clean USB stick with the portable IceSword (冰刃) tool on it, then disconnect from the network, turn off System Restore on all drives, clear the entire IE cache, and then just reinstall the system. After the reinstall, boot straight into Safe Mode; in Safe Mode do not open any hard drive in any way. Plug in the USB stick and first use IceSword to delete every suspicious hidden file in the root directory of each drive (note: the following are likely hidden virus files: AUTORUN.INF, AUTORUN.EXE, AUTO.EXE, SYSAUTO.EXE, PAGEFILE.PIF; delete all of them with IceSword, and be sure to check every drive, including your USB stick!), then run a full-disk virus scan. When the scan finishes, delete everything under c:\documents and settings\<current user name>\local settings\temp (some files may refuse to delete; if they really won't go, leave them there), and finally reboot into normal mode.
Reinstalling takes a fair amount of time, but I estimate your machine has become a virus nest, and the time spent hunting them by hand may well exceed the time a reinstall takes; by comparison, reinstalling is still the most efficient approach.
Finally, Rising has probably been wrecked by the virus by now; uninstall it and reinstall it.
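The drive-root cleanup step in the post above can be scripted. The following Python is added here as an example; it is not the poster's procedure and not IceSword's code. It lists the file names the post names in a given drive root, reports whether each carries the hidden attribute, and parses any autorun.inf to show which program Explorer would run when the drive is opened. The autorun.inf content and the demo directory are constructed for the example. On a live infection IceSword is still needed for the deletion itself: a file a rootkit hides or holds open is invisible or undeletable to a normal process, which is exactly what the later posts in this thread run into.

```python
import os
import re
import stat
import tempfile

# File names the post above lists as common virus droppings in a drive root.
SUSPECT_ROOT_NAMES = {"autorun.inf", "autorun.exe", "auto.exe", "sysauto.exe", "pagefile.pif"}

# Constructed autorun.inf modelled on what autorun worms of that era dropped (not taken
# from the infected machine).  Every key below makes Explorer run sysauto.exe.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=sysauto.exe
shellexecute=sysauto.exe
shell\\open\\Command=sysauto.exe
shell\\explore\\Command=sysauto.exe
shell=open
"""

_KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<val>.*?)\s*$")


def parse_autorun_inf(text: str) -> dict:
    """Return every [AutoRun] key that can start a program, mapped to its command."""
    launchers = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = _KEY_RE.match(line)
        if m is None or section != "autorun":
            continue
        key = m.group("key").lower()
        # open=, shellexecute= and shell\<verb>\command= all launch a program.
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            launchers[key] = m.group("val")
    return launchers


def scan_root(root: str) -> list:
    """List suspect files in a drive root and what any autorun.inf there would launch."""
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    findings = []
    for name in sorted(os.listdir(root)):
        if name.lower() not in SUSPECT_ROOT_NAMES:
            continue
        path = os.path.join(root, name)
        st = os.stat(path)
        # st_file_attributes exists only on Windows; elsewhere hidden is reported as False.
        hidden = bool(getattr(st, "st_file_attributes", 0) & hidden_attr)
        entry = {"name": name, "path": path, "hidden": hidden, "launches": {}}
        if name.lower() == "autorun.inf":
            with open(path, encoding="utf-8", errors="replace") as fh:
                entry["launches"] = parse_autorun_inf(fh.read())
        findings.append(entry)
    return findings


def build_demo_root() -> str:
    """Create a throwaway directory imitating an infected drive root (constructed data)."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    for name in ("AUTO.EXE", "readme.txt"):
        open(os.path.join(root, name), "wb").close()
    return root


if __name__ == "__main__":
    # On the infected machine you would call scan_root("C:\\"), scan_root("D:\\"), ...
    for entry in scan_root(build_demo_root()):
        print(entry["name"], "hidden" if entry["hidden"] else "visible", entry["launches"])
```

On a real machine call scan_root on every drive root, the USB stick included; readme.txt in the demo is ignored because only the names the post lists are reported.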
浪迹芳草地 - 2007-7-20 10:01:00
Thanks to posters #1 and #2.
The fatal problem is that Deep Freeze won't open, so I can't reinstall the system.
Enao2005 - 2007-7-20 10:09:00
[Reply to 浪迹芳草地's post]
XP install disc --- set the BIOS to boot from the optical drive --- follow the prompts.
Can't rule out that the .exe files have been infected.....
浪迹芳草地 - 2007-7-23 14:28:00
After scanning with Kaka and EWIDO 7.5, there is still a virus.
It keeps prompting "network cable not plugged in properly".
The network cable tested fine, but I still can't get online.
Looking at the plugins, I found that agent.dll and qhbpri.dll under c:\winnt\system32\
hook each other. They can't be deleted.
Could someone please help take a look.
Attached: the log.
Attachment:
3729462007725125720.txt
shjarthur - 2007-7-23 14:43:00
The infection really is serious......
I also recommend you reinstall............ (embarrassing...... anyone saying "reinstall" on this board ought to be dragged out and beaten......)
The log above won't open...... it gives an error...... file not found......
Better to post an SREng log.
有毒必问 - 2007-7-23 15:18:00
Reply to #5: try force-deleting the files with IceSword.
有点卡啦 - 2007-7-23 15:52:00
Some of them can't be deleted even with IceSword's force delete. Frustrating.
浪迹芳草地 - 2007-7-25 13:10:00
浪迹芳草地 - 2007-7-25 13:12:00
Can someone tell me why attachments won't upload? It's only a 10K TXT file!
浪迹芳草地 - 2007-7-25 13:13:00
I'll have to post it in chunks.
Rising Kaka PC Diagnosis Log v1.30 (2007-7-23 10:51:28) Beijing Rising Technology Co., Ltd.
Notes: [A] means the file has an autostart association;
[M] means the file is in memory;
+ Registry autorun items
+ System services
+ HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Guard
[A ] 1. c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
DF5Serv
[A ] 2. c:\program files\faronics\deep freeze\install c-0\df5serv.exe
MSSQLServerADHelper
[A ] 3. c:\program files\microsoft sql server\80\tools\binn\sqladhlp.exe
ose
[A ] 4. c:\program files\common files\microsoft shared\source engine\ose.exe
+ Kernel drivers
+ HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Driver
[A ] 5. c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
AvgAsCln
[A ] 6. c:\winnt\system32\drivers\avgascln.sys
DeepFrz
[A ] 7. c:\winnt\system32\drivers\deepfrz.sys
ewido anti-spyware 4.0 driver
[A ] 8. d:\program files\ewido\guard.sys
HookCont
[A ] 9. c:\program files\rising\rav\hookcont.sys
HookReg
[A ] 10. c:\program files\rising\rav\hookreg.sys
HookSys
[A ] 11. c:\program files\rising\rav\hooksys.sys
MEMSCAN
[A ] 12. c:\program files\rising\rav\memscan.sys
NPF
[A ] 13. c:\winnt\system32\drivers\npf.sys
RsAntiSpyware
[A ] 14. c:\winnt\system32\drivers\rsboot.sys
+ IE browser loaded modules
+ HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C}
[A ] 15. c:\winnt\system32\kakatool.dll
浪迹芳草地 - 2007-7-25 13:13:00
+ Explorer loaded modules
+ HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
text/xml
[A ] 16. c:\program files\common files\microsoft shared\office11\msoxmlmf.dll
+ HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
mso-offdap11
[A ] 17. c:\program files\common files\microsoft shared\web components\11\owc11.dll
+ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
[A ] 18. c:\winnt\system32\updcrl.exe
[A ] 19. c:\winnt\system32\verisignpub1.crl
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Multimedia File Property Sheet
[A ] 20. c:\winnt\system32\mmsys.cpl
HyperTerminal Icon Ext
[A ] 21. c:\winnt\system32\hticons.dll
Shell Application Manager
[A ] 22. c:\winnt\system32\appwiz.cpl
Installed Apps Enumerator
[A ] 22. c:\winnt\system32\appwiz.cpl
Darwin App Publisher
[A ] 22. c:\winnt\system32\appwiz.cpl
WinRAR shell extension
[AM] 23. c:\program files\winrar\rarext.dll
Web Folders
[A ] 24. c:\program files\common files\microsoft shared\web folders\msonsext.dll
Microsoft Office HTML Icon Handler
[AM] 25. c:\program files\microsoft office\office11\msohev.dll
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8}
[AM] 26. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
[AM] 27. c:\program files\common files\microsoft shared\msinfo\newinfo.bmt
{754FB7D8-B8FE-4810-B363-A788CD060F1F}
[AM] 28. c:\program files\internet explorer\plugins\system64.sys
{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}
[AM] 29. c:\winnt\system32\shlhook.dll
{26368135-64FA-BC34-DA32-DCF4FD431C92}
[AM] 30. c:\winnt\system32\qhbpri.dll
{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124}
[AM] 31. c:\winnt\system32\agent.dll
+ User logon autorun items
+ HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
[AM] 32. c:\winnt\system32\ctfmon.exe
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Run
runeip
[AM] 33. c:\program files\rising\antispyware\runiep.exe
+ Image hijacks
+ HKCR\.html
htmlfile\Edit\Command
[A ] 34. c:\program files\microsoft office\office11\msohtmed.exe
htmlfile\Print\Command
[A ] 34. c:\program files\microsoft office\office11\msohtmed.exe
+ HKCR\.htm
htmlfile\Edit\Command
[A ] 34. c:\program files\microsoft office\office11\msohtmed.exe
htmlfile\Print\Command
[A ] 34. c:\program files\microsoft office\office11\msohtmed.exe
+ Program initialization and known DLLs
+ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
[AM] 30. c:\winnt\system32\qhbpri.dll
+ Print monitors
+ HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Microsoft Document Imaging Writer Monitor
[A ] 35. c:\winnt\system32\mdimon.dll
+ Running processes
+ 0000039c(924) ctfmon.exe
00400000[00005000]
[AM] 32. c:\winnt\system32\ctfmon.exe
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
60200000[0002B000]
[ M] 37. c:\winnt\system32\msutb.dll
00730000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
10070000[00010000]
[ M] 38. c:\winnt\system32\wmiapisrv.dll
00D50000[00010000]
[AM] 28. c:\program files\internet explorer\plugins\system64.sys
10000000[00005000]
[ M] 39. c:\winnt\mui\fallback\0804\msutb.dll.mui
00E70000[00003000]
[ M] 40. c:\winnt\mui\fallback\0804\msctf.dll.mui
浪迹芳草地 - 2007-7-25 13:14:00
00E80000[0001B000]
[ M] 41. c:\program files\rising\antispyware\ieprot.dll
00FB0000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
00FD0000[0001F000]
[ M] 43. c:\winnt\system32\wiytd.dll
00FF0000[0001F000]
[ M] 44. c:\winnt\system32\wljhj.dll
01010000[0001F000]
[ M] 45. c:\winnt\system32\hytsx.dll
01030000[0001F000]
[ M] 46. c:\winnt\system32\wlkhm.dll
01050000[0001F000]
[ M] 47. c:\winnt\system32\wkjhl.dll
01070000[0001F000]
[ M] 48. c:\winnt\system32\adapi32.dll
+ 000003b8(952) runiep.exe
00400000[00012000]
[AM] 33. c:\program files\rising\antispyware\runiep.exe
10070000[00010000]
[ M] 38. c:\winnt\system32\wmiapisrv.dll
00B10000[00010000]
[AM] 28. c:\program files\internet explorer\plugins\system64.sys
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
011B0000[0001B000]
[ M] 41. c:\program files\rising\antispyware\ieprot.dll
01300000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
01320000[0001F000]
[ M] 43. c:\winnt\system32\wiytd.dll
01340000[0001F000]
[ M] 44. c:\winnt\system32\wljhj.dll
01360000[0001F000]
[ M] 45. c:\winnt\system32\hytsx.dll
01380000[0001F000]
[ M] 46. c:\winnt\system32\wlkhm.dll
013A0000[0001F000]
[ M] 47. c:\winnt\system32\wkjhl.dll
013C0000[0001F000]
[ M] 48. c:\winnt\system32\adapi32.dll
+ 00000400(1024) Explorer.EXE
23000000[00056000]
[ M] 49. c:\winnt\apppatch\aclayers.dll
10070000[00010000]
[ M] 38. c:\winnt\system32\wmiapisrv.dll
00F60000[0000C000]
[AM] 27. c:\program files\common files\microsoft shared\msinfo\newinfo.bmt
010B0000[00010000]
[AM] 28. c:\program files\internet explorer\plugins\system64.sys
01270000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
01690000[0001F000]
[ M] 48. c:\winnt\system32\adapi32.dll
016B0000[0001F000]
[ M] 50. c:\winnt\system32\aetpksw.dll
016E0000[0001F000]
[ M] 47. c:\winnt\system32\wkjhl.dll
01700000[0001F000]
[ M] 46. c:\winnt\system32\wlkhm.dll
01720000[0001F000]
[ M] 45. c:\winnt\system32\hytsx.dll
01740000[0001F000]
[ M] 44. c:\winnt\system32\wljhj.dll
01760000[0001F000]
[ M] 43. c:\winnt\system32\wiytd.dll
01780000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
77520000[00008000]
[ M] 51. c:\winnt\system32\wdmaud.drv
773C0000[00008000]
[ M] 52. c:\winnt\system32\msacm32.drv
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
01D80000[0001B000]
[ M] 41. c:\program files\rising\antispyware\ieprot.dll
01E00000[00003000]
[ M] 40. c:\winnt\mui\fallback\0804\msctf.dll.mui
10000000[00013000]
[AM] 26. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
022C0000[00011000]
[AM] 29. c:\winnt\system32\shlhook.dll
022F0000[0001F000]
[AM] 31. c:\winnt\system32\agent.dll
73900000[0002D000]
[ M] 53. c:\winnt\system32\jpwb.ime
60280000[0002D000]
[ M] 54. c:\winnt\system32\msimtf.dll
325C0000[00012000]
[AM] 25. c:\program files\microsoft office\office11\msohev.dll
75CE0000[00006000]
[ M] 55. c:\winnt\system32\msadp32.acm
03C20000[0002C000]
[AM] 23. c:\program files\winrar\rarext.dll
+ 00000444(1092) Ras.exe
00400000[0013F000]
[ M] 56. c:\program files\rising\antispyware\ras.exe
780C0000[00061000]
[ M] 57. c:\winnt\system32\msvcp60.dll
00990000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
10070000[00010000]
[ M] 38. c:\winnt\system32\wmiapisrv.dll
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
011D0000[00010000]
[AM] 28. c:\program files\internet explorer\plugins\system64.sys
012E0000[000A3000]
[ M] 58. c:\program files\rising\antispyware\rasgui.dll
73900000[0002D000]
[ M] 53. c:\winnt\system32\jpwb.ime
10000000[00013000]
[AM] 26. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
01B90000[0000C000]
[AM] 27. c:\program files\common files\microsoft shared\msinfo\newinfo.bmt
01CA0000[00011000]
[AM] 29. c:\winnt\system32\shlhook.dll
01D10000[0001F000]
[AM] 31. c:\winnt\system32\agent.dll
01FD0000[00003000]
[ M] 40. c:\winnt\mui\fallback\0804\msctf.dll.mui
02000000[0001B000]
[ M] 41. c:\program files\rising\antispyware\ieprot.dll
02130000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
02160000[0001F000]
[ M] 43. c:\winnt\system32\wiytd.dll
02180000[0001F000]
[ M] 44. c:\winnt\system32\wljhj.dll
021A0000[0001F000]
[ M] 45. c:\winnt\system32\hytsx.dll
021C0000[0001F000]
[ M] 46. c:\winnt\system32\wlkhm.dll
021E0000[0001F000]
[ M] 47. c:\winnt\system32\wkjhl.dll
02200000[0001F000]
[ M] 48. c:\winnt\system32\adapi32.dll
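The Kaka log above shows why agent.dll and qhbpri.dll could not be deleted in the 2007-7-23 14:28 post: qhbpri.dll is registered both as a ShellExecuteHook and in AppInit_DLLs, agent.dll as a ShellExecuteHook, and both, together with a set of same-sized five-letter DLLs (zeqax.dll, wiytd.dll, wljhj.dll, ...), appear in the module list of every process, so each file is always open. The script below is added here as an example; it is not part of the thread and not Rising's code. It parses this log format, lists modules shared by two or more processes that are not on a known-good list, and ties each back to the registry key in the same log that loads it. The excerpt is a constructed abbreviation of the posted log, and the known-good set is an assumption (on a real case it comes from a clean machine of the same build).

```python
import re

# Constructed, abbreviated excerpt in the format of the Rising Kaka log posted above:
# two registry sections that anchor DLLs, then three processes' module lists.
SAMPLE_LOG = r"""
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8}
[AM] 26. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
{26368135-64FA-BC34-DA32-DCF4FD431C92}
[AM] 30. c:\winnt\system32\qhbpri.dll
{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124}
[AM] 31. c:\winnt\system32\agent.dll
+ Program initialization and known DLLs
+ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
[AM] 30. c:\winnt\system32\qhbpri.dll
+ Running processes
+ 0000039c(924) ctfmon.exe
00400000[00005000]
[AM] 32. c:\winnt\system32\ctfmon.exe
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
00730000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
00FB0000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
+ 00000400(1024) Explorer.EXE
01270000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
01780000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
022F0000[0001F000]
[AM] 31. c:\winnt\system32\agent.dll
+ 00000444(1092) Ras.exe
00990000[0000A000]
[AM] 30. c:\winnt\system32\qhbpri.dll
60000000[0004B000]
[ M] 36. c:\winnt\system32\msctf.dll
01D10000[0001F000]
[AM] 31. c:\winnt\system32\agent.dll
02130000[0001F000]
[ M] 42. c:\winnt\system32\zeqax.dll
"""

PROC_RE = re.compile(r"^\+ [0-9A-Fa-f]{8}\(\d+\) (?P<name>\S+)$")   # "+ 00000400(1024) Explorer.EXE"
KEY_RE = re.compile(r"^\+ (?P<key>HK[A-Z]+\\.+)$")                  # "+ HKLM\SOFTWARE\..."
ADDR_RE = re.compile(r"^(?P<base>[0-9A-Fa-f]{8})\[(?P<size>[0-9A-Fa-f]{8})\]$")
MOD_RE = re.compile(r"^\[(?P<flags>[AM ]{2})\] \d+\. (?P<path>.+)$")

# Registry keys in the log that force a DLL into other processes, keyed by a fragment
# of the key path (lower-cased) and the label to report.
ANCHOR_KEYS = {
    "shellexecutehooks": "ShellExecuteHooks",
    "windows nt\\currentversion\\windows": "AppInit_DLLs",
}

# Assumption for the demo: modules expected in every GUI process on a clean Windows 2000.
KNOWN_GOOD = {"c:\\winnt\\system32\\msctf.dll"}


def parse_kaka_log(text: str):
    """Return ({process: {module: (base, size)}}, {module: {anchor labels}})."""
    procs, anchors = {}, {}
    current_proc = current_anchor = pending = None
    for line in text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            current_proc = m.group("name").lower()
            procs.setdefault(current_proc, {})
            current_anchor = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_proc = None
            key = m.group("key").lower()
            current_anchor = next((label for frag, label in ANCHOR_KEYS.items() if frag in key), None)
            continue
        if line.startswith("+ "):            # any other section title
            current_proc = current_anchor = None
            continue
        m = ADDR_RE.match(line)
        if m:                                # address line precedes its module line
            pending = (int(m.group("base"), 16), int(m.group("size"), 16))
            continue
        m = MOD_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if current_proc is not None:
            procs[current_proc][path] = pending
            pending = None
        elif current_anchor is not None:
            anchors.setdefault(path, set()).add(current_anchor)
    return procs, anchors


def injected_modules(text: str, known_good=KNOWN_GOOD) -> list:
    """DLLs loaded by two or more listed processes that are not known-good, with the
    registry locations in the same log that load them; most widely loaded first."""
    procs, anchors = parse_kaka_log(text)
    loaders = {}
    for proc, mods in procs.items():
        for path in mods:
            loaders.setdefault(path, set()).add(proc)
    out = []
    for path, where in loaders.items():
        if path in known_good or path.endswith(".exe") or len(where) < 2:
            continue
        sizes = {procs[p][path][1] for p in where if procs[p][path]}
        out.append({
            "path": path,
            "processes": sorted(where),
            "everywhere": len(where) == len(procs),
            "anchors": sorted(anchors.get(path, ())),
            "size": sizes.pop() if len(sizes) == 1 else None,
        })
    return sorted(out, key=lambda d: (-len(d["processes"]), d["path"]))


if __name__ == "__main__":
    for hit in injected_modules(SAMPLE_LOG):
        print(f"{hit['path']}  in {len(hit['processes'])} process(es)"
              f"{' (all)' if hit['everywhere'] else ''}  size=0x{hit['size']:X}"
              f"  loaded via {hit['anchors'] or 'no listed key'}")
```

On the excerpt the report puts qhbpri.dll first (every process, anchored by both AppInit_DLLs and a ShellExecuteHook), then zeqax.dll (every process, no registry anchor in the excerpt, so it is being pulled in by one of the others), then agent.dll (Explorer and Ras only, via its ShellExecuteHook). Deleting any of these while Explorer is running fails because the file is mapped; that is the reason the thread moves to IceSword and Safe Mode.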
© 2000 - 2026 Rising Corp. Ltd.