Logfile of HijackThis v1.99.1
Scan saved at 12:12:20 上午, on 2005-10-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\Program Files\Common Files\SAN\diskman.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Rising\Rfw\rfwmain.exe
C:\WINDOWS.0\Mixer.exe
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\WINDOWS.0\system32\rundll32.exe
C:\WINDOWS.0\system32\srddt.exe
C:\WINDOWS.0\System32\Rundll32.exe
F:\down\248783200522382732\HijackThis.com

R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS.0\System32\xunleibho_v4.dll
O2 - BHO: YiSou - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:\PROGRA~1\yisou\yisoub.dll (file missing)
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.0\System32\msdxm.ocx
O3 - Toolbar: 一搜工具条 - {115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5} - C:\Program Files\yisou\yisou.dll (file missing)
O4 - HKLM\..\Run: [RfwMain] C:\Program Files\Rising\Rfw\rfwmain.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS.0\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [srddt] C:\WINDOWS.0\system32\srddt.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS.0\System32\WindowsUpdate.exe
O4 - HKLM\..\Run: [Update] C:\WINDOWS.0\System32\Update.exe
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe "C:\PROGRA~1\CNNIC\Cdn\cdnspie.dll",ExecFilter solo
O8 - Extra context menu item: &Download by NetAnts - F:\rj2\netants\NETANTS\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - F:\rj2\netants\NETANTS\NAGetAll.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - F:\rj2\qq2\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - F:\rj2\KUAICH~1\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - F:\rj2\KUAICH~1\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\rj2\QQ3\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\rj2\QQ3\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\rj2\QQ3\SendMMS.htm
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - F:\rj2\netants\NETANTS\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - F:\rj2\netants\NETANTS\NetAnts.exe
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.0\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.0\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\新建文件夹\rj\qq\QQ.exe
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\新建文件夹\rj\qq\QQ.exe
O9 - Extra button: 易趣购物 - {DE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://218.244.110.115/interfaceasp/mwf/mgaxctrl.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {98A62E3F-A8C5-4EF0-8A00-C70CF9D18A89} (LoaderCore Class) - http://tb.sogou.com/DLLoader.cab
O16 - DPF: {C14D003A-DA41-4FEE-8204-62A94EAA29D1} (GLWebAvt Control) - http://bbs.ourgame.com/image/GLWebAvt.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS.0\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS.0\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS.0\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS.0\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS.0\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS.0\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS.0\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS.0\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS.0\System32\wiascr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS.0\System32\Ati2evxx.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: Universal Disk Manager - Unknown owner - C:\Program Files\Common Files\SAN\diskman.exe
RegClean
我的IE被www.9991.com的网站劫持了多天了,今天用RegClean修复了一下,不知道还有没有问题,请版主瞧瞧
谢谢

重新启动到安全模式（进入安全模式的方法:重新启动电脑, 开机自动检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式(Safe Mode)进入Windows。）

开始→控制面板→性能和维护→管理工具→服务→查找Universal Disk Manager→右击→属性→启动类型→禁止→应用→停止→确定。

请关闭所有IE界面，重新使用HijackThis扫描一次，选中下面建议修复的项目，让HijackThis修复，修复前请允许HijackThis保留备份。（如果楼主知道是安全的可以不必勾选）
O4 - HKLM\..\Run: [srddt] C:\WINDOWS.0\system32\srddt.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS.0\System32\WindowsUpdate.exe
O4 - HKLM\..\Run: [Update] C:\WINDOWS.0\System32\Update.exe
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://218.244.110.115/interfaceasp/mwf/mgaxctrl.cab
O23 - Service: Universal Disk Manager - Unknown owner - C:\Program Files\Common Files\SAN\diskman.exe

然后打开我的电脑→再点工具→打开文件夹选项→查看→把隐藏受保护的系统文件（推荐）和隐藏已知文件类型的扩展名的勾去掉→再显示所有文件→找到以下文件并删除：(如果有的话)
C:\WINDOWS.0\system32\srddt.exe
C:\WINDOWS.0\System32\WindowsUpdate.exe
C:\WINDOWS.0\System32\Update.exe
C:\Program Files\Common Files\SAN\diskman.exe

处理中---------

谢谢楼主!

版主：麻烦你万忙之中抽空看看我的日志，一起机老弹瑞星防火墙拦截的自启动连接网络的警告窗口HijackThis_815汉化版扫描日志 V1.99.1
保存于      13:40:02, 日期 2005-11-6
操作系统：  Windows XP SP2 (WinNT 5.01.2600)
浏览器：    Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\瑞星防火墙\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LHotkey.exe
C:\Program Files\Lenovo\联想键盘驱动\LCC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MINIPP\MINIPP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\KPContext.exe
C:\Program Files\Common Files\Upd\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
G:\腾迅\qq\QQ.exe
e:\瑞星防火墙\rising\rfw\RfwMain.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\AMD\Cool'n'Quiet\gemback.exe
G:\腾迅\qq\TIMPlatform.exe
C:\Program Files\Common Files\SAN\diskman.exe
E:\KuGoo3\KuGoo3\KuGoo.exe
E:\GB\GreenBrowser.exe
E:\进程扫瞄\HB_Hijackthis1991zww8152.exe
E:\进程扫瞄\HijackThis1991汉化版\HijackThis1991zww.exe

R3 - 默认的URLSearchHook丢失。用HijackThis修复
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E7505F8-8F30-41E0-9D1E-D9DEABD36D38} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\间谍清理\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - G:\腾迅\qq\QQIEHelper.dll
O2 - BHO: EyeOnIE Class - {82925498-364E-4419-B3BF-CD12FC7A8815} - E:\脱兔\xDownDll2.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - E:\KuGoo3\KuGoo3\KuGoo3DownXControl.ocx
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [LHotkey] LHotkey.exe
O4 - 启动项HKLM\\Run: [Lcc] C:\Program Files\Lenovo\联想键盘驱动\LCC.exe
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [模式转换] C:\Program Files\联想\模式转换\QuakeII.exe
O4 - 启动项HKLM\\Run: [MINI_MINIPP] C:\Program Files\MINIPP\MINIPP.exe
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [KPContext] C:\WINDOWS\system32\KPContext.exe
O4 - 启动项HKLM\\Run: [Update] C:\Program Files\Common Files\Upd\Update.exe
O4 - 启动项HKLM\\Run: [KAVPersonal50] "D:\卡巴斯基\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - 启动项HKLM\\Run: [RfwMain] "E:\瑞星防火墙\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: 腾讯QQ.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - E:\讯雷5\THUNDER5\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - E:\讯雷5\THUNDER5\getAllurl.htm
O8 - IE右键菜单中的新增项目: &使用迷你PP下载 - C:\Program Files\MINIPP\geturl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - G:\腾迅\qq\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 使用KuGoo3下载(&K) - E:\KuGoo3\KuGoo3\KuGoo3DownX.htm
O8 - IE右键菜单中的新增项目: 使用脱兔下载 - E:\脱兔\xdownGeturl.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - G:\腾迅\qq\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - G:\腾迅\qq\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - G:\腾迅\qq\SendMMS.htm
O9 - 浏览器额外的按钮: 联想 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.legend.com (file missing)
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - G:\腾迅\qq\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - G:\腾迅\qq\QQ.EXE
O9 - 浏览器额外的按钮: 脱兔最强最快的下载工具 - {D5C1CCC2-811B-4bf2-BF22-0D3B89600F5B} - E:\脱兔\TuoTu.exe
O9 - 浏览器额外的“工具”菜单项: &TuoTu - {D5C1CCC2-811B-4bf2-BF22-0D3B89600F5B} - E:\脱兔\TuoTu.exe
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - G:\腾迅\qq\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - G:\腾迅\qq\QQIEHelper.dll
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.legend.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{64603722-7C97-4B91-A547-C907947F01DB}: NameServer = 211.98.4.1,211.98.2.4
O23 - NT 服务: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - NT 服务: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - NT 服务: kavsvc - Kaspersky Lab - D:\卡巴斯基\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - e:\瑞星防火墙\rising\rfw\rfwsrv.exe
O23 - NT 服务: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - NT 服务: Universal Disk Manager - Unknown owner - C:\Program Files\Common Files\SAN\diskman.exe

重新启动到安全模式（进入安全模式的方法:重新启动电脑, 开机自动检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式(Safe Mode)进入Windows。）

开始→控制面板→性能和维护→管理工具→服务→查找Universal Disk Manager→右击→属性→启动类型→禁止→应用→停止→确定。

请关闭所有IE界面，重新使用HijackThis扫描一次，选中下面建议修复的项目，让HijackThis修复，修复前请允许HijackThis保留备份。（如果楼主知道是安全的可以不必勾选）
R3 - 默认的URLSearchHook丢失。用HijackThis修复
O2 - BHO: (no name) - {0E7505F8-8F30-41E0-9D1E-D9DEABD36D38} - (no file)
O4 - 启动项HKLM\\Run: [Update] C:\Program Files\Common Files\Upd\Update.exe

删除文件夹C:\Program Files\Common Files\Upd
删除文件夹C:\Program Files\Common Files\SAN

正在处理中，谢谢版主