Logfile of HijackThis v1.99.0
Scan saved at 8:37:31, on 2006-3-14
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\rising\Rav\RavTask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\yy\HijackThis1.99.exe

R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\downlo~1\CnsHook.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CAP3ON] C:\WINNT\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\downlo~1\CnsMin.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0FFFF7A-961F-4528-9D92-4111E8EE16DA}: NameServer = 202.96.134.133,202.96.128.166
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINNT\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\System32\msdxm.ocx
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RsRavMon Service - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe


朋友帮忙看看了
刚在病毒区转过来~~~~~~
一开机..或重启.注销就会弹出6~7个网页~~~关了.上网什么的都正常~~~

【回复“yia126”的帖子】
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
下载System Repair Engineer 2.0.12.350 RC1版
导出全部日志

2006-03-14,10:35:38

System Repair Engineer 2.0.12.350 (2.0 RC 1)
    Windows 2000 Professional Service Pack 4 - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <ctfmon.exe><ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <load><>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <run><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <CAP3ON><C:\WINNT\system32\spool\drivers\w32x86\3\CAP3ONN.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <RavTask><"C:\Program Files\rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <Synchronization Manager><mobsync.exe /logon>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><>

==================================
启动文件夹
[Adobe Gamma Loader]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk><N>
[Service Manager]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Service Manager.lnk><N>

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Indesing Agent / Indesing PolicyAgent]
  <C:\WINNT\wscmtfy.com><N/A>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Network DDE Management / r_server]
  <"C:\WINNT\system32\WBEM\services.exe" /service><N/A>

==================================
浏览器加载项
[FlashGet Bar]
  {E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, Microsoft Corporation>
[使用网际快车下载]
  <C:\PROGRA~1\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <C:\PROGRA~1\FlashGet\jc_all.htm, N/A>
[导出到 Microsoft Excel(&x)]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
  <C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 144][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 168][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 188][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6714>
[PID: 220][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.6700>
    [C:\WINNT\system32\dmserver.dll]  <VERITAS Software Corp.><2195.6605.297.3>
[PID: 232][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.6695>
[PID: 428][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 456][C:\WINNT\system32\spoolsv.exe]  <Microsoft Corporation><5.00.2195.6659>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDNT5UI.DLL]  <Zenographics, Inc.><5.50.1811.0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDDM32.DLL]  <Zenographics, Inc.><5, 52, 1023, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZSPOOL.dll]  <Zenographics, Inc.><5, 51, 709, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZGDI32.dll]  <Zenographics, Inc.><5, 51, 628, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZTAG32.dll]  <Zenographics, Inc.><5, 50, 1725, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDDMUI.DLL]  <Zenographics, Inc.><5, 51, 1211, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZLANG.dll]  <Zenographics, Inc.><1, 2, 1414, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\SR32.dll]  <Zenographics, Inc.><5, 54, 315, 0>
    [C:\WINNT\system32\spool\DRIVERS\W32X86\3\CNMUI6e.DLL]  <CANON INC.><1.80.2.50>
    [C:\WINNT\system32\icm32.dll]  <Microsoft Corporation><5.00>
[PID: 504][C:\WINNT\System32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 556][C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe]  <Microsoft Corporation><7.00.9064.9150>
[PID: 600][d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe]  <Microsoft Corporation><2000.080.0194.00>
[PID: 728][C:\WINNT\system32\regsvc.exe]  <Microsoft Corporation><5.00.2195.6701>
[PID: 744][C:\WINNT\system32\WBEM\services.exe]  <N/A><N/A>
    [C:\WINNT\system32\WBEM\ADMDLL.dll]  <N/A><N/A>
[PID: 756][C:\WINNT\system32\MSTask.exe]  <Microsoft Corporation><4.71.2195.6704>
[PID: 796][d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe]  <Microsoft Corporation><2000.080.0194.00>
[PID: 840][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 852][C:\WINNT\system32\mspmspsv.exe]  <Microsoft Corporation><7.01.00.3055>
[PID: 864][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 980][C:\WINNT\System32\dmadmin.exe]  <VERITAS Software Corp.><2195.6624.297.3>
    [C:\WINNT\System32\dmutil.dll]  <VERITAS Software Corp.><2195.6605.297.3>
    [C:\WINNT\System32\dmconfig.dll]  <VERITAS Software Corp.><2195.6605.297.3>
[PID: 1148][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>
    [C:\WINNT\downlo~1\CnsHook.dll]  <北京三七二一科技有限公司><1, 0, 2, 7>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  <Adobe Systems, Inc.><7.0.0.0>
[PID: 1544][C:\WINNT\system32\Rundll32.exe]  <Microsoft Corporation><5.00.2134.1>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>
[PID: 1652][C:\Program Files\rising\Rav\RavTask.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
    [C:\Program Files\rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [C:\Program Files\rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>
[PID: 492][C:\WINNT\system32\ctfmon.exe]  <Microsoft Corporation><1.00.2409.7 built by: Lab06_N>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>
[PID: 1700][C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe]  <Microsoft Corporation><2000.080.0194.00>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>
[PID: 1472][E:\yy\System Repair Engineer 2.0.12.350 RC1版\SREng.exe]  <Smallfrogs Studio><2.0.12.350>
    [C:\WINNT\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 8>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

下面是载图[img][/img]

【回复“yia126”的帖子】
中了远程控制程序－－影子木马

操作参考：

结束C:\WINNT\system32\WBEM\services.exe进程
需要借助于其它能够查看进程路径的小工具来结束
C:\WINNT\system32\services.exe是正常的系统进程
＝＝＝＝＝＝＝＝＝＝＝

开始－－控制面板－－管理工具－－服务
禁用如下两个服务：
[Indesing Agent / Indesing PolicyAgent]
<C:\WINNT\wscmtfy.com><N/A>

[Network DDE Management / r_server]
<"C:\WINNT\system32\WBEM\services.exe" /service><N/A>

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
若精通注册表话
建议进入注册表
依次搜索下面这两个服务
Indesing PolicyAgent
r_server
找到后全部删除
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝


删除
C:\WINNT\system32\WBEM\services.exe
C:\WINNT\system32\WBEM\ADMDLL.dll

提示：
若正常模式下无法解决
建议进入安全模式下操作

建议安装专业防火墙
若使用的是瑞星防火墙
建议导入本论坛的瑞星防火墙规则

SORRY~~~!!没有说清楚~~~那个是我自己装的~~平时用来管理的~~

引用:

【yia126的贴子】SORRY~~~!!没有说清楚~~~那个是我自己装的~~平时用来管理的~~ ...........................

哪个是你安装的远程控制工具？

是我自己装的~~~~一直都装了的~~~~
用来管理用的~~~我们有二台电脑的啦~~~
现在就是会老弹那网页啊`~~郁闷`~~
用瑞星扫描过..没发现什么.....看来要重装了.但还想最后不用重装是最好的了~~~

吃饭先了~~~等一下再来看看吧....没有解决办法.只有封贴.重装了~~~

关贴