斑竹给看看，谢谢了，着急死了，新手就不用帮忙了，好意心领了 bbs.ikaka.com

dzhxzh - 2006-2-2 18:29:00

Logfile of HijackThis v1.99.1
Scan saved at 18:27:46, on 2006-1-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\HERO2000\SysExplr.EXE
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\program files\rising\rfw\ScanBD.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Rising\Rav\Rav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Rising\Rav\RavMon.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\use\LOCALS~1\Temp\Rar$EX03.975\HijackThis.exe

R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
O1 - Hosts: <meta name="ProgId" content="FrontPage.Editor.Document">
O1 - Hosts: <meta http-equiv="Content-Type" content="text/html; charset=gb2312">
O1 - Hosts: <title>成人美少女性爱电影</title>
O1 - Hosts: <SCRIPT language=javascript src="http://12san.com/v/yule_right.js"></SCRIPT>
O1 - Hosts: <SCRIPT language=javascript src="http://12san.com/v/float_left.js"></SCRIPT>
O1 - Hosts: </head>
O1 - Hosts: <body bgcolor="#000000">
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="770" align="center" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">
O1 - Hosts: <table height="20" cellSpacing="0" cellPadding="0" width="750" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td width="748" height="1" style="font-size: 12px">
O1 - Hosts: <img height="12" src="images/vod.gif" width="750" border="0"></td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td width="748" height="52" style="font-size: 12px">
O1 - Hosts: <div align="center">
O1 - Hosts: <center>
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="752" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n155.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n156.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n157.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n158.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n159.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n160.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img height="60" src="images/n161.jpg" width="80" border="0"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px">
O1 - Hosts: <img src="images/n162.jpg" border="0" width="80" height="60"> </td>
O1 - Hosts: <td width="125" style="font-size: 12px"><br>
O1 - Hosts: <img src="images/n163.jpg" border="0" width="80" height="60">
O1 - Hosts: <font size="2" style="font-size: 12px; font-family: 宋体; text-decoration: none" color="#ffffff">
O1 - Hosts: </font></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: </center>
O1 - Hosts: </div>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td width="748" height="1" style="font-size: 12px">
O1 - Hosts: <img height="12" src="images/vod.gif" width="750" border="0"></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="770" align="center" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px"><br>
O1 - Hosts: <p align="center">
O1 - Hosts: <font color="#ffff00" size="3" style="font-size: 12px; font-family: 宋体; text-decoration: none">
O1 - Hosts: 由于注册人数过多，显示不正常请刷新本页</font><img src="images/input.gif" width="700" height="80"></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="770" align="center" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td vAlign="top" width="210" rowSpan="4" style="font-size: 12px">
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="100%" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">
O1 - Hosts: <img src="images/l.jpg" width="198" height="457"></td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">　</td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">
O1 - Hosts: <div align="center">
O1 - Hosts: </div>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: </td>
O1 - Hosts: <td background="images/mobile.gif" height="50" style="font-size: 12px">　</td>
O1 - Hosts: <td vAlign="top" width="210" rowSpan="4" style="font-size: 12px">
O1 - Hosts: <table cellSpacing="0" cellPadding="0" width="100%" border="0" style="font-size: 12pt">
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">
O1 - Hosts: <img src="images/r.jpg" width="198" height="457"></td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">　</td>
O1 - Hosts: </tr>
O1 - Hosts: <tr style="font-size: 12pt">
O1 - Hosts: <td style="font-size: 12px">
O1 - Hosts: <div align="center">
O1 - Hosts: </div>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O2 - BHO: CNav Class - {1954558D-BD14-420A-BC38-7F41F7A1DDBB} - C:\WINDOWS\System32\NAVIGA~1.DLL
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\Yahoo!\Assistant\Assist\yAngling.dll
O2 - BHO: URLMonitor Class - {3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92} - C:\WINDOWS\System32\hap.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - C:\WINDOWS\System32\Usign.dll
O2 - BHO: 360搜 - {472101C2-1109-43f4-9112-31F33E3F2127} - C:\PROGRA~1\360so\360so.dll (file missing)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: DownloadValue Class - {616D4040-5712-4F0F-BCF1-5C6420A99E14} - C:\WINDOWS\System32\winhtp.dll
O2 - BHO: 3721中文邮 - {6231D512-E4A4-4DF2-BE62-5B8F0EE348EF} - C:\PROGRA~1\3721\Ces\cesweb.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: YiSou - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:\PROGRA~1\YiSou\yisoub.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 一搜工具条 - {115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5} - C:\Program Files\YiSou\yisou.dll

dzhxzh - 2006-2-2 18:30:00

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 按钮(&B) - {00000011-04FA-11D1-B7DA-00A0C9032222} - C:\WINDOWS\System32\bhoiea.dll
O3 - Toolbar: 按钮扩展(&O) - {5F3DF275-3DAA-47DD-BA2F-5045558FA31C} - C:\WINDOWS\System32\iea.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [xkstartup] C:\WINDOWS\System32\spool\drivers\w32x86\2\ssccgo.exe Xerox WorkCentre XK Series
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [cesmain.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\Ces\cmail.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [SysExplr] C:\HERO2000\SysExplr.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [360Main.exe] C:\PROGRA~1\360so\360Main.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\Run: [RavScanBD] "C:\program files\rising\rfw\ScanBD.exe" /INST
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: hosts.exe
O4 - Startup: OPENEXT.lnk = C:\Program Files\OPENEXT\OPENEXT.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Startup: 方正字体映射模式.lnk = C:\FZTTFDRV\FZTTFDRV.EXE
O4 - Startup: run.bat
O8 - Extra context menu item: !搜一搜 - res://C:\Program Files\YiSou\yisou.dll/232
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_fengqi_14879 (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 3721中文邮 - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [TBH] QQ地址栏搜索
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {E75D308D-B903-11D4-BD46-0050BA6E0CA5} (BtecKBase Class) - http://www.dadou.cn/bteckbasec.dll
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O20 - AppInit_DLLs: KB2059102.LOG
O21 - SSODL: DLMon - {590498A3-4131-4D8F-BA4B-36791A0803B1} - C:\WINDOWS\System32\DLMain.dll
O23 - Service: internet systemrundll - Unknown owner - C:\WINDOWS\systemrundll.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: SYSTEM32_Server (SYSTEM32) - Unknown owner - C:\WINDOWS\SYSYTEM32.exe

looooo - 2006-2-2 18:46:00

你家可以开养鸽场了,我是新手,所以我就不说话了!

egomoo - 2006-2-2 18:58:00

兄弟，把鸽子宰了补补身子吧。
1.host文件被修改
O4 - Startup: hosts.exe
2.2个鸽子服务
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe

3.RADMIN远程控制客户端
O23 - Service: SYSTEM32_Server (SYSTEM32) - Unknown owner - C:\WINDOWS\SYSYTEM32.exe
4.下面这个估计也是病毒
O23 - Service: internet systemrundll - Unknown owner - C:\WINDOWS\systemrundll.exe

5.用3721伪装，浏览器被修改，一打开就是XX网页
O4 - HKLM\..\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - Startup: run.bat
O4 - HKLM\..\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
7.几个恶意广告
O3 - Toolbar: 按钮(&B) - {00000011-04FA-11D1-B7DA-00A0C9032222} - C:\WINDOWS\System32\bhoiea.dll
O3 - Toolbar: 按钮扩展(&O) - {5F3DF275-3DAA-47DD-BA2F-5045558FA31C} - C:\WINDOWS\System32\iea.dll

6.

不言放弃 - 2006-2-2 18:59:00

修复
所有的01项
O2 - BHO: CNav Class - {1954558D-BD14-420A-BC38-7F41F7A1DDBB} - C:\WINDOWS\System32\NAVIGA~1.DLL
O2 - BHO: URLMonitor Class - {3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92} - C:\WINDOWS\System32\hap.dll
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - C:\WINDOWS\System32\Usign.dll
O2 - BHO: DownloadValue Class - {616D4040-5712-4F0F-BCF1-5C6420A99E14} - C:\WINDOWS\System32\winhtp.dll
O4 - HKLM\..\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - HKLM\..\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - Startup: hosts.exe
O4 - Startup: run.bat
O20 - AppInit_DLLs: KB2059102.LOG
O21 - SSODL: DLMon - {590498A3-4131-4D8F-BA4B-36791A0803B1} - C:\WINDOWS\System32\DLMain.dll
O23 - Service: internet systemrundll - Unknown owner - C:\WINDOWS\systemrundll.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe
O23 - Service: SYSTEM32_Server (SYSTEM32) - Unknown owner - C:\WINDOWS\SYSYTEM32.exe

卸载HAP

删除
C:\WINDOWS\System32\NAVIGA~1.DLL
C:\WINDOWS\System32\hap.dll
C:\WINDOWS\System32\Usign.dll
C:\WINDOWS\System32\winhtp.dll
C:\$NtUninstallQ5926809$
C:\$NtUninstallQ887678$
hosts.exe＜注意路径是开始－－程序－－运行－－hosts.exe＞
run.bat＜注意路径是开始－－程序－－运行－－run.bat＞
KB2059102.LOG
C:\WINDOWS\System32\DLMain.dll
C:\WINDOWS\systemrundll.exe
C:\WINDOWS\G_Server.exe
C:\WINDOWS\G_Server2.0.exe
C:\WINDOWS\SYSYTEM32.exe

在硬盘中搜索G_Server.dll
G_Serverkey.dll
G_Server_hook.dll
G_Server2.0.dll
G_Server2.0key.dll
G_Server2.0_hook.dll
SYSYTEM32.dll
SYSYTEM32key.dll
SYSYTEM32_hook.dll
找到后全部删除

找不到文件请参考图片设置

附件: 364052200622185910.JPG

瑞星卡卡安全论坛