救命啊,我朋友的电脑快爆炸啦!!!!!!!!!!!! bbs.ikaka.com

zhengfu - 2006-4-28 1:17:00

我朋友的电脑因为一个多月没升级杀毒软件，现在病毒多的数不清了!!!机器卡的要命而且还查不出是什么病毒!!下面我他的日志请帮忙看看哟~~~
Running processes:
[SMSS.EXE]
CommandLine =

[csrss.exe]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

[winlogon.exe]
CommandLine = winlogon.exe

[services.exe]
CommandLine = C:\WINDOWS\system32\services.exe

[lsass.exe]
CommandLine = C:\WINDOWS\system32\lsass.exe

[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost -k DcomLaunch

[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss

[svchost.exe]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs

[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost.exe -k NetworkService

[svchost.exe]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService

[SOUNDMAN.EXE]
CommandLine = "C:\WINDOWS\SOUNDMAN.EXE"

[igfxtray.exe]
CommandLine = "C:\WINDOWS\system32\igfxtray.exe"

[hkcmd.exe]
CommandLine = "C:\WINDOWS\system32\hkcmd.exe"

[realsched.exe]
CommandLine = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[YLive.exe]
CommandLine = "C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe"

[ctfmon.exe]
CommandLine = "C:\WINDOWS\system32\ctfmon.exe"

[KAVSvcUI.EXE]
CommandLine = C:\KAV5\KAVSvcUI.EXE

[spoolsv.exe]
CommandLine = C:\WINDOWS\system32\spoolsv.exe

[KAVSvc.exe]
CommandLine = C:\KAV5\KAVSvc.exe

[rundll32.exe]
CommandLine = C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\IRJIT.DLL,Export 1087

[rundll32.exe]
CommandLine = C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\STDSVER.DLL,Service

[Network.exe]
CommandLine = "C:\Program Files\Common Files\COMM\Network.exe"

[alg.exe]
CommandLine = C:\WINDOWS\System32\alg.exe

[rundll32.exe]
CommandLine = C:\WINDOWS\SYSTEM32\stdup.dll,Entry

[FSmars2.06.exe]
CommandLine = "E:\FSmarsV2.04B\FSmarsV2.06\FSmars2.06.exe"

[regsvr32.exe]
CommandLine = "C:\WINDOWS\system32\regsvr32.exe" /s /u "C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll"

[regsvr32.exe]
CommandLine = "C:\WINDOWS\system32\regsvr32.exe" /s /u "C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll"

[QQBattleZone.exe]
CommandLine = "D:\Program Files\Tencent\QQBattleZone\QQBattleZone.exe"

[Explorer.EXE]
CommandLine = C:\WINDOWS\explorer.exe

[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"

[KkScan.exe]
CommandLine = "C:\Program Files\Rising\KakaToolBar\KkScan.exe"

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINDOWS\system32\wmpdrm.dll
O2 - BHO: QuickBtn - {1A199C20-DE2B-4838-AE3F-B5257ECE2B7E} - C:\Program Files\CoolWebsite\QuickLink.dll
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: MICROQIL2 - {832C0563-0820-4fef-83D8-418261DBC233} - C:\WINDOWS\system32\RAdminl.dll
O2 - BHO: HBObject Class - {AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1} - C:\PROGRA~1\HBClient\hbhelper.dll (file missing)
O3 - Toolbar: 金山毒霸 - {A9BE2902-C447-420A-BB7F-A5DE921E6138} - C:\KAV5\KAIEPlus.DLL
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\os\LOCALS~1\Temp\RarSFX1\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [RichMedia] C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\HBClient\hbhelper.dll",WaitWindows
O4 - HKLM\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\os\LOCALS~1\Temp\RarSFX1\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [KAVRun] C:\KAV5\KAVRun.EXE
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - Startup: desktop.ini =
O4 - Startup: 腾讯QQ.lnk = D:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: desktop.ini =
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\浩方对战平台\GameClient.exe
O9 - Extra Button: 金山毒霸网站 - {ede25120-9867-44ae-a56e-4f4cfc225c3d} - url:http://www.duba.net (file missing)
O9 - Extra Button: 在线查毒 - {f58d36c3-40be-4418-a786-d8fbe3eb3554} - C:\KAV5\kavie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8F4F1A8-D6B0-4035-952F-3E7453D4F2CA}: NameServer = 61.130.254.34 61.130.254.35
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: igfxcui
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Kingsoft AntiVirus Service (KAVSvc) - kingsoft Antivirus - C:\KAV5\KAVSvc.exe
O23 - Service: DNS Cache (SOCEESe) - - C:\WINDOWS\system32\rundll32.exe c:\windows\system32\wbem\irjit.dll,export 1087
O23 - Service: StdService (StdService) - - C:\WINDOWS\system32\rundll32.exe c:\windows\system32\stdsver.dll,service
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe
O23 - Service: User Privilege Service (usprserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: 幻影变速 (时空游侠网络版 - 世界上最强大) - - C:\WINDOWS\幻影变速.exe

轩辕小聪 - 2006-4-28 1:36:00

楼主朋友的机子已经成了流氓软件的安乐窝了。
用HijackThis（http://forum.ikaka.com/topic.asp?board=28&artid=6979213第1楼附件中下载）修复：
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINDOWS\system32\wmpdrm.dll
O2 - BHO: QuickBtn - {1A199C20-DE2B-4838-AE3F-B5257ECE2B7E} - C:\Program Files\CoolWebsite\QuickLink.dll
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: MICROQIL2 - {832C0563-0820-4fef-83D8-418261DBC233} - C:\WINDOWS\system32\RAdminl.dll
O2 - BHO: HBObject Class - {AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1} - C:\PROGRA~1\HBClient\hbhelper.dll (file missing)
O4 - HKCU\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\os\LOCALS~1\Temp\RarSFX1\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [RichMedia] C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\HBClient\hbhelper.dll",WaitWindows
O4 - HKLM\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\os\LOCALS~1\Temp\RarSFX1\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O23 - Service: Network System (Universal Disk Manager) - COMENET TECHNOLOGY - C:\Program Files\Common Files\COMM\Network.exe

卸载：
C:\Program Files\CoolWebsite\
C:\PROGRA~1\HBClient\

在注册表找到并删除Universal Disk Manager项目

重启后删除：
C:\Program Files\CoolWebsite\（表示文件夹，下同）
C:\PROGRA~1\HBClient\
C:\Program Files\Common Files\UPDAT\
清空C:\DOCUME~1\os\LOCALS~1\Temp\文件夹（最好在安全模式下）
C:\Program Files\Common Files\COMM\
另外：
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINDOWS\system32\wmpdrm.dll
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer
对这两项的详细处理请务必参考http://forum.ikaka.com/topic.asp?board=28&artid=7948848

C:\PROGRA~1\HBClient\是很棒小秘书流氓软件，详细处理方法请参考http://forum.ikaka.com/topic.asp?board=28&artid=7795226

C:\Program Files\SearchNet\是中搜流氓软件，一般很难卸载，建议参考：
1、重启进入安全模式
2、在注册表中删除如下注册表项目：

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

SearchNet_Up --> ["C:\Program Files\SearchNet\ServeUp.exe"]

CdnCtr --> ["C:\Program Files\SearchNet\ServeUp.exe"]

3、重启到安全模式下运行searchnet目录中的uninstall,输入其验证码，则删除了该目录中的文件（除UNINSTALL外）

4、再删除uninstall,接着删SEARCHNET目录。

5、删除如下文件：
C:\WINNT\system32\ServeHost.exe
C:\WINNT\system32\SeedServ.exe
6、重启回到正常模式，使用防毒软件对系统进行全盘扫描。

O23 - Service: DNS Cache (SOCEESe) - - C:\WINDOWS\system32\rundll32.exe c:\windows\system32\wbem\irjit.dll,export 1087
这一项用HijackThis一般扫不出来，详细处理方法请参考http://forum.ikaka.com/topic.asp?board=28&artid=7946351

O23 - Service: 幻影变速 (时空游侠网络版 - 世界上最强大) - - C:\WINDOWS\幻影变速.exe
这个东西是自己装的吗？不能肯定它是否有问题。

说了这么多，最后请告诫你的朋友，好好爱护他/她的电脑，一个多月不升级杀毒软件，那是很危险的。

瑞星卡卡安全论坛