Rising Kaka Security Forum (瑞星卡卡安全论坛)
福娃欢欢 - 2006-7-2 20:48:00
Logfile of Kaka v2. 0. 0. 9 Scan Module v2. 0. 0. 1
Scan saved at 20:34:48, on 2006-07-02
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
Running processes:
[SMSS.EXE]
CommandLine =
[CSRSS.EXE]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[WINLOGON.EXE]
CommandLine = winlogon.exe
[SERVICES.EXE]
CommandLine = C:\WINDOWS\system32\services.exe
[LSASS.EXE]
CommandLine = C:\WINDOWS\system32\lsass.exe
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k DcomLaunch
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss
[CCenter.exe]
CommandLine = "C:\Program Files\Rising\Rav\CCenter.exe"
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k NetworkService
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService
[RavMonD.exe]
CommandLine = "C:\Program Files\Rising\Rav\Ravmond.exe"
[rfwsrv.exe]
CommandLine = "c:\program files\rising\rfw\rfwsrv.exe"
[SPOOLSV.EXE]
CommandLine = C:\WINDOWS\system32\spoolsv.exe
[inetinfo.exe]
CommandLine = C:\WINDOWS\system32\inetsrv\inetinfo.exe
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k imgsvc
[wdfmgr.exe]
CommandLine = C:\WINDOWS\system32\wdfmgr.exe
[ALG.EXE]
CommandLine = C:\WINDOWS\System32\alg.exe
[WSCNTFY.EXE]
CommandLine = C:\WINDOWS\system32\wscntfy.exe
[EXPLORER.EXE]
CommandLine = C:\WINDOWS\Explorer.EXE
[rfwmain.exe]
CommandLine = "C:\program files\rising\rfw\rfwmain.exe" -startup
[realsched.exe]
CommandLine = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[RavTask.exe]
CommandLine = "C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM
[downs.exe]
CommandLine = "C:\WINDOWS\system32\downs.exe"
[CTFMON.EXE]
CommandLine = "C:\WINDOWS\system32\ctfmon.exe"
[QQ.exe]
CommandLine = "D:\Program Files\Tencent\QQ\QQ.exe"
[TIMPlatform.exe]
CommandLine = "D:\Program Files\Tencent\QQ\TIMPlatform.exe" -Embedding
[KkScan.exe]
CommandLine = "C:\Program Files\Rising\KakaToolBar\KkScan.exe"
[iexplore.exe]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RfwMain] "c:\program files\rising\rfw\rfwmain.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
O4 - HKLM\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [downs] C:\WINDOWS\system32\downs.exe
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - http://www.pplive.com/download/WEBInstall.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144998502421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144998479929
O16 - DPF: {7FA9F9B3-FCD6-428A-A9CA-D181A2A39822} (FTPone Control) - http://mail.kingstar-products.com/FTPClient/QuarkFTPClient.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A984ED9F-E8DA-44E5-BC18-C14B9ABEF79D} (photo_uploader Control) - http://upload.photo.163.com/photoup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F787B0DD-FB0D-416C-AD49-585E9669D535} (Encoder Control) - http://mail.kingstar-products.com/VideoMail/QuarkEncoder.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D926B6-3F8A-4C91-9424-94AD1FCD68A2}: NameServer = 202.102.134.38,202.102.128.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
魔法学徒 - 2006-7-2 20:56:00
Start → Control Panel → Performance and Maintenance → Administrative Tools → Services → find win32 → right-click → Properties → Startup type → Disabled → Apply → Stop → OK.
Fix:
O4 - HKCU\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
O4 - HKLM\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [downs] C:\WINDOWS\system32\downs.exe
After rebooting, show hidden files:
Double-click My Computer -- Tools -- Folder Options -- View tab -- select "Show hidden files and folders" -- clear the "Hide protected operating system files (Recommended)" checkbox. When prompted to confirm the change, click "Yes" -- click "OK".
Then locate the following files and delete them (if present):
C:\WINDOWS\system32\IEXPLORER.exe
C:\Program Files\Qyule\
C:\WINDOWS\system32\downs.exe
C:\WINDOWS\H.com.cn.exe
C:\WINDOWS\H.com.cn.dll
C:\WINDOWS\H.com.cn_hook.dll
C:\WINDOWS\H.com.cnkey.dll
轩辕小聪 - 2006-7-2 20:56:00
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
Gray Pigeon (灰鸽子).
轩辕小聪 - 2006-7-2 20:57:00
Sigh, there's also a trojan and Qyule (青娱乐). Moderator 魔法, please come by more often; don't let 无邪 get worn out, heh.
福娃欢欢 - 2006-7-2 21:26:00
[Reply to 魔法学徒's post]
The following files were not found:
C:\Program Files\Qyule\
C:\WINDOWS\H.com.cn.exe
C:\WINDOWS\H.com.cn.dll
C:\WINDOWS\H.com.cn_hook.dll
C:\WINDOWS\H.com.cnkey.dll
There seem to be no symptoms now, thank you!
福娃欢欢 - 2006-7-2 21:28:00
[Reply to 轩辕小聪's post]
Thanks. Everyone to their talents; much obliged.
福娃欢欢 - 2006-7-3 7:52:00

After deleting last night, I scanned this morning and, damn, it's back!

Attachment:
63153020067374419.JPG
福娃欢欢 - 2006-7-3 7:54:00
Rescan as follows:
Logfile of Kaka v2. 0. 0. 9 Scan Module v2. 0. 0. 1
Scan saved at 07:44:47, on 2006-07-03
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
Running processes:
[SMSS.EXE]
CommandLine =
[CSRSS.EXE]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[WINLOGON.EXE]
CommandLine = winlogon.exe
[SERVICES.EXE]
CommandLine = C:\WINDOWS\system32\services.exe
[LSASS.EXE]
CommandLine = C:\WINDOWS\system32\lsass.exe
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k DcomLaunch
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss
[CCenter.exe]
CommandLine = "C:\Program Files\Rising\Rav\CCenter.exe"
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k NetworkService
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService
[RavMonD.exe]
CommandLine = "C:\Program Files\Rising\Rav\Ravmond.exe"
[rfwsrv.exe]
CommandLine = "c:\program files\rising\rfw\rfwsrv.exe"
[SPOOLSV.EXE]
CommandLine = C:\WINDOWS\system32\spoolsv.exe
[inetinfo.exe]
CommandLine = C:\WINDOWS\system32\inetsrv\inetinfo.exe
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k imgsvc
[wdfmgr.exe]
CommandLine = C:\WINDOWS\system32\wdfmgr.exe
[ALG.EXE]
CommandLine = C:\WINDOWS\System32\alg.exe
[WSCNTFY.EXE]
CommandLine = C:\WINDOWS\system32\wscntfy.exe
[EXPLORER.EXE]
CommandLine = C:\WINDOWS\Explorer.EXE
[RfwMain.exe]
CommandLine = -StartUp
[realsched.exe]
CommandLine = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[RavTask.exe]
CommandLine = "C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM
[CTFMON.EXE]
CommandLine = "C:\WINDOWS\system32\ctfmon.exe"
[Thunder5.exe]
CommandLine = "D:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe" /192.168.1.8KEVIN7E0
[TTraveler.exe]
CommandLine = "D:\Program Files\Tencent\TT\TTraveler.exe"
[msnmsgr.exe]
CommandLine = "C:\Program Files\MSN Messenger\msnmsgr.exe"
[KkScan.exe]
CommandLine = "C:\Program Files\Rising\KakaToolBar\KkScan.exe"
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RfwMain] "c:\program files\rising\rfw\rfwmain.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - http://www.pplive.com/download/WEBInstall.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144998502421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144998479929
O16 - DPF: {7FA9F9B3-FCD6-428A-A9CA-D181A2A39822} (FTPone Control) - http://mail.kingstar-products.com/FTPClient/QuarkFTPClient.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A984ED9F-E8DA-44E5-BC18-C14B9ABEF79D} (photo_uploader Control) - http://upload.photo.163.com/photoup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F787B0DD-FB0D-416C-AD49-585E9669D535} (Encoder Control) - http://mail.kingstar-products.com/VideoMail/QuarkEncoder.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D926B6-3F8A-4C91-9424-94AD1FCD68A2}: NameServer = 202.102.134.38,202.102.128.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\Mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
mopery - 2006-7-3 7:54:00
Trojan.DL.Inject.fk?
福娃, I want a sample...
Send it to bin59420@yahoo.com.cn
福娃欢欢 - 2006-7-3 7:56:00
| Quote: |
[mopery's post] Trojan.DL.Inject.fk? 福娃, I want a sample... Send it to bin59420@yahoo.com.cn ........................... |
So I just zip up that file and send it to you?
PS: Brazil, I really... I even cried.
mopery - 2006-7-3 7:57:00
Fix:
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
Delete:
C:\WINDOWS\system32\IEXPLORER.exe
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
How is the Pigeon still there?
Safe Mode... open Registry Editor and expand: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Search for win32 and delete it...
Delete:
C:\WINDOWS\H.com.cn.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
This needs to be repaired with LSPFix...
LSPFix (Chinese version) download link: http://forum.ikaka.com/topic.asp?board=67&artid=5188931
(post #8...)
Also download WinsockXPFix.exe... (post #2...)
Run LSPFix first... tick "I am sure I want to perform the repair" ...
Then move msplus.dll to the right-hand side... click Finish...
If you can't get online after doing this... just run WinsockXPFix.exe to repair it...
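The replies above triage the posted scan by hand: a Run entry whose file name mimics iexplore.exe, a Run value named like rundll32, an unknown Winsock LSP module, and a service with no vendor string running from C:\WINDOWS. The following Python script is an added example, not code from the thread or from Rising; it parses the O4/O10/O23 lines of a HijackThis/Kaka-style log with constructed heuristics (the allowlist, the look-alike table and the flag reasons are assumptions made for this example, not Kaka's own rules), and diffs two scans so that findings which survived a cleanup, as happened here between the 2006-07-02 scan and the 2006-07-03 rescan, are listed separately. The sample log lines are excerpted from the two scans posted in this thread.

```python
"""Triage of HijackThis/Kaka-style scan logs: parse, flag, and diff two scans (added example)."""
import ntpath
import re
from typing import Dict, List

# Constructed excerpts of the two scans posted in this thread (2006-07-02 and
# the 2006-07-03 rescan); only the O4/O10/O23 lines relevant to triage are kept.
SCAN_BEFORE = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
O4 - HKLM\..\Run: [AutoInsQyule] C:\Program Files\Qyule\QyuleInstall.exe
O4 - HKLM\..\Run: [downs] C:\WINDOWS\system32\downs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
"""

SCAN_AFTER = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [rundll31] C:\WINDOWS\system32\IEXPLORER.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\msplus.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: win32 (win32) - - C:\WINDOWS\H.com.cn.exe
"""

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
LSP_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.+)$')
# vendor may be empty, in which case the log shows "- -" before the image path
SVC_RE = re.compile(r'^O23 - Service: (.+?) \(([^)]+)\) - (.*?)\s?- ("?[A-Za-z]:.+)$')
# first quoted or unquoted path ending in an executable extension
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.I)

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
BASELINE_AUTOSTARTS = {"ctfmon.exe"}            # constructed minimal allowlist
LOOKALIKES = {"iexplorer.exe": "iexplore.exe"}  # look-alike seen in this thread


def image_path(command: str) -> str:
    """Strip quotes and arguments from a Run/service command line."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {entry key: [reasons]} for every entry a heuristic flags."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            hive, name, command = run.groups()
            image = image_path(command)
            base = ntpath.basename(image).lower()
            reasons = []
            if base in LOOKALIKES:
                reasons.append(f"file name mimics {LOOKALIKES[base]}")
            if re.fullmatch(r"rundll\d+", name.lower()):
                reasons.append("value name mimics rundll32")
            if ntpath.dirname(image).lower() in WINDOWS_DIRS and base not in BASELINE_AUTOSTARTS:
                reasons.append("unrecognised executable started directly from the Windows directory")
            if "install" in base:
                reasons.append("installer registered as an autostart")
            if reasons:
                findings[f"O4:{hive}:{name}"] = reasons
            continue
        lsp = LSP_RE.match(line)
        if lsp:
            # Kaka repeats the line; the dict key collapses the duplicate
            findings[f"O10:{lsp.group(1)}"] = ["unknown Winsock LSP module (every socket call passes through it)"]
            continue
        svc = SVC_RE.match(line)
        if svc:
            _display, short, vendor, command = svc.groups()
            image = image_path(command)
            if not vendor.strip() and ntpath.dirname(image).lower() != r"c:\windows\system32":
                findings[f"O23:{short}"] = ["service without a vendor string running outside system32"]
    return findings


def compare_scans(before: str, after: str) -> Dict[str, List[str]]:
    """Which flagged entries survived the cleanup, which went away, which are new."""
    b, a = triage(before), triage(after)
    return {
        "persistent": sorted(k for k in a if k in b),
        "removed": sorted(k for k in b if k not in a),
        "new": sorted(k for k in a if k not in b),
    }


if __name__ == "__main__":
    for key, reasons in triage(SCAN_BEFORE).items():
        print(key, "->", "; ".join(reasons))
    for bucket, keys in compare_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(bucket, keys)
```

Run against the two excerpts, the persistent bucket contains exactly the three items mopery singles out in the rescan (the rundll31 Run entry, the msplus.dll LSP and the win32 service), while the Qyule and downs Run entries land in the removed bucket. The heuristics are deliberately conservative and produce "needs review" findings, not verdicts; a legitimate autostart that is not in the allowlist will be listed and has to be checked by hand.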
mopery - 2006-7-3 7:58:00
| Quote: |
[福娃欢欢's post]
So I just zip up that file and send it to you?
PS: Brazil, I really... I even cried. ........................... |
Yeah... you may need to zip it in Safe Mode...
mopery - 2006-7-3 8:03:00
福娃, here's a thread just like yours..
Someone asked for help yesterday... 小聪 and I had no solution, so we want a sample to study...
http://forum.ikaka.com/topic.asp?board=28&artid=8115548
福娃欢欢 - 2006-7-3 8:06:00
Let me deal with the Japanese folks' emails first; once that's done I'll download the relevant tools and go through the steps one by one.
Thanks to the poster above~
PS: Don't call me 福娃, there are dozens of 福娃s.
mopery - 2006-7-3 8:10:00
| Quote: |
[福娃欢欢's post] Let me deal with the Japanese folks' emails first; once that's done I'll download the relevant tools and go through the steps one by one.
Thanks to the poster above~
PS: Don't call me 福娃, there are dozens of 福娃s. ........................... |

How would I know what to call you... I'll just call you that... keep it casual...
8897603 - 2006-7-3 8:29:00
A method I've tried that worked
Fairly thorough
A bit clumsy
First method
Boot into Safe Mode
First use KillBox to end the virus process
and delete H.com.cn and IEXPLORER.exe
Then use IceSword to find the virus service
(watch for services with no description, or with a suspicious one)
Disable it
Or run msconfig
Services
Check "Hide All Microsoft Services"
Look for suspicious services
Disable them
Run REGEDIT
Search for values referencing H.com.cn and IEXPLORER.exe (careful, don't delete the wrong ones)
Delete each one you find
In the system directory
Unhide system files
Search for H.com.cn
Delete
Second method: search by date
Reboot
In the system directory, search for newly created files
with a creation date of today
Pay attention to the ones with EXE, BAT, DLL, SCR or CMD extensions
Note them down
End EXPLORER
Ctrl+Alt+Del to open Task Manager
Run -> control
Services - disable suspicious services
Delete the files created today
Run REGEDIT
Search for values referencing H.com.cn and IEXPLORER.exe (careful, don't delete the wrong ones)
Delete each one you find
In the system directory
Unhide system files
Search for H.com.cn
Delete
mopery - 2006-7-3 8:32:00
| Quote: |
[8897603's post] A method I've tried that worked Fairly thorough Boot into Safe Mode First use KillBox to end the virus process Then find the virus service Disable it Run REGEDIT Search for H.com.cn IEXPLORER.exe (careful, don't delete the wrong ones Delete each one you find ........................... |
Haven't tried it yet, so I don't know...
This virus also has variants...
baohe - 2006-7-3 8:47:00
| Quote: |
[mopery's post]
Haven't tried it yet, so I don't know... This virus also has variants... ........................... |
If you have a sample, please send me one to look at (baohelin@yahoo.com.cn).
mopery - 2006-7-3 8:49:00
| Quote: |
[baohe's post] If you have a sample, please send me one to look at (baohelin@yahoo.com.cn). ........................... |
Will do, will do...
福娃欢欢 - 2006-7-3 9:02:00
Why can't I upload the sample!
Wrong file type.

When did that change? I remember you could upload RAR before.
mopery - 2006-7-3 9:03:00
| Quote: |
[福娃欢欢's post] Why can't I upload the sample!
Wrong file type.
When did that change? I remember you could upload RAR before. ........................... |
It can only be sent by email... send it to my mailbox..
bin59420@yahoo.com.cn
福娃欢欢 - 2006-7-3 9:07:00
Your message has been successfully sent to: baohelin@yahoo.com.cn,bin59420@yahoo.com.cn
The message has also been saved in your Outbox.
Click here to save the recipients to your address book
You two, go check your mail, much obliged~
独孤豪侠 - 2006-7-3 9:15:00
Heh, mopery, forward one to me: zkkgsg@163.com
This one is interesting.
福娃贝贝 - 2006-7-3 9:17:00
Endless sympathizing......
福娃欢欢 - 2006-7-3 9:18:00
[Reply to 独孤豪侠's post]
Your message has been successfully forwarded to: zkkgsg@163.com
I've sent it to you too.
福娃欢欢 - 2006-7-3 9:19:00
| Quote: |
[福娃贝贝's post] Endless sympathizing...... ........................... |
Sympathy alone won't do; I need consolation too. Give me a present.
独孤豪侠 - 2006-7-3 9:40:00
Sorry, haven't received it.
zkkgsg@163.com, you didn't mistype it, did you?
跳舞的猫 - 2006-7-3 9:51:00
A method I've tried that worked
Fairly thorough
A bit clumsy
First method
Boot into Safe Mode
First use KillBox to end the virus process
and delete H.com.cn and IEXPLORER.exe
Then use IceSword to find the virus service
(watch for services with no description, or with a suspicious one)
Disable it
Or run msconfig
Services
Check "Hide All Microsoft Services"
Look for suspicious services
Disable them
Run REGEDIT
Search for values referencing H.com.cn and IEXPLORER.exe (careful, don't delete the wrong ones)
Delete each one you find
In the system directory
Unhide system files
Search for H.com.cn
Delete
Second method: search by date
Reboot
In the system directory, search for newly created files
with a creation date of today
Pay attention to the ones with EXE, BAT, DLL, SCR or CMD extensions
Note them down
End EXPLORER
Ctrl+Alt+Del to open Task Manager
Run -> control
Services - disable suspicious services
Delete the files created today
Run REGEDIT
Search for values referencing H.com.cn and IEXPLORER.exe (careful, don't delete the wrong ones)
Delete each one you find
In the system directory
Unhide system files
Search for H.com.cn
Delete
...........................
魔法学徒 - 2006-7-3 11:57:00
Problem solved? Congratulations
mopery - 2006-7-3 12:08:00
跳舞的猫, spamming the board here is a nuisance...
How many times do you want to be banned?
© 2000 - 2026 Rising Corp. Ltd.