瑞星卡卡安全论坛

Logfile of HijackThis v1.99.1
Scan saved at 9:07:10, on 2006-8-8
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\rising\Rav\RavTask.exe
C:\WINNT\LSASS.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\internat.exe
I:\QQ\TMDlls\TM.exe
I:\QQ\TMDlls\TIMPlatform.exe
I:\Adobe\Photoshop CS\Photoshop.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\system32\wmpdrm.dll
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINNT\system32\smflash.ocx
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: bg - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - (no file)
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINNT\system32\70co7e70.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ToP] C:\WINNT\LSASS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: IE-Bar.lnk = C:\Program Files\Common Files\IE-Bar\iebar.exe
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra button: 酷热影音 - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdnns.dll
O11 - Options group: [CDNCLIENT] 中文上网
O17 - HKLM\System\CCS\Services\Tcpip\..\{29619FE9-07A8-4088-BE43-CBEF4DE1AE0D}: NameServer = 210.52.149.2,210.52.207.2,61.137.94.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{29619FE9-07A8-4088-BE43-CBEF4DE1AE0D}: NameServer = 210.52.149.2,210.52.207.2,61.137.94.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{29619FE9-07A8-4088-BE43-CBEF4DE1AE0D}: NameServer = 210.52.149.2,210.52.207.2,61.137.94.195
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINNT\system\70cd7e70.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WebServer (GrayWebServer) - Unknown owner - C:\WINNT\service.com
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe

开始→控制面板→添加或删除程序→选中→彩E精灵、中文上网、IE-Bar→卸载
开始→控制面板→性能和维护→管理工具→服务→查找→WebServer→右击→属性→启动类型→禁止→应用→停止→确定。

重新启动电脑, 开机检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式进入Windows
==================================
运行Hijackthis，扫描结束后在下列选项前打上勾，然后选修复“Fix Checked”：
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\system32\wmpdrm.dll
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINNT\system32\smflash.ocx
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: bg - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - (no file)
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINNT\system32\70co7e70.dll
O4 - Global Startup: IE-Bar.lnk = C:\Program Files\Common Files\IE-Bar\iebar.exe
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra button: 酷热影音 - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O11 - Options group: [CDNCLIENT] 中文上网
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINNT\system\70cd7e70.dll
O23 - Service: WebServer (GrayWebServer) - Unknown owner - C:\WINNT\service.com
显示隐藏文件

双击我的电脑--工具---文件夹选项--查看选项卡--单击选取"显示隐藏文件或文件夹"--清除"隐藏受保护的操作系统文件（推荐）"复选框。在提示您确定更改时，单击“是”--单击“确定”。

然后找到如下文件并删除（如果有的话）
C:\WINNT\system32\wmpdrm.dll
C:\WINNT\system32\smflash.ocx
C:\WINNT\system32\sql32.dll
C:\WINNT\system32\group.dll
开始→运行→输入regedit→确认→打开
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects删除这个键下面的 {14A21378-5BB1-4BC4-95D5-5D3F51527F6F}
C:\PROGRA~1\CNNIC\整个目录
C:\PROGRA~1\MMSASS~1\整个目录
C:\WINNT\system32\70co7e70.dll
C:\Program Files\Common Files\IE-Bar\整个目录
C:\WINNT\system\70cd7e70.dll
C:\WINNT\service.com
=====================================
O4 - HKLM\..\Run: [ToP] C:\WINNT\LSASS.exe（参照下面的地址进行修复）
http://forum.ikaka.com/topic.asp?board=28&artid=8137314
=============================
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdnns.dll
进去以下连接下载WinsockXPFix或者LSPFix.exe进行修复
http://forum.ikaka.com/topic.asp?board=67&artid=5188931