瑞星卡卡安全论坛

我同事的电脑最近几天总是自已跳网页，用瑞星，ewido，黄山杀完了之后，还是自已跳网页，我已经没招了，求各位帮帮忙，给个解决办法谢谢！！
Logfile of HijackThis v1.99.1
Scan saved at 10:58:18, on 2006-10-20
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
d:\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
d:\Rising\Rav\CCenter.exe
d:\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\clipsvr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Rising\Rav\RavStub.exe
C:\WINNT\system32\Svchost.exe
C:\WINNT\SYSTEM32\RUNDLL.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\winnt\system32\wbem\winlogon.exe
C:\WINNT\Explorer.EXE
c:\winnt\powermsgr.exe
d:\rising\rfw\RfwMain.exe
D:\Rising\Rav\RavTask.exe
D:\Rising\Rav\Ravmon.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\ylive.exe
C:\WINNT\system32\rundll32.exe
D:\Rising\Rav\Rav.exe
D:\Rising\Rav\RsAgent.exe
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\system32\zstatus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\bak\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: 搜搜地址栏搜索 - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: (no name) - {29A8B48F-9AB3-43D3-8B87-7D1888197563} - C:\WINNT\system32\ATIDEMGRED.dll
O2 - BHO: (no name) - {500911F3-16C7-4120-BBEF-DF82FDCD2149} - C:\WINNT\system32\ATIDEMGRED.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - E:\刘惠琴\QQIEHelper.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINNT\system32\ssup.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4A40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\kakatool.dll
O4 - HKLM\..\Run: [RavTask] "d:\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\刘惠琴\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\刘惠琴\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\刘惠琴\AddEmotion.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\刘惠琴\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\刘惠琴\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\刘惠琴\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - E:\刘惠琴\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - E:\刘惠琴\QQIEHelper.dll
O11 - Options group: [TBH] 搜搜地址栏搜索
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A2518D4-A538-472F-B1BE-94C3244A52C8}: NameServer = 202.103.24.68,202.103.0.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A2518D4-A538-472F-B1BE-94C3244A52C8}: NameServer = 202.103.24.68,202.103.0.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A2518D4-A538-472F-B1BE-94C3244A52C8}: NameServer = 202.103.24.68,202.103.0.117
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - d:\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - d:\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - d:\Rising\Rav\Ravmond.exe

结束
c:\winnt\powermsgr.exe
C:\WINNT\system32\clipsvr.exe
C:\WINNT\system32\Svchost.exe
请查看C:\WINNT\system32\是否同时存在svchost.exe和Svchost.exe,存在就中止掉后者，并删掉
修复
c:\winnt\system32\wbem\winlogon.exe

参考
powermsgr.exe在系统文件夹c:\windows下
和c:\windows\system32\clipsvr.exe互为守护进程
这两个文件被标记为microsoft corporation powermsgr.exe被标记成电源管理程序
中了此“流氓”软件后上百度 Google搜索时会自动转向雅虎


清除方法：
进安全模式 
把powermsgr.exe和clipsvr.exe删除
重启
或使用 killbox 的 delete on reboot选项重启后直接删除

========Content========
请查看C:\WINNT\system32\是否同时存在svchost.exe和Svchost.exe,存在就中止掉后者，并删掉
修复
c:\winnt\system32\wbem\winlogon.exe
我在C:\WINNT\system32\目录下只找到一个svchost.exe
但是在进程里有五个svchost.exe
我用process explorer发现有一个svchost.exe有问题，但是结束不了它
进程    PID    CPU    描述    公司名
System Idle Process    0    100       
中断    N/A        硬件中断   
DPCs    N/A        缓冲处理呼叫   
System    8           
  smss.exe    148        Windows NT Session Manager    Microsoft Corporation
  csrss.exe    172           
  winlogon.exe    168        Windows NT Logon Application    Microsoft Corporation
    services.exe    220        Services and Controller app    Microsoft Corporation
    rfwsrv.exe    408        Rising Personal FireWall Service    Beijing Rising Technology Co., Ltd.
      RfwMain.exe    1416        Rising Personal FireWall Main Program    Beijing Rising Technology Co., Ltd.
    svchost.exe    420        Generic Host Process for Win32 Services    Microsoft Corporation
      iexplore.exe    1636           
      TIMPlatform.exe    1184        TIMPlatform    tencent
    CCenter.exe    500        CCenter    Beijing Rising Technology Co., Ltd.
    Ravmond.exe    516        RavMond    Beijing Rising Technology Co., Ltd.
      RavStub.exe    828        Rising RavStub    Beijing Rising Technology Co., Ltd.
    spoolsv.exe    560        Spooler SubSystem App    Microsoft Corporation
      zstatus.exe    1524        zstatus    Zenographics
    svchost.exe    596        Generic Host Process for Win32 Services    Microsoft Corporation
      rundll32.exe    1344        Run a DLL as an App    Microsoft Corporation
    ewidoctrl.exe    612        ewido control    ewido networks
    svchost.exe    672        Generic Host Process for Win32 Services    Microsoft Corporation
    RUNDLL.EXE    680        Run a DLL as an App    Microsoft Corporation
    svchost.exe    940        Generic Host Process for Win32 Services    Microsoft Corporation
    svchost.exe    1004        Generic Host Process for Win32 Services    Microsoft Corporation
      services.exe    1192        Generic Hosts for WinService    Microsoft
      iexplore.exe    1424        Internet Explorer    Microsoft Corporation
      iexplore.exe    280        Internet Explorer    Microsoft Corporation
      iexplore.exe    1576        Internet Explorer    Microsoft Corporation
      iexplore.exe    296        Internet Explorer    Microsoft Corporation
      iexplore.exe    1716        Internet Explorer    Microsoft Corporation
      iexplore.exe    1704        Internet Explorer    Microsoft Corporation
    MSTask.exe    1024        Task Scheduler Engine    Microsoft Corporation
    WinMgmt.exe    1076        Windows Management Instrumentation    Microsoft Corporation
    svchost.exe    1088        Generic Host Process for Win32 Services    Microsoft Corporation
    lsass.exe    232        LSA Executable and Server DLL (Export Version)    Microsoft Corporation
Explorer.EXE    1384        Windows Explorer    Microsoft Corporation
RavTask.exe    1480        RavTimer    Beijing Rising Technology Co., Ltd.
  Ravmon.exe    1496        RavMon    Beijing Rising Technology Co., Ltd.
ylive.exe    1548        YLive    Yahoo! China
QQ.exe    572        QQ    TENCENT
WinRAR.exe    312           
wordpad.exe    1688        WordPad MFC Application    Microsoft Corporation
procexp.exe    1680        Sysinternals Process Explorer    Sysinternals

进程： PID：1424

类型    名称

用红色标注的肯定有问题，我发现c:\winnt\system32\wbem\services.exe很可疑
所以把它删了 还删了一些我觉得相关的注册表项 我把它删了之后好了几个小时 可是系统出了问题 看不到winnt下的东西只有用资源管理器才能看到网上邻居空白等等。而且过了一段时间又开始跳网页
那个可疑的svchost.exe  运行
C:\WINNT\System32\svchost.exe -k ReIISAdmin
它下面的几个ie连着几个网站 如 "C:\Program Files\Internet Explorer\iexplore.exe" http://cg.9e3.com/register3.html等等
正是跳出的几个网页。
现在我不知道要怎么去除它