liq1211 - 2006-11-20 11:45:00
Logfile of HijackThis v1.99.1
Scan saved at 10:07:19, on 2006-11-20
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\SecCopy\SecCopy.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\foci\NewFoci.exe
C:\Program Files\foci\StartUp.exe
C:\Program Files\foci\order.exe
D:\Program Files\WinSql41\Winsql.exe
C:\Program Files\foci\product.exe
c:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
C:\WINNT\system32\conime.exe
C:\Documents and Settings\948164\桌面\ha_hijackthis_1991\HijackThis.exe
liq1211 - 2006-11-20 11:46:00
O1 - Hosts: 207.46.217.223 zhangyixiang.spaces.live.com
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [FinePrint 分配器 v5] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\948164\桌面\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Second Copy] "D:\Program Files\SecCopy\SecCopy.exe"
O8 - Extra context menu item: 导出当前页到超星阅览器(&A) - D:\Program Files\SSREADER36\ss_all.htm
O8 - Extra context menu item: 导出选中部分到超星阅览器(&S) - D:\Program Files\SSREADER36\ss_select.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Web反病毒保护 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\Kingsoft\XDict\IEPlugin.dll
O15 - Trusted Zone: http://terminal2.foci.com.tw
O15 - Trusted IP range: http://210.71.209.22
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.66.20/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.66.20/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.66.20/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.66.20/officescan/console/html/AtxEnc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://zhangyixiang.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.66.20/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130144380187
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://192.168.66.21/tsweb/msrdp.cab
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal2.foci.com.tw/tsweb/msrdp.cab
O16 - DPF: {A38A5CB5-7715-4887-8953-C51593BAC416} (CAClientModule Control) - http://biz.easipass.com/epay/CAClientModule.zip
O16 - DPF: {FC25B780-75BE-11CF-8B01-444553540000} (Chart Object) - http://61.152.213.230/sh_web/software/iechart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5157F75D-7163-46EA-8E45-B1B22B31B87A}: NameServer = 202.96.199.133,61.152.213.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7E0CE1-0699-4997-B2BA-EA0201DDDBB4}: NameServer = 202.96.209.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{760FE677-2216-40FA-83DC-2D3E595F3270}: NameServer = 202.96.209.5,61.152.213.225
O17 - HKLM\System\CS1\Services\Tcpip\..\{5157F75D-7163-46EA-8E45-B1B22B31B87A}: NameServer = 202.96.199.133,61.152.213.225
O17 - HKLM\System\CS2\Services\Tcpip\..\{5157F75D-7163-46EA-8E45-B1B22B31B87A}: NameServer = 202.96.199.133,61.152.213.225
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: 卡巴斯基反病毒6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
红夜鬼1 - 2006-11-20 11:49:00
Run HijackThis, tick the item below and have it fix it:
O1 - Hosts: 207.46.217.223 zhangyixiang.spaces.live.com
liq1211 - 2006-11-20 12:07:00
That one is someone's own personal blog.
liq1211 - 2006-11-20 12:30:00
This is the log from another machine.
2006-11-20,11:54:03
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195)
- Non-administrator user - restricted functionality
The following items were selected:
All startup items (including registry, startup folders, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Winsock providers
Autorun.inf
HOSTS file
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><Internat.exe> [(Verified)Microsoft Corporation]
<msnmsgr><"C:\Program Files\MSN Messenger\msnmsgr.exe" /background> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Corporation]
<MisCli><C:\MisCli.exe> [Jack]
<MisMsg><C:\MisMsg.exe> [FOCI]
(these two are company programs)
<OfficeScanNT Monitor><"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow> [Trend Micro Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(none)> [N/A]
==================================
Startup folder
[Microsoft Office]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
==================================
Services
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[OfficeScanNT 实时扫描 / ntrtscan]
<C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe><Trend Micro Inc.>
[OfficeScanNT 个人防火墙 / OfcPfwSvc]
<C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe><Trend Micro Inc.>
[OfficeScanNT 侦听程序 / tmlisten]
<C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe><Trend Micro Inc.>
[Portable Media Serial Number Service / WmdmPmSN]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
liq1211 - 2006-11-20 12:31:00
Drivers
[atirage3 / atirage3]
<system32\DRIVERS\atimpab.sys><ATI Technologies Inc.>
[Cdr4_2K / Cdr4_2K]
<C:\WINNT\SYSTEM32\DRIVERS\Cdr4_2K.SYS><Roxio>
[Cdralw2k / Cdralw2k]
<C:\WINNT\SYSTEM32\DRIVERS\Cdralw2k.SYS><Roxio>
[Legend DFE-530TX PCI Fast Ethernet Adapter / dlkfet]
<system32\DRIVERS\dlkfet.sys><Fast Ethernet PCI Adapter Manufacturer>
[dmboot / dmboot]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Trend Micro Filter / TmFilter]
<\??\C:\Program Files\Trend Micro\OfficeScan Client\TmFilter.sys><Trend Micro Inc.>
[Trend Micro VSAPI NT / VSApiNt]
<\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys><Trend Micro Inc.>
==================================
Browser add-ons
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx, >
[CibaCtrl Class]
{8DE0FCD4-5EB5-11D3-AD25-00002100131B} <d:\PROGRA~1\Kingsoft\XDict\IEPlugin.dll, >
[JoyoCtrl Class]
{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} <d:\PROGRA~1\Kingsoft\XDict\IEPlugin.dll, >
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[ObjWinNTCheck Class]
{00134F72-5284-44F7-95A8-52A619F70751} <C:\WINNT\Downloaded Program Files\WinNTChk.dll, Trend Micro Inc.>
[OfficeScan Corp Edition Web-Deployment SetupINICtrl Class]
{08D75BB0-D2B5-11D1-88FC-0080C859833B} <C:\WINNT\Downloaded Program Files\OfficeScanSetupINI.dll, Trend Micro Inc.>
[OfficeScan Corp Edition Web-Deployment SetupCtrl Class]
{08D75BC1-D2B5-11D1-88FC-0080C859833B} <C:\WINNT\Downloaded Program Files\OfficeScanSetup.dll, Trend Micro Inc.>
[Encrypt Class]
{35C3D91E-401A-4E45-88A5-F3B32CD72DF4} <C:\WINNT\Downloaded Program Files\AtxEnc.dll, Trend Micro Inc.>
[OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class]
{5EFE8CB1-D095-11D1-88FC-0080C859833B} <C:\WINNT\Downloaded Program Files\OfficeScanRemoveCtrl.dll, Trend Micro Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
liq1211 - 2006-11-20 12:31:00
Running processes
[PID: 1048][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx] [, 1, 0, 0, 1]
[PID: 1132][C:\MisCli.exe] [Jack, 1.00]
[C:\WINNT\system32\vb6chs.dll] [Microsoft Corporation, 6.00.8169]
[C:\WINNT\system32\WINSKCHS.DLL] [Microsoft Corporation, 6.00.8163]
[PID: 1140][C:\MisMsg.exe] [FOCI, 1.00]
[C:\WINNT\system32\vb6chs.dll] [Microsoft Corporation, 6.00.8169]
[PID: 1148][C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe] [Trend Micro Inc., 6.5.0.1303]
[C:\Program Files\Trend Micro\OfficeScan Client\loadhttp.dll] [Trend Micro Inc., 6.5.0.1303]
[C:\Program Files\Trend Micro\OfficeScan Client\Pwd.dll] [Trend Micro Inc., 6.5.0.1106]
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll] [Trend Micro Inc., 6.5.0.1106]
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll] [N/A, N/A]
[C:\Program Files\Trend Micro\OfficeScan Client\TimeString.dll] [N/A, N/A]
[C:\Program Files\Trend Micro\OfficeScan Client\ntmonres.dll] [Trend Micro Inc., 6.5.0.1106]
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll] [Trend Micro Inc., 6.5.0.1106]
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll] [Trend Micro Inc., 6.5.0.1106]
[PID: 1156][C:\WINNT\system32\Internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 1052][C:\Program Files\wnwb\wnwb.exe] [深圳世强软件开发部 www.wn51.com , 2006, 10, 20, 1]
[C:\Program Files\wnwb\flyDll.dll] [N/A, N/A]
[C:\Program Files\wnwb\2304wnmkey.dll] [深圳世强软件开发部 www.wnwb.com , 2005, 7, 5, 1]
[PID: 308][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[PID: 1228][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2800.1106]
[C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx] [, 1, 0, 0, 1]
[C:\WINNT\system32\Macromed\Flash\Flash8.ocx] [Macromedia, Inc., 8,0,22,0]
[PID: 1212][C:\Program Files\Foxmail\Foxmail.exe] [Boda Network Technology Inc., 5.0]
[C:\Program Files\Foxmail\FoxAntiSpam.dll] [N/A, N/A]
[C:\Program Files\Foxmail\3rdParty\punylib.dll] [CNNIC, 1, 0, 0, 3]
[PID: 844][C:\Documents and Settings\908027\桌面\sreng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
N/A
==================================
Autorun.inf
[D:\]
[autorun]
OPEN=D:\command.com
==================================
HOSTS file
127.0.0.1 localhost
203.191.148.73 www.eachwe.com
127.0.0.1 www.tongxunqicai.cn
127.0.0.1 www.media-china.com.cn
==================================
jmbt - 2006-11-20 20:21:00
Use the WinRAR archiver to delete:
D:\Autorun.inf
D:\command.com
Run SREng2 and use System Repair -- HOSTS -- Delete to remove:
203.191.148.73 www.eachwe.com
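The HOSTS entries and the D:\ autorun.inf that jmbt tells the poster to remove are the two artifacts in the SREng log worth checking on every affected machine. The Python script below is an added example, not something posted in this thread and not part of SREng, HijackThis or Rising's tools: it parses both files, classifies each HOSTS entry as a redirect (a public name mapped to a real address, the pharming pattern of the www.eachwe.com line) or a sinkhole (a public name mapped to loopback, which silently blocks the site), and lists the commands an autorun.inf would run on AutoPlay. The sample inputs are constructed from the log lines above, and the classification rules are my own heuristics.

```python
"""Triage the HOSTS file and the drive-root autorun.inf from the SREng log.
Added example: sample inputs below are constructed from the log lines in
this thread, and the classification rules are the author's own heuristics."""
import re

# Constructed from the "HOSTS file" section of the SREng log above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
203.191.148.73 www.eachwe.com
127.0.0.1 www.tongxunqicai.cn
127.0.0.1 www.media-china.com.cn
"""

# Constructed from the "Autorun.inf" section of the SREng log above (D:\).
SAMPLE_AUTORUN = """\
[autorun]
OPEN=D:\\command.com
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text):
    """Return (kind, line) for every HOSTS entry that is not a default one.

    'redirect': a public name pointed at a real address, which is how a
                pharming entry silently sends a site somewhere else.
    'sinkhole': a public name pointed at loopback, which blocks the site;
                malware does this to AV/update hosts, users do it to ad hosts.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], [n for n in parts[1:] if n.lower() not in LOCAL_NAMES]
        if not names:
            continue
        findings.append(("sinkhole" if ip in LOOPBACK else "redirect", line))
    return findings


def autorun_commands(text):
    """Return the (key, command) pairs an autorun.inf would execute on AutoPlay.

    Only the [autorun] section matters; OPEN=, SHELLEXECUTE= and
    shell\\<verb>\\command= are the keys that launch something.
    """
    section, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+?)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            commands.append((key, value))
    return commands


def dropper_in_root(commands, drive="D:"):
    """True if any launched program sits directly in the drive root,
    the pattern of the command.com dropper in the log above."""
    for _, value in commands:
        exe = value.split()[0].strip('"')
        if exe.lower().startswith(drive.lower() + "\\") and "\\" not in exe[3:]:
            return True
    return False


if __name__ == "__main__":
    for kind, line in audit_hosts(SAMPLE_HOSTS):
        print("HOSTS %-8s %s" % (kind, line))
    cmds = autorun_commands(SAMPLE_AUTORUN)
    print("autorun.inf runs:", cmds, "root dropper:", dropper_in_root(cmds))
```

Point `audit_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `autorun_commands` at the root of each removable or shared drive; a redirect entry for a public site, or an OPEN= line that launches a file in the drive root, is what should be removed before the machine is put back on the network.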
秋日里的蓝天 - 2006-11-20 23:47:00
D:\command.com
Before fixing it, compress this file and send it to me; see my signature.
秋日里的蓝天 - 2006-11-20 23:50:00
One more thing:
In another thread I saw this:
C:\WINNT\TEMP\UJ814B.EXE
Reboot and press F8 to enter Safe Mode,
show hidden files,
and delete
C:\WINNT\TEMP\UJ814B.EXE
If anything is still abnormal, reply and describe the problem.
liq1211 - 2006-11-21 20:23:00
Hello moderator. I'll send you that file tomorrow, but the redirection is still the same, and both the number of sites that get redirected and the number of affected hosts have grown. Later, on one of the machines, I uninstalled and reinstalled the TCP/IP protocol, then removed 61.152.213.225 from the DNS settings (202.96.199.133 and 61.152.213.225), and then cleared the IE temporary files (without clearing them it still redirects). I tested for a day and this machine has not shown the redirection. 61.152.213.225 is the company's own DNS server, so does this suggest the server may have a problem?
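liq1211's hypothesis is that the company's own DNS server (61.152.213.225) is returning bad answers, and a later post says there is no tool to scan an NT server. The server does not need to be scanned: the check can be made from any client by asking the suspect resolver and a trusted one for the same names and comparing the A records. The Python script below is an added example, not from this thread and not a Rising or SREng tool; it builds raw DNS queries with the standard library only (no dnspython), parses the responses including compressed names, and reports the resolvers whose answers differ from a reference resolver. The `__main__` section runs an offline demo on constructed responses; `resolve()` sends real UDP queries and needs network access. The resolver addresses in the demo are the O17 entries from the log, the name and answers are constructed, and 198.51.100.7 is a documentation address, not a real answer.

```python
"""Compare A-record answers from two resolvers for the same names.
Added example, standard library only; it is not a tool from this thread.
resolve() sends real UDP queries; the __main__ demo is offline and uses
constructed responses."""
import random
import socket
import struct


def build_query(name, qid):
    """Minimal DNS query: one question, type A, class IN, RD=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, qid):
    """Return the sorted IPv4 addresses in the answer section of a response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen                              # CNAME etc. are skipped
    return sorted(addrs)


def resolve(name, server, timeout=3.0):
    """Query one resolver over UDP/53 (needs the network)."""
    qid = random.randrange(0x10000)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_a_records(data, qid)


def disagreements(answers, reference):
    """answers: {resolver: sorted addrs}. Return the resolvers whose answer
    differs from the reference resolver's answer."""
    return {srv: a for srv, a in answers.items()
            if srv != reference and a != answers[reference]}


def make_response(qid, name, addrs, ttl=60):
    """Constructed A-record response for offline testing (pointer 0xC00C
    refers back to the question name, as real servers do)."""
    q = build_query(name, qid)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(x) for x in a.split(".")) for a in addrs)
    return header + q[12:] + rrs


if __name__ == "__main__":
    # Offline demo. Resolver addresses are the O17 entries from the log;
    # the name and answers are constructed (198.51.100.7 is a documentation
    # address). For a live check use resolve(NAME, server) instead.
    NAME = "www.eachwe.com"
    demo = {
        "202.96.199.133": parse_a_records(make_response(1, NAME, ["198.51.100.7"]), 1),
        "61.152.213.225": parse_a_records(make_response(2, NAME, ["203.191.148.73"]), 2),
    }
    print("resolvers disagreeing with 202.96.199.133:",
          disagreements(demo, reference="202.96.199.133"))
```

For a live check, call `resolve()` for each of the sites that get redirected against both 202.96.199.133 (the ISP resolver) and 61.152.213.225 (the company server) and pass the results to `disagreements()`. If only the company server returns the odd address, the server's cache or zone data is the place to look; if both agree, the redirection is happening on the client (HOSTS, a BHO or a LSP) rather than in DNS.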
秋日里的蓝天 - 2006-11-21 20:47:00
As for your problem, I can't see anything abnormal in the logs, so it's hard to judge.
So you've solved the problem now, right?
liq1211 - 2006-11-22 21:22:00
Not confirmed yet. I don't know whether it's the server's problem, but the server runs NT and I can't find a tool that can scan it.