求助：浏览器被劫持，日志贴出来，大虾们帮帮！ bbs.ikaka.com

7788945oo - 2007-1-6 16:09:00

[CODE]

2007-01-06,15:35:05

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMSCMIG40W><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log> [Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[kavsvc / kavsvc][Stopped/Manual Start]
<"C:\Program Files\Kaspersky\kavsvc.exe"><Kaspersky Lab>
[PCTEL Speaker Phone / Pctspk][Stopped/Disabled]
<C:\WINDOWS\system32\pctspk.exe><PCtel, Inc.>

==================================
驱动程序
[amdk5 / amdk5][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\amdk5.sys><N/A>
[C-Media PCI Audio Driver (WDM) / cmpci][Running/Manual Start]
<system32\drivers\cmaudio.sys><C-Media Inc>
[Kl1 / Kl1][Running/Boot Start]
<\SystemRoot\System32\drivers\kl1.sys><Kaspersky Lab>
[Klif / Klif][Running/System Start]
<System32\drivers\klif.sys><Kaspersky Labs>
[Klmc / Klmc][Running/System Start]
<System32\drivers\klmc.sys><Kaspersky Lab>
[lzpewpst / lzpewpst][Running/Boot Start]
<\SystemRoot\system32\drivers\lzpewpst.sys><N/A>
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><N/A>
[npkcusb / npkcusb][Running/Auto Start]
<\??\C:\Program Files\Tencent\QQ\npkcusb.sys><INCA Internet Co., Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PCTEL Serial Device Driver for PCI / Ptserlp][Running/Manual Start]
<system32\DRIVERS\ptserlp.sys><PCTEL, INC.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SiS300i / SiS300i][Running/Manual Start]
<system32\DRIVERS\sis300ip.sys><Silicon Integrated Systems Corporation>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[siside / siside][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\siside.sys><Silicon Integrated Systems Corp.>
[SKNFW / SKNFW][Running/System Start]
<\??\C:\WINDOWS\system32\Drivers\SKNFW.sys><N/A>
[SkyProcs / SkyProcs][Stopped/Manual Start]
<\??\C:\PROGRA~1\SKYNET~1\SkyProcs.sys><N/A>
[TCP/IP Protocol Driver / Tcpip][Running/System Start]
<system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[VCD VNC Virtual Network Adapter / vcddev][Stopped/Manual Start]
<system32\DRIVERS\vcdvnic.sys><VNN B.J.>
[XP Vmodem / Vmodem][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\vmodem.sys><PCTEL, INC.>
[XP Vpctcom / Vpctcom][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\vpctcom.sys><PCtel, Inc.>
[XP Vvoice / Vvoice][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\vvoice.sys><PCtel, Inc.>
[xinstall / xinstall][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\xinstall.sys><N/A>

==================================
浏览器加载项
[Thunder Browser Helper]
{09BA1AA8-CAD4-4C14-BDE6-922DFF5F6F38} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Thunder Browser Helper]
{7369D359-5B70-4A5B-B789-B25FE09B4AF3} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[photo_uploader Control]
{A984ED9F-E8DA-44E5-BC18-C14B9ABEF79D} <C:\WINDOWS\DOWNLO~1\PHOTO_~1.OCX, N/A>
[browser Class]
{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} <C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Office\USERDATA\ygEsHi3tvb_2002.dll, Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
{CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[CyImgChinaCtl Class]
{EDEDED2E-A0A6-4085-BC52-A95255A96DBD} <C:\WINDOWS\Downloaded Program Files\CyImgChina.dll, N/A>
[&使用迅雷下载]
<C:\Program Files\Thunder Network\Thunder\Program\geturl.htm, N/A>
[&使用迅雷下载全部链接]
<C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm, N/A>
[上传到QQ网络硬盘]
<C:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

7788945oo - 2007-1-6 16:13:00

==================================
正在运行的进程
[PID: 484][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 644][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 692][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 760][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 780][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 952][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1016][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1144][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1204][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1328][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1688][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1972][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 656][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 172][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky\scrchpg.dll] [Kaspersky Lab, 5.0.1.18]
[C:\Program Files\Kaspersky\scrch_ag.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\FSSync.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\pr_rmt.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\ccclient.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\klipc.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\KLUtil.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\rpt.dll] [Kaspersky Lab, 5.0.388.2]
[C:\Program Files\Kaspersky\CCIFACE.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\prloader.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\prkernel.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\prstring.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\pr_srv.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\pr_clnt.ppl] [Kaspersky Lab, 5.0.388.0]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_007.dll] [Thunder Networking Technologies,LTD, 5, 0, 1, 14]
[PID: 404][C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe] [Thunder Networking Technologies,LTD, 5, 5, 3, 264]
[C:\Program Files\Thunder Network\Thunder\Program\TaskManager.dll] [Thunder Networking Technologies,LTD, 1, 0, 2, 14]
[C:\Program Files\Thunder Network\Thunder\Program\download_interface.dll] [Thunder Networking Technologies,LTD, 2, 12, 2, 42]
[C:\Program Files\Thunder Network\Thunder\Program\asyn_dns.dll] [Thunder Networking Technologies,LTD, 2, 12, 2, 42]
[C:\Program Files\Thunder Network\Thunder\Program\BHOStub.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 8]
[C:\Program Files\Thunder Network\Thunder\Program\FloatBar.dll] [Giganology Inc., 1, 0, 0, 2]
[C:\Program Files\Thunder Network\Thunder\Program\iTargetAD.dll] [Thunder Networking Technologies,LTD, 1, 0, 2, 13]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\Program Files\Thunder Network\Thunder\Components\DiagnoseHelper\DiagnoseHelper.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 10]
[C:\Program Files\Thunder Network\Thunder\Components\PortVerify\PortVerify.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 1]
[C:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\ExplorerHelper.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 1]
[C:\Program Files\Thunder Network\Thunder\Components\DTAG\DTAG.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 1]
[C:\Program Files\Thunder Network\Thunder\Program\LiveUpdate.dll] [, 1, 0, 1, 16]
[C:\Program Files\Thunder Network\Thunder\Components\InMedia\iEmbedShell.dll] [　, 1, 0, 0, 15]
[C:\Program Files\Thunder Network\Thunder\Components\InMedia\iEmbed08.dll] [　, 3, 2, 0, 63]
[C:\Program Files\Thunder Network\Thunder\Components\Community\XLCommunity.dll] [Thunder Networking Technologies,LTD, 1, 0, 2, 13]
[C:\Program Files\Thunder Network\Thunder\Program\RegisterDll.dll] [Thunder Networking Technologies,LTD, 2, 2, 1, 43]
[C:\Program Files\Thunder Network\Thunder\Components\Search\XLSearch.dll] [Thunder Networking Technologies,LTD, 1, 0, 1, 6]
[C:\Program Files\Thunder Network\Thunder\Components\P4PClient\P4PClient.dll] [Thunder Networking Technologies,LTD, 1, 0, 2, 13]
[C:\Program Files\Thunder Network\Thunder\Components\VPSHELL\VPSHELL.dll] [, 1, 0, 0, 1]
[C:\Program Files\Thunder Network\Thunder\Components\VPSHELL\VideoPicture.dll] [XunLei, 1, 0, 0, 1]
[C:\Program Files\Thunder Network\Thunder\Program\msgmanage.dll] [Thunder Networking Technologies,LTD, 2, 0, 0, 24]
[C:\Program Files\Thunder Network\Thunder\Plugins\BhoAdv\bho_adv.dll] [深圳市迅雷网络技术有限公司, 1.0.1.0]
[C:\Program Files\Kaspersky\scrchpg.dll] [Kaspersky Lab, 5.0.1.18]
[C:\Program Files\Kaspersky\scrch_ag.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\FSSync.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\pr_rmt.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\ccclient.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\klipc.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\KLUtil.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\rpt.dll] [Kaspersky Lab, 5.0.388.2]
[C:\Program Files\Kaspersky\CCIFACE.dll] [Kaspersky Lab, 5.0.388.1]
[C:\Program Files\Kaspersky\prloader.dll] [Kaspersky Lab, 5.0.388.0]
[C:\Program Files\Kaspersky\prkernel.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\prstring.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\pr_srv.ppl] [Kaspersky Lab, 5.0.388.0]
[c:\program files\kaspersky\pr_clnt.ppl] [Kaspersky Lab, 5.0.388.0]
[PID: 1864][C:\program files\winrar\WinRAR.exe] [N/A, N/A]
[PID: 524][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.198\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]

==================================
文件关联
.TXT Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. [C:\WINDOWS\hh.exe %1]
.HLP Error. [C:\WINDOWS\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.INF Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
警告！System Repair Engineer 提醒
你下面的函数内容与预期值不符，他
们可能被一些恶意的软件所修改：
RVA 错误： LoadLibraryA
RVA 错误： LoadLibraryExA
RVA 错误： LoadLibraryExW
RVA 错误： LoadLibraryW

==================================

[/CODE]

主页被修改成fx120.5009.cn
而且也不能用搜索功能了~
开机速度极慢，各种杀毒软件以及IE修复都试了，都不好使~
经常在系统运行当中蓝屏，然后重启出现kernelfault...的进程

大虾们拜托了，帮帮忙给看看吧，我实在弄不明白了，研究一个礼拜了~

7788945oo - 2007-1-6 16:15:00

现在就连天网防火墙的自动启动功能都不好使了，电脑没有安全保障了，555，ToT……

求大家帮帮忙~

红夜鬼1 - 2007-1-6 18:05:00

运行(双击)SRENG2，点“启动项目，服务，点“驱动程序”
勾选“隐藏微软服务”选中病毒服务
lzpewpst
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
SystemRoot\system32\drivers\lzpewpst.sys

运行SREng2,使用：系统修复－－文件关联－－全选－－修复

我是个老百姓 - 2007-1-6 19:08:00

按照楼上说的做了一遍，再次重启之后，主页还是
fx120.5099.cn
再打开sreng程序，那个lzpewpst确实不见了，
可是问题仍然没好~

帮帮。

7788945oo - 2007-1-6 19:21:00

楼上是我，我是楼主，大虾们快帮帮，哭……

红夜鬼1 - 2007-1-6 19:26:00

【回复“7788945oo”的帖子】
用Windows清理助手
http://www.arswp.com/download/arswp/arswp.rar
使用后删除

7788945oo - 2007-1-6 20:55:00

我下了楼上说的，确实扫描出不少东西来，全部清理、重启过了，运行速度快了一点，但是主页仍然是那个fx120.5009.cn

用卡巴再查一遍也没收获

瑞星卡卡安全论坛