瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » sky是木马还是流氓软件,帮我看一下
我是菜帮帮我啊 - 2007-3-17 13:12:00
Logfile of Kaka v2. 0. 3. 0 Scan Module v1. 0. 6. 1
Scan saved at 12:43:31, on 2007-01-06
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.baidu.com.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,default_page_url=http://www.tomatolei.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 127.0.0.1      localhost
O2 - BHO: Thunder Browser Helper - {77FEF28D-EB96-44FF-B511-3185DEA48697} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O4 - HKCU\..\Run: [0w1ycqrj2dh4y] C:\WINDOWS\winlog0a.exe
O4 - HKCU\..\Run: [286ex] C:\WINDOWS\iexpl0ra.exe
O4 - HKCU\..\Run: [mreyiydk] C:\WINDOWS\Servera.exe
O4 - HKCU\..\Run: [3c4ufky2q2udmh] C:\WINDOWS\crasoa.exe
O4 - HKCU\..\Run: [020xl1yxmdw4q] C:\WINDOWS\rundl13a.exe
O4 - HKCU\..\Run: [1u1fqv194l] C:\WINDOWS\c0nima.exe
O4 - HKCU\..\Run: [z1fwwe08sb8] C:\WINDOWS\servicea.exe
O4 - HKCU\..\Run: [9v93992d913f7rs] C:\WINDOWS\cftmoa.exe
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\byetmr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "G:\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [FYNEWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sl.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - Startup: desktop.ini =
O4 - Global Startup: desktop.ini =
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra 'Tools' menuitem: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Tencent\QQ\QQ.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tomatolei.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{70496A4B-207E-40F9-A659-B14F988FF657}: NameServer = 219.150.32.132 219.146.0.130
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) -  - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: User Privilege Service (usprserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs
轩辕小聪 - 2007-3-18 19:26:00
汗死,怎么在站务发?!哪个大版看到就把这帖子转到反病毒版块去。

skytel并不太重要,重要的是楼主的电脑几乎是毒窝了。
用HijackThis修复(也可以装卡卡3.0来修复):
O4 - HKCU\..\Run: [0w1ycqrj2dh4y] C:\WINDOWS\winlog0a.exe
O4 - HKCU\..\Run: [286ex] C:\WINDOWS\iexpl0ra.exe
O4 - HKCU\..\Run: [mreyiydk] C:\WINDOWS\Servera.exe
O4 - HKCU\..\Run: [3c4ufky2q2udmh] C:\WINDOWS\crasoa.exe
O4 - HKCU\..\Run: [020xl1yxmdw4q] C:\WINDOWS\rundl13a.exe
O4 - HKCU\..\Run: [1u1fqv194l] C:\WINDOWS\c0nima.exe
O4 - HKCU\..\Run: [z1fwwe08sb8] C:\WINDOWS\servicea.exe
O4 - HKCU\..\Run: [9v93992d913f7rs] C:\WINDOWS\cftmoa.exe
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\byetmr.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [FYNEWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sl.exe

删除以上各项的对应文件。最好再发个SREng日志。楼主看来是中了木马群了
1
查看完整版本: sky是木马还是流氓软件,帮我看一下
© 2000 - 2026 Rising Corp. Ltd.