初生襁褓狮

帖子:1
注册: 2005-04-02
来自:

发表于： 2005-04-02 17:10 | 短消息资料

字号：小中大 71楼

楼主,请您也帮助我分析一下,谢谢!

ogfile of HijackThis v1.99.1
Scan saved at 17:07:45, on 2005-4-2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
D:\金山词霸\XDICT.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\fml\LOCALS~1\Temp\Rar$EX00.341\HijackThis.exe

R3 - URLSearchHook: assist - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - C:\PROGRA~1\3721\assist\assist.dll
R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\downlo~1\CnsHook.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] rem RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] rem nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [UFD Monitor] rem C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [UFD Utility] rem C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [msnappau] rem "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [8751bol] rem C:\Program Files\net800\net800.exe
O4 - HKLM\..\Run: [WangWang] rem "C:\Program Files\淘宝网\淘宝旺旺\WangWang.EXE"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\RunOnce: [cnshint.dll] regsvr32 /s C:\WINNT\downlo~1\cnshint.dll
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 金山词霸 2003.lnk = ?
O8 - Extra context menu item: !搜一搜 - res://C:\WINNT\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: ▼使用旋风下载 - C:\Program Files\Tencent\TT\cg_link.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 解霸实时播放 - C:\HEROSOFT\Hero3000\MPURLGET.HTM
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra 'Tools' menuitem: 超级解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://rd.3721.com/taobao.rd?http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/buy1.php (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - D:\金山词霸\XDictExB.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趋势科技在线扫毒程序) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A} (Kingsoft DUBA OnlineScan) - http://211.152.52.102/duba/antiscan/update/OCX/KAVClean.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DF1F3AB-DBF0-498E-9DC3-24D0F30D9E0E}: NameServer = 202.101.172.46 202.101.172.47
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\金山词霸\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: MsnServer - Unknown owner - C:\WINNT\G_Server.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE

baohe 大版主帖子:38410 注册: 2003-04-10 来自:	发表于： 2005-04-02 17:17 \| 只看楼主短消息资料字号：小中大 72楼【回复“jocky”的帖子】O23 - Service: MsnServer - Unknown owner - C:\WINNT\G_Server.exe 上面这项是灰鸽子

初生襁褓狮

帖子:12
注册: 2005-04-02
来自:

发表于： 2005-04-02 17:49 | 短消息资料

字号：小中大 73楼

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - E:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - E:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: WDelMgr20 - Unknown owner - C:\WINDOWS\system32\drivers\WDelMgr20.exe
这是我的日志，谁帮忙给看看？？
用瑞星查到灰鸽子病毒，但删不掉，瑞星以前查到毒都是提示杀掉还是删除的，现在没有提示了，在高级设置里面这一块是灰色的，不能设置！

初生襁褓狮

帖子:73
注册: 2005-03-31
来自:

发表于： 2005-04-02 19:46 | 短消息资料

字号：小中大 74楼

引用:

【baohe的贴子】【回复“米酒小汤圆”的帖子】O23 - Service: Windows Class Server (Class Server) - Unknown owner - C:\WINXP\MS_vb70.exe
项是灰鸽子
...........................

楼主这个图是我现在注册表的状态,我仔细找了一下没有以WINDOWS CLASS SERVER开头的文件夹,但是在CLASS SERVER里有如图,在这里面原来还有一项是 C:\WINXP\MS_vb70.exe的,我只是把C:\WINXP\MS_vb70.exe删掉了然后按照您说的在安全模式下全部打开看到了灰鸽子的的文件并删除重起,现在瑞星查杀显示已经没有病毒了.我没有删除WINDOWS CLASS SERVER这一项,我还不是很确定这个是不是系统自带的服务而病毒只是寄生在这里,我把启动里面有一项WINDOWS CLASS SERVER给勾掉了以后不让它启动,现在计算机没有病毒,不知道我这样算不算杀完了.劳烦楼主能给我一点提示,希望我写的您看的懂,谢谢!!

附件:

您所在的用户组无法下载或查看附件

宇智飘泊而立狮帖子:485 注册: 2005-03-08 来自:	发表于： 2005-04-02 20:33 \| 短消息资料字号：小中大 75楼看不懂，呵呵呵。我道行不够………

初生襁褓狮

帖子:7
注册: 2005-04-01
来自:

发表于： 2005-04-02 20:52 | 短消息资料

字号：小中大 76楼

O23 - Service: ctvmon32.exe - Unknown owner - C:\WINNT\system32\ctvmon32.exe" -service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: qq update - Unknown owner - C:\WINNT\qq update.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE

O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

O23 - Service: Windows Management NetWork Service Extensions - Unknown owner - NetManager.exe (file missing)

看了些灰鸽子的文章。也没搞明白自己该删除哪项，请高手来帮忙查一下。再有我是不是该在F8内将其删除呢？还是有什么其它的办法？谢谢。

baohe 大版主帖子:38410 注册: 2003-04-10 来自:	发表于： 2005-04-02 21:01 \| 只看楼主短消息资料字号：小中大 77楼【回复“obob”的帖子】O23 - Service: qq update - Unknown owner - C:\WINNT\qq update.exe 这项是灰鸽子。在注册表中应删除的键为qq update（在左栏）。

baohe 大版主帖子:38410 注册: 2003-04-10 来自:	发表于： 2005-04-02 21:06 \| 只看楼主短消息资料字号：小中大 78楼【回复“米酒小汤圆”的帖子】请在HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES分支下找WINDOWS CLASS SERVER（在注册表的左栏中）。

obob 初生襁褓狮帖子:7 注册: 2005-04-01 来自:	发表于： 2005-04-02 21:16 \| 短消息资料字号：小中大 79楼 obob谢谢楼主在百忙之中亲授教诲，万分感激澎湃ing.....

rslegend 锋芒艾服狮帖子:941 注册: 2002-12-23 来自:	发表于： 2005-04-02 21:28 \| 短消息资料字号：小中大 80楼明白

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛关于查杀“灰鸽子2005”的一点建议

关于查杀“灰鸽子2005”的一点建议

附件:

您所在的用户组无法下载或查看附件

瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 关于查杀“灰鸽子2005”的一点建议

关于查杀“灰鸽子2005”的一点建议

附件:

您所在的用户组无法下载或查看附件

瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛关于查杀“灰鸽子2005”的一点建议