Rising Kaka Security Forum, Anti-Virus / Anti-Rogue-Software board: Virus files found by HijackThis cannot be deleted, please advise! Thanks.


[Reply to bluecosmic's post]



If you do not recognise the following two controls, fix them:
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
Scan with HijackThis and note the file belonging to this O20 item. Open a command prompt, strip the file's attributes and unregister it, then delete it. Finally, fix the O20 item.

Could you tell me how to strip the attributes and unregister the file? :)

[Reply to bluecosmic's post]



bluecosmic, please follow the advice in post #7, but take care not to restart the computer.

Fixed:
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
HijackThis scan: the O20 item is n86q0ij5e8o.dll
Went into DOS, into c:\winnt\SYSTEM32. Every time I enter DOS this n86q0ij5e8o.dll changes its name, but this time it actually didn't:
Dir n86q0ij5e8o.dll
Attrib -r -s -h n86q0ij5e8o.dll: could not be applied, it says the file is in use;
Regsvr32 /u n86q0ij5e8o.dll: could not unregister, it says the file is in use;
Del n86q0ij5e8o.dll: surprisingly, this succeeded
Rebooted into Safe Mode, n86q0ij5e8o.dll was nowhere to be found, ran HijackThis to fix the O20 item. Rebooted into the system... and nearly fainted... it's still there!!! And it changed its name again!!! (slinks off in embarrassment ¥#◎……%)

[Reply to bluecosmic's post]



It looks as though your computer has a piece of spyware called "Look2Me". Removing it by hand is hardly feasible, so let's use the L2MFix tool below:

http://www.atribune.org/downloads/l2mfix.exe
1. Save the file to the desktop and double-click l2mfix.exe;
2. Press the "Install" button to install the tool, then double-click into the newly created L2MFix folder;
3. Double-click l2mfix.bat, choose option 1, "Run Find Log", press Enter, wait one or two minutes, and a report will pop up. Please paste it here.

Thanks, 天使之剑. The report is as follows:
——————————————
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h62olgf3162.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Read        BUILTIN\Power Users
(ID-IO) ALLOW  Read        BUILTIN\Power Users
(ID-NI) ALLOW  Full access BUILTIN\Administrators
(ID-IO) ALLOW  Full access BUILTIN\Administrators
(ID-NI) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AAECDE91-21A9-1DAA-AEDC-7FD436232186}"=""

**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Invalid keyboard code specified

C:\WINNT\SYSTEM32\
  wghext.dll    Wed  2005-10-26  16:36:22  ..S.R        234,272  228.78 K
  nvtman.dll    Mon  2005-10-31  15:57:18  ..S.R        234,033  228.55 K
  tvpi32.dll    Mon  2005-10-31  12:18:28  ..S.R        237,008  231.45 K
  glgiftga.dll  Tue  2005-08-23  17:15:14  A....        32,768    32.00 K
  gljpg.dll      Tue  2005-08-23  17:15:14  A....        94,208    92.00 K
  glpng.dll      Tue  2005-08-23  17:15:14  A....        94,208    92.00 K
  czrsrv.dll    Wed  2005-10-26  14:56:04  ..S.R        234,272  228.78 K
  dhcompos.dll  Thu  2005-10-27  9:02:30  ..S.R        235,569  230.05 K
  drsrslvr.dll  Wed  2005-11-02  9:01:24  .....        235,585  230.06 K
  enn8l1~1.dll  Wed  2005-10-26  16:20:44  ..S.R        234,458  228.96 K
  wvspdmod.dll  Wed  2005-10-26  16:44:02  ..S.R        234,272  228.78 K
  oaethk32.dll  Mon  2005-10-31  11:02:14  ..S.R        235,283  229.77 K
  wvpasf.dll    Mon  2005-10-31  14:28:42  ..S.R        234,033  228.55 K
  atmtd.dll      Tue  2005-10-25  9:40:56  A....        687,592  671.48 K
  nydskcc.dll    Wed  2005-10-26  16:00:06  ..S.R        234,458  228.96 K
  lv4s09~1.dll  Tue  2005-11-01  14:02:50  ..S.R        234,259  228.77 K
  glzip.dll      Tue  2005-08-23  17:15:12  A....        69,632    68.00 K
  glcards.dll    Tue  2005-08-23  17:15:12  A....        807,424  788.50 K
  glmpdll.dll    Tue  2005-08-23  17:15:12  A....        94,208    92.00 K
  glsocks.dll    Tue  2005-08-23  17:15:12  A....        10,240    10.00 K
  glmpeg.dll    Tue  2005-08-23  17:15:14  A....        57,344    56.00 K
  gliedo~1.dll  Tue  2005-08-23  17:15:14  A....        106,496  104.00 K
  glcomp~1.dll  Tue  2005-08-23  17:15:12  A....        57,344    56.00 K
  ywriin~1.dll  Wed  2005-10-26  16:18:44  ..S.R        234,458  228.96 K
  kt66l7~1.dll  Fri  2005-10-28  16:33:32  ..S.R        235,483  229.96 K
  epfpix~1.dll  Mon  2005-10-31  12:38:34  ..S.R        234,033  228.55 K
  h62olg~1.dll  Tue  2005-11-01  11:03:48  ..S.R        235,585  230.06 K

27 items found:  27 files (15 H/S), 0 directories.
  Total of file sizes:  5,868,525 bytes      5.59 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
  guard.tmp      Wed  2005-11-02  9:03:24  ..S.R        235,585  230.06 K

1 item found:  1 file (1 H/S), 0 directories.
  Total of file sizes:  235,585 bytes    230.06 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0D25-160A

Directory of C:\WINNT\System32

2005-11-02  09:03              235,585 guard.tmp
2005-11-01  14:02              234,259 lv4s09h7e.dll
2005-11-01  11:03              235,585 h62olgf3162.dll
2005-10-31  15:57              234,033 nvtman.dll
2005-10-31  14:41              165,624 lmllm.ini
2005-10-31  14:28              234,033 wvpasf.dll
2005-10-31  12:38              234,033 epfpixpsets.dll
2005-10-31  12:18              237,008 TVPI32.DLL
2005-10-31  11:02              162,974 lmllm.bak2
2005-10-31  11:02              235,283 oaethk32.dll
2005-10-28  16:33              235,483 kt66l7js1.dll
2005-10-28  11:56              162,351 lmllm.bak1
2005-10-27  09:02              235,569 dhcompos.dll
2005-10-26  16:44              234,272 wvspdmod.dll
2005-10-26  16:36              234,272 wghext.dll
2005-10-26  16:20              234,458 enn8l15u1.dll
2005-10-26  16:18              234,458 ywriinsert.dll
2005-10-26  16:00              234,458 nydskcc.dll
2005-10-26  14:56              234,272 CZRSRV.DLL
2004-04-13  15:17      <DIR>          dllcache
              19 File(s)      4,248,010 bytes
              1 Dir(s)  6,210,830,336 bytes free
————————————————
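The "Winlogon/notify" section of the find log above is where the infection shows itself: every stock Notify package registers a bare DLL name (crypt32.dll, cscdll.dll, ...), while the "Shell Extensions" subkey points at C:\WINNT\system32\h62olgf3162.dll, a random-looking file by full path. The following Python script is an added example, not part of this thread and not L2MFix's own code: it parses a .reg export of the Notify key (the same format the log prints), decodes the hex(2) DllName values, and flags any package whose DLL is not on a known-good list. The trimmed sample export is constructed from the log above, and the allowlist of stock Windows 2000 Notify DLLs is an assumption for the example; an analyst would build it from a known-clean machine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed Winlogon\Notify export in the same .reg format as the
# "Winlogon/notify" section of the L2MFix find log. Entries are copied from that log.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h62olgf3162.dll"
"Logon"="WinLogon"
'''

# Assumed allowlist for this example: the Notify DLLs a stock Windows 2000 SP4 install
# registers (the unflagged entries in the log). Build your own from a known-clean machine.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=value
_HEX_RE = re.compile(r"hex(?:\((\d+)\))?:(.*)$")        # hex(2):aa,bb,...
_NOTIFY_MARKER = "\\winlogon\\notify\\"


def _logical_lines(text: str) -> List[str]:
    """Join .reg lines that end in a backslash (hex continuations) into single lines."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        out.append(line)
    if pending:
        out.append(pending)
    return out


def decode_reg_value(raw: str) -> str:
    """Decode one .reg value: quoted string, hex(1)/hex(2)/hex(7) UTF-16LE data, else verbatim."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # undo the \\ and \" escapes
    m = _HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):                # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return raw                                           # dword:... and anything else as-is


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each Winlogon\\Notify subkey name to {value name: decoded value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(_NOTIFY_MARKER)
            current = path[idx + len(_NOTIFY_MARKER):] if idx != -1 else None
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def suspicious_notify_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, registered DLL, reason) for Notify packages worth investigating."""
    findings: List[Tuple[str, str, str]] = []
    for subkey, values in parse_notify_export(text).items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL not in the known-good Notify list")
        if "\\" in dll:
            reasons.append("registered by explicit path rather than bare file name")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in suspicious_notify_entries(SAMPLE_REG):
        print(f"[!] Notify\\{subkey} -> {dll}: {why}")
```

Run it against the sample and only "Shell Extensions" is reported, for both reasons. To use it on a real export, save the Notify key from regedit (File > Export) or paste the log's "Winlogon/notify" section into a file and pass its contents to suspicious_notify_entries. The explicit-path heuristic matters on its own: Look2Me-style packages register by full path and rename themselves between boots, so a flagged entry whose DLL no longer exists under that name is a sign of the same infection, not a false alarm.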

[Reply to bluecosmic's post]



I suggest downloading and using the CoolWeb Shredder:
[Must read] Board notes and common utility downloads: post #3 has a tutorial and the download link.

http://forum.ikaka.com/topic.asp?board=67&artid=5188931
Close all unnecessary windows before running the repair.
Double-click l2mfix.bat in the L2MFix folder, type 2 and press Enter to run the repair. Press any key to restart the computer. After the restart the desktop icons will appear and then disappear; this is normal. L2MFix will keep scanning the computer until it pops up a report.
Run the CoolWeb Shredder.
Double-click l2mfix.bat in the L2MFix folder again, type 2, and let L2MFix repair the registry keys.
Double-click l2mfix.bat in the L2MFix folder, type 4 and press Enter to repair the Winlogon definitions.
Finally, please attach the repair report and a HijackThis log taken after the repair is complete.

The CoolWeb Shredder report is as follows:
————————
Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Read        BUILTIN\Power Users
(ID-IO) ALLOW  Read        BUILTIN\Power Users
(ID-NI) ALLOW  Full access BUILTIN\Administrators
(ID-IO) ALLOW  Full access BUILTIN\Administrators
(ID-NI) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access CREATOR OWNER
——————

The HijackThis report is as follows:
————————————————
Logfile of HijackThis v1.99.1
Scan saved at 12:17:25, on 2005-11-2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SKYNET Personal FireWall] C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 使用彩信超级自写发送到手机 - http://mms.sina.com.cn/mmsnews.html
O8 - Extra context menu item: 使用新浪下载助手下载 - C:\WINNT\Downlo~1\sinadl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 发送图片到手机(&M) - http://sms.sina.com.cn/diy/send.html?from=467
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加QQ网络收藏夹 - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 情景聊天 - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O9 - Extra button: (no name) - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra 'Tools' menuitem: 新浪点点通阅读器 - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra button: 新浪点点通阅读器 - {F0646DC8-58CD-4C64-8F6B-525043914685} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\j22q0cf5ef2.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
————————————

The ads don't seem to pop up any more, but
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\j22q0cf5ef2.dll
this one is still there!


[Reply to bluecosmic's post]



Thank you for your efforts, bluecosmic.
Download and use the Spy Sweeper trial version:

http://www.webroot.com/downloads/
Click the "Free Trial" link on the right, install and update Spy Sweeper, run a repair with Spy Sweeper, then export the report.

Thanks for your patient cooperation, bluecosmic.