Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-malware board


[Help] My computer has a virus, please help me quickly


This morning when I turned on my laptop, before I had even entered the login password, the screen went black. If I move the mouse or press a key, the screen flashes three times and comes back on, but after a moment it goes black again. In safe mode this does not happen. Now the screen stays on for only 3-5 seconds before going black, and only moving the mouse or pressing a key brings it back, as if a screensaver were running. What should I do? I can't get anything done; even typing this request for help took a lot of effort. Please help me quickly. I'm desperate, I can't do anything right now, and Rising doesn't detect any virus either.
Last edited 2005-08-27 09:05:15

For the HijackThis download, see:
[Must read] Board guide and download of commonly used small tools
http://forum.ikaka.com/topic.asp?board=67&artid=5188931

[Recommended] Common steps against browser hijacking
http://forum.ikaka.com/topic.asp?board=67&artid=6490491

Run HijackThis and click the [Do a system scan and save a logfile] button. When the scan finishes, the log is shown in a Notepad window that opens automatically; copy and paste it from Notepad into your post. If the log is too long for one post, split it into several parts and post them as replies.

[Reply to 命运里の金色's post]
Logfile of HijackThis v1.99.1
Scan saved at 13:27:49, on 2005-8-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\conime.exe
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
d:\program files\rising\rav\RAVMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\tools\hardtools\Hijack\HijackThis.exe

R3 - URLSearchHook: BDSrchHook Class - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - C:\WINDOWS\DOWNLO~1\BDSrHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BDHlprObj Class - {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} - C:\WINDOWS\DOWNLO~1\BDHelper.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] ;rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UpdateManager] ;"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] ;C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [pdfFactory Pro 分配器 v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 使用网际快车下载 - D:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120784846300
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - https://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38540.7668171296
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown2.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1BBC07-EB84-45E3-8ADE-401A8D13370F}: NameServer = 202.106.196.115,202.106.0.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C145D84-0A33-4597-8D9A-1E2FEB3B4E56}: NameServer = 202.106.196.115,202.106.0.20
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

New observation: if I hold the mouse button down without releasing it, the screen does not go black. What is going on? Thanks, everyone.

R3 - URLSearchHook: BDSrchHook Class - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - C:\WINDOWS\DOWNLO~1\BDSrHook.dll

Explanation of the BDSrHook.dll problem and how to fix it

According to the Anti-Spy.Info website, BDSrHook.dll mostly appears in malicious plugins:

Information about bdsrhook.dll file
File: bdsrhook.dll
Name: SearchHook Module
Product: SearchHook Module


60% of request of bdsrhook.dll has no information about company, product, file. So you have to check your file by yourself.


--------------------------------------------------------------------------------

The security site www.superadblocker.com explains:
BDSrHook.dll
Spyware/Adware Application Explanation

Listed below is basic information about the offending spyware/adware application. Super Ad Blocker will immediately stop this application from running. Super Ad Blocker will block spyware, adware, trojans, home page hi-jackers pop-ups, pop-unders and more.

Summary
BD Url Search Hook

Company
Unknown

Description
BD Url Search Hook

Adware applications, toolbars and browser extensions may serve advertisements even while you are not surfing the Internet.

This application may serve various types of advertising, not limited to pop-up ads.

Threat Level (1-10)
10

Process List
BDSRHOOK.DLL

CLSID List
{2C5AA40E-8814-4EB6-876E-7EFB8B3F9662}


--------------------------------------------------------------------------------

In summary: I suspect you installed the Baidu plugin; many websites now prompt you to install Baidu's "IE Search Companion" when you visit them. So you only need to reinstall that plugin once to fix it. Alternatively, open the Run dialog, type Msconfig, switch to the Startup tab of the System Configuration Utility, and uncheck the bdsrhook item.



That is the only thing I found in the log; better wait for an expert.





 


eTrust's full explanation of BDSrHook.dll and its removal method
 
  BDPlugin
Overview
Category
  Toolbar :  A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Browser Helper Object:  (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.



 

Origins
  Date of Origin
  December, 2002 

 

Distribution
Prevalence
  BDPlugin: < 0.00005%


Clot Factor
  BDPlugin: 5


Countries Affected
  In the past three months, we have received reports of BDPlugin in:

United States, China, United States, 

 

Operation
Storage Required
  BDPlugin: at least 165KB


Browser Performance
  Likely to slow performance of Internet Explorer. 

 

Detection and Removal
Manual Removal
  Follow these steps to remove BDPlugin from your machine.  Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake. 



 

Remove AutoRun Reference:

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bie, delete it and reboot the machine immediately.




Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

bdex.dll
bdplugin.dll
systemroot+\downloaded program files\bdhelper.dll
systemroot+\system\bdsrhook.dll
systemroot+\system32\bdsrhook.dll

Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\clsid\{2c5aa40e-8814-4eb6-876e-7efb8b3f9662}
HKEY_CLASSES_ROOT\clsid\{bc207f7d-3e63-4aca-99b5-fb5f8428200c}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{bc207f7d-3e63-4aca-99b5-fb5f8428200c}
HKEY_CLASSES_ROOT\typelib\{2c5aa40e-8814-4eb6-876e-7efb8b3f9662}
HKEY_CLASSES_ROOT\typelib\{8522f9b3-38c5-4aa4-ae40-7401f1bbc851}
HKEY_CLASSES_ROOT\typelib\{ca92b524-bc8a-4610-bd2c-6bd3e28155d0}
HKEY_LOCAL_MACHINE\software\classes\clsid\{bc207f7d-3e63-4aca-99b5-fb5f8428200c}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{bc207f7d-3e63-4aca-99b5-fb5f8428200c}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bie

Remove Files:

Remove these files (if present) with Windows Explorer:

bdex.dll
bdplugin.dll
bdplugin.txt
bdsearch.inf
systemroot+\downloaded program files\bdhelper.dll
systemroot+\system\bdsrhook.dll
systemroot+\system32\bdsrhook.dll


[Reply to 命运里の金色's post]
I opened msconfig, and there is no bdsrhook in the startup items at all. I also searched the registry and did not find any of the files mentioned above. I searched for bdex.dll and found it is in Rising's installation directory; could Rising be causing this? bdsrhook.dll was not found either. Can anyone help me??

That removal procedure looks rather over the top, and I don't think this is the main cause of your computer's problem. I have sent a private message to moderator baohe to have him take a look.

First, get rid of it. Baidu Search Companion uses rundll32.exe to load its DLL, and in normal mode the system cannot terminate the Rundll32.exe process, so we must first restart the computer into safe mode, then open the registry with regedit, find the following keys and delete them (a reminder to everyone: back up the registry before touching it, just in case):
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, delete the value BIE, whose data is: Rundll32 C:\WINNT\DOWNLO~1\BDPlugin.dll,Rundll32 (on Win98, C:\WINNT\DOWNLO~1\ here is C:\WINDOWS\DOWNLO~1\)
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY, delete the key BDSEARCH; this key adds the Baidu IE Search Companion option under Internet Options -> Advanced.
Under HKEY_CLASSES_ROOT:
Delete key: BDHlprObj.BDHlprObj
Delete key: BDHlprObj.BDHlprObj.1
Delete key: BDHook.BDSrchHook
Delete key: BDHook.BDSrchHook.1
Delete key: BDHook.URLBDHook
Delete key: BDHook.URLBDHook.1
Delete key: BDPlugins.Interceptor
Delete key: BDPlugins.Interceptor.1
Under HKEY_CLASSES_ROOT\CLSID:
Delete key: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
Delete key: {CA92B524-BC8A-4610-BD2C-6BD3E28155D0}
Under HKEY_CLASSES_ROOT\TypeLib:
Delete key: {CE7C3CE2-4B15-11D1-ABED-709549C10000}
Under HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID:
Delete key: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
Delete key: {CA92B524-BC8A-4610-BD2C-6BD3E28155D0}
Under HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib:
Delete key: {CE7C3CE2-4B15-11D1-ABED-709549C10000}
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units:
Delete key: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
Delete key: {CA92B524-BC8A-4610-BD2C-6BD3E28155D0}
Once the registry is done, deal with the IE Search Companion files on disk, in the C:\WINNT\DOWNLO~1 directory (on 98, C:\WINDOWS\DOWNLO~1\; same below):
BDEX.DLL 24576 12-25-02 11:43
BDPLUGIN.DLL 49152 12-25-02 11:44
BDSRHOOK.DLL 32768 12-25-02 11:45
BDHELPER.DLL 36864 12-25-02 11:52
BDSEARCH.INF 1507 12-28-02 9:48
Delete all of the files above; only then is Baidu Search Companion really removed from your machine!
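As an added example (not code from this thread, from HijackThis, or from any of the vendors quoted above), the Python script below reads a HijackThis log like the one posted earlier and reports the lines that match the CLSIDs, file names and Run value name that the eTrust write-up and the manual removal post above attribute to BDPlugin (Baidu "IE Search Companion"). The sample log is constructed to mirror the posted log's format; the `[BIE]` O4 line is an assumption of how the Run value described in the removal post would appear in a log. The script only reports, so it is a way to confirm that the indicators are actually present before anyone edits the registry.

```python
"""Flag HijackThis log entries that match the BDPlugin indicators given in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators taken from the thread's eTrust write-up and the manual removal post.
BDPLUGIN_CLSIDS = {
    "{2C5AA40E-8814-4EB6-876E-7EFB8B3F9662}",  # BDSrchHook (R3 URLSearchHook)
    "{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}",
    "{CA92B524-BC8A-4610-BD2C-6BD3E28155D0}",  # BDHlprObj (O2 BHO)
}
BDPLUGIN_FILES = {"bdex.dll", "bdplugin.dll", "bdsrhook.dll", "bdhelper.dll", "bdsearch.inf"}
BDPLUGIN_RUN_VALUES = {"bie"}  # Run value that loads BDPlugin.dll through rundll32

# A HijackThis finding looks like "<section> - <description> - <clsid> - <path>".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r"[\w~\-]+\.(?:dll|exe|ocx|inf|cab)\b", re.IGNORECASE)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]")  # "[ValueName]" in O4 lines


@dataclass
class Entry:
    section: str
    raw: str
    clsids: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)   # lower-cased basenames
    run_name: Optional[str] = None                   # O4 Run value name, if any


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an R/F/O finding line, or None for headers and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    entry = Entry(section=m.group("section"), raw=line.strip())
    entry.clsids = [c.upper() for c in CLSID_RE.findall(rest)]
    entry.files = [f.lower() for f in FILE_RE.findall(rest)]
    if entry.section == "O4":
        r = RUN_RE.search(rest)
        entry.run_name = r.group("name") if r else None
    return entry


def reasons_for(entry: Entry) -> List[str]:
    """List every BDPlugin indicator the entry matches (empty list = nothing matched)."""
    out = []
    for c in entry.clsids:
        if c in BDPLUGIN_CLSIDS:
            out.append(f"CLSID {c} is listed for BDPlugin")
    for f in entry.files:
        if f in BDPLUGIN_FILES:
            out.append(f"file {f} is listed for BDPlugin")
    if entry.run_name and entry.run_name.lower() in BDPLUGIN_RUN_VALUES:
        out.append(f"Run value '{entry.run_name}' is the BDPlugin autostart")
    return out


def scan(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every log line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons_for(entry)
        if why:
            hits.append((entry, why))
    return hits


# Constructed sample log: the R3 and O2 lines mirror the posted log; the [BIE] line is an
# assumed rendering of the Run value described in the removal post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: BDSrchHook Class - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - C:\WINDOWS\DOWNLO~1\BDSrHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BDHlprObj Class - {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} - C:\WINDOWS\DOWNLO~1\BDHelper.dll
O4 - HKLM\..\Run: [BIE] Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32
O4 - HKLM\..\Run: [dla] ;C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG):
        print(entry.raw)
        for w in why:
            print("   ->", w)
```

On the sample, the R3 search hook, the BDHlprObj BHO and the `[BIE]` autostart are reported with both their CLSID/file and (for O4) the Run value name as reasons, while the Acrobat BHO, the `dla` entry and `ctfmon.exe` pass through silently. Running it over a real log tells you whether the thread's indicators are present at all, which is the question the original poster ran into when msconfig and a registry search turned up nothing.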

[Reply to 命运里の金色's post]
Thank you for your help, 金色, but I don't think this is caused by Baidu Search Companion. Could it be some other virus? I have found a pattern now: as long as I keep clicking the mouse or hold the button down, the screen does not go black.
So frustrating; it feels like it is playing a joke on me.

[Reply to tfpiupih's post]
C:\WINDOWS\system32\dla\tfswctrl.exe

Please zip this file and upload it so we can take a look.

The file is zipped and uploaded; moderator, please check what is wrong with it. Thanks. I haven't done anything all day except fiddle with this computer.

Attachment: application/octet-stream, uploaded 2005-8-25 16:37:17


Another strange thing: my username is tf735, so why is it shown here as tfpiupih?
Powered by Discuz!NT