Logfile of HijackThis v1.99.1
Scan saved at 9:37:22, on 2007-1-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\shadow\ShadowService.exe
C:\winnt\system32\stisvc.exe
C:\WINNT\system32\rundll32.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\system32\Shadow\ShadowTip.exe
C:\winnt\system32\internat.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Chinanet\VnetClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\winnt\TEMP\VRT3.tmp
C:\Program Files\Rising\AntiSpyware\runiep.exe
D:\ha_hijackthis_1991\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RunShadowTip] C:\winnt\system32\Shadow\ShadowTip.exe
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C8F039B-5A0C-449C-AAE5-AA46CF3D0E77}: NameServer = 10.183.0.20,61.153.177.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC5FAAB-1D6F-4FD2-9DAE-08B7BC1140AD}: NameServer = 61.153.177.200 61.153.177.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C8F039B-5A0C-449C-AAE5-AA46CF3D0E77}: NameServer = 10.183.0.20,61.153.177.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C8F039B-5A0C-449C-AAE5-AA46CF3D0E77}: NameServer = 10.183.0.20,61.153.177.202
O20 - Winlogon Notify: ActiveSync - C:\winnt\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: igfxcui - C:\winnt\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: Shadow System Service (ShadowSystemService) - Unknown owner - C:\winnt\system32\shadow\ShadowService.exe

O4 - HKCU\..\Run: [Internat.exe] internat.exe把这个修复了，这个可能是窃取密码和个人数据的木马，杀了再说，如果可以的话，最好就用SRENG扫描一下，然后贴上来，因为HIJACKTHIS对于系统的DLL分析的不够全面

怎样粘贴日记

怎样粘贴日记

刪除
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe

引用:

【大菜鸟小碧也的贴子】O4 - HKCU\..\Run: [Internat.exe] internat.exe把这个修复了，这个可能是窃取密码和个人数据的木马，杀了再说，如果可以的话，最好就用SRENG扫描一下，然后贴上来，因为HIJACKTHIS对于系统的DLL分析的不够全面 ………………

Repair扫描结果
[CODE]

2007-01-22,12:20:24

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <H/PC Connection Agent><"C:\PROGRA~1\MICROS~3\wcescomm.exe">  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
    <RunShadowTip><C:\winnt\system32\shadow\ShadowTip.exe>  [PowerShadow]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs>< c:\winnt\system32\ldcore.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ActiveSync]
    <WinlogonNotify: ActiveSync><WcesWlgn.dll>  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><(无)>  [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Indexing Service / cisvc][Stopped/Disabled]
  <C:\WINNT\system32\cisvc.exe><Microsoft Corporation>
[ClipBook / ClipSrv][Stopped/Manual Start]
  <C:\winnt\system32\clipsrv.exe><Microsoft Corporation>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\winnt\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Fax Service / Fax][Stopped/Manual Start]
  <C:\winnt\system32\faxsvc.exe><Microsoft Corporation>
[NetMeeting Remote Desktop Sharing / mnmsrvc][Stopped/Manual Start]
  <C:\WINNT\system32\mnmsrvc.exe><Microsoft Corporation>
[Distributed Transaction Coordinator / MSDTC][Stopped/Manual Start]
  <C:\WINNT\system32\msdtc.exe><Microsoft Corporation>
[Windows Installer / MSIServer][Stopped/Manual Start]
  <C:\WINNT\system32\msiexec.exe /V><Microsoft Corporation>
[Network DDE / NetDDE][Stopped/Manual Start]
  <C:\winnt\system32\netdde.exe><Microsoft Corporation>
[Network DDE DSDM / NetDDEdsdm][Stopped/Manual Start]
  <C:\winnt\system32\netdde.exe><Microsoft Corporation>
[Remote Procedure Call (RPC) Locator / RpcLocator][Stopped/Manual Start]
  <C:\winnt\system32\locator.exe><Microsoft Corporation>
[QoS RSVP / RSVP][Stopped/Manual Start]
  <C:\winnt\system32\rsvp.exe -s><Microsoft Corporation>
[Smart Card Helper / SCardDrv][Stopped/Manual Start]
  <C:\winnt\System32\SCardSvr.exe><Microsoft Corporation>
[Smart Card / SCardSvr][Stopped/Manual Start]
  <C:\winnt\System32\SCardSvr.exe><Microsoft Corporation>
[Servicel / Servicel][Running/Auto Start]
  <C:\winnt\System32\svchost.exe -k netsvcs-->C:\winnt\system32\jetspeed.dll><>
[Shadow System Service / ShadowSystemService][Stopped/Auto Start]
  <C:\winnt\system32\shadow\ShadowService.exe><N/A>
[Performance Logs and Alerts / SysmonLog][Stopped/Manual Start]
  <C:\winnt\system32\smlogsvc.exe><Microsoft Corporation>
[Telnet / TlntSvr][Stopped/Manual Start]
  <C:\winnt\system32\tlntsvr.exe><Microsoft Corporation>
[Uninterruptible Power Supply / UPS][Stopped/Manual Start]
  <C:\winnt\System32\ups.exe><Microsoft Corporation>
[Utility Manager / UtilMan][Stopped/Manual Start]
  <C:\winnt\System32\UtilMan.exe><Microsoft Corporation>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\winnt\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[000035b5 / 000035b5][Running/Boot Start]
  <\SystemRoot\system32\drivers\000035b5.SYS><N/A>
[aeaudio / aeaudio][Running/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[WAN Miniport Driver For PPPoE Protocol / GNetPPPoE][Running/Manual Start]
  <system32\DRIVERS\PPPoE.SYS><Guangdong Data Communications Network Co.Ltd.>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\C:\Program Files\腾讯QQ2006 Final HooER 精简版 纯净绿色特别版\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>

[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[WAN Miniport (PPP over Ethernet Protocol) / RMSPPPOE][Running/Manual Start]
  <system32\DRIVERS\RMSPPPOE.SYS><Robert Schlabbach>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[VIMICRO USB PC Camera / ZSMC302][Running/Manual Start]
  <System32\Drivers\usbVM31b.sys><VM>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\winnt\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[使用迅雷下载]
  <C:\Program Files\Thunder\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <C:\Program Files\Thunder\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 168][\??\C:\winnt\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 188][\??\C:\winnt\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6898]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 216][C:\winnt\system32\services.exe]  [Microsoft Corporation, 5.00.2195.6700]
    [C:\winnt\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 236][C:\winnt\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.6902]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 424][C:\winnt\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 448][C:\winnt\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.6659]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 480][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [c:\winnt\system32\jetspeed.dll]  [, 1, 0, 0, 1]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 520][C:\winnt\system32\regsvc.exe]  [Microsoft Corporation, 5.00.2195.6701]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 544][C:\winnt\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6704]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 656][C:\winnt\system32\stisvc.exe]  [Microsoft Corporation, 5.00.2195.6656]
    [C:\winnt\system32\VM31bSTI.dll]  [VM, 4.2.510.21]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 692][C:\winnt\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 712][C:\WINNT\system32\rundll32.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\winnt\TEMP\jtemp\actied.dll]  [N/A, N/A]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 732][C:\winnt\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 1020][C:\winnt\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, N/A]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 1116][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.0.3536]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 1152][C:\PROGRA~1\MICROS~3\wcescomm.exe]  [Microsoft Corporation, 4.2.4876.0]
    [C:\Program Files\Microsoft ActiveSync\rapiproxystub.dll]  [N/A, N/A]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 1200][C:\PROGRA~1\MICROS~3\rapimgr.exe]  [Microsoft Corporation, 4.2.4876.0]
    [C:\Program Files\Microsoft ActiveSync\rapiproxystub.dll]  [N/A, N/A]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 776][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.2800.1106]
    [C:\winnt\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 996][C:\Program Files\Chinanet\VnetClient.exe]  [, 1, 0, 0, 1]
    [C:\winnt\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
    [C:\winnt\TEMP\VRT2.tmp]  [N/A, N/A]
    [C:\winnt\system32\ldcore.dll]  [N/A, N/A]
[PID: 1052][D:\sreng2_PConline\SREng.EXE]  [Smallfrogs Studio, 2.3.13.690]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
N/A

==================================


[/CODE]