卡巴是不是又误报了？

朋友打开baidu,rising,hao123等网站,卡巴就报检测到Trojan-Clicker.HTML.Agent.ad木马程序.

开始以为是IE的恶意插件, 用360,windows清理助手,雅虎助手清理后问题依然存在, 安全模式下用卡巴扫描没有病毒, 很郁闷...

这是他扫描出来的日志, 大家帮忙看看

2008-04-23,09:36:56

System Repair Engineer 2.5.16.900 Emergency Scan Mode
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描



启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [(Verified)]
    <YLive.exe><C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe>  [(Verified)"Beijing Yahoo! Information and Technology Co., Ltd."]
    <yassistse><C:\Program Files\Yahoo!\Assistant\yAssistSe.exe>  [(Verified)"Beijing Yahoo! Information and Technology Co., Ltd."]
    <AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe">  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)]
    <Userinit><C:\WINNT\system32\Userinit.exe,>  [(Verified)]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]


==================================
启动文件夹
[腾讯QQ]
  <C:\Documents and Settings\prk1\「开始」菜单\程序\启动\腾讯QQ.lnk --> D:\PROGRA~1\Tencent\QQ\QQ.exe [TENCENT]><N>


==================================
服务
[卡巴斯基反病毒 6.0 / AVP][Running/Auto Start]
  <"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[Contrl Center of Storm Media / ccosm][Running/Auto Start]
  <C:\Program Files\StormII\stormliv.exe /asservice><北京暴风网际科技有限公司>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Google Updater Service / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[WMDM PMSP Service / WMDM PMSP Service][Running/Auto Start]
  <C:\WINNT\system32\mspmspsv.exe><Microsoft Corporation>


==================================
驱动程序
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
  <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ialm / ialm][Running/Manual Start]
  <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[IdeBusDr / IdeBusDr][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\IdeBusDr.sys><Intel Corporation>
[Intel(R) Ultra ATA Controller / IdeChnDr][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\IdeChnDr.sys><Intel Corporation>
[kl1 / kl1][Running/Boot Start]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
  <\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
[npkcrypt / npkcrypt][Stopped/Manual Start]
  <\??\C:\WINNT\system32\npkcrypt.sys><N/A>
[npkycryp / npkycryp][Stopped/Manual Start]
  <\??\C:\WINNT\system32\npkycryp.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver / rtl8139][Running/Manual Start]
  <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[szjviygb / szjviygb][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\szjviygb.sys><Yahoo! China Corporation>
[Microsoft USB 2.0 Enhanced Host Controller Miniport Driver / usbehci][Running/Manual Start]
  <System32\DRIVERS\usbehci.sys><Microsoft Corporation>
[USB 2.0 Root Hub Support / usbhub20][Running/Manual Start]
  <System32\DRIVERS\usbhub20.sys><Microsoft Corporation>
[yaskp / yaskp][Running/Boot Start]
  <\SystemRoot\system32\drivers\yaskp.sys><Copyright (C) yahoo Corporation.>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>


==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[雅虎助手]
  {406F94F0-504F-4A40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar0.dll, yahoo! china>
[添加到雅虎订阅(&Y)]
  <res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT, N/A>
[雅虎搜索]
  <res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar0.dll/203, N/A>


==================================
正在运行的进程
[PID: 172][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 196][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6997]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]

[C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
[PID: 244][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.7035]
    [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
[PID: 256][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.7011]
[PID: 424][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 464][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.7059]
    [C:\WINNT\system32\OLFMNT40.DLL]  [Microsoft Corporation, 9.0.98.0105]
    [C:\WINNT\system32\spool\PRTPROCS\W32X86\olfpnt40.dll]  [Microsoft Corporation, 9.0.98.0105]
[PID: 504][C:\Program Files\StormII\stormliv.exe]  [北京暴风网际科技有限公司, 3, 8, 3, 15]
    [C:\Program Files\StormII\MSVCP60.dll]  [Microsoft Corporation, 6.02.3104.0]
[PID: 524][C:\WINNT\System32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\System32\unimdm.tsp]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\WINNT\System32\kmddsp.tsp]  [Microsoft Corporation, 5.00.2150.1]
    [C:\WINNT\System32\ndptsp.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\System32\ipconf.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\System32\h323.tsp]  [Microsoft Corporation, 5.00.2195.6901]
[PID: 572][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6972]
[PID: 608][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
[PID: 636][C:\WINNT\system32\mspmspsv.exe]  [Microsoft Corporation, 7.10.00.3059]
[PID: 648][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 1072][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\WINNT\AppPatch\AcLayers.DLL]  [Microsoft Corporation, 5.00.2195.6717]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll]  [Kaspersky Lab, 6.0.2.620]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  [Yahoo! China, 3, 1, 5, 1033]
    [C:\WINNT\System32\igfxpph.dll]  [Intel Corporation, 3,0,0,2082]
    [C:\WINNT\System32\hccutils.DLL]  [Intel Corporation, 3,0,0,2082]
    [C:\WINNT\system32\igfxres.dll]  [Intel Corporation, 3,0,0,2082]
    [C:\WINNT\System32\igfxsrvc.dll]  [Intel Corporation, 3,0,0,2082]
    [C:\WINNT\System32\igfxdev.dll]  [Intel Corporation, 3,0,0,2082]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll]  [yahoo! china, 3, 8, 0, 1140]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll]  [Yahoo! China, 3, 0, 3, 1012]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
[PID: 1136][C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe]  [Yahoo! China, 3, 2, 6, 1032]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  [Yahoo! China, 3, 1, 5, 1033]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll]  [yahoo! china, 3, 8, 0, 1140]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll]  [Yahoo! China, 3, 0, 3, 1012]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\ynotifier.dll]  [yahoo! china, 3, 0, 5, 1006]
[PID: 1144][C:\Program Files\Yahoo!\Assistant\yAssistSe.exe]  [Yahoo! China, 3, 1, 0, 1013]
    [C:\Program Files\Yahoo!\Assistant\shell\yAssecblk.dll]  [Yahoo! China, 3, 2, 1, 1029]
    [C:\Program Files\Yahoo!\Assistant\shell\yAsMenu.dll]  [Yahoo! China, 3, 0, 5, 1007]
    [C:\Program Files\Yahoo!\Assistant\shell\yMenuInfo.dll]  [Yahoo! China, 3, 0, 1, 1001]
    [C:\Program Files\Yahoo!\Assistant\shell\yIEAngel.dll]  [Yahoo! China, 3, 0, 4, 1005]
[PID: 1084][C:\WINNT\system32\conime.exe]  [Microsoft Corporation, 5.00.2195.6655]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  [Yahoo! China, 3, 1, 5, 1033]
    [C:\WINNT\system32\winpy.ime]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\WINNT\system32\winabc.ime]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\WINNT\system32\WINWB86.IME]  [Microsoft Corporation, 4.00.950]
[PID: 1116][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.2600.0000]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  [Yahoo! China, 3, 1, 5, 1033]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\yscrblock.dll]  [Yahoo! China, 3, 0, 3, 1004]
    [C:\WINNT\System32\wshCHS.DLL]  [Microsoft Corporation, 5.6.0.6626]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll]  [Kaspersky Lab, 6.0.2.620]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll]  [yahoo! china, 3, 8, 0, 1140]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll]  [Yahoo! China, 3, 0, 3, 1012]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll]  [Kaspersky Lab, 6.0.2.620]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.42]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prremote.dll]  [Kaspersky Lab, 6.0.2.620]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.42]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  [Kaspersky Lab, 6.0.2.620]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\basegui.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\thpimpl.ppl]  [Kaspersky Lab, 6.0.2.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\FSSync.dll]  [Kaspersky Lab, 6.0.5.620]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\winreg.ppl]  [Kaspersky Lab, 6.0.2.620]
[PID: 964][C:\Documents and Settings\prk1\桌面\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  [Yahoo! China, 3, 1, 5, 1033]


==================================
文件关联
.TXT  Error. [C:\WINNT\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]


==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1       localhost


==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 192, C:\WINNT\SYSTEM32\WINLOGON.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 244, C:\WINNT\SYSTEM32\SERVICES.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 256, C:\WINNT\SYSTEM32\LSASS.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 464, C:\WINNT\SYSTEM32\SPOOLSV.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 524, C:\WINNT\SYSTEM32\SVCHOST.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 572, C:\WINNT\SYSTEM32\MSTASK.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 608, C:\WINNT\SYSTEM32\WBEM\WINMGMT.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 636, C:\WINNT\SYSTEM32\MSPMSPSV.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 648, C:\WINNT\SYSTEM32\SVCHOST.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1072, C:\WINNT\EXPLORER.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1084, C:\WINNT\SYSTEM32\CONIME.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1116, C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE]


==================================
API HOOK
RVA  错误： LoadLibraryA (危险等级: 高,  被下面模块所HOOK: \??\C:\WINNT\system32\drivers\klif.sys)
RVA  错误： LoadLibraryExA (危险等级: 高,  被下面模块所HOOK: \??\C:\WINNT\system32\drivers\klif.sys)
RVA  错误： LoadLibraryExW (危险等级: 高,  被下面模块所HOOK: \??\C:\WINNT\system32\drivers\klif.sys)
RVA  错误： LoadLibraryW (危险等级: 高,  被下面模块所HOOK: \??\C:\WINNT\system32\drivers\klif.sys)
RVA  错误： GetProcAddress (危险等级: 高,  被下面模块所HOOK: \??\C:\WINNT\system32\drivers\klif.sys)


==================================
隐藏进程
N/A

浪者以为：就日志来看，主要问题还是流氓或恶意软件
建议：下载windows清理助手--更新--快速扫描--清理/卸载

重启系统后看效果