烂笔头1 - 2006-6-30 16:13:00
未知家族病毒分析
扫描结果:
C:\WINNT\system32\msime.exe --> 与 Trojan.PSW.LMir 72%相似.
系统活动进程
C:\WINNT\SYSTEM32\SMSS.EXE
C:\WINNT\SYSTEM32\WINLOGON.EXE
C:\WINNT\SYSTEM32\CSRSS.EXE
C:\WINNT\SYSTEM32\SERVICES.EXE
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
C:\WINNT\SYSTEM32\LSASS.EXE
C:\WINNT\SYSTEM32\SVCHOST.EXE
C:\WINNT\SYSTEM32\SPOOLSV.EXE
C:\WINNT\SYSTEM32\ADOBEPDF.DLL
C:\WINNT\SYSTEM32\MSVCR71.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\DISTILLR\ADISTRES.CHS
C:\WINNT\SYSTEM32\ZLHP1020.DLL
C:\WINNT\SYSTEM32\ZLM.DLL
C:\WINNT\SYSTEM32\SPOOL\PRTPROCS\W32X86\IMFPRINT.DLL
C:\WINNT\SYSTEM32\IMF32.DLL
C:\WINNT\SYSTEM32\ZTAG32.DLL
C:\WINNT\SYSTEM32\ZSPOOL.DLL
C:\WINNT\SYSTEM32\SVCHOST.EXE
C:\WINNT\SYSTEM32\UNIMDM.TSP
C:\WINNT\SYSTEM32\KMDDSP.TSP
C:\WINNT\SYSTEM32\NDPTSP.TSP
C:\WINNT\SYSTEM32\IPCONF.TSP
C:\WINNT\SYSTEM32\H323.TSP
C:\WINNT\SYSTEM32\NVSVC32.EXE
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
D:\PROGRAM FILES\RISING\RAV\RAVSERVICE.EXE
D:\PROGRAM FILES\RISING\RAV\MFC42.DLL
D:\PROGRAM FILES\RISING\RAV\MSVCP60.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL
C:\WINNT\SYSTEM32\MSXML3.DLL
C:\WINNT\NTSERVICE.EXE
C:\WINNT\SYSTEM32\MSVBVM60.DLL
C:\WINNT\SYSTEM32\VB6CHS.DLL
C:\WINNT\NTSVC.OCX
C:\WINNT\SYSTEM32\MSTASK.EXE
C:\WINNT\SYSTEM32\STISVC.EXE
C:\WINNT\SYSTEM32\VIPTRAY.EXE
C:\WINNT\SYSTEM32\SVCHOST.EXE
C:\WINNT\SYSTEM32\MSXML3.DLL
C:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET_FILTER.DLL
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSVCR71.DLL
C:\WINNT\SYSTEM32\NOTEPAD.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\RISING\RAV\RAVMON.EXE
D:\PROGRAM FILES\RISING\RAV\RSGUILIB.DLL
D:\PROGRAM FILES\RISING\RAV\MFC42.DLL
D:\PROGRAM FILES\RISING\RAV\MSVCP60.DLL
D:\PROGRAM FILES\RISING\RAV\RSAPPMGR.DLL
D:\PROGRAM FILES\RISING\RAV\CFGDLL.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL
D:\绿色\GREENBROWSERGB\GREENBROWSER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\WINNT\SYSTEM32\MSCOREE.DLL
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\CORPERFMONEXT.DLL
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSVCR71.DLL
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
D:\PROGRAM FILES\RISING\RAV\RAVSCRCH.DLL
C:\WINNT\SYSTEM32\WINABC.IME
C:\WINNT\SYSTEM32\WINWB86.IME
C:\WINNT\SYSTEM32\MSDMO.DLL
C:\WINNT\SYSTEM32\FREEWB.IME
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORIE.DLL
C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORLD.DLL
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\ROBOFORM\ROBOFORM.DLL
C:\WINNT\SYSTEM32\MACROMED\FLASH\FLASH8B.OCX
C:\WINNT\SYSTEM32\MSRATELC.DLL
C:\WINNT\EXPLORER.EXE
C:\WINNT\APPPATCH\ACLAYERS.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACTIVEX\PDFSHELL.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACTIVEX\ACROIEHELPER.DLL
C:\WINNT\SYSTEM32\MSVCR71.DLL
C:\PROGRAM FILES\BAIDU\BAR\BAIDUBAR.DLL
C:\PROGRA~1\MYAPPL~1\IEBHO.DLL
C:\PROGRAM FILES\WINRAR\RAREXT.DLL
C:\WINNT\SYSTEM32\RAVEXT.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACROBAT ELEMENTS\CONTEXTMENU.CHS
C:\WINNT\SYSTEM32\NVSHELL.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\WINDEFENDOR.DLL
C:\WINNT\SYSTEM32\CONIME.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\MSIME.EXE
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\N.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
D:\PROGRAM FILES\RISING\RAV\RAVSTUB.EXE
D:\PROGRAM FILES\RISING\RAV\MFC42.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL
D:\PROGRAM FILES\RISING\RAV\RAVTRAY.EXE
D:\PROGRAM FILES\RISING\RAV\MFC42.DLL
D:\PROGRAM FILES\RISING\RAV\MSVCP60.DLL
D:\PROGRAM FILES\RISING\RAV\RAVTRAY936.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
D:\PROGRAM FILES\RISING\RAV\RAVTIMER.EXE
D:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL
D:\PROGRAM FILES\RISING\RAV\RSAPPMGR.DLL
D:\PROGRAM FILES\RISING\RAV\CFGDLL.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\DOCUMENTS AND SETTINGS\SALES51\桌面\RSDETECT.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\DISTILLR\ACROTRAY.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\DISTILLR\ACROTRAY.CHS
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\DOWNS.EXE
C:\WINNT\SYSTEM32\MSVBVM60.DLL
C:\WINNT\SYSTEM32\VB6CHS.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\WINNT\SYSTEM32\MSINET.OCX
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\INTERNAT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\PROGRA~1\IE-BAR\CAST\DMIPN.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\PROGRA~1\IE-BAR\CAST\DMSHELL.DLL
C:\PROGRA~1\IE-BAR\CAST\221~1.0\DMPLAYER.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\MICROBAK\DOWNS.EXE
C:\WINNT\SYSTEM32\MSVBVM60.DLL
C:\WINNT\SYSTEM32\VB6CHS.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\WINNT\SYSTEM32\MSINET.OCX
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\ROBOFORM\ROBOTASKBARICON.EXE
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\ROBOFORM\ROBOFORM.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\DOCUMENTS AND SETTINGS\SALES51\桌面\RSDETECT.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACROBAT\ACROIEFAVCLIENT.DLL
C:\WINNT\SYSTEM32\ATL71.DLL
C:\WINNT\SYSTEM32\MSVCP71.DLL
C:\WINNT\SYSTEM32\MSVCR71.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACROBAT\ACROIEFAVCLIENT.CHS
C:\PROGRAM FILES\BAIDU\BAR\BAIDUBAR.DLL
D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACTIVEX\ACROIEHELPER.DLL
C:\WINNT\SYSTEM32\WINDEFENDOR.DLL
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
C:\PROGRA~1\MYAPPL~1\IEBHO.DLL
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\ROBOFORM\ROBOFORM.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\XDICT.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\IHOOKS.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\ITEXTOUT.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTAB32.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\XIMAGE32.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\NEWWORD.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\XFILE.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\ITTSENGINE.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RAR$EX00.438\HIJACKTHIS1991ZWW.EXE
C:\WINNT\SYSTEM32\MSVBVM60.DLL
C:\WINNT\SYSTEM32\VB6CHS.DLL
D:\PROGRAM FILES\KINGSOFT\XDICT\CJKTL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\SYSTEM.SYS
C:\DOCUME~1\SALES51\LOCALS~1\TEMP\RSXAOZ.DLL
普通自启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = MOBSYNC.EXE /LOGON
nwiz = NWIZ.EXE /INSTALL
Acrobat Assistant 7.0 = "D:\PROGRAM FILES\ADOBE\ACROBAT 7.0\DISTILLR\ACROTRAY.EXE"
(Default) = (NULL)
NvCplDaemon = RUNDLL32.EXE C:\WINNT\SYSTEM32\NVCPL.DLL,NVSTARTUP
Systems32 = C:\WINNT\SYSTEM32\SERVER.EXE
RavTimer = D:\PROGRAM FILES\RISING\RAV\RAVTIMER.EXE
RavTray = D:\PROGRAM FILES\RISING\RAV\RAVTRAY.EXE
RavMon = D:\PROGRAM FILES\RISING\RAV\RAVMON.EXE -SYSTEM
\\lambda\EPSON Stylus C67 Series = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAAP.EXE /P32 "\\LAMBDA\EPSON STYLUS C67 SERIES" /O6 "USB001" /M "STYLUS C67"
downs = C:\WINNT\SYSTEM32\DOWNS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
KernelFaultCheck = C:\WINNT\SYSTEM32\MSIME.EXE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internat.exe = INTERNAT.EXE
AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
系统文件关联
.exe ==> exefile = "%1" %*
.com ==> comfile = "%1" %*
.cmd ==> cmdfile = "%1" %*
.bat ==> batfile = "%1" %*
.txt ==> txtfile = NOTEPAD.EXE %1
.scr ==> scrfile = "%1" /S
.reg ==> regfile = regedit.exe "%1"
.doc ==> Word.Document.8 = "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" /n
其它启动项
WIN.INI
无信息
SYSTEM.INI
SHELL = Explorer.exe
SCRNSAVE.EXE = (无)
Winlogon 启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
crypt32chain = CRYPT32.DLL
cryptnet = CRYPTNET.DLL
cscdll = CSCDLL.DLL
sclgntfy = SCLGNTFY.DLL
SensLogn = WLNOTIFY.DLL
wzcnotif = WZCDLG.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINNT\SYSTEM32\USERINIT.EXE,
shell = EXPLORER.EXE
IE - BHO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{2D99E8F4-56B7-457B-9A92-61B5D247D263} = C:\WINNT\system32\WinDefendor.dll
{77FEF28E-EB96-44FF-B511-3185DEA48697} = C:\Program Files\Baidu\bar\BaiduBar.DLL
{9593496E-F7B8-49D5-ABD2-74A71335D26E} = C:\PROGRA~1\MYAPPL~1\IEBHO.dll
Winsock SPI
MSAFD Tcpip [TCP/IP] = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD Tcpip [UDP/IP] = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD Tcpip [RAW/IP] = C:\WINNT\SYSTEM32\MSAFD.DLL
RSVP UDP Service Provider = C:\WINNT\SYSTEM32\RSVPSP.DLL
RSVP TCP Service Provider = C:\WINNT\SYSTEM32\RSVPSP.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C6A3D68-285E-4C89-A6EF-6CE3BD59BB71}] SEQPACKET 0 = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C6A3D68-285E-4C89-A6EF-6CE3BD59BB71}] DATAGRAM 0 = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{3897F4D1-1B14-4D69-AA01-D854D9462047}] SEQPACKET 1 = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{3897F4D1-1B14-4D69-AA01-D854D9462047}] DATAGRAM 1 = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2F6506B-CC73-4935-9FE8-6A5643DC7B2B}] SEQPACKET 2 = C:\WINNT\SYSTEM32\MSAFD.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2F6506B-CC73-4935-9FE8-6A5643DC7B2B}] DATAGRAM 2 = C:\WINNT\SYSTEM32\MSAFD.DLL
烂笔头1 - 2006-6-30 16:13:00
系统服务项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Alerter = C:\WINNT\SYSTEM32\SERVICES.EXE
AppMgmt = C:\WINNT\SYSTEM32\SERVICES.EXE
aspnet_state = C:\WINNT\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET_STATE.EXE
BITS = C:\WINNT\SYSTEM32\SVCHOST.EXE -K BITSGROUP
Browser = C:\WINNT\SYSTEM32\SERVICES.EXE
cisvc = C:\WINNT\SYSTEM32\CISVC.EXE
ClipSrv = C:\WINNT\SYSTEM32\CLIPSRV.EXE
Dhcp = C:\WINNT\SYSTEM32\SERVICES.EXE
dmadmin = C:\WINNT\SYSTEM32\DMADMIN.EXE /COM
dmserver = C:\WINNT\SYSTEM32\SERVICES.EXE
Dnscache = C:\WINNT\SYSTEM32\SERVICES.EXE
Eventlog = C:\WINNT\SYSTEM32\SERVICES.EXE
EventSystem = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
Fax = C:\WINNT\SYSTEM32\FAXSVC.EXE
IISADMIN = C:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
lanmanserver = C:\WINNT\SYSTEM32\SERVICES.EXE
lanmanworkstation = C:\WINNT\SYSTEM32\SERVICES.EXE
LmHosts = C:\WINNT\SYSTEM32\SERVICES.EXE
Macromedia Licensing Service = "C:\PROGRAM FILES\COMMON FILES\MACROMEDIA SHARED\SERVICE\MACROMEDIA LICENSING.EXE"
Messenger = C:\WINNT\SYSTEM32\SERVICES.EXE
mnmsrvc = C:\WINNT\SYSTEM32\MNMSRVC.EXE
MSDTC = C:\WINNT\SYSTEM32\MSDTC.EXE
MSFTPSVC = C:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
MSIServer = C:\WINNT\SYSTEM32\MSIEXEC.EXE /V
NetDDE = C:\WINNT\SYSTEM32\NETDDE.EXE
NetDDEdsdm = C:\WINNT\SYSTEM32\NETDDE.EXE
Netlogon = C:\WINNT\SYSTEM32\LSASS.EXE
Netman = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
NtLmSsp = C:\WINNT\SYSTEM32\LSASS.EXE
NtmsSvc = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
NVSvc = C:\WINNT\SYSTEM32\NVSVC32.EXE
PlugPlay = C:\WINNT\SYSTEM32\SERVICES.EXE
PolicyAgent = C:\WINNT\SYSTEM32\LSASS.EXE
ProtectedStorage = C:\WINNT\SYSTEM32\SERVICES.EXE
RasAuto = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
RasMan = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
RavService = "D:\PROGRAM FILES\RISING\RAV\RAVSERVICE.EXE" /SERVICE
RemoteAccess = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
RemoteRegistry = C:\WINNT\SYSTEM32\REGSVC.EXE
RpcLocator = C:\WINNT\SYSTEM32\LOCATOR.EXE
RpcSs = C:\WINNT\SYSTEM32\SVCHOST -K RPCSS
RsRavMon = D:\PROGRAM FILES\RISING\RAV\RAVMOND.EXE
RSVP = C:\WINNT\SYSTEM32\RSVP.EXE -S
SamSs = C:\WINNT\SYSTEM32\LSASS.EXE
SCardDrv = C:\WINNT\SYSTEM32\SCARDSVR.EXE
SCardSvr = C:\WINNT\SYSTEM32\SCARDSVR.EXE
Schedule = C:\WINNT\SYSTEM32\MSTASK.EXE
seclogon = C:\WINNT\SYSTEM32\SERVICES.EXE
SENS = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
SharedAccess = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
SMTPSVC = C:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
Spooler = C:\WINNT\SYSTEM32\SPOOLSV.EXE
stisvc = C:\WINNT\SYSTEM32\STISVC.EXE
SysmonLog = C:\WINNT\SYSTEM32\SMLOGSVC.EXE
TapiSrv = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
TlntSvr = C:\WINNT\SYSTEM32\TLNTSVR.EXE
TrkWks = C:\WINNT\SYSTEM32\SERVICES.EXE
UPS = C:\WINNT\SYSTEM32\UPS.EXE
UtilMan = C:\WINNT\SYSTEM32\UTILMAN.EXE
VIPTray = C:\WINNT\SYSTEM32\VIPTRAY.EXE
W32Time = C:\WINNT\SYSTEM32\SERVICES.EXE
W3SVC = C:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
WinMgmt = C:\WINNT\SYSTEM32\WBEM\WINMGMT.EXE
WmdmPmSN = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
Wmi = C:\WINNT\SYSTEM32\SERVICES.EXE
wuauserv = C:\WINNT\SYSTEM32\SVCHOST.EXE -K WUGROUP
WZCSVC = C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS
文件驱动
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
BdGuard = C:\WINNT\SYSTEM32\DRIVERS\BDGUARD.SYS
MRxSmb = C:\WINNT\SYSTEM32\DRIVERS\MRXSMB.SYS
NetBIOS = C:\WINNT\SYSTEM32\DRIVERS\NETBIOS.SYS
Rdbss = C:\WINNT\SYSTEM32\DRIVERS\RDBSS.SYS
Srv = C:\WINNT\SYSTEM32\DRIVERS\SRV.SYS
系统驱动项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
ACPI = C:\WINNT\SYSTEM32\DRIVERS\ACPI.SYS
AFD = C:\WINNT\SYSTEM32\DRIVERS\AFD.SYS
AsyncMac = C:\WINNT\SYSTEM32\DRIVERS\ASYNCMAC.SYS
atapi = C:\WINNT\SYSTEM32\DRIVERS\ATAPI.SYS
Atmarpc = C:\WINNT\SYSTEM32\DRIVERS\ATMARPC.SYS
audstub = C:\WINNT\SYSTEM32\DRIVERS\AUDSTUB.SYS
BaseTDI = C:\WINNT\SYSTEM32\DRIVERS\BASETDI.SYS
CCDECODE = C:\WINNT\SYSTEM32\DRIVERS\CCDECODE.SYS
Disk = C:\WINNT\SYSTEM32\DRIVERS\DISK.SYS
dmboot = C:\WINNT\SYSTEM32\DRIVERS\DMBOOT.SYS
dmio = C:\WINNT\SYSTEM32\DRIVERS\DMIO.SYS
dmload = C:\WINNT\SYSTEM32\DRIVERS\DMLOAD.SYS
EverestDriver = F:\补丁\TOOL\系统\EVERESTULTIMATE281B\KERNELD.WNT
ExpScaner = D:\PROGRAM FILES\RISING\RAV\EXPSCAN.SYS
Fdc = C:\WINNT\SYSTEM32\DRIVERS\FDC.SYS
Flpydisk = C:\WINNT\SYSTEM32\DRIVERS\FLPYDISK.SYS
FsVga = C:\WINNT\SYSTEM32\DRIVERS\FSVGA.SYS
Ftdisk = C:\WINNT\SYSTEM32\DRIVERS\FTDISK.SYS
Gpc = C:\WINNT\SYSTEM32\DRIVERS\MSGPC.SYS
hardlock = C:\WINNT\SYSTEM32\DRIVERS\HARDLOCK.SYS
Haspnt = C:\WINNT\SYSTEM32\DRIVERS\HASPNT.SYS
HookCont = D:\PROGRAM FILES\RISING\RAV\HOOKCONT.SYS
HookReg = D:\PROGRAM FILES\RISING\RAV\HOOKREG.SYS
hooksys = D:\PROGRAM FILES\RISING\RAV\HOOKSYS.SYS
i8042prt = C:\WINNT\SYSTEM32\DRIVERS\I8042PRT.SYS
IpFilterDriver = C:\WINNT\SYSTEM32\DRIVERS\IPFLTDRV.SYS
IpInIp = C:\WINNT\SYSTEM32\DRIVERS\IPINIP.SYS
IpNat = C:\WINNT\SYSTEM32\DRIVERS\IPNAT.SYS
IPSEC = C:\WINNT\SYSTEM32\DRIVERS\IPSEC.SYS
IRENUM = C:\WINNT\SYSTEM32\DRIVERS\IRENUM.SYS
isapnp = C:\WINNT\SYSTEM32\DRIVERS\ISAPNP.SYS
Kbdclass = C:\WINNT\SYSTEM32\DRIVERS\KBDCLASS.SYS
Mouclass = C:\WINNT\SYSTEM32\DRIVERS\MOUCLASS.SYS
MPE = C:\WINNT\SYSTEM32\DRIVERS\MPE.SYS
MSKSSRV = C:\WINNT\SYSTEM32\DRIVERS\MSKSSRV.SYS
MSPCLOCK = C:\WINNT\SYSTEM32\DRIVERS\MSPCLOCK.SYS
MSPQM = C:\WINNT\SYSTEM32\DRIVERS\MSPQM.SYS
MSTEE = C:\WINNT\SYSTEM32\DRIVERS\MSTEE.SYS
NABTSFEC = C:\WINNT\SYSTEM32\DRIVERS\NABTSFEC.SYS
NdisTapi = C:\WINNT\SYSTEM32\DRIVERS\NDISTAPI.SYS
Ndisuio = C:\WINNT\SYSTEM32\DRIVERS\NDISUIO.SYS
NdisWan = C:\WINNT\SYSTEM32\DRIVERS\NDISWAN.SYS
NetBT = C:\WINNT\SYSTEM32\DRIVERS\NETBT.SYS
NetDetect = C:\WINNT\SYSTEM32\DRIVERS\NETDTECT.SYS
New0 = C:\WINNT\SYSTEM32\NEW.SYS
NPF = C:\WINNT\SYSTEM32\DRIVERS\NPF.SYS
npkcrypt = D:\我的文档\AB\QQ2006 SP2\NPKCRYPT.SYS
nv = C:\WINNT\SYSTEM32\DRIVERS\NV4_MINI.SYS
NwlnkFlt = C:\WINNT\SYSTEM32\DRIVERS\NWLNKFLT.SYS
NwlnkFwd = C:\WINNT\SYSTEM32\DRIVERS\NWLNKFWD.SYS
P1C1394 = C:\WINNT\SYSTEM32\DRIVERS\P1C1394.SYS
Parallel = C:\WINNT\SYSTEM32\DRIVERS\PARALLEL.SYS
Parport = C:\WINNT\SYSTEM32\DRIVERS\PARPORT.SYS
PCI = C:\WINNT\SYSTEM32\DRIVERS\PCI.SYS
PCIIde = C:\WINNT\SYSTEM32\DRIVERS\PCIIDE.SYS
pfc = C:\WINNT\SYSTEM32\DRIVERS\PFC.SYS
PptpMiniport = C:\WINNT\SYSTEM32\DRIVERS\RASPPTP.SYS
Ptilink = C:\WINNT\SYSTEM32\DRIVERS\PTILINK.SYS
RasAcd = C:\WINNT\SYSTEM32\DRIVERS\RASACD.SYS
Rasl2tp = C:\WINNT\SYSTEM32\DRIVERS\RASL2TP.SYS
Raspti = C:\WINNT\SYSTEM32\DRIVERS\RASPTI.SYS
RCA = C:\WINNT\SYSTEM32\DRIVERS\RCA.SYS
rtl8139 = C:\WINNT\SYSTEM32\DRIVERS\RTL8139.SYS
serenum = C:\WINNT\SYSTEM32\DRIVERS\SERENUM.SYS
Serial = C:\WINNT\SYSTEM32\DRIVERS\SERIAL.SYS
Sfloppy = C:\WINNT\SYSTEM32\DRIVERS\SFLOPPY.SYS
SLIP = C:\WINNT\SYSTEM32\DRIVERS\SLIP.SYS
SMBios = C:\WINNT\SYSTEM32\DRIVERS\SMBIOS.SYS
streamip = C:\WINNT\SYSTEM32\DRIVERS\STREAMIP.SYS
swenum = C:\WINNT\SYSTEM32\DRIVERS\SWENUM.SYS
Tcpip = C:\WINNT\SYSTEM32\DRIVERS\TCPIP.SYS
TxNtSys = UNC\SQL\我的光碟 (D)\TXNTSYS.SYS
uhcd = C:\WINNT\SYSTEM32\DRIVERS\UHCD.SYS
Update = C:\WINNT\SYSTEM32\DRIVERS\UPDATE.SYS
usbhub = C:\WINNT\SYSTEM32\DRIVERS\USBHUB.SYS
USBSTOR = C:\WINNT\SYSTEM32\DRIVERS\USBSTOR.SYS
VgaSave = C:\WINNT\SYSTEM32\DRIVERS\VGA.SYS
Wanarp = C:\WINNT\SYSTEM32\DRIVERS\WANARP.SYS
WSTCODEC = C:\WINNT\SYSTEM32\DRIVERS\WSTCODEC.SYS
烂笔头1 - 2006-6-30 16:14:00
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 16:01:06, 日期 2006-6-30
操作系统: Windows 2000 SP4 (WinNT 5.00.2195)
浏览器: Internet Explorer v6.00 SP1 (6.00.2800.1106)
当前运行的进程:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
d:\Program Files\Rising\Rav\RavService.exe
C:\WINNT\NTService.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\VIPTray.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\conime.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINNT\system32\msime.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Rising\Rav\RavTimer.exe
D:\Program Files\Rising\Rav\RavTray.exe
D:\Program Files\Rising\Rav\RavMon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\WINNT\system32\downs.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MicroBak\downs.exe
D:\绿色\GreenBrowserGB\GreenBrowser.exe
C:\DOCUME~1\sales51\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Kingsoft\XDict\XDICT.EXE
C:\Documents and Settings\sales51\桌面\RsDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\sales51\LOCALS~1\Temp\Rar$EX00.438\HijackThis1991zww.exe
R3 - URLSearchHook: (no name) - {02496EBD-8455-48db-B3C7-5DAC97D9F5A7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINNT\system32\WinDefendor.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\Program Files\Baidu\bar\BaiduBar.DLL
O2 - BHO: (no name) - {9593496E-F7B8-49D5-ABD2-74A71335D26E} - C:\PROGRA~1\MYAPPL~1\IEBHO.dll
O3 - IE工具栏增项: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - IE工具栏增项: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\Program Files\Baidu\bar\BaiduBar.DLL
O4 - 启动项HKLM\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [Systems32] C:\WINNT\system32\Server.exe
O4 - 启动项HKLM\\Run: [RavTimer] d:\Program Files\Rising\Rav\RavTimer.exe
O4 - 启动项HKLM\\Run: [RavTray] d:\Program Files\Rising\Rav\RavTray.exe
O4 - 启动项HKLM\\Run: [RavMon] d:\Program Files\Rising\Rav\RavMon.exe -system
O4 - 启动项HKLM\\Run: [\\lambda\EPSON Stylus C67 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P32 "\\lambda\EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - 启动项HKLM\\Run: [downs] C:\WINNT\system32\downs.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: IE-BAR.lnk = C:\WINNT\system32\rundll32.exe
O8 - IE右键菜单中的新增项目: 转换为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - IE右键菜单中的新增项目: 转换为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - IE右键菜单中的新增项目: 转换选定的链接为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - IE右键菜单中的新增项目: 转换选定的链接为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - IE右键菜单中的新增项目: 转换选项为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - IE右键菜单中的新增项目: 转换选项为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - IE右键菜单中的新增项目: 转换链接目标为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - IE右键菜单中的新增项目: 转换链接目标为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C6A3D68-285E-4C89-A6EF-6CE3BD59BB71}: NameServer = 218.85.157.99,202.101.98.55
O18 - 列举现有的协议: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: ipp - (no CLSID) - (no file)
O18 - 列举现有的协议: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll
O18 - 列举现有的协议: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINNT\system32\inetcomm.dll
O18 - 列举现有的协议: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - 列举现有的协议: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll
O18 - 列举现有的协议: msdaipp - (no CLSID) - (no file)
O18 - 列举现有的协议: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - 列举现有的协议: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - NT 服务: RavService - Unknown owner - d:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: VIPTray - Unknown owner - C:\WINNT\System32\VIPTray.exe
我把红色的给删了对不?
轩辕小聪 - 2006-6-30 16:37:00
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINNT\system32\WinDefendor.dll
O4 - Global Startup: IE-BAR.lnk = C:\WINNT\system32\rundll32.exe
O23 - NT 服务: VIPTray - Unknown owner - C:\WINNT\System32\VIPTray.exe
这几项的处理方法参考：http://forum.ikaka.com/topic.asp?board=28&artid=8113452
另外:
结束进程:
C:\WINNT\system32\downs.exe
C:\WINNT\system32\msime.exe
C:\WINNT\NTService.exe
修复:
O4 - 启动项HKLM\\Run: [Systems32] C:\WINNT\system32\Server.exe
O4 - 启动项HKLM\\Run: [downs] C:\WINNT\system32\downs.exe
删除:
C:\WINNT\system32\downs.exe
C:\WINNT\system32\msime.exe
C:\WINNT\system32\Server.exe
C:\WINNT\NTService.exe
另外:
C:\DOCUME~1\sales51\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Program Files\MicroBak\downs.exe
这两个又是什么东西?自己装的?
从瑞星听诊器的日志上看,楼主中的东西不少
做完以上步骤之后,重启,在http://forum.ikaka.com/topic.asp?board=28&artid=6979213下载System Repair Engineer 2.0.21.505(RC2)和Autoruns分别导出日志。
记住用Autoruns导出日志时,要先隐藏微软项目(Options-Hide Microsoft Entries),然后刷新一下(File-Refresh)然后再导出(File-Save)。
于维克托 - 2006-6-30 16:39:00
好晕呦~~~~@#$%$#%@$%@
启动项HKLM\\Run: [Systems32] C:\WINNT\system32\Server.exe
好像有问题。
烂笔头1 - 2006-6-30 17:05:00
2006-06-30,16:54:04
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [Microsoft Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<Acrobat Assistant 7.0><"D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"> [Adobe Systems Inc.]
<NvCplDaemon><RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<RavTimer><d:\Program Files\Rising\Rav\RavTimer.exe> [Beijing Rising Technology Co., Ltd.]
<RavTray><d:\Program Files\Rising\Rav\RavTray.exe> [Rising]
<RavMon><d:\Program Files\Rising\Rav\RavMon.exe -system> [Beijing Rising Technology Co., Ltd.]
<\\lambda\EPSON Stylus C67 Series><C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P32 "\\lambda\EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"> []
<downs><C:\WINNT\system32\downs.exe> [bcnet]
<spoolsv><C:\WINNT\system32\spoolsv\spoolsv.exe -printer> [广州傲讯信息科技有限公司]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<KernelFaultCheck><C:\WINNT\system32\msime.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{C9953583-932E-4EA1-A04B-4523AAB72C30}><C:\Program Files\Internet Explorer\PLUGINS\system.sys> []
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> []
==================================
启动文件夹
[Adobe Gamma Loader]
<C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk><N>
[Adobe Acrobat Speed Launcher]
<C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动\Adobe Acrobat Speed Launcher.lnk><N>
[Microsoft Office]
<C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动\Microsoft Office.lnk><N>
[IE-BAR]
<C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动\IE-BAR.lnk><N>
烂笔头1 - 2006-6-30 17:05:00
==================================
服务
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Macromedia Licensing Service / Macromedia Licensing Service]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
[RavService / RavService]
<"d:\Program Files\Rising\Rav\RavService.exe" /service><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<D:\PROGRAM FILES\RISING\RAV\Ravmond.exe><Beijing Rising Technology Co., Ltd.>
==================================
浏览器加载项
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[wmpdrm]
{0E674588-66B7-4E19-9D0E-2053B800F69F} <C:\WINNT\system32\wmpdrm.dll, Allsum Info. Tech. Ltd.>
[MyIEHelper Class]
{16A770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\IEHelper\IEHelper_4552.dll, Microsoft Corporation>
[BandIE Class]
{77FEF28E-EB96-44FF-B511-3185DEA48697} <C:\Program Files\Baidu\bar\BaiduBar.DLL, Baidu.com, Inc.>
[]
{9593496E-F7B8-49D5-ABD2-74A71335D26E} <C:\PROGRA~1\MYAPPL~1\IEBHO.dll, N/A>
[Adobe PDF]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} <D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[百度超级搜霸]
{B580CF65-E151-49C3-B73F-70B13FCA8E86} <C:\Program Files\Baidu\bar\BaiduBar.DLL, Baidu.com, Inc.>
[XML DOM Document 4.0]
{88D969C0-F192-11D4-A65F-0040963251E5} <%SystemRoot%\System32\msxml4.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\System32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[转换为 Adobe PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[转换为现有 PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[转换选定的链接为 Adobe PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html, N/A>
[转换选定的链接为现有 PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html, N/A>
[转换选项为 Adobe PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[转换选项为现有 PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[转换链接目标为 Adobe PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[转换链接目标为现有 PDF]
<res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
==================================
正在运行的进程
[PID: 136][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 160][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 156][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6898>
[PID: 208][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.6700>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[PID: 220][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.6902>
[PID: 376][D:\PROGRAM FILES\RISING\RAV\Ravmond.exe] <Beijing Rising Technology Co., Ltd.><17, 0, 1, 58>
[D:\PROGRAM FILES\RISING\RAV\guidll.dll] <rising><17, 0, 0, 13>
[D:\PROGRAM FILES\RISING\RAV\RsCommX.dll] <rising><17, 0, 0, 3>
[D:\PROGRAM FILES\RISING\RAV\RSAPPMGR.DLL] <Rising Corp.><17, 0, 0, 7>
[D:\PROGRAM FILES\RISING\RAV\CfgDll.dll] <Rising Corp.><17, 0, 1, 71>
[d:\Program Files\Rising\Rav\Scanner.dll] <Rising><17, 0, 0, 43>
[D:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 17>
[d:\Program Files\Rising\Rav\libload.dll] <Rising><17, 0, 0, 14>
[d:\Program Files\Rising\Rav\VirusLib.dll] <Rising><17, 0, 0, 26>
[D:\PROGRAM FILES\RISING\RAV\MailMon.dll] < ><17, 0, 0, 9>
[d:\Program Files\Rising\Rav\SpamEng.dll] <N/A><17, 0, 0, 7>
[D:\PROGRAM FILES\RISING\RAV\MemMon.dll] <北京瑞星><17, 8, 0, 0>
[D:\PROGRAM FILES\RISING\RAV\expscan.dll] <N/A><17, 0, 0, 6>
[D:\PROGRAM FILES\RISING\RAV\mPorts.dll] <Beijing Rising Technology Corporation Limited><3, 0, 0, 3>
[D:\PROGRAM FILES\RISING\RAV\regmon.dll] < ><17, 0, 0, 12>
[D:\PROGRAM FILES\RISING\RAV\HookWeb.dll] <rising><17, 0, 0, 4>
[d:\Program Files\Rising\Rav\engine.dll] <rising><17, 0, 0, 43>
[d:\Program Files\Rising\Rav\UnExe.dll] <Rising><17, 0, 0, 31>
[d:\Program Files\Rising\Rav\ScanEx.dll] <Rising><17, 0, 0, 39>
[d:\Program Files\Rising\Rav\PostTrt.dll] <Rising><17, 0, 0, 21>
[d:\Program Files\Rising\Rav\NvFile.dll] <瑞星><17, 0, 0, 13>
[d:\Program Files\Rising\Rav\ScanMac.dll] <rising><17, 0, 0, 20>
[d:\Program Files\Rising\Rav\ScanSct.dll] <rising><17, 0, 0, 37>
[d:\Program Files\Rising\Rav\ScanExec.dll] <N/A><17, 0, 0, 23>
[d:\Program Files\Rising\Rav\Unpacker.dll] <rising><17, 0, 0, 19>
[d:\Program Files\Rising\Rav\ExtOLE.dll] <rising><17, 0, 0, 22>
[PID: 400][D:\PROGRAM FILES\RISING\RAV\RavStub.exe] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 27>
[D:\PROGRAM FILES\RISING\RAV\RsCommX.dll] <rising><17, 0, 0, 3>
[D:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 17>
[PID: 432][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 468][C:\WINNT\system32\spoolsv.exe] <Microsoft Corporation><5.00.2195.7059>
[C:\WINNT\system32\AdobePDF.dll] <Adobe Systems Incorporated.><7.0.0.00>
[D:\Program Files\Adobe\Acrobat 7.0\Distillr\AdistRes.CHS] <N/A><N/A>
[C:\WINNT\system32\ZLhp1020.DLL] <Zenographics, Inc.><5, 53, 2714, 0>
[C:\WINNT\system32\ZLM.dll] <Zenographics, Inc.><5, 50, 1416, 0>
[C:\WINNT\system32\spool\PRTPROCS\W32X86\IMFPrint.DLL] <Zenographics, Inc.><5, 54, 330, 0>
[C:\WINNT\system32\Imf32.dll] <Zenographics, Inc.><5, 60, 1204, 0>
[C:\WINNT\system32\ZTAG32.dll] <Zenographics, Inc.><5, 60, 1210, 0>
[C:\WINNT\system32\ZSPOOL.dll] <Zenographics, Inc.><5, 51, 709, 0>
[PID: 512][C:\WINNT\System32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 556][C:\WINNT\System32\nvsvc32.exe] <NVIDIA Corporation><6.14.10.7610>
[PID: 600][d:\Program Files\Rising\Rav\RavService.exe] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 73>
[d:\Program Files\Rising\Rav\RsCommX.dll] <rising><17, 0, 0, 3>
[PID: 672][C:\WINNT\system32\MSTask.exe] <Microsoft Corporation><4.71.2195.6704>
[PID: 700][C:\WINNT\system32\stisvc.exe] <Microsoft Corporation><5.00.2195.6656>
[PID: 760][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 776][C:\WINNT\system32\inetsrv\inetinfo.exe] <Microsoft Corporation><5.00.0984>
[PID: 1028][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[C:\WINNT\system32\msicn\msibm.dll] <广州傲讯信息科技有限公司><2, 0, 0, 1>
[C:\WINNT\system32\msicn\plugins\bse.dll] <广州傲讯信息
烂笔头1 - 2006-6-30 17:05:00
科技有限公司><2, 0, 0, 1>
[C:\WINNT\system32\msicn\plugins\lup.dll] <广州傲讯信息科技有限公司><2, 0, 0, 1>
[C:\WINNT\system32\msicn\plugins\bm.dll] <广州傲讯信息科技有限公司><2, 0, 0, 1>
[C:\WINNT\system32\msicn\plugins\as.dll] <广州傲讯信息科技有限公司><2, 0, 0, 1>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\WINNT\system32\RAVEXT.DLL] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 8>
[D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] <Adobe Systems Incorporated><7.0.0.2004121400>
[C:\Program Files\Baidu\bar\BaiduBar.DLL] <Baidu.com, Inc.><2, 0, 2, 78>
[C:\PROGRA~1\MYAPPL~1\IEBHO.dll] <N/A><N/A>
[D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] <Adobe Systems, Inc.><7.0.0.0>
[D:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll] <Adobe Systems Inc.><7.0.0.2004121400\0>
[D:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.chs] <Adobe Systems Inc.><7.0.0.2004121400\0>
[PID: 1148][D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe] <Adobe Systems Inc.><6.0.1.2004121400>
[D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.chs] <Adobe Systems Inc.><6.0.0.0>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1172][D:\Program Files\Rising\Rav\RavTimer.exe] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 36>
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 17>
[D:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Rising Corp.><17, 0, 0, 7>
[D:\Program Files\Rising\Rav\CfgDll.dll] <Rising Corp.><17, 0, 1, 71>
[D:\Program Files\Rising\Rav\RsCommX.dll] <rising><17, 0, 0, 3>
[C:\DOCUME~1\sales51\LOCALS~1\Temp\rsxaoz.dll] <WinRAR archiver><3, 4, 2, 0>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1152][D:\Program Files\Rising\Rav\RavTray.exe] <Rising><17, 0, 0, 32>
[D:\Program Files\Rising\Rav\RavTray936.dll] <Rising><17, 0, 0, 28>
[d:\Program Files\Rising\Rav\RsCommx.dll] <rising><17, 0, 0, 3>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1124][D:\Program Files\Rising\Rav\RavMon.exe] <Beijing Rising Technology Co., Ltd.><17, 0, 1, 39>
[D:\Program Files\Rising\Rav\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 40>
[D:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Rising Corp.><17, 0, 0, 7>
[D:\Program Files\Rising\Rav\CfgDll.dll] <Rising Corp.><17, 0, 1, 71>
[D:\Program Files\Rising\Rav\RsCommX.dll] <rising><17, 0, 0, 3>
[D:\Program Files\Rising\Rav\PngDll.dll] <Rising><17, 0, 0, 2>
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><17, 0, 0, 17>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1204][C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE] <SEIKO EPSON CORPORATION><4.00>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1224][C:\WINNT\system32\downs.exe] <bcnet><1.00>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1268][C:\WINNT\system32\internat.exe] <Microsoft Corporation><5.00.2920.0000>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[C:\WINNT\system32\msicn\msibm.dll] <广州傲讯信息科技有限公司><2, 0, 0, 1>
[PID: 1336][D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe] <Adobe Systems Incorporated><7.0.0.0>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1356][C:\WINNT\system32\rundll32.exe] <Microsoft Corporation><5.00.2134.1>
[C:\PROGRA~1\IE-BAR\Cast\dmipn.dll] <千橡互联><2, 2, 1, 0>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[C:\PROGRA~1\IE-BAR\Cast\dmshell.dll] <千橡互联><2, 2, 1, 0>
[C:\Progra~1\IE-BAR\Cast\221~1.0\dmplayer.dll] <千橡互联><2, 2, 1, 0>
[PID: 1248][C:\Program Files\MicroBak\downs.exe] <bcnet><1.00>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1076][D:\绿色\sreng2\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[PID: 1472][D:\绿色\GreenBrowserGB\GreenBrowser.exe] <MoreQuick><1, 0, 0, 0>
[C:\Program Files\Internet Explorer\PLUGINS\system.sys] <N/A><N/A>
[C:\DOCUME~1\sales51\LOCALS~1\Temp\rsxaoz.dll] <WinRAR archiver><3, 4, 2, 0>
[C:\WINNT\System32\Macromed\Flash\Flash8b.ocx] <Macromedia, Inc.><8,0,24,0>
==================================
文件关联
.TXT Error. [NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
烂笔头1 - 2006-6-30 17:11:00
另外:
C:\DOCUME~1\sales51\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Program Files\MicroBak\downs.exe
前面这个是自动填表工具（RoboForm），后面的 downs.exe 我不清楚是什么，刚刚已经删了。
烂笔头1 - 2006-6-30 17:13:00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINNT\system32\userinit.exeUserinit Logon ApplicationMicrosoft Corporationc:\winnt\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exeWindows ExplorerMicrosoft Corporationc:\winnt\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ \\lambda\EPSON Stylus C67 SeriesEPSON Status Monitor 3SEIKO EPSON CORPORATIONc:\winnt\system32\spool\drivers\w32x86\3\e_fatiaap.exe
+ Acrobat Assistant 7.0AcroTrayAdobe Systems Inc.d:\program files\adobe\acrobat 7.0\distillr\acrotray.exe
+ downsbcnetc:\winnt\system32\downs.exe
+ NvCplDaemonNVIDIA Display Properties ExtensionNVIDIA Corporationc:\winnt\system32\nvcpl.dll
+ nwizNVIDIA nView Wizard, Version 105.10 NVIDIA Corporationc:\winnt\system32\nwiz.exe
+ RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravmon.exe
+ RavTimerRavTimerBeijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravtimer.exe
+ RavTrayRavNet TrayRisingd:\program files\rising\rav\ravtray.exe
+ spoolsv傲讯浏览器辅助工具广州傲讯信息科技有限公司c:\winnt\system32\spoolsv\spoolsv.exe
+ Synchronization ManagerMicrosoft Synchronization ManagerMicrosoft Corporationc:\winnt\system32\mobsync.exe
C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动
+ Adobe Acrobat Speed Launcher.lnkc:\winnt\installer\{ac76ba86-2052-0000-7760-100000000002}\sc_acrobat.exe
+ Adobe Gamma Loader.lnkAdobe Gamma LoaderAdobe Systems, Inc.c:\program files\common files\adobe\calibration\adobe gamma loader.exe
+ IE-BAR.lnkRun a DLL as an AppMicrosoft Corporationc:\winnt\system32\rundll32.exe
+ Microsoft Office.lnkMicrosoft Office 2000 componentMicrosoft Corporationc:\program files\microsoft office\office\osa9.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ KernelFaultCheckFile not found: C:\WINNT\system32\msime.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Internat.exeKeyboard Language Indicator AppletMicrosoft Corporationc:\winnt\system32\internat.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-streamMicrosoft .NET Runtime Execution EngineMicrosoft Corporationc:\winnt\system32\mscoree.dll
+ application/x-complusMicrosoft .NET Runtime Execution EngineMicrosoft Corporationc:\winnt\system32\mscoree.dll
+ application/x-msdownloadMicrosoft .NET Runtime Execution EngineMicrosoft Corporationc:\winnt\system32\mscoree.dll
+ Class Install HandlerOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ deflateOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ gzipOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ lzdhtmlOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ text/webviewhtmlWindows Shell Common DllMicrosoft Corporationc:\winnt\system32\shell32.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ aboutMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ cdlOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ fileOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ ftpOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ gopherOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ httpOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ httpsOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ itsMicrosoft® InfoTech Storage System LibraryMicrosoft Corporationc:\winnt\system32\itss.dll
+ javascriptMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ localOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ mailtoMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ mhtmlMicrosoft Internet Messaging APIMicrosoft Corporationc:\winnt\system32\inetcomm.dll
+ mkOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ ms-itsMicrosoft® InfoTech Storage System LibraryMicrosoft Corporationc:\winnt\system32\itss.dll
+ resMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ sysimageMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ vbscriptMicrosoft (R) HTML ViewerMicrosoft Corporationc:\winnt\system32\mshtml.dll
+ vnd.ms.radioWindows Media Player 2 ActiveX ControlMicrosoft Corporationc:\winnt\system32\msdxm.ocx
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
烂笔头1 - 2006-6-30 17:14:00
+ NdisWanRemote Access NDIS WAN DriverMicrosoft Corporationc:\winnt\system32\drivers\ndiswan.sys
+ NetBTNetBios over TcpipMicrosoft Corporationc:\winnt\system32\drivers\netbt.sys
+ NetDetectNetwork Card Detection driverMicrosoft Corporationc:\winnt\system32\drivers\netdtect.sys
+ New0File not found: C:\WINNT\System32\new.sys
+ NPFnpfCACE Technologiesc:\winnt\system32\drivers\npf.sys
+ nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 76.10 NVIDIA Corporationc:\winnt\system32\drivers\nv4_mini.sys
+ NwlnkFltIPX Traffic Filter DriverMicrosoft Corporationc:\winnt\system32\drivers\nwlnkflt.sys
+ NwlnkFwdIPX Traffic Forwarder DriverMicrosoft Corporationc:\winnt\system32\drivers\nwlnkfwd.sys
+ P1C1394File not found: C:\WINNT\System32\Drivers\p1c1394.sys
+ ParallelParallel Printer DriverMicrosoft Corporationc:\winnt\system32\drivers\parallel.sys
+ ParportParallel Port DriverMicrosoft Corporationc:\winnt\system32\drivers\parport.sys
+ PCINT Plug and Play PCI EnumeratorMicrosoft Corporationc:\winnt\system32\drivers\pci.sys
+ PCIIdeGeneric PCI IDE Bus DriverMicrosoft Corporationc:\winnt\system32\drivers\pciide.sys
+ pfcPadus(R) ASPI ShellPadus, Inc.c:\winnt\system32\drivers\pfc.sys
+ PptpMiniportWAN Miniport (PPTP)Microsoft Corporationc:\winnt\system32\drivers\raspptp.sys
+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\winnt\system32\drivers\ptilink.sys
+ RasAcdRemote Access Auto Connection DriverMicrosoft Corporationc:\winnt\system32\drivers\rasacd.sys
+ Rasl2tpWAN Miniport (L2TP)Microsoft Corporationc:\winnt\system32\drivers\rasl2tp.sys
+ RasptiDirect ParallelMicrosoft Corporationc:\winnt\system32\drivers\raspti.sys
+ RCARCA filterMicrosoft Corporationc:\winnt\system32\drivers\rca.sys
+ rtl8139NDIS 5.0 driver Realtek Semiconductor Corporation c:\winnt\system32\drivers\rtl8139.sys
+ serenumSerial Port EnumeratorMicrosoft Corporationc:\winnt\system32\drivers\serenum.sys
+ SerialSerial Device DriverMicrosoft Corporationc:\winnt\system32\drivers\serial.sys
+ SfloppySCSI Floppy DriverMicrosoft Corporationc:\winnt\system32\drivers\sfloppy.sys
+ SLIPMicrosoft Slip Deframing Filter MinidriverMicrosoft Corporationc:\winnt\system32\drivers\slip.sys
+ SMBiosIntel(R) System Management BIOS DriverIntel Corporationc:\winnt\system32\drivers\smbios.sys
+ streamipMicrosoft IP DriverMicrosoft Corporationc:\winnt\system32\drivers\streamip.sys
+ swenumPlug and Play Software Device EnumeratorMicrosoft Corporationc:\winnt\system32\drivers\swenum.sys
+ TcpipTCP/IP Protocol DriverMicrosoft Corporationc:\winnt\system32\drivers\tcpip.sys
+ uhcdUniversal Host Controller DriverMicrosoft Corporationc:\winnt\system32\drivers\uhcd.sys
+ UpdateUpdate DriverMicrosoft Corporationc:\winnt\system32\drivers\update.sys
+ usbhubDefault Hub Driver for USBMicrosoft Corporationc:\winnt\system32\drivers\usbhub.sys
+ USBSTORUSB Mass Storage Class DriverMicrosoft Corporationc:\winnt\system32\drivers\usbstor.sys
+ VgaSaveVGA/Super VGA Video DriverMicrosoft Corporationc:\winnt\system32\drivers\vga.sys
+ WanarpRemote Access IP ARP DriverMicrosoft Corporationc:\winnt\system32\drivers\wanarp.sys
+ WSTCODECWDM WST Codec DriverMicrosoft Corporationc:\winnt\system32\drivers\wstcodec.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk *Auto Check UtilityMicrosoft Corporationc:\winnt\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a pathSymbolic Debugger for Windows 2000Microsoft Corporationc:\winnt\system32\ntsd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32Advanced Windows 32 Base APIMicrosoft Corporationc:\winnt\system32\advapi32.dll
+ comdlg32Common Dialogs DLLMicrosoft Corporationc:\winnt\system32\comdlg32.dll
+ gdi32GDI Client DLLMicrosoft Corporationc:\winnt\system32\gdi32.dll
+ imagehlpWindows NT Image HelperMicrosoft Corporationc:\winnt\system32\imagehlp.dll
+ kernel32Windows NT BASE API Client DLLMicrosoft Corporationc:\winnt\system32\kernel32.dll
+ lz32LZ Expand/Compress API DLLMicrosoft Corporationc:\winnt\system32\lz32.dll
+ ole32Microsoft OLE for WindowsMicrosoft Corporationc:\winnt\system32\ole32.dll
+ oleaut32Microsoft Corporationc:\winnt\system32\oleaut32.dll
+ olecli32Object Linking and Embedding Client LibraryMicrosoft Corporationc:\winnt\system32\olecli32.dll
+ olecnv32Microsoft OLE for WindowsMicrosoft Corporationc:\winnt\system32\olecnv32.dll
+ olesvr32Object Linking and Embedding Server LibraryMicrosoft Corporationc:\winnt\system32\olesvr32.dll
+ olethk32Microsoft OLE for WindowsMicrosoft Corporationc:\winnt\system32\olethk32.dll
+ rpcrt4Remote Procedure Call RuntimeMicrosoft Corporationc:\winnt\system32\rpcrt4.dll
+ shell32Windows Shell Common DllMicrosoft Corporationc:\winnt\system32\shell32.dll
+ urlInternet Shortcut Shell Extension DLLMicrosoft Corporationc:\winnt\system32\url.dll
+ urlmonOLE32 Extensions for Win32Microsoft Corporationc:\winnt\system32\urlmon.dll
+ user32Windows 2000 USER API Client DLLMicrosoft Corporationc:\winnt\system32\user32.dll
+ versionVersion Checking and File Installation LibrariesMicrosoft Corporationc:\winnt\system32\version.dll
+ wininetInternet Extensions for Win32Microsoft Corporationc:\winnt\system32\wininet.dll
+ wldap32Win32 LDAP API DLLMicrosoft Corporationc:\winnt\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ crypt32chainCrypto API32Microsoft Corporationc:\winnt\system32\crypt32.dll
+ cryptnetCrypto Network Related APIMicrosoft Corporationc:\winnt\system32\cryptnet.dll
+ cscdllOffline Network AgentMicrosoft Corporationc:\winnt\system32\cscdll.dll
+ sclgntfySecondary Logon Service Notification DLLMicrosoft Corporationc:\winnt\system32\sclgntfy.dll
+ SensLognCommon DLL to receive Winlogon notificationsMicrosoft Corporationc:\winnt\system32\wlnotify.dll
+ wzcnotifWireless Zero Configuration Service UIMicrosoft Corporationc:\winnt\system32\wzcdlg.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (无)File not found: (无)
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{3897F4D1-1B14-4D69-AA01-D854D9462047}] DATAGRAM 1Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{3897F4D1-1B14-4D69-AA01-D854D9462047}] SEQPACKET 1Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C6A3D68-285E-4C89-A6EF-6CE3BD59BB71}] DATAGRAM 0Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C6A3D68-285E-4C89-A6EF-6CE3BD59BB71}] SEQPACKET 0Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2F6506B-CC73-4935-9FE8-6A5643DC7B2B}] DATAGRAM 2Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2F6506B-CC73-4935-9FE8-6A5643DC7B2B}] SEQPACKET 2Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD Tcpip [RAW/IP]Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD Tcpip [TCP/IP]Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ MSAFD Tcpip [UDP/IP]Microsoft Windows Sockets 2.0 Service ProviderMicrosoft Corporationc:\winnt\system32\msafd.dll
+ RSVP TCP Service ProviderMicrosoft Windows Rsvp 1.0 Service ProviderMicrosoft Corporationc:\winnt\system32\rsvpsp.dll
+ RSVP UDP Service ProviderMicrosoft Windows Rsvp 1.0 Service ProviderMicrosoft Corporationc:\winnt\system32\rsvpsp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF PortAcrobat ? PDF PortAdobe Systems Incorporated.c:\winnt\system32\adobepdf.dll
+ BJ Language MonitorLangage Monitor for Canon Bubble-Jet PrinterMicrosoft Corporationc:\winnt\system32\cnbjmon.dll
+ HPLJ1020LMSpooler Language Monitor for HP LaserJet Series 1020/2600Zenographics, Inc.c:\winnt\system32\zlhp1020.dll
+ Local PortLocal Spooler DLLMicrosoft Corporationc:\winnt\system32\localspl.dll
+ PJL Language MonitorSpooler Setup DLLMicrosoft Corporationc:\winnt\system32\pjlmon.dll
+ Standard TCP/IP PortStandard TCP/IP Port Monitor DLLMicrosoft Corporationc:\winnt\system32\tcpmon.dll
+ USB MonitorStandard USB printing Port Monitor DLLMicrosoft Corporationc:\winnt\system32\usbmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ msv1_0Microsoft Authentication Package v1.0Microsoft Corporationc:\winnt\system32\msv1_0.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ scecliWindows Security Configuration Editor Client EngineMicrosoft Corporationc:\winnt\system32\scecli.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
+ kerberosKerberos Security PackageMicrosoft Corporationc:\winnt\system32\kerberos.dll
+ msv1_0Microsoft Authentication Package v1.0Microsoft Corporationc:\winnt\system32\msv1_0.dll
+ schannelTLS / SSL Security ProviderMicrosoft Corporationc:\winnt\system32\schannel.dll
轩辕小聪 - 2006-6-30 17:19:00

楼主似乎没有仔细看回帖……
做完回帖所说的东西之后，重启，再重新导出日志。而且 Autoruns 要先隐藏微软项目，否则导出的日志里十有八九都是系统项目，冗长无比。
烂笔头1 - 2006-6-30 17:24:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ \\lambda\EPSON Stylus C67 SeriesEPSON Status Monitor 3SEIKO EPSON CORPORATIONc:\winnt\system32\spool\drivers\w32x86\3\e_fatiaap.exe
+ Acrobat Assistant 7.0AcroTrayAdobe Systems Inc.d:\program files\adobe\acrobat 7.0\distillr\acrotray.exe
+ downsbcnetc:\winnt\system32\downs.exe
+ NvCplDaemonNVIDIA Display Properties ExtensionNVIDIA Corporationc:\winnt\system32\nvcpl.dll
+ nwizNVIDIA nView Wizard, Version 105.10 NVIDIA Corporationc:\winnt\system32\nwiz.exe
+ RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravmon.exe
+ RavTimerRavTimerBeijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravtimer.exe
+ RavTrayRavNet TrayRisingd:\program files\rising\rav\ravtray.exe
+ spoolsv傲讯浏览器辅助工具广州傲讯信息科技有限公司c:\winnt\system32\spoolsv\spoolsv.exe
C:\Documents and Settings\All Users.WINNT\「开始」菜单\程序\启动
+ Adobe Acrobat Speed Launcher.lnkc:\winnt\installer\{ac76ba86-2052-0000-7760-100000000002}\sc_acrobat.exe
+ Adobe Gamma Loader.lnkAdobe Gamma LoaderAdobe Systems, Inc.c:\program files\common files\adobe\calibration\adobe gamma loader.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ KernelFaultCheckFile not found: C:\WINNT\system32\msime.exe
HKLM\System\CurrentControlSet\Services
+ NVSvcProvides system and desktop level support to the NVIDIA display driverNVIDIA Corporationc:\winnt\system32\nvsvc32.exe
+ RavService瑞星杀毒软件网络版客户端通讯代理Beijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravservice.exe
+ RsRavMonRavMonBeijing Rising Technology Co., Ltd.d:\program files\rising\rav\ravmond.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ system.sysc:\program files\internet explorer\plugins\system.sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ "RISING"Rising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\winnt\system32\ravext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj ClassAdobe Acrobat IE Helper Version 7.0 for ActiveXAdobe Systems Incorporatedd:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ BandIE ClassBaiduBar ModuleBaidu.com, Inc.c:\program files\baidu\bar\baidubar.dll
+ wmpdrm傲讯浏览器辅助工具Allsum Info. Tech. Ltd.c:\winnt\system32\wmpdrm.dll
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ DllDirectoryc:\winnt\system32
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (无)File not found: (无)
烂笔头1 - 2006-6-30 17:25:00
不好意思，没注意看，找了个汉化版的 Autoruns。
+ downs bcnet c:\winnt\system32\downs.exe
估计有问题，应该如何处理？
BlackStone - 2006-6-30 17:39:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ downsbcnetc:\winnt\system32\downs.exe
+ spoolsv傲讯浏览器辅助工具广州傲讯信息科技有限公司c:\winnt\system32\spoolsv\spoolsv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ KernelFaultCheckFile not found: C:\WINNT\system32\msime.exe
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ system.sysc:\program files\internet explorer\plugins\system.sys
+ wmpdrm傲讯浏览器辅助工具Allsum Info. Tech. Ltd.c:\winnt\system32\wmpdrm.dll
先删除上面列出的这几个启动项；
然后重启（system.sys 这类文件已经加载在 explorer.exe 等进程里，运行中无法直接删掉）；
重启后再删除相应的文件。
烂笔头1 - 2006-6-30 17:45:00
嗯，最后谢谢轩辕小聪和 BlackStone，发自肺腑的。