Rising Kaka Security Forum
我的疑问 - 2006-7-29 9:42:00
The contents of the archive are as follows:
First, the scan report from before the system went bad:
SREngLOG
Then the report from after the system crashed:
SREngLOG1
Third, the report from the System Security Analysis Expert:
Analysis report
The specific problem shows up in explorer.exe.
Several screenshots are in the document DOC1.DOC.
Before the last boot the system was entirely normal, including the domain services, FTP, WEB, DNS, the proxy server and everything else.
The symptoms after it was damaged are:
EXPLORER.EXE constantly sits at 50% CPU usage. With nothing running it stays steady at 50%.
After logging in, the desktop does not display.
The small monitor-shaped network connection icon in the lower right corner does not display.
Right-clicking the desktop does nothing.
Trying to open Control Panel, My Documents and so on from the Start menu
gives the prompt: Cannot find the file "(null)" or one of its components. Make sure the path and filename are correct and that all required libraries are available.
A few seconds later another prompt follows: Access to the specified device, path, or file is denied.
After the prompt the system hangs; even the taskbar does not display.
Tried Ctrl+Alt+Del, New Task, Browse, and ran Process Explorer to monitor processes.
Saw that under the explorer.exe process there were two more explorer.exe processes.
Used the kill function to kill the two explorer.exe child processes under explorer.exe.
There was some reaction: the network connection icon in the lower right corner appeared, but the desktop still would not display.
Double-clicked the main explorer.exe process that was taking 50% CPU; a dialog popped up; looked at the Threads tab.
Found a thread, explorer.exe+oZ8188, taking 50% CPU.
Used the kill function to end it. That also had some effect: CPU usage went back to normal, not exceeding 5%, but the desktop still would not display.
At that point the explorer.exe process was still running; only the explorer.exe+oZ8188 thread inside it had been closed.
(see the picture in the archive)
Clicked explorer.exe and found its command line:
the path was c:\winnt\explorer.exe+e%@#%^%^&& followed by a pile of garbage characters.
On other, normal systems it is c:\winnt\explorer.exe with no garbage after it.
Current directory: this directory also differs from the path on a normal system:
normally it is c:\documents and settings\<your computer name>,
while mine is d:\bc268e960fa66587e244e4404a\update\update.exe
Following this clue, I ran the firewall, looked at the detailed settings, and checked the access rules:
There was a pile of inexplicable rules in effect, among them d:\bc268e960fa66587e244e4404a\update\update.exe
d:\bc268e960fa66587e244e4404a\update\update.exe
d:\bc268e960fa66587e244e4404a\update\update.exe
d:\bc268e960fa66587e244e4404a\update\update.exe
d:\bc268e960fa66587e244e4404a\update\update.exe
There were a dozen or so rules like this, allowed to run. The directory name bc268e960fa66587e244e4404a in them varies; they are not all the same.
I just could not write them all out, so I copied one as a representative.
There was also a rule for c:\winnt\softwaredistribution\download\02cdaef42faf7aa5ca7c02c80ddaad01\update\update.exe.
Recycle Bin
c:RECYCLER shows a folder icon
S-1-5-21-746137067-1425521274-839522115-500
S-1-5-21-746137067-57989841-839522115-500
S-1-5-21-823518204-220523388-839522115-500
D:RECYCLER shows a folder icon
S-1-5-21-746137067-1425521274-839522115-500
S-1-5-21-746137067-57989841-839522115-500
S-1-5-21-823518204-220523388-839522115-500
E:RECYCLER shows a recycle bin icon
S-1-5-21-746137067-1425521274-839522115-500
S-1-5-21-746137067-57989841-839522115-500
S-1-5-21-823518204-220523388-839522115-500
The folders on drive D have been left in a mess.
Entering the system in Safe Mode gives the same result. During boot it prompts: press esc to cancel loading "sptd.sys". But information online shows this file is the driver for Daemon Tools 4.x. In IceSword, looking at the SSDT, there are a large number of entries shown in red, including sptd.sys. The other two are safe: one is a Norton file and one is an SSM file.
The internal network connection is abnormal. The external connection is faulty, with a large gap between upload and download rates; most of the time it cannot reach the external network at all.
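The checks the post walks through by hand (the shell's command line against its image path, its current directory against the profile folder, and explorer.exe instances whose parent is another explorer.exe) can be run over a process listing in one pass. The following is an added example, not code from the post, from SREng or from Process Explorer; the records are constructed from the values quoted above, and the child PIDs and the profile name "Administrator" are assumptions. One caveat worth keeping in mind: a folder named with a long random hex string at the root of a drive and holding update\update.exe is the layout Windows update packages use when they extract, and c:\winnt\softwaredistribution\download\<hash>\update\update.exe is where Automatic Updates stages them, so the firewall rules quoted above should be checked against the update history before they are treated as malicious. The script flags such a current directory for review rather than declaring it bad.

```python
"""Process triage for the explorer.exe symptoms described in the post.

Added example: not code from the forum post, SREng or Process Explorer.
Each record holds what Process Explorer shows on its Image tab (image path,
command line, current directory) plus the parent PID.
"""
import re
from dataclasses import dataclass

# Windows 2000 keeps profiles here; the shell's current directory normally
# sits under it (the post: "c:\documents and settings\<name>").
PROFILE_ROOT = r"c:\documents and settings"

# <drive>:\<random hex>\update\update.exe is the layout Windows update
# packages use when they extract, so this is reported for review rather
# than declared malicious: check it against the update history.
UPDATE_PKG_RE = re.compile(r"^[a-z]:\\[0-9a-f]{20,}\\update\\update\.exe$", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    cwd: str


def triage(procs):
    """Apply the three checks to every explorer.exe; return (pid, finding) pairs."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\explorer.exe"):
            continue
        # 1. The shell is started without arguments, so the command line should
        #    be the image path (or bare file name), optionally quoted, and nothing else.
        cl = p.cmdline.strip().strip('"').lower()
        basename = p.image.lower().rsplit("\\", 1)[-1]
        if cl not in (p.image.lower(), basename):
            findings.append((p.pid, f"command line differs from image path: {p.cmdline!r}"))
        # 2. Current directory: expect the user profile, not an extracted
        #    package folder and not a file path.
        cwd = p.cwd.lower()
        if UPDATE_PKG_RE.match(cwd):
            findings.append((p.pid, f"current directory is an update package path, verify: {p.cwd}"))
        elif not cwd.startswith(PROFILE_ROOT):
            findings.append((p.pid, f"current directory outside profile root: {p.cwd}"))
        # 3. The shell is launched by winlogon/userinit; an explorer.exe whose
        #    parent is another explorer.exe was started by something else.
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower().endswith("\\explorer.exe"):
            findings.append((p.pid, f"explorer.exe spawned by explorer.exe (ppid {p.ppid})"))
    return findings


# Constructed records mirroring the post. PIDs 260 and 1308 are from the
# second scan; 1600 and 1604 and the profile name are assumptions.
SAMPLE = [
    Proc(260, 212, r"C:\WINNT\system32\winlogon.exe", r"winlogon.exe", r"C:\WINNT\system32"),
    Proc(1308, 260, r"C:\WINNT\Explorer.EXE", r"C:\WINNT\Explorer.EXE+e%@#%^%^&&",
         r"d:\bc268e960fa66587e244e4404a\update\update.exe"),
    Proc(1600, 1308, r"C:\WINNT\Explorer.EXE", r"C:\WINNT\Explorer.EXE",
         r"C:\Documents and Settings\Administrator"),
    Proc(1604, 1308, r"C:\WINNT\Explorer.EXE", r"C:\WINNT\Explorer.EXE",
         r"C:\Documents and Settings\Administrator"),
    Proc(1340, 1308, r"C:\WINNT\system32\taskmgr.exe", r"taskmgr.exe",
         r"C:\Documents and Settings\Administrator"),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE):
        print(f"PID {pid}: {finding}")
```

On the constructed input the main shell (PID 1308) is reported twice, for the garbage appended to its command line and for the package-style current directory, and each child explorer.exe once, for its parent. On a terminal server more than one explorer.exe is normal (one per session), which is why the check keys on the parent rather than on the count.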
我的疑问 - 2006-7-29 9:43:00
Scan from before the problem:
Windows 2000 Server Service Pack 4 (Build 2195)
- Administrator-level user - full functionality
The following items were selected:
All startup items (including registry, startup folder, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><; RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<NvMediaCenter><; RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<NeroFilterCheck><; C:\WINNT\system32\NeroCheck.exe> [Ahead Software Gmbh]
<vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe> [Symantec Corporation]
<YLive.exe><C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe> [ ]
<yassistse><"C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"> [Yahoo!]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
==================================
Startup folder
Services
[C-DillaCdaC11BA / C-DillaCdaC11BA]
<C:\WINNT\system32\drivers\CDAC11BA.EXE><Macrovision>
[CCProxy / CCProxy]
<"C:\CCProxy\CCProxy.exe" -service><>
[DefWatch / DefWatch]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[InstallDriver Table Manager / IDriverT]
<"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Macromedia Licensing Service / Macromedia Licensing Service]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[Registry Protector / Mercha2]
<><N/A>
[Symantec AntiVirus Client / Norton AntiVirus Server]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe><Symantec Corporation>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[PeanuthullCore / PeanuthullCore]
<C:\Program Files\PeanutHull3\PhCore.exe -service><广东网域>
[Rising Proxy Service / RfwProxySrv]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
==================================
Browser add-ons
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[雅虎助手]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, Yahoo!>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\flash8.ocx, Macromedia, Inc.>
==================================
我的疑问 - 2006-7-29 9:44:00
==================================
Running processes
[PID: 268][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 292][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 316][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[PID: 348][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[PID: 360][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[PID: 456][C:\WINNT\System32\termsrv.exe] <Microsoft Corporation><5.00.2195.6696>
[PID: 552][c:\program files\rising\rfw\rfwsrv.exe] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 32>
[c:\program files\rising\rfw\RfwRule.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 12>
[c:\program files\rising\rfw\rfwlog.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 6>
[c:\program files\rising\rfw\Rfwdrv.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 21>
[c:\program files\rising\rfw\MonDrv.dll] <rs><1, 0, 0, 4>
[c:\program files\rising\rfw\ProcLib.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 9>
[PID: 644][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 672][C:\WINNT\system32\spoolsv.exe] <Microsoft Corporation><5.00.2195.7059>
[C:\WINNT\system32\dtmon.dll] <Data Techniques, Inc.><3.00.00>
[C:\WINNT\system32\EBPMON24.DLL] <SEIKO EPSON CORPORATION><1, 12, 0, 0>
[C:\WINNT\system32\ZLhp1020.DLL] <Zenographics, Inc.><5, 53, 2714, 0>
[C:\WINNT\system32\ZLM.dll] <Zenographics, Inc.><5, 50, 1416, 0>
[C:\WINNT\system32\spool\PRTPROCS\W32X86\blproces.dll] <Black Ice Software><2.0>
[C:\WINNT\system32\spool\PRTPROCS\W32X86\IMFPrint.DLL] <Zenographics, Inc.><5, 54, 330, 0>
[C:\WINNT\system32\Imf32.dll] <Zenographics, Inc.><5, 60, 1204, 0>
[C:\WINNT\system32\ZTAG32.dll] <Zenographics, Inc.><5, 60, 1210, 0>
[C:\WINNT\system32\ZSPOOL.dll] <Zenographics, Inc.><5, 51, 709, 0>
[PID: 872][C:\WINNT\system32\drivers\CDAC11BA.EXE] <Macrovision><4.20.020>
[PID: 956][C:\CCProxy\CCProxy.exe] <><6, 3, 0, 1>
[PID: 976][C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe] <Symantec Corporation><8.1.0.821>
[PID: 992][C:\WINNT\system32\Dfssvc.exe] <Microsoft Corporation><5.00.2195.6664>
[PID: 1056][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 1116][C:\WINNT\System32\llssrv.exe] <Microsoft Corporation><5.00.2195.7021>
[PID: 1180][C:\PROGRA~1\MI6841~1\MSSQL$~2\binn\sqlservr.exe] <Microsoft Corporation><2000.080.0194.00>
[PID: 1192][C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe] <Symantec Corporation><8.1.0.821>
[C:\WINNT\system32\CBA.DLL] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\MsgSys.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\NTS.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\PDS.DLL] <Intel® Corporation><6.12.0.105 E>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL] <Symantec Corp.><4.2.0.7>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060712.021\NAVEX32a.DLL] <Symantec Corporation><20061.1.0.14>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060712.021\NAVENG32.DLL] <Symantec Corporation><20061.1.0.14>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL] <Symantec Corporation><9.1.0.26>
[PID: 1228][C:\WINNT\system32\WINDOW~1\Server\nspmon.exe] <Microsoft Corporation><4.1.00.3934>
[PID: 1260][C:\WINNT\system32\WINDOW~1\Server\nscm.exe] <Microsoft Corporation><4.1.00.3934>
[PID: 1288][C:\WINNT\system32\ntfrs.exe] <Microsoft Corporation><5.00.2195.6709>
[PID: 1368][C:\WINNT\system32\nvsvc32.exe] <NVIDIA Corporation><6.14.10.8040>
[PID: 1388][C:\Program Files\PeanutHull3\PhCore.exe] <广东网域><1, 0, 0, 13>
[C:\Program Files\PeanutHull3\PhAlive.dll] <广东网域><1, 0, 1, 26>
[PID: 1456][C:\WINNT\system32\regsvc.exe] <Microsoft Corporation><5.00.2195.6701>
[PID: 1472][C:\WINNT\system32\locator.exe] <Microsoft Corporation><5.00.2195.6619>
[PID: 1488][C:\WINNT\system32\MSTask.exe] <Microsoft Corporation><4.71.2195.6972>
[PID: 1536][C:\WINNT\system32\tcpsvcs.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 1576][C:\WINNT\system32\stisvc.exe] <Microsoft Corporation><5.00.2195.6656>
[PID: 1624][C:\WINNT\System32\WBEM\WinMgmt.exe] <Microsoft Corporation><1.50.1085.0100>
[PID: 1688][C:\WINNT\System32\wins.exe] <Microsoft Corporation><5.00.2195.7005>
[PID: 1720][C:\WINNT\system32\mspmspsv.exe] <Microsoft Corporation><7.10.00.3059>
[PID: 1732][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 1760][C:\WINNT\System32\dns.exe] <Microsoft Corporation><5.00.2195.6715>
[PID: 1776][C:\WINNT\system32\inetsrv\inetinfo.exe] <Microsoft Corporation><5.00.0984>
[PID: 1836][C:\WINNT\System32\ismserv.exe] <Microsoft Corporation><5.00.2195.6684>
[PID: 1856][C:\WINNT\system32\msdtc.exe] <Microsoft Corporation><1999.9.3421.3>
[C:\olite\bin\ociw32.dll] <Oracle Corporation><7.3.4.0.0>
[PID: 2028][C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe] <Microsoft Corporation><9.107.5512.0>
[PID: 2224][C:\WINNT\system32\WINDOW~1\Server\nspm.exe] <Microsoft Corporation><4.1.00.3917>
[C:\WINNT\system32\tssoft32.acm] <DSP GROUP, INC.><1.01>
[C:\WINNT\system32\tsd32.dll] <N/A><N/A>
[C:\WINNT\system32\l3codeca.acm] <Fraunhofer Institut Integrierte Schaltungen IIS><1, 9, 0, 0305>
[C:\WINNT\system32\iac25_32.ax] <Intel Corporation><2.05.53>
[C:\WINNT\system32\vorbis.acm] <HMS http://hp.vector.co.jp/authors/VA012897/><0, 0, 3, 6>
[C:\WINNT\system32\vct3216.acm] <Voxware, Inc.><1.6.0.17>
[C:\WINNT\system32\vct3216.dll] <Voxware, Inc.><1.6.0.12>
[C:\WINNT\system32\msms001.vwp] <Voxware, Inc.><2.0.2.61>
[C:\WINNT\system32\mvoice.vwp] <Voxware, Inc.><2.0.0.12.01>
[C:\WINNT\system32\sl_anet.acm] <Sipro Lab Telecom Inc.><3.02>
[PID: 2316][C:\WINNT\system32\WINDOW~1\Server\nsum.exe] <Microsoft Corporation><4.1.00.3930>
[PID: 2876][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll] <><2, 0, 5, 1031>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll] < ><2, 0, 1, 1007>
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] <Adobe Systems, Inc.><7.0.0.0>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] <Symantec Corporation><8.1.0.821>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[PID: 2896][C:\WINNT\System32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 3036][c:\program files\rising\rfw\RfwMain.exe] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 48>
[c:\program files\rising\rfw\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 23>
[c:\program files\rising\rfw\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[c:\program files\rising\rfw\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[PID: 3232][C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe] <Symantec Corporation><8.1.0.821>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><8.1.0.821>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[PID: 3240][C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe] < ><2, 0, 0, 1002>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll] <><2, 0, 5, 1031>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll] < ><2, 0, 1, 1007>
[C:\Program Files\Yahoo!\Assistant\yNotifier.dll] <><1, 0, 0, 5>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[PID: 3192][C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe] <Yahoo!><1, 0, 1, 1001>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yAsMenu.dll] <Yahoo><1, 0, 1, 1006>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yAssecblk.dll] <Yahoo><1, 0, 2, 1002>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yIEAngel.dll] <Yahoo><1, 0, 1, 1001>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yMenuInfo.dll] <Yahoo><1, 0, 0, 2>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[PID: 3196][C:\WINNT\system32\ctfmon.exe] <Microsoft Corporation><1.00.2409.34 built by: Lab06_N>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[PID: 2800][C:\WINNT\system32\conime.exe] <Microsoft Corporation><5.00.2195.6655>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
我的疑问 - 2006-7-29 9:44:00
[PID: 2192][C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE] <Microsoft Corporation><11.0.6502>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDNT5UI.DLL] <Zenographics, Inc.><5.60.709.0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDDM32.DLL] <Zenographics, Inc.><5, 60, 2629, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZSPOOL.dll] <Zenographics, Inc.><5, 51, 709, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZGDI32.dll] <Zenographics, Inc.><5, 60, 709, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\ZTAG32.dll] <Zenographics, Inc.><5, 60, 1210, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\SDDMUI.DLL] <Zenographics, Inc.><5, 60, 2209, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\SR32.dll] <Zenographics, Inc.><6, 0, 909, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\IMFNT5.DLL] <Zenographics, Inc.><0, 3, 3508, 0>
[C:\WINNT\system32\spool\DRIVERS\W32X86\3\Imf32.dll] <Zenographics, Inc.><5, 60, 1204, 0>
[PID: 2036][E:\Program Files\Tencent\Foxmail\Foxmail.exe] <Tencent Inc.><6.03.103.21>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[E:\Program Files\Tencent\Foxmail\FoxAntiSpam.dll] <N/A><N/A>
[E:\Program Files\Tencent\Foxmail\pcre.dll] <N/A><N/A>
[E:\Program Files\Tencent\Foxmail\3rdParty\punylib.dll] <CNNIC><1, 0, 0, 3>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll] <Yahoo!><2, 1, 8, 1048>
[E:\Program Files\Tencent\Foxmail\3rdParty\cmplugin.dll] <N/A><N/A>
[PID: 916][C:\Program Files\Internet Explorer\IEXPLORE.EXE] <Microsoft Corporation><6.00.2800.1106>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\ASSIST~1\yscrblock.dll] <Yahoo><1, 0, 2, 1002>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
[C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll] <><2, 0, 5, 1031>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll] < ><2, 0, 1, 1007>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll] <Yahoo!><2, 1, 8, 1048>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yaswiper.dll] <Yahoo><1, 0, 1, 1004>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasiesec.dll] <Yahoo><1, 0, 2, 1003>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasnoad.dll] <><1, 1, 4, 1006>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yzsNetProto.dll] <Yahoo><1, 0, 0, 1>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll] <Yahoo! China><1, 1, 3, 1035>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll] <Yahoo! China><1, 0, 1, 1015>
[c:\progra~1\yahoo!\assist~1\assist\yadfil~1.dll] < ><1, 0, 3, 1002>
[C:\PROGRA~1\yahoo!\assistant\Shell\yAssecblk.dll] <Yahoo><1, 0, 2, 1002>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yoptimum.dll] <Yahoo><1, 0, 1, 1001>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrepair.dll] <Yahoo><1, 0, 4, 1001>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasfsks.dll] <3721.com><2, 1, 1, 87>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yXPStyle.dll] <Yahoo><1, 0, 2, 1309>
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] <Adobe Systems, Inc.><7.0.0.0>
[C:\WINNT\system32\flash8.ocx] <Macromedia, Inc.><8,0,22,0>
[F:\u\SREng2\SREng.com] <Smallfrogs Studio><2.0.21.505>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[e:\Herosoft\HeroV8\VCvtShell.dll] <herosoft><1, 0, 0, 1>
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
我的疑问 - 2006-7-29 9:45:00
Scan after the problem:
Windows 2000 Server Service Pack 4 (Build 2195)
- Administrator-level user - full functionality
The following items were selected:
All startup items (including registry, startup folder, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><; RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<NvMediaCenter><; RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<NeroFilterCheck><; C:\WINNT\system32\NeroCheck.exe> [Ahead Software Gmbh]
<vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe> [Symantec Corporation]
<YLive.exe><C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe> [ ]
<yassistse><"C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"> [Yahoo!]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
<WinlogonNotify: System Safety Monitor><> []
==================================
Startup folder
Services
[C-DillaCdaC11BA / C-DillaCdaC11BA]
<C:\WINNT\system32\drivers\CDAC11BA.EXE><Macrovision>
[CCProxy / CCProxy]
<"C:\CCProxy\CCProxy.exe" -service><>
[DefWatch / DefWatch]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[InstallDriver Table Manager / IDriverT]
<"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Macromedia Licensing Service / Macromedia Licensing Service]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[Registry Protector / Mercha2]
<><N/A>
[Symantec AntiVirus Client / Norton AntiVirus Server]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe><Symantec Corporation>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[PeanuthullCore / PeanuthullCore]
<C:\Program Files\PeanutHull3\PhCore.exe -service><广东网域>
[Rising Proxy Service / RfwProxySrv]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
==================================
Browser add-ons
[IeCatch5 Class]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\PROGRA~1\FlashGet\jccatch.dll, FlashGet>
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[雅虎助手]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, Yahoo!>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\flash8.ocx, Macromedia, Inc.>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\Tencent\qq\AddToNetDisk.htm, N/A>
[使用KuGoo3下载(&K)]
<D:\Program Files\KuGoo3\KuGoo3DownX.htm, N/A>
[使用网际快车下载]
<C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<C:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\Tencent\qq\SendMMS.htm, N/A>
==================================
我的疑问 - 2006-7-29 9:45:00
Running processes
[PID: 212][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 236][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 260][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[C:\WINNT\system32\SSMWinlogonEx.dll] <System Safety Limited><2.1.5.580>
[PID: 288][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[PID: 300][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[PID: 392][C:\WINNT\System32\termsrv.exe] <Microsoft Corporation><5.00.2195.6696>
[PID: 492][c:\program files\rising\rfw\rfwsrv.exe] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 32>
[c:\program files\rising\rfw\RfwRule.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 12>
[c:\program files\rising\rfw\rfwlog.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 6>
[c:\program files\rising\rfw\Rfwdrv.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 21>
[c:\program files\rising\rfw\MonDrv.dll] <rs><1, 0, 0, 4>
[c:\program files\rising\rfw\ProcLib.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 9>
[PID: 580][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 684][C:\WINNT\system32\drivers\CDAC11BA.EXE] <Macrovision><4.20.020>
[PID: 640][C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe] <Symantec Corporation><8.1.0.821>
[PID: 624][C:\WINNT\system32\Dfssvc.exe] <Microsoft Corporation><5.00.2195.6664>
[PID: 632][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 884][C:\WINNT\System32\llssrv.exe] <Microsoft Corporation><5.00.2195.7021>
[PID: 924][C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe] <Symantec Corporation><8.1.0.821>
[C:\WINNT\system32\CBA.DLL] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\MsgSys.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\NTS.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINNT\system32\PDS.DLL] <Intel® Corporation><6.12.0.105 E>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL] <Symantec Corp.><4.2.0.7>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060726.039\NAVEX32a.DLL] <Symantec Corporation><20061.2.0.24>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060726.039\NAVENG32.DLL] <Symantec Corporation><20061.2.0.24>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL] <Symantec Corporation><9.1.0.26>
[PID: 1100][C:\WINNT\system32\ntfrs.exe] <Microsoft Corporation><5.00.2195.6709>
[PID: 1128][C:\WINNT\system32\nvsvc32.exe] <NVIDIA Corporation><6.14.10.8040>
[PID: 1148][C:\Program Files\PeanutHull3\PhCore.exe] <广东网域><1, 0, 0, 13>
[C:\Program Files\PeanutHull3\PhAlive.dll] <广东网域><1, 0, 1, 26>
[PID: 1192][C:\WINNT\system32\regsvc.exe] <Microsoft Corporation><5.00.2195.6701>
[PID: 1196][C:\WINNT\system32\locator.exe] <Microsoft Corporation><5.00.2195.6619>
[PID: 1264][C:\WINNT\system32\stisvc.exe] <Microsoft Corporation><5.00.2195.6656>
[PID: 1336][C:\WINNT\System32\WBEM\WinMgmt.exe] <Microsoft Corporation><1.50.1085.0100>
[PID: 1364][C:\WINNT\system32\mspmspsv.exe] <Microsoft Corporation><7.10.00.3059>
[PID: 1528][C:\WINNT\system32\inetsrv\inetinfo.exe] <Microsoft Corporation><5.00.0984>
[PID: 1536][C:\WINNT\system32\msdtc.exe] <Microsoft Corporation><1999.9.3421.3>
[C:\olite\bin\ociw32.dll] <Oracle Corporation><7.3.4.0.0>
[PID: 1568][C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe] <Microsoft Corporation><9.107.5512.0>
[PID: 1636][C:\WINNT\system32\WINDOW~1\Server\nsum.exe] <Microsoft Corporation><4.1.00.3930>
[PID: 1220][C:\WINNT\System32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 1308][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[PID: 1788][c:\program files\rising\rfw\RfwMain.exe] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 48>
[c:\program files\rising\rfw\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 23>
[c:\program files\rising\rfw\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[c:\program files\rising\rfw\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[PID: 748][C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><8.1.0.821>
[PID: 1512][C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe] < ><2, 0, 0, 1002>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\ASSIST~1\yaLive.dll] <><2, 0, 5, 1031>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll] < ><2, 0, 1, 1007>
[PID: 804][C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe] <Yahoo!><1, 0, 1, 1001>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yAsMenu.dll] <Yahoo><1, 0, 1, 1006>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yAssecblk.dll] <Yahoo><1, 0, 2, 1002>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yIEAngel.dll] <Yahoo><1, 0, 1, 1001>
[C:\PROGRA~1\Yahoo!\Assistant\shell\yMenuInfo.dll] <Yahoo><1, 0, 0, 2>
[PID: 1724][C:\WINNT\system32\ctfmon.exe] <Microsoft Corporation><1.00.2409.34 built by: Lab06_N>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[PID: 1840][C:\WINNT\SOUNDMAN.EXE] <Realtek Semiconductor Corp.><5, 1, 0, 46>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[PID: 1340][C:\WINNT\system32\taskmgr.exe] <Microsoft Corporation><5.00.2195.6620>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[K:\SREng2\SREng.com] <Smallfrogs Studio><2.0.21.505>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[K:\SREng2\Plugins\SREngPluginDemo.SRE] <Smallfrogs Studio><1, 1, 1, 0>
[PID: 1768][C:\WINNT\regedit.exe] <Microsoft Corporation><5.00.2195.6707>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
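Two SREng logs from the same machine, one before and one after the problem, are most useful when diffed rather than read side by side. The following is an added example, not code from the post or from SREng: a parser that keys on the line shapes SREng prints (registry key lines in square brackets followed by `<name><value>` entries, `[Display name / service]` followed by `<command><vendor>`, `[PID: n][image]` followed by module lines, and `{CLSID} <path, vendor>` for browser add-ons), drops PIDs and version strings, and reports which items appear only in one scan. BEFORE and AFTER are short excerpts constructed from the two logs in this thread. Run on the full logs, the same diff would list the Winlogon\Notify\System Safety Monitor key and the SSMWinlogonEx.dll module inside winlogon.exe, the FlashGet and KuGoo3 BHOs, and the new menu extensions as added, and the processes that are no longer running in the second scan (spoolsv.exe, CCProxy.exe, sqlservr.exe, nspmon.exe, nscm.exe, MSTask.exe, tcpsvcs.exe, wins.exe, dns.exe, ismserv.exe, nspm.exe) as removed, which lines up with the domain and DNS services not working.

```python
"""Diff two SREng logs to list what changed between the scans in the thread.

Added example: not code from the forum post or from SREng. The parser keys
on the line shapes SREng prints, so it does not depend on section labels:
    [HKEY_...]                    registry key; then <name><value> [vendor]
    [Display name / service]      service; then <command><vendor>
    [PID: n][image] <vendor><ver> process; then [module] <vendor><ver> lines
    {CLSID} <path, vendor>        browser add-on
PIDs and version strings are dropped so only configuration survives the diff.
"""
import re

RE_REGKEY = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
RE_REGVAL = re.compile(r"^<([^>]*)><([^>]*)>")
RE_SVC = re.compile(r"^\[([^\]/]+) / ([^\]]+)\]$")
RE_SVCCMD = re.compile(r"^<([^>]*)><([^>]*)>$")
RE_PROC = re.compile(r"^\[PID: \d+\]\[([^\]]+)\]")
RE_MODULE = re.compile(r"^\[([^\]]+)\] <")
RE_ADDON = re.compile(r"^(\{[0-9A-F-]+\}) <([^,>]+)", re.I)


def parse(text):
    """Return a set of normalised items (kind, ...) found in one SREng log."""
    items = set()
    ctx = None  # ("reg", key) | ("svc", name) | ("proc", image) | None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # section separator resets context
            ctx = None
            continue
        m = RE_REGKEY.match(line)
        if m:
            ctx = ("reg", m.group(1).lower())
            continue
        m = RE_PROC.match(line)
        if m:
            ctx = ("proc", m.group(1).lower())
            items.add(ctx)
            continue
        m = RE_SVC.match(line)
        if m:
            ctx = ("svc", m.group(2))
            continue
        m = RE_ADDON.match(line)
        if m:
            items.add(("addon", m.group(1).upper(), m.group(2).strip().lower()))
            continue
        if ctx is None:
            continue
        kind = ctx[0]
        if kind == "reg":
            m = RE_REGVAL.match(line)
            if m:
                items.add(("reg", ctx[1], m.group(1), m.group(2)))
        elif kind == "svc":
            m = RE_SVCCMD.match(line)
            if m:
                items.add(("svc", ctx[1], m.group(1)))
        elif kind == "proc":
            m = RE_MODULE.match(line)
            if m:
                items.add(("module", ctx[1], m.group(1).lower()))
    return items


def diff(before, after):
    """Return (added, removed): items only in the after scan, items only in the before scan."""
    b, a = parse(before), parse(after)
    return sorted(a - b), sorted(b - a)


# Constructed excerpts of the two logs posted in the thread.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
==================================
[CCProxy / CCProxy]
<"C:\CCProxy\CCProxy.exe" -service><>
==================================
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\flash8.ocx, Macromedia, Inc.>
==================================
[PID: 316][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[PID: 956][C:\CCProxy\CCProxy.exe] <><6, 3, 0, 1>
[PID: 1760][C:\WINNT\System32\dns.exe] <Microsoft Corporation><5.00.2195.6715>
[PID: 2876][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
<WinlogonNotify: System Safety Monitor><> []
==================================
[CCProxy / CCProxy]
<"C:\CCProxy\CCProxy.exe" -service><>
==================================
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\flash8.ocx, Macromedia, Inc.>
[IeCatch5 Class]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\PROGRA~1\FlashGet\jccatch.dll, FlashGet>
==================================
[PID: 260][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[C:\WINNT\system32\SSMWinlogonEx.dll] <System Safety Limited><2.1.5.580>
[PID: 1308][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll] <><2, 0, 1, 1018>
"""

if __name__ == "__main__":
    added, removed = diff(BEFORE, AFTER)
    for item in added:
        print("+", item)
    for item in removed:
        print("-", item)
```

Items are compared with paths lower-cased, so a module that merely moved from one PID to another does not show up, while a module loaded into a process that did not have it before (here SSMWinlogonEx.dll inside winlogon.exe) does. Lines the parser does not recognise, such as the file association and menu extension lines, are ignored rather than treated as errors.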
我的疑问 - 2006-7-29 9:46:00
#T0 SecAnalyst Analysis Report Version: 0, 3, 4, 8
#Operating system : Microsoft Windows 2000 Service Pack 4 (Build 2195) (CHS)
#System directory : C:\WINNT\system32
#Browser : Internet Explorer 6.0.2800.1106
#Generated : 2006-7-28 17:7:2
#T2 Please post the report to the security rescue center bbs.s-sos.net, where our experts will diagnose it for you. Note that the security risk value in the report only indicates the degree of suspicion.
#Q1 (Enter the problems and abnormal behaviour your computer has encountered here..)
#O4 Warning Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\粉碎文件]-c:\progra~1\yahoo!\assist~1\assist\ywiper.dll
#O4 Warning Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Shell Extensions for RealOne Player]-c:\program files\real\realone player\rpshell.dll
#O4 Warning Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Yahoo!Photo]-c:\program files\yahoo!\assistant\assist\yphtb.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\WinRAR shell extension]-c:\program files\winrar\rarext.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\AutoCAD 数字签名图标覆盖处理程序]-c:\winnt\system32\acsignicon.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\LDVP Shell Extensions]-c:\program files\common files\symantec shared\ssc\vpshell2.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Display Panning CPL Extension]-deskpan.dll [file not found]
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\run\NeroFilterCheck]-; c:\winnt\system32\nerocheck.exe [file not found]
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\run\NvMediaCenter]-; rundll32.exe c:\winnt\system32\nvmctray.dll,nvtaskbarinit [file not found]
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\run\NvCplDaemon]-; rundll32.exe c:\winnt\system32\nvcpl.dll,nvstartup [file not found]
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\run\yassistse]-"c:\progra~1\yahoo!\assistant\yassistse.exe"
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\run\YLive.exe]-c:\progra~1\yahoo!\assist~1\ylive.exe
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\nView Desktop Context Menu]-c:\winnt\system32\nvshell.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Desktop Explorer Menu]-c:\winnt\system32\nvshell.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Desktop Explorer]-c:\winnt\system32\nvshell.dll
#O4 Low risk Autostart:[hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved\Autodesk Drawing Preview]-c:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll
#D0 Low risk Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060726.039\NAVENG.sys
#D0 Low risk Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060726.039\NAVEX15.sys
#D0 Low risk Driver: C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
#D0 Low risk Driver: C:\Program Files\Symantec\SYMEVENT.SYS
#D0 Low risk Driver: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
#D0 Low risk Driver: C:\Program Files\HWiNFO32\HWiNFO32.SYS
#D0 Low risk Driver: C:\Program Files\Rising\Rfw\RfwBase.sys
#D0 Low risk Driver: c:\program files\rising\rfw\mProcRs.sys
#D0 Low risk Driver: C:\WINNT\system32\DRIVERS\sniffer.sys
#D0 Low risk Driver: C:\WINNT\system32\npptNT2.sys
#D0 Low risk Driver: C:\WINNT\system32\DRIVERS\vcdvnic.sys
#D0 Low risk Driver: C:\WINNT\System32\Drivers\Cdralw2k.SYS
#D0 Low risk Driver: C:\WINNT\System32\Drivers\Cdr4_2K.SYS
#D0 Low risk Driver: C:\WINNT\system32\DRIVERS\nv4_mini.sys
#R1 Warning SearchAssistant: http://toolsbar.kuaiso.com/search.html - HKCU\Software\Microsoft\Internet Explorer\Main, SearchAssistant
#R3 Low risk URLSearchHook: {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - coolbar - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll - HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
#O2 Low risk BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
#O2 Low risk BHO: {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
#O3 Low risk Toolbar: {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - 雅虎助手 - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
#M0 Dangerous DLL: C:\WINNT\system32\MSCTF.dll
#M0 Warning DLL: C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll
#M0 Warning DLL: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
#M0 Low risk DLL: C:\PROGRA~1\Yahoo!\ASSIST~1\yscrblock.dll
#M0 Low risk DLL: C:\WINNT\system32\AcSignIcon.dll
#P0 Dangerous Process:c:\winnt\system32\nvsvc32.exe
#P0 Dangerous Process:c:\program files\rising\rfw\rfwsrv.exe
#P0 Dangerous Process:c:\winnt\system32\mspmspsv.exe
#P0 Warning Process:c:\winnt\system32\drivers\cdac11ba.exe
#P0 警告 进程:c:\program files\peanuthull3\phcore.exe
#P0 低风险 进程:c:\progra~1\yahoo!\assistant\yassistse.exe
#P0 低风险 进程:c:\progra~1\yahoo!\assist~1\ylive.exe
#S0 危险 NT 服务: NVSvc - 启动方式: 自动 - 当前状态: 已启动 - C:\WINNT\system32\nvsvc32.exe
#S0 危险 NT 服务: RfwService - 启动方式: 自动 - 当前状态: 已启动 - c:\program files\rising\rfw\rfwsrv.exe
#S0 危险 NT 服务: WMDM PMSP Service - 启动方式: 自动 - 当前状态: 已启动 - C:\WINNT\system32\mspmspsv.exe
#S0 警告 NT 服务: WmdmPmSN - ServiceDll - C:\WINNT\system32\mspmsnsv.dll
#S0 警告 NT 服务: C-DillaCdaC11BA - 启动方式: 自动 - 当前状态: 已启动 - C:\WINNT\system32\drivers\CDAC11BA.EXE
#S0 警告 NT 服务: PeanuthullCore - 启动方式: 自动 - 当前状态: 已启动 - C:\Program Files\PeanutHull3\PhCore.exe -service
#S0 警告 NT 服务: Macromedia Licensing Service - 启动方式: 已禁用 - 当前状态: 已停止 - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
#S0 低风险 NT 服务: Mercha2 - 启动方式: 已禁用 - 当前状态: 已停止 - - [file not found]
#S0 低风险 NT 服务: CCProxy - 启动方式: 自动 - 当前状态: 已停止 - "C:\CCProxy\CCProxy.exe" -service
您的电脑整体安全风险为中(89分),请尽快咨询安全专家,协助处理!
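The report above follows one line shape throughout: `#<code> <risk> <kind>: <detail>`. As an added example (not part of the thread and not the scanner vendor's code), a small Python triage pass over lines in that shape: it lists autostart or service entries whose file is gone and, more usefully, running processes (#P0) that no autostart (#O4) or service (#S0) entry accounts for, which are the ones worth examining by hand. The sample lines are constructed, not copied from the report.

```python
import re

# Constructed sample lines in the shape of the SREng report above (not copied from it).
SAMPLE_REPORT = "\n".join([
    r"#O4 低风险 自启动:[hkey_local_machine\software\microsoft\windows\currentversion\run\NeroFilterCheck]-; c:\winnt\system32\nerocheck.exe [file not found]",
    r'#O4 低风险 自启动:[hkey_local_machine\software\microsoft\windows\currentversion\run\yassistse]-"c:\progra~1\yahoo!\assistant\yassistse.exe"',
    r"#P0 危险 进程:c:\winnt\system32\nvsvc32.exe",
    r"#P0 低风险 进程:c:\progra~1\yahoo!\assistant\yassistse.exe",
    r"#P0 警告 进程:d:\data\helper.exe",
    r"#S0 危险 NT 服务: NVSvc - 启动方式: 自动 - 当前状态: 已启动 - C:\WINNT\system32\nvsvc32.exe",
])

# One report line: '#' + code, a risk word, a kind, ':' and free-form detail.
LINE_RE = re.compile(r"^#(?P<code>[A-Z]\d)\s+(?P<risk>危险|警告|低风险)\s+(?P<kind>[^:]+):\s*(?P<detail>.*)$")
# First Windows path ending in a binary extension; paths may contain spaces and '~' short names.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)


def parse_report(text):
    """Parse report lines into dicts: code, risk, kind, detail, first file path (lower-cased), missing flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # summary line or non-report text
        e = m.groupdict()
        p = PATH_RE.search(e["detail"])
        e["path"] = p.group(0).lower() if p else None
        e["missing"] = "[file not found]" in e["detail"]
        entries.append(e)
    return entries


def triage(entries):
    """Return (dangling, unexplained).

    dangling:    autostart/service entries whose target file no longer exists (stale or already removed).
    unexplained: running processes (#P0) with no #O4 autostart or #S0 service pointing at the same file;
                 nothing in the report explains how they were launched, so they go to the top of the list.
    """
    launchers = {e["path"] for e in entries if e["code"] in ("O4", "S0") and e["path"]}
    dangling = [e["detail"] for e in entries if e["missing"]]
    unexplained = [e["path"] for e in entries if e["code"] == "P0" and e["path"] not in launchers]
    return dangling, unexplained


if __name__ == "__main__":
    dangling, unexplained = triage(parse_report(SAMPLE_REPORT))
    print("dangling entries:", dangling)
    print("unexplained processes:", unexplained)
```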
710207 - 2006-7-29 9:49:00
What a mess. Post an HJK log.
酷盖 - 2006-7-29 9:50:00
[Registry Protector / Mercha2]
<><N/A>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
我的疑问 - 2006-7-29 9:55:00
Neither of the two items above is it. One is the registry security-mechanism service,
the other is winpcap 3.1, the network-monitoring injection program.
If it were that simple, my head wouldn't be hurting.
The key now is to analyse explorer.exe.
HJK finds nothing. Besides, I have already disabled all of the services above.
710207 - 2006-7-29 10:01:00
explorer.exe is the process that displays the desktop.
710207 - 2006-7-29 10:06:00
From your description, does your system have many explorer.exe?
我的疑问 - 2006-7-29 10:11:00
It's not only the desktop.
710207 - 2006-7-29 10:15:00
explorer.exe is a system file, but there are also viruses that imitate it.
Your description shows that you have been hit by exactly that kind of virus that mimics the explorer.exe system file.
In safe mode, delete the process file that takes 50% (don't delete the system file by mistake).
Start -- Run -- regedit -- OK
Edit -- Find -- explorer.exe -- OK
Delete the entries that correspond to the virus file.
Edit -- Find Next...... until they are all deleted (don't delete the system file entries).
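A defender-side version of the registry check in this reply, added here as an example (it is not from the thread): rather than deleting every hit from a search for explorer.exe, compare the Winlogon `Shell` and `Userinit` values, exported as strings, against their stock defaults and report only what differs, so a copy of explorer.exe living at another path, or extra data appended to the launch string, stands out. It assumes a default Windows 2000/XP layout with C:\WINNT as the system root; the sample values are constructed.

```python
import re
import ntpath

# Assumption: the machine's system root (Windows 2000 installs to C:\WINNT, as in this thread).
SYSTEM_ROOT = r"C:\WINNT"

# Default launch values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
# on a stock Windows 2000/XP install (assumption). A bare file name resolves from the system root.
CANONICAL = {
    "Shell": [r"explorer.exe"],
    "Userinit": [r"%SystemRoot%\system32\userinit.exe"],
}

# Split one comma-separated piece into "program up to .exe" and whatever trails it.
EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE | re.DOTALL)


def normalize(path, system_root=SYSTEM_ROOT):
    """Expand %SystemRoot%, drop quotes, make bare names absolute, then normalise and lower-case."""
    p = path.strip().strip('"').replace("%SystemRoot%", system_root)
    if "\\" not in p:
        p = ntpath.join(system_root, p)
    return ntpath.normpath(p).lower()


def audit_winlogon(name, value, system_root=SYSTEM_ROOT):
    """Return a list of findings for one Winlogon value; an empty list means it matches the default."""
    expected = {normalize(p, system_root) for p in CANONICAL[name]}
    findings, seen = [], set()
    for piece in (p.strip() for p in value.split(",")):
        if not piece:
            continue  # Userinit legitimately ends with a trailing comma
        m = EXE_RE.match(piece)
        prog, trailer = (m.group(1), m.group(2).strip()) if m else (piece, "")
        norm = normalize(prog, system_root)
        seen.add(norm)
        if norm not in expected:
            findings.append(f"{name}: unexpected program {norm}")
        if trailer:
            findings.append(f"{name}: trailing data after {norm}: {trailer!r}")
    if not (seen & expected):
        findings.append(f"{name}: default program missing")
    return findings


if __name__ == "__main__":
    # Constructed values: a clean Shell, a clean Userinit, then a Shell with a second program appended.
    for name, value in [("Shell", "Explorer.exe"), ("Userinit", r"C:\WINNT\system32\userinit.exe,"),
                        ("Shell", r"Explorer.exe, D:\tools\winhelper.exe")]:
        print(name, "=", value, "->", audit_winlogon(name, value) or "OK")
```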
我的疑问 - 2006-7-29 10:21:00
Can you tell which
explorer.exe is the wrong one? In the registry?? There are too many in there.
And I can't restore the registry.
我的疑问 - 2006-7-29 10:24:00
I can't confirm which explorer.exe is abnormal. The abnormal one is inside it:
explorer.exe+oZ8188
This one is contained under explorer.exe. And after the two child explorer.exe are killed, the fault is still the same; only the network connection gets displayed.
我的疑问 - 2006-7-29 11:26:00
无邪, come quickly.
我无邪 - 2006-7-29 11:35:00
OP's log looks normal.
Describe what abnormalities you are seeing.
我无邪 - 2006-7-29 11:36:00
After you reboot, don't repair anything; just scan a log and paste it here.
我的疑问 - 2006-7-29 11:55:00
I've looked at the log too; it is normal. But the fault is exactly as described in the first post.
I can't get to the desktop and can't use anything. The error prompts are as described in the first post.
All functions have collapsed.
我的疑问 - 2006-7-29 13:03:00
It's hopeless. Depressing.
710207 - 2006-7-29 13:07:00
OP, if it still doesn't work, just reinstall; reinstalling doesn't take that long.
我的疑问 - 2006-7-29 13:09:00
Of course I've thought of that, but the problem is that the data on it is so huge. It's a server.
There are over a hundred domain accounts alone.
So much FTP data, WEB data.
I'm just afraid that after reinstalling, none of the clients below will be able to resolve DNS properly and they won't be able to connect.
And all that network monitoring and analysis, so much software. Ugh...
我的疑问 - 2006-7-29 13:23:00
I keep SSM running every day and am very careful. The patches are fully applied too.
Depressing. And yet such a serious problem appears. I just can't get over it.
我的疑问 - 2006-7-31 1:36:00
Local industry