瑞星卡卡安全论坛

我以把瑞星升到最高级,在安全模式下杀毒,杀了一遍又一遍,重起后它又自动生成!我已经按网上说的手动删除,还是不行!
附上网上教的办法:
这是个变态的传奇木马。没有手工杀毒经验的朋友还是建议重装系统，这样可能效果更好。
运行病毒文件之后创建以下文件：
C:\WINDOWS\Debug\DebugProgram.exe
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\dxdiag.com
C:\WINDOWS\system32\finder.com
C:\WINDOWS\system32\MSCONFIG.COM
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rundll32.com
C:\WINDOWS\1.com
C:\WINDOWS\ExERoute.exe
C:\WINDOWS\explorer.com
C:\WINDOWS\finder.com
C:\WINDOWS\services.exe
修改EXE文件关联。
添加到启动项：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Torjan Program----------C:\WINDOWS\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Torjan Program----------C:\WINDOWS\services.exe
修改SYSTEM.INI 原始值应该为shell = Explorer.exe 修改为shell = Explorer.exe 1（实现启动加载Explore.exe后紧接着加载1）
各在磁盘根目录中添加文件autorun.inf，打开磁盘就会激活病毒。
多种方法来启动自己保护自己，比较难查杀。

查杀过程：
下载SREng.exe，并改名为SREng.com SRE的下载地址是：http://www.kztechs.com/sreng/sreng.zip  运行SREng.com，在“系统修复”→“文件关联”里勾选“.EXE”项（如果EXE关联错误默认就会勾上的），并“修复”，恢复EXE文件关联 。然后打开IceSword（下载地址：http://www.xfocus.net/tools/200509/IceSword_en1.12.rar），结束病毒的进程。注意进程里面有两个services.exe，正常的为C:\WINDOWS\system32\services.exe，那么另外一个就是病毒的进程了。结束了病毒进程之后在IceSword里面打开文件，找到并删除病毒所创建的文件（文章开头列出了这些文件）。打开注册表（开始-运行-regedit） 找到：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
删除其中的Torjan Program----------C:\WINDOWS\services.exe
再找到：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
把其中shell的值改回为shell = Explorer.exe
然后在每个盘的根目录中找autorun.inf文件（先显示隐藏文件和系统文件），找到就删除。
重启之后病毒就不会再出现了。
另外可能病毒杀死后会出现双击IE浏览器系统提示找不到iexplorer.com文件，这个时候你直接选浏览，然后找到iexplorer.exe，确定就可以了。
附我用网页绑架克星的SCAN:
Logfile of HijackThis v1.99.1
Scan saved at 0:41:29, on 2006-8-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Rising\Rav\Rav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\Server.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olrar.exe
C:\WINDOWS\System32\conime.exe
C:\Documents and Settings\林敬满\桌面\procexp\procexp\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\林敬满\桌面\恢复EXE文件关联软件\SREng2\SREng.com
C:\Documents and Settings\林敬满\桌面\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Systems32] C:\WINDOWS\System32\Server.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O20 - AppInit_DLLs: KB914847M.LOG
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Unknown owner - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

请各位大侠帮我看看,谢谢你们!

2006-08-13,01:07:15

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><explorer.exe>  [Microsoft Corporation]
    <Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{54D9498B-CF93-414F-8984-8CE7FDE0D391}><D:\Program Files\ewido anti-malware\shellhook.dll>  []
    <{EFAE7B4A-FA39-4818-ACAC-6B6D851CEFF4}><C:\Program Files\Internet Explorer\WinHook.sys>  []
    <{3FDEB171-8F86-4669-B664-69B8DB553683}><C:\NTLDR.DLL>  []

==================================
启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ewido security suite control / ewido security suite control]
  <D:\Program Files\ewido anti-malware\ewidoctrl.exe><ewido networks>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>

==================================
正在运行的进程
[PID: 500][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 560][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 584][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 628][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
[PID: 640][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 808][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 924][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 1052][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1064][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1528][C:\WINDOWS\Explorer.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [D:\Program Files\ewido anti-malware\shellhook.dll]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\NTLDR.DLL]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [D:\Program Files\ewido anti-malware\context.dll]  <ewido networks><1.0.0.1>
    [D:\Program Files\ewido anti-malware\lang.dll]  <privat><1, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1792][C:\Program Files\Rising\Rav\Rav.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 75>
    [C:\Program Files\Rising\Rav\PlugIn\RsPgScan.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 17>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RavUI.Dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 61>
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
    [C:\Program Files\Rising\Rav\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\Scanner.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 30>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 19>
    [C:\Program Files\Rising\Rav\RavUIMsg.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 25>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\libload.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\VirusLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 12>
    [C:\Program Files\Rising\Rav\engine.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 30>
    [C:\Program Files\Rising\Rav\UnExe.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
    [C:\Program Files\Rising\Rav\ScanEx.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 14>
    [C:\Program Files\Rising\Rav\PostTrt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 12>
    [C:\Program Files\Rising\Rav\NvFile.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\ScanMac.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 9>
    [C:\Program Files\Rising\Rav\ScanSct.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
    [C:\Program Files\Rising\Rav\ScanExec.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
    [C:\Program Files\Rising\Rav\ExtOLE.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\Unpacker.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\Program Files\Rising\Rav\ExtFile.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [C:\Program Files\Rising\Rav\RsStore.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Rising\Rav\RsLog.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 20>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [D:\Program Files\ewido anti-malware\shellhook.dll]  <N/A><N/A>
    [C:\NTLDR.DLL]  <N/A><N/A>
[PID: 376][C:\WINDOWS\System32\cmd.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 392][C:\WINDOWS\System32\conime.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
[PID: 440][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olrar.exe]  <Alexander Roshal><3.60.2.0>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\q9eq2ibp.dll]  <Microsoft Corporation><5.00.1764.1>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\packet.dll]  <CACE Technologies><3, 1, 0, 27>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WanPacket.dll]  <CACE Technologies><3, 1, 0, 27>
[PID: 860][C:\WINDOWS\System32\conime.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 1192][C:\Documents and Settings\林敬满\桌面\procexp\procexp\procexp.exe]  <Sysinternals><8.60>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
[PID: 708][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx]  <Macromedia, Inc.><8,0,24,0>
    [C:\Documents and Settings\林敬满\桌面\恢复EXE文件关联软件\SREng2\SREng.com]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 1484][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
[PID: 1736][C:\WINDOWS\system32\NOTEPAD.EXE]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================

O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
需要用LSPFix 来修复..
LSPFix(汉化版) 下载地址:http://forum.ikaka.com/topic.asp?board=67&artid=5188931
(8楼...)
同时下载WinsockXPFix.exe...(2楼...)
----------------------------------------------------------------
先运行LSPFix ... 勾上 我确定要进行修复操作 ...
然后将cn_spi32.dll移到右边...点下完成...
----------------------------------------------------------------
如果在操作之后不能上网...请用WinsockXPFix.exe 修复一下即可...安全模式下..

修复
O4 - HKLM\..\Run: [Systems32] C:\WINDOWS\System32\Server.exe
O20 - AppInit_DLLs: KB914847M.LOG
删除
C:\WINDOWS\System32\Server.exe
C:\WINDOWS\KB914847M.LOG

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
参考顶置帖...

C:\WINDOWS\System32\Server.exe
C:\WINDOWS\KB914847M.LOG
这两个系统报告删除不了

谢谢,我先试试

按你的方法做了,重启后她又发作了!
Logfile of HijackThis v1.99.1
Scan saved at 4:08:07, on 2006-8-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\林敬满\桌面\sreng2\SREng2\SREng.exe
C:\Documents and Settings\林敬满\桌面\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Rising\Rav\Rav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\Server.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olrar.exe
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\System32\conime.exe
C:\Documents and Settings\林敬满\桌面\procexp\procexp\procexp.exe

F2 - REG:system.ini: Shell=Explorer.exe 1
O4 - HKLM\..\Run: [Systems32] C:\WINDOWS\System32\Server.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cn_spi32.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O20 - AppInit_DLLs: KB914847M.LOG
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Unknown owner - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

2006-08-13,04:07:25

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Systems32><C:\WINDOWS\System32\Server.exe>  []
    <Torjan Program><C:\WINDOWS\WINLOGON.EXE>  [zJeuKZJHdgr43s]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe 1>  []
    <Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><KB914847M.LOG>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{54D9498B-CF93-414F-8984-8CE7FDE0D391}><D:\Program Files\ewido anti-malware\shellhook.dll>  []
    <{EFAE7B4A-FA39-4818-ACAC-6B6D851CEFF4}><C:\Program Files\Internet Explorer\WinHook.sys>  []
    <{3FDEB171-8F86-4669-B664-69B8DB553683}><C:\NTLDR.DLL>  []
    <{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys>  []

==================================
启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ewido security suite control / ewido security suite control]
  <D:\Program Files\ewido anti-malware\ewidoctrl.exe><ewido networks>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>

==================================

正在运行的进程
[PID: 324][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 384][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 408][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 452][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 464][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 632][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 700][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 780][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 792][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1220][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [D:\Program Files\ewido anti-malware\shellhook.dll]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\NTLDR.DLL]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [D:\Program Files\ewido anti-malware\context.dll]  <ewido networks><1.0.0.1>
    [D:\Program Files\ewido anti-malware\lang.dll]  <privat><1, 0, 0, 1>
[PID: 1576][C:\Documents and Settings\林敬满\桌面\sreng2\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 1740][C:\Documents and Settings\林敬满\桌面\HijackThis\HijackThis.exe]  <Soeperman Enterprises Ltd.><1.99.0001>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 1748][C:\WINDOWS\system32\NOTEPAD.EXE]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 1760][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx]  <Macromedia, Inc.><8,0,24,0>
[PID: 1804][C:\Program Files\Rising\Rav\Rav.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 75>
    [C:\Program Files\Rising\Rav\PlugIn\RsPgScan.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 17>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RavUI.Dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 61>
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
    [C:\Program Files\Rising\Rav\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\Scanner.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 30>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 19>
    [C:\Program Files\Rising\Rav\RavUIMsg.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 25>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1872][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 2032][C:\WINDOWS\System32\cmd.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 128][C:\WINDOWS\System32\conime.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 176][C:\WINDOWS\System32\Server.exe]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 232][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olrar.exe]  <Alexander Roshal><3.60.2.0>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\q9eq2ibp.dll]  <Microsoft Corporation><5.00.1764.1>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\packet.dll]  <CACE Technologies><3, 1, 0, 27>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WanPacket.dll]  <CACE Technologies><3, 1, 0, 27>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 252][C:\WINDOWS\WINLOGON.EXE]  <zJeuKZJHdgr43s><0.00.0087>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 348][C:\WINDOWS\System32\conime.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 1008][C:\Documents and Settings\林敬满\桌面\procexp\procexp\procexp.exe]  <Sysinternals><8.60>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  Error. [winfiles]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

C:\WINDOWS\WINLOGON.EXE
请参考：
http://forum.ikaka.com/topic.asp?board=28&artid=8141143
http://forum.ikaka.com/topic.asp?board=28&artid=8138175
用专杀，建议先解决这个木马，再处理其它

我只能说你吖根 什么都没做..

今天早上最新扫描(能否告知先解决哪个,我真的不懂,但你说的我都做了,是不是步骤不对,请教教我吧!谢谢)
2006-08-13,10:37:10

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Systems32><C:\WINDOWS\System32\Server.exe>  []
    <Torjan Program><C:\WINDOWS\WINLOGON.EXE>  [zJeuKZJHdgr43s]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe 1>  []
    <Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><KB914847M.LOG>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{54D9498B-CF93-414F-8984-8CE7FDE0D391}><D:\Program Files\ewido anti-malware\shellhook.dll>  []
    <{EFAE7B4A-FA39-4818-ACAC-6B6D851CEFF4}><C:\Program Files\Internet Explorer\WinHook.sys>  []
    <{3FDEB171-8F86-4669-B664-69B8DB553683}><C:\NTLDR.DLL>  []
    <{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys>  []
    <{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat>  []

==================================
启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ewido security suite control / ewido security suite control]
  <D:\Program Files\ewido anti-malware\ewidoctrl.exe><ewido networks>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================

2006-08-13,11:03:44

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Systems32><C:\WINDOWS\System32\Server.exe>  []
    <Torjan Program><C:\WINDOWS\WINLOGON.EXE>  [zJeuKZJHdgr43s]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
    <KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe 1>  []
    <Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><KB914847M.LOG>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{54D9498B-CF93-414F-8984-8CE7FDE0D391}><D:\Program Files\ewido anti-malware\shellhook.dll>  []
    <{EFAE7B4A-FA39-4818-ACAC-6B6D851CEFF4}><C:\Program Files\Internet Explorer\WinHook.sys>  []
    <{3FDEB171-8F86-4669-B664-69B8DB553683}><C:\NTLDR.DLL>  []
    <{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys>  []
    <{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat>  []

启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ewido security suite control / ewido security suite control]
  <D:\Program Files\ewido anti-malware\ewidoctrl.exe><ewido networks>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[XBTP01967 Class]
  {F3E19DD9-6D5B-4867-A057-1EFFFC62322E} <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Toolbar.dll, IE Toolbar>
[TT33定向搜索]
  {D940F380-49C7-4A05-9E33-53930AF5768F} <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Toolbar.dll, IE Toolbar>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>

==================================
正在运行的进程
[PID: 324][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 388][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 412][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 464][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 484][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 676][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 756][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 844][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 856][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
[PID: 1488][C:\WINDOWS\Explorer.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [D:\Program Files\ewido anti-malware\shellhook.dll]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\NTLDR.DLL]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Dat]  <N/A><N/A>
[PID: 1768][C:\Documents and Settings\林敬满\桌面\procexp\procexp\procexp.exe]  <Sysinternals><8.60>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Dat]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
[PID: 1836][C:\Documents and Settings\林敬满\桌面\sreng2\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Dat]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>
    [C:\WINDOWS\System32\cn_spi32.dll]  <N/A><N/A>
[PID: 1852][C:\WINDOWS\WINLOGON.EXE]  <zJeuKZJHdgr43s><0.00.0087>
    [C:\WINDOWS\KB914847M.LOG]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\WinHook.sys]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Dat]  <N/A><N/A>
    [C:\Program Files\Internet Explorer\IEXPLORE.Sys]  <N/A><N/A>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  Error. [winfiles]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================