wmthyffy - 2006-9-4 17:46:00
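This thing showed up in msconfig, and I can't delete it no matter what... I can't disable it either :(
Looking for a solution! Thanks
Attachment: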
743689200694173835.BMP
wmthyffy - 2006-9-4 17:48:00
wmthyffy - 2006-9-4 18:52:00
Logfile of HijackThis v1.99.1
Scan saved at 17:29:59, on 2006-9-4
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\system\TOOLS\HjackThis\HijackThis.exe
O2 - BHO: 超级兔子上网精灵 - {7369D35A-5B70-4A5B-B789-B25FE09B4AF3} - E:\system\TOOLS\MagicSet\haokanbar.dll
O3 - Toolbar: 超级兔子上网精灵 - {43869BB3-22FD-4F15-9B46-238106BA2F4E} - E:\system\TOOLS\MagicSet\haokanbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] ; C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra 'Tools' menuitem: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.tomatolei.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E054CBB5-C7D8-4762-A97C-B6F89A57AA1A}: NameServer = 202.96.128.68
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
水树雨下 - 2006-9-4 19:00:00
Automatic wallpaper changer
O4 - HKCU\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
Start >> Run >> type regsvr32.exe /u c:\windows\system32\bgswitch.dll
Delete the files bgswitch.exe and bgswitch.dll under c:\windows\system32\
Delete the registry value [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "bgswitch"="C:\\WINDOWS\\system32\\bgswitch.exe"
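Added example, not part of the original thread: a small parser for the O4 (registry Run) lines of a HijackThis log such as the one posted above, which lists the autostart entries whose program is not in a baseline the analyst already recognises. The function names and the baseline set are assumptions made for this example; the sample lines are copied from the posted log.

```python
import re
from typing import NamedTuple

# "O4 - <hive>\..\<key>: [<value name>] <command line>"; the optional ';'
# covers the stray separator seen on some lines of the posted log.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\]\s*(?:;\s*)?(.*)$')
# Program path: either a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

class RunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    exe: str   # lower-cased program path
    args: str

def parse_o4(log_text):
    """Return a RunEntry for every O4 registry Run line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        e = EXE_RE.match(cmd)
        if e:
            exe = (e.group(1) or e.group(2)).lower()
            entries.append(RunEntry(hive, key, name, exe, cmd[e.end():].strip()))
    return entries

def needs_review(entries, baseline):
    """Entries whose program file name is not in the analyst's baseline set."""
    return [e for e in entries if e.exe.rsplit("\\", 1)[-1] not in baseline]

# Lines copied from the log posted above (one non-O4 line included on purpose).
SAMPLE = r'''
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
'''
# Constructed baseline (assumption): file names this analyst already recognises.
BASELINE = {"imjpmig.exe", "hkcmd.exe", "ravtask.exe", "ctfmon.exe"}

if __name__ == "__main__":
    for e in needs_review(parse_o4(SAMPLE), BASELINE):
        print(f"{e.hive}\\...\\{e.key} [{e.name}] -> {e.exe}")
```

An entry outside the baseline is only a candidate for a closer look, not a verdict; HijackThis "Startup:" folder lines use a different O4 layout and are not parsed here.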
水树雨下 - 2006-9-4 19:02:00
Do you get a prompt about this at startup?
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
wmthyffy - 2006-9-4 19:30:00
There is no prompt at all! I just restarted the computer... this thing still shows up in msconfig...
Attachment:
743689200694192245.BMP
水树雨下 - 2006-9-4 19:34:00
Please refer to http://forum.ikaka.com/topic.asp?board=36&artid=8144360
Run a scan with Autoruns and post the log here
wmthyffy - 2006-9-4 19:36:00
This shows up under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\RsAutorunsDisabled~
Attachment:
743689200694192827.BMP
wmthyffy - 2006-9-4 19:38:00
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
It's right here..
Attachment:
743689200694193024.BMP
wmthyffy - 2006-9-4 19:54:00
Is this it?
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ HotKeysCmdshkcmd ModuleIntel Corporationc:\windows\system32\hkcmd.exe
+ IgfxTray文件未找到: ;
+ IMJPMIG8.1文件未找到: ;
+ PHIME2002A文件未找到: ;
+ PHIME2002ASync文件未找到: ;
+ RavTaskRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtask.exe
+ RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwmain.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+ RavStubRising RavStubBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravstub.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
+ ?粓??文件未找到: ?粓??
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0文件未找到: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ Rising Execute File Exts hookRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension文件未找到: deskpan.dll
+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll
+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll
+ WinRAR shell extensiond:\program files\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ 超级兔子上网精灵HaoKanBar Toolbar ModuleXiang Feng Technologye:\system\tools\magicset\haokanbar.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ 超级兔子上网精灵HaoKanBar Toolbar ModuleXiang Feng Technologye:\system\tools\magicset\haokanbar.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ 番茄花园文件未找到: http://www.tomatolei.com
+ 启动迅雷Thunder Networking Technologies,LTDd:\program files\thunder network\thunder\thunder.exe
HKLM\System\CurrentControlSet\Services
+ RfwServiceRising Personal FireWall ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwsrv.exe
+ RsCCenterCCenterBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ccenter.exe
+ RsRavMonRavMondBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe
HKLM\System\CurrentControlSet\Services
+ ac97intcIntel(r) Integrated Controller Hub Audio DriverIntel Corporationc:\windows\system32\drivers\ac97intc.sys
+ BaseTDIbasetdiBeijing Rising Technology Co., Ltd.c:\windows\system32\drivers\basetdi.sys
+ ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys
+ HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys
+ HookRegc:\program files\rising\rav\hookreg.sys
+ HookSysHooksysRisingc:\program files\rising\rav\hooksys.sys
+ HookUrlHookUrlBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\hookurl.sys
+ ialmIntel Graphics Miniport DriverIntel Corporationc:\windows\system32\drivers\ialmnt5.sys
+ MEMSCANMemScan Driver瑞星软件有限公司c:\program files\rising\rav\memscan.sys
+ mProcRsRising Personal FireWall mprocrs.sysBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\mprocrs.sys
+ npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.d:\program files\tencent\qq\npkcrypt.sys
+ PtilinkParallel Technologies DirectParallel IO LibraryParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys
+ RsFwDrvnt_fwdrvBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rsfwdrv.sys
+ rtl8139Realtek RTL8139 NDIS 5.0 DriverRealtek Semiconductor Corporationc:\windows\system32\drivers\rtl8139.sys
+ Secdrvc:\windows\system32\drivers\secdrv.sys
+ SmartAVSSmart Assistant Driver [CWJ]All-In-Smart [CWJ]c:\windows\system32\drivers\smartavs.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ igfxcuiigfxsrvc ModuleIntel Corporationc:\windows\system32\igfxsrvc.dll
Can the entries whose files were not found be deleted?
wmthyffy - 2006-9-4 20:57:00
Repair...
Can Autoruns do the repair?
How do I repair it?
I don't know how to use it....
wmthyffy - 2006-9-6 2:54:00
What software is best for repairing this?
Rising's repair doesn't seem to have done much....
水树雨下 - 2006-9-6 6:23:00
Repair it with Autoruns
http://forum.ikaka.com/topic.asp?board=36&artid=8144360
The instructions for using it are explained there
d小米b - 2006-9-20 9:19:00
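So what was the final fix for this virus?! My home computer has caught it too
I looked online and it is said to be the Luoxue (落雪) trojan. But after a dedicated removal tool killed some viruses, those two rows of garbled characters in the startup items are still there! How do I fix it! Waiting online, this is urgent!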