求救阿~~~~好多窗口弹出来~~好像是winlogon作祟，日志 bbs.ikaka.com

Amnny - 2006-9-25 21:53:00

好像是病毒闹得~~~~求大虾们救救我吧~~~~~~有几个程序删了，但是注册表还有他们痕迹，而且刚杀完就会又出现~！~~红伞，防火墙也开不了
日志：

2006-09-25,21:35:40

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
<BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><; "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"> [Nero AG]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<{64B239F7-0892-2052-0909-050505160056}><; "C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\Update.exe" te-110-12-0000040> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [Microsoft Corporation]
<BigDogPath><; C:\WINDOWS\VM_STI.EXE USB PC Camera 301P> []
<IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload> [Microsoft Corporation]
<spoolsv><; > []
<KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k> []
<NeroFilterCheck><; C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe> [Nero AG]
<RfwMain><; "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> []
<RavTask><; "C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<TkBellExe><; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<RichMedia><C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\pcast\hbcast.dll",WaitWindows> [Shanghai Henbang Technology Co., Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><c:\windows\system32\Userinit.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
<WinlogonNotify: AtiExtEvent><Ati2evxx.dll> [ATI Technologies Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
<WinlogonNotify: Group Policy><C:\WINDOWS\system32\wsfApi.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
<WinlogonNotify: ModuleUsage><C:\WINDOWS\system32\WxdfPlatform.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
<WinlogonNotify: Run><C:\WINDOWS\system32\ic50_qcx.dll> []

==================================
启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Ati HotKey Poller / Ati HotKey Poller]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Command Service / cmdService]
<C:\WINDOWS\bGVub3Zv\command.exe><N/A>
[NBService / NBService]
<C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[Network Monitor / Network Monitor]
<C:\Program Files\Network Monitor\netmon.exe service><N/A>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[StarWind iSCSI Service / StarWindService]
<><N/A>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Rising Proxy Service / RfwProxySrv]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>

Amnny - 2006-9-25 21:56:00

==================================
浏览器加载项
[MyIEHelper Class]
{16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_5010.dll, N/A>
[isObject Class]
{BE0B5843-553A-48C2-9A42-258A1D791AFC} <C:\PROGRA~1\pcast\hbcast.dll, Shanghai Henbang Technology Co., Ltd>
[MMCPlayer Class]
{05C1004E-2596-48E5-8E26-39362985EEB9} <D:\Sogou PXP\MMCShell.dll, Sohu.com Inc.>
[PhotoUploadCtrl Control]
{A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} <D:\QQ\QZone\PHOTOU~1.OCX, tencent>
[MyIEHelper Class]
{16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_5010.dll, N/A>
[Easy-WebPrint]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C} <C:\Program Files\Canon\Easy-WebPrint\Toolband.dll, N/A>
[PhotoUploadCtrl Control]
{A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} <D:\QQ\QZone\PHOTOU~1.OCX, tencent>
[isObject Class]
{BE0B5843-553A-48C2-9A42-258A1D791AFC} <C:\PROGRA~1\pcast\hbcast.dll, Shanghai Henbang Technology Co., Ltd>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
<D:\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<D:\Thunder\Program\GetAllUrl.htm, N/A>

==================================
正在运行的进程
[PID: 680][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 772][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 796][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\Ati2evxx.dll] <ATI Technologies Inc.><6.14.10.4110>
[C:\WINDOWS\system32\wsfApi.dll] <N/A><N/A>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[C:\WINDOWS\system32\WxdfPlatform.dll] <N/A><N/A>
[C:\WINDOWS\system32\ic50_qcx.dll] <N/A><N/A>
[PID: 848][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 872][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1012][C:\WINDOWS\system32\Ati2evxx.exe] <ATI Technologies Inc.><6.14.10.4110>
[C:\WINDOWS\system32\Ati2edxx.dll] <ATI Technologies, Inc.><6, 14, 10, 2495>
[PID: 1028][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1096][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 1188][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 1284][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1860][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)>
[C:\WINDOWS\system32\CNMLM78.DLL] <CANON INC.><1.90.2.60>
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD78.DLL] <CANON INC.><1.90.2.60>
[PID: 344][C:\WINDOWS\system32\Ati2evxx.exe] <ATI Technologies Inc.><6.14.10.4110>
[C:\WINDOWS\system32\Ati2edxx.dll] <ATI Technologies, Inc.><6, 14, 10, 2495>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[PID: 1296][C:\WINDOWS\VM_STI.EXE] <VM.><4.2.610.4>
[C:\WINDOWS\system32\msdmo.dll] <N/A><N/A>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[PID: 1304][C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe] <ATI Technologies, Inc.><6.14.10.5134>
[C:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll] <ATI Technologies, Inc.><6.14.10.5134>
[C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.CHS] <ATI Technologies, Inc.><6.14.10.5134>
[C:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll] <ATI Technologies, Inc.><6.14.10.5134>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[PID: 1464][C:\Program Files\Rising\Rav\RavTask.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[PID: 580][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[PID: 628][C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\Update.exe] <N/A><N/A>
[C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\services.dll] <N/A><N/A>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[C:\Program Files\Internet Explorer\PLUGINS\new123.sys] <N/A><N/A>
[C:\WINDOWS\system32\tdll.dll] <N/A><N/A>
[C:\WINDOWS\system32\msdll.dll] <N/A><N/A>
[C:\WINDOWS\system32\ztdll.dll] <N/A><N/A>
[PID: 2852][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 3112][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 3152][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 2312][C:\Program Files\Rising\Rav\Rav.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 75>
[C:\WINDOWS\bGVub3Zv\asappsrv.dll] <><2.1.3.466>
[C:\Program Files\Rising\Rav\PlugIn\RsPgScan.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 17>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\RavUI.Dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 65>
[C:\Program Files\Rising\Rav\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 26>
[C:\Program Files\Rising\Rav\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\Scanner.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 32>
[C:\Program Files\Rising\Rav\BWList.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 19>
[C:\Program Files\Rising\Rav\RavUIMsg.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 27>
[C:\Program Files\Rising\Rav\RsStore.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\WINDOWS\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
[C:\Program Files\Rising\Rav\RavQu.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 17>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 3880][C:\WINDOWS\system32\conime.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 2868][D:\eMule\emule.exe] <http://www.emule.org.cn><0.47.0>
[D:\eMule\VNNClientS.Dll] <VNN><3.0.22.1>
[D:\eMule\ZipLib.dll] <VNN><1.0.0.1>
[D:\eMule\vdevstate.dll] <N/A><N/A>
[D:\eMule\lang\zh_CN.dll] <http://www.emule-project.net><0.47.0>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[D:\ALCOHO~1\axshlex.dll] <Alcohol Soft Development Team><1.9.5.3718>
[D:\Alcohol 120\alcoholx.dll] <Alcohol Soft Co., Ltd.><4.03.0.0>
[D:\Alcohol 120\PFCTOC.DLL] <Padus(R), Inc.><1, 0, 0, 12>
[D:\Alcohol 120\Plugins\Images\ccdmount.dll] <GENERIC><1.10.0.0>
[D:\Alcohol 120\Plugins\Images\nrgmount.dll] <GENERIC><1.11.0.0>
[D:\Alcohol 120\Plugins\Images\pdimount.dll] <GENERIC><1.01.0.0>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 928][D:\Maxthon\Maxthon.exe] <Maxthon International Ltd.><1, 5, 6, 42>
[D:\Maxthon\maxzlib.dll] < ><1, 0, 0, 2>
[D:\Maxthon\Services\RealTime\real_time.dll] <><1, 0, 0, 1>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx] <Adobe Systems, Inc.><9,0,16,0>
[PID: 3628][c:\windows\system32\wbem\smss.exe] <Microsoft><1.0.0.0>
[PID: 2428][E:\My Documents\sreng2\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>
[PID: 2900][C:\WINDOWS\explorer.exe] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\quartz32.dll] <><4, 1, 0, 0>

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================

我无邪 - 2006-9-26 0:14:00

建议你下载超级兔子。
http://www.pctutu.com/srmsdown.asp
安装好后，打开“超级兔子优化王”“专业卸载,卸载所有提示的垃圾软件，卸载是不要打开任何浏览窗口。卸载不了可以重启后再去卸载。

打开System Repair Engineer（也就是你的扫描日志软件SREng.exe），点“启动项目，服务，点“Win32服务应用程序”勾选“隐藏微软服务”选中病毒服务Network Monitor,Command Service，选择“删除服务”点“设置”选择“否”最后重启。（每一个逗号隔开的就是一个病毒的服务，请逐一删除）

请到http://forum.ikaka.com/topic.asp?board=67&artid=5188931，下载，LSPFix.exe，WinsockXPFix这两个软件
请到www.27814939.ys168.com,点“我的软件”下载KillBox.exe
重新启动电脑, 开机检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式进入Windows

运行LSPFix.exe
删除
quartz32.dll
附说明一份
LSPFix.exe这个软件主要用来辅助修复HijackThis扫描发现的O10项。
使用时，请关闭所有IE界面和文件夹界面后运行LSPFix，运行后，把要修复的那一个O10项从左边转到右边，点“Finish”即可。（不过这之前，需要在“I know what I`m doing”前面打勾。）

双击打开KillBox.exe，分别删除
C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\Update.exe
C:\PROGRA~1\pcast\hbcast.dll
C:\WINDOWS\system32\wsfApi.dll
C:\WINDOWS\system32\WxdfPlatform.dll
C:\WINDOWS\system32\ic50_qcx.dll
C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\services.dll
C:\Program Files\Internet Explorer\PLUGINS\new123.sys
C:\WINDOWS\system32\tdll.dll
C:\WINDOWS\system32\ztdll.dll
c:\windows\system32\wbem\smss.exe
C:\WINDOWS\bGVub3Zv\command.exe
C:\Program Files\Network Monitor
C:\WINDOWS\system32\quartz32.dll
（删除时勾选“删除前先结束Explorer.EXE进程”不行再试着勾选"删除DLL文件前反注册此文件"
给菜鸟的东东—KillBox的使用技巧
http://forum.ikaka.com/topic.asp?board=28&artid=8160799

打开System Repair Engineer（也就是你的扫描日志软件SREng.exe），使用“启动项目，注册表”来删除以下选项。
C:\Program Files\Common Files\{64B239F7-0892-2052-0909-050505160056}\Update.exe
C:\PROGRA~1\pcast\hbcast.dll
C:\WINDOWS\system32\wsfApi.dll
C:\WINDOWS\system32\WxdfPlatform.dll
C:\WINDOWS\system32\ic50_qcx.dll
完后重启，再扫个日志粘上来。

瑞星卡卡安全论坛