Rising Kaka Security Forum

西半球8 - 2006-11-18 16:25:00
Rogue software 3448: Kaka may not have removed it completely!!!
I got infected today. Kaka 3.0 reports that there is no rogue software left on the machine,
but when I scanned with 360 Safeguard (360安全卫士) it still found remnants... After rebooting, 360 Safeguard still shows them,
while Kaka shows nothing... Please advise...
c:\windows\system32\advapi.dll
Can this file be deleted?????????????
Is this a variant of 4199/9505/3448???
红夜鬼1 - 2006-11-18 16:31:00
Please download SREng2 (latest version), choose "Smart Scan" and press the "Scan" button.
When the scan finishes, press the "Save Report" button to save the report log file (SREng.LOG), then copy and paste
the contents of the saved log file here. If the log does not fit in one post, paste it over several posts. Please do not modify it.

Download link:
http://www.kztechs.com/sreng/sreng2.zip

西半球8 - 2006-11-18 16:49:00
西半球8 - 2006-11-18 16:53:00
2006-11-18,16:44:01

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><internat.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup>  [InstallShield Software Corporation]
    <ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start>  [InstallShield Software Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <360Safe><Rundll32.exe C:\PROGRA~1\360safe\AntiAdwa.dll,KillAdware>  [360Safe.com]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{87E9A375-55CC-4a8b-8DEC-5BA95BFD37E7}><c:\program files\rising\rav\huqvjxzu.dll>  [N/A]
    <{1A404685-7563-4d02-B0F6-58B308A406A9}><c:\program files\rising\rav\yapfulkm.dll>  [N/A]

==================================
启动文件夹
N/A
西半球8 - 2006-11-18 16:54:00
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Indexing Manager / License]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\rcvshw17.dll><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SoundMAX Agent Service / SoundMAX Agent Service (default)]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>

==================================
驱动程序
[BaseTDI / BaseTDI]
  <\??\C:\WINNT\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Cdr4_2K / Cdr4_2K]
  <C:\WINNT\SYSTEM32\DRIVERS\Cdr4_2K.SYS><Roxio>
[Cdralw2k / Cdralw2k]
  <C:\WINNT\SYSTEM32\DRIVERS\Cdralw2k.SYS><Roxio>
[dmboot / dmboot]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ExpScaner / ExpScaner]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[usb Card Device / ft2kEnum]
  <system32\DRIVERS\ic2kenum.sys><OEM Corporation>
[USB Chip Holder Service / GDBaseSmc]
  <system32\DRIVERS\smccardb.sys><OEM>
[GEMPC430 / GEMPC430]
  <System32\Drivers\gemusb.sys><Gemplus>
[HookCont / HookCont]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising tech Co. ltd>
[HookReg / HookReg]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[ialm / ialm]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[KWatch3 / KWatch3]
  <\??\C:\WINNT\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[MEMSCAN / MEMSCAN]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[MidiSyn / MidiSyn]
  <system32\drivers\MidiSyn.sys><Analog Devices Inc>
[npkcrypt / npkcrypt]
  <\??\D:\QQ\TMDlls\npkcrypt.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[SmartCard Reader Device  / Reader_Device]
  <system32\DRIVERS\usbic2k.sys><OEM>
[RsAntiSpyware / RsAntiSpyware]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RSPPSYS / RSPPSYS]
  <\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Realtek 10/100/1000 NIC Family all in one NDIS NT Driver / RTL8023]
  <system32\DRIVERS\Rtlnic.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[senfilt / senfilt]
  <system32\drivers\senfilt.sys><Sensaura>
[smwdm / smwdm]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[usb token Device Driver / token]
  <system32\DRIVERS\eps2kt1.sys><N/A>

==================================
浏览器加载项
[]
  {D7ECC3AC-9614-4DDB-8FAB-69B74554CD9D} <C:\DOCUME~1\saq\APPLIC~1\MICROS~1\AddIns\IE_HEL~1.DLL, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[InfoSecNetSign Class]
  {62B938C4-4190-4F37-8CF0-A92B0A91CC77} <C:\WINNT\system32\NetSign.dll, Infosec Technologies Co., Ltd.>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINNT\system32\wuweb.dll, Microsoft Corporation>
[Settings Class]
  {A996E48C-D3DC-4244-89F7-AFA33EC60679} <C:\WINNT\system32\capicom.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>

==================================
西半球8 - 2006-11-18 16:54:00
正在运行的进程
[PID: 148][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 176][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 172][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6898]
    [c:\program files\rising\rav\huqvjxzu.dll]  [, 1, 0, 0, 11]
[PID: 224][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.6700]
    [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
[PID: 236][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.6902]
[PID: 368][C:\WINNT\System32\SCardSvr.exe]  [Microsoft Corporation, 5.00.2195.6609]
[PID: 456][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 484][C:\Program Files\Rising\Rav\CCenter.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[PID: 540][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.6659]
[PID: 576][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 620][C:\WINNT\system32\regsvc.exe]  [Microsoft Corporation, 5.00.2195.6701]
[PID: 644][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6704]
[PID: 684][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe]  [Analog Devices, Inc., 3, 2, 6, 0]
[PID: 736][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
[PID: 752][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 912][C:\Program Files\Rising\Rav\RavStub.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 16]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[PID: 1144][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [c:\program files\rising\rav\huqvjxzu.dll]  [, 1, 0, 0, 11]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 21]
[PID: 1236][C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe]  [InstallShield Software Corporation, 3, 10, 100, 1146]
[PID: 1272][C:\WINNT\system32\ep2k_certd_bc.exe]  [, 1, 0, 4, 1011]
    [C:\WINNT\system32\ep2pk11_bc.dll]  [, 2, 4, 4, 1202]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
[PID: 1308][C:\WINNT\system32\ep2k_mon_bc.exe]  [, 1, 1, 4, 1202]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
[PID: 1324][C:\WINNT\system32\rundll32.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
[PID: 1352][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
[PID: 1364][C:\WINNT\system32\b0ti7w.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
[PID: 1276][C:\Program Files\Rising\Rav\RsAgent.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 12]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
[PID: 1396][C:\WINNT\msagent\AgentSvr.exe]  [Microsoft Corporation, 2.00.0.3422]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
[PID: 824][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2800.1106]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\KakaTool.dll]  [Beijing Rising Technology Co., Ltd., 2, 0, 2, 1]
    [C:\WINNT\system32\Macromed\Flash\Flash9.ocx]  [Adobe Systems, Inc., 9,0,16,0]
    [C:\WINNT\system32\WINWB86.IME]  [Microsoft Corporation, 4.00.950]
[PID: 1128][C:\Documents and Settings\saq\桌面\090\SREng\SREng.exe]  [Smallfrogs Studio, 2.2.6.605]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\NpOpenStore.dll]  [N/A, N/A]
    [C:\WINNT\system32\NPCard.dll]  [N/A, N/A]
    [C:\WINNT\system32\RsaFun.dll]  [N/A, N/A]
    [C:\WINNT\system32\GPKPCSC.dll]  [N/A, N/A]

==================================
文件关联
.TXT  Error. [notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. [hh.exe %1]
.HLP  Error. [C:\WINNT\system32\winhlp32.exe %1]
.INI  Error. [notepad.exe %1]
.INF  Error. [notepad.exe %1]
.VBS  Error. [wscript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
125.91.14.230 www.kzdh.com
125.91.14.230 www.7255.com
125.91.14.230 www.7322.com
125.91.14.230 www.7939.com
125.91.14.230 www.piaoxue.com
125.91.14.230 www.feixu.net
125.91.14.230 www.6781.com
125.91.14.230 www.7b.com.cn
125.91.14.230 7b.com.cn
125.91.14.230 www.918188.com
125.91.14.230 hao.allxue.com
125.91.14.230 good.allxue.com
125.91.14.230 baby.allxue.com
125.91.14.230 www.allxue.com
125.91.14.230 about.lank.la
125.91.14.230 www.x114x.com
125.91.14.230 www.37ss.com
125.91.14.230 www.7k.cc
125.91.14.230 www.73ss.com
125.91.14.230 www.hao123.com
125.91.14.230 www.81915.com
125.91.14.230 222.88.90.22
125.91.14.230 www.9991.com
125.91.14.230 www.my123.com
125.91.14.230 www.haokan123.com
125.91.14.230 www.5566.net
125.91.14.230 www.gjj.cc
125.91.14.230 www.2345.com
125.91.14.230 dl.hao318.com
125.91.14.230 www.123wa.com

==================================
红夜鬼1 - 2006-11-18 17:01:00
Show hidden files.
Delete:
C:\WINNT\system32\drivers\3shazo.sys
C:\WINNT\system32\hazod.dll
C:\WINNT\system32\b0ti7w.exe
If they cannot be deleted, go to the pinned thread in the anti-virus forum, download IceSword (冰刃) and delete them with it. Do not do this in Safe Mode, because with a 3448 infection you cannot get into Safe Mode.

Run SREng2, go to "Startup Items" -- HOSTS file -- and delete:
125.91.14.230 www.kzdh.com
125.91.14.230 www.7255.com
125.91.14.230 www.7322.com
125.91.14.230 www.7939.com
125.91.14.230 www.piaoxue.com
125.91.14.230 www.feixu.net
125.91.14.230 www.6781.com
125.91.14.230 www.7b.com.cn
125.91.14.230 7b.com.cn
125.91.14.230 www.918188.com
125.91.14.230 hao.allxue.com
125.91.14.230 good.allxue.com
125.91.14.230 baby.allxue.com
125.91.14.230 www.allxue.com
125.91.14.230 about.lank.la
125.91.14.230 www.x114x.com
125.91.14.230 www.37ss.com
125.91.14.230 www.7k.cc
125.91.14.230 www.73ss.com
125.91.14.230 www.hao123.com
125.91.14.230 www.81915.com
125.91.14.230 222.88.90.22
125.91.14.230 www.9991.com
125.91.14.230 www.my123.com
125.91.14.230 www.haokan123.com
125.91.14.230 www.5566.net
125.91.14.230 www.gjj.cc
125.91.14.230 www.2345.com
125.91.14.230 dl.hao318.com
125.91.14.230 www.123wa.com
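The two things the reply above points at in the pasted SREng report are (a) modules with no vendor information (`[N/A, N/A]` or an empty vendor) mapped into many processes, including a `.sys` file mapped into user-mode processes, and (b) a HOSTS section that pins dozens of hostnames to one address. The following script, added here as an example and not code from the thread, from SREng or from any tool mentioned in it, parses an SREng 2 report in the layout shown above, flags both patterns, and lists the exact HOSTS lines the cleanup step deletes. The sample report is a constructed abbreviation of the one pasted in the thread, and the thresholds `min_procs` and `min_names` are assumptions.

```python
"""Triage helpers for an SREng 2 report (example code for this thread, not part of SREng).

Assumes the report layout pasted in the thread: the "正在运行的进程" section lists
'[PID: n][exe]  [vendor, version]' lines followed by indented '[module]  [vendor, version]'
lines, the "HOSTS 文件" section lists 'ip hostname' lines, and each section ends at a
line of '=' characters.
"""
import re
from collections import defaultdict

# Constructed sample, abbreviated from the report pasted in the thread (not the full log).
SAMPLE_LOG = r"""
正在运行的进程
[PID: 172][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6898]
    [c:\program files\rising\rav\huqvjxzu.dll]  [, 1, 0, 0, 11]
[PID: 1144][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [c:\program files\rising\rav\huqvjxzu.dll]  [, 1, 0, 0, 11]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 21]
[PID: 1364][C:\WINNT\system32\b0ti7w.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\drivers\3shazo.sys]  [N/A, N/A]
    [C:\WINNT\system32\hazod.dll]  [N/A, N/A]

==================================
HOSTS 文件
125.91.14.230 www.hao123.com
125.91.14.230 www.2345.com
125.91.14.230 www.9991.com
125.91.14.230 222.88.90.22
127.0.0.1 localhost

==================================
"""

PROC_RE = re.compile(r"^\[PID: (\d+)\]\[(.+?)\]\s+\[(.*)\]$")
MOD_RE = re.compile(r"^\s+\[(.+?)\]\s+\[(.*)\]$")
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
LOOPBACK = {"127.0.0.1", "::1"}


def section_lines(text, header):
    """Yield the lines of one report section, from its header to the '====' terminator."""
    inside = False
    for line in text.splitlines():
        if line.rstrip() == header:   # exact, unindented header: the checklist near the
            inside = True             # top of a report indents the same words
            continue
        if inside:
            if line.startswith("===="):
                return
            yield line


def parse_processes(text):
    """Map each loaded module (lower-cased path) to its vendor string and the PIDs it is mapped into."""
    modules = defaultdict(lambda: {"vendor": "", "pids": set()})
    pid = None
    for line in section_lines(text, "正在运行的进程"):
        m = PROC_RE.match(line)
        if m:
            pid = int(m.group(1))
            continue
        m = MOD_RE.match(line)
        if m and pid is not None:
            path = m.group(1).lower()
            modules[path]["vendor"] = m.group(2).split(",")[0].strip()  # text before the version
            modules[path]["pids"].add(pid)
    return dict(modules)


def suspicious_modules(modules, min_procs=2):
    """Leads for a human to confirm: modules with no vendor/signature info mapped into
    min_procs or more processes, and driver (.sys) files mapped into user-mode processes."""
    findings = {}
    for path, info in modules.items():
        reasons = []
        if info["vendor"] in ("", "N/A") and len(info["pids"]) >= min_procs:
            reasons.append("no vendor info, mapped into %d processes" % len(info["pids"]))
        if path.endswith(".sys"):
            reasons.append("driver file mapped into a user-mode process")
        if reasons:
            findings[path] = reasons
    return findings


def hosts_clusters(text, min_names=3):
    """Non-loopback addresses that min_names or more hostnames are pinned to."""
    names = defaultdict(set)
    for line in section_lines(text, "HOSTS 文件"):
        m = HOSTS_RE.match(line.strip())
        if m and m.group(1) not in LOOPBACK:
            names[m.group(1)].add(m.group(2).lower())
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= min_names}


def hosts_lines_to_remove(text, ips):
    """The exact HOSTS lines whose address is in ips, i.e. what the cleanup step deletes."""
    return [line.strip() for line in section_lines(text, "HOSTS 文件")
            if (m := HOSTS_RE.match(line.strip())) and m.group(1) in ips]


def triage(text):
    clusters = hosts_clusters(text)
    return {"modules": suspicious_modules(parse_processes(text)),
            "hosts_clusters": clusters,
            "hosts_remove": hosts_lines_to_remove(text, set(clusters))}


if __name__ == "__main__":
    for kind, result in triage(SAMPLE_LOG).items():
        print(kind)
        for item in (result.items() if isinstance(result, dict) else result):
            print("   ", item)
```

On the full report in the thread, `suspicious_modules` would surface `hazod.dll`, `3shazo.sys` and the unnamed-vendor `huqvjxzu.dll` loaded into winlogon.exe and Explorer.EXE, and `hosts_clusters` would return the single address 125.91.14.230 with all thirty hostnames; `hosts_lines_to_remove` then reproduces the list the reply tells the poster to delete in SREng's HOSTS editor. The output is a set of leads to confirm by hand (a legitimate product can ship unsigned modules), which is why the functions return the evidence rather than deleting anything.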
狼图腾110 - 2006-11-18 21:31:00
Nothing is perfect.
西半球8 - 2006-11-19 8:26:00
Bro, where is IceSword? I can't find it. Give me a link????
Haha
红夜鬼1 - 2006-11-19 9:40:00
IceSword v1.20 (beginners use with caution)
① This is a sharp blade for cutting off the hidden hand. It works on Windows 2000/XP/2003, and its internals are very powerful; it is used to hunt down the backstage operators in a system, trojan backdoors, and deal with them. You may have used many tools with similar functions, such as process tools and port tools, but today's system-level backdoors are ever more capable and can easily hide processes, ports, registry entries and file information; ordinary tools simply cannot discover these "hidden hands". IceSword uses a great deal of novel kernel technology so that these backdoors have nowhere to hide. Naturally, using it requires some operating-system knowledge. Please read the instructions carefully before use.
Before explaining the software, the number one caution: do not have a kernel debugger (such as SoftICE) active while this program is running, otherwise the system may crash immediately. Also, save your data before use, in case an unknown bug causes loss.
IceSword is currently designed only for systems with 32-bit x86-compatible CPUs, and running IceSword requires administrator rights.

IceSword 1.20 has few functional changes... not much different from 1.18...

② Latest version download address:
Chinese version: http://202.38.64.10/~jfpan/download/IceSword120_cn.zip  MD5: cfb8514add1fbfb510b0084e837e561c
qjqyy - 2006-12-28 11:35:00
Boss, mine is the same, but I don't have these:
Show hidden files.
Delete:
C:\WINNT\system32\drivers\3shazo.sys
C:\WINNT\system32\hazod.dll
C:\WINNT\system32\b0ti7w.exe
qjqyy - 2006-12-28 11:51:00
I used your IceSword to delete c:\windows\system32\advapi.dll and then everything was fine.
I don't know whether that file was of any use.