中招了,中了个明的,查的时候才发现早中了个暗的.... bbs.ikaka.com

起飞之前 - 2007-3-4 0:10:00

刚才8点不到的时候下载游戏呢,下了个618K的执行文件

以为是BT呢..运行了以后就后悔莫急了

具体症状是修改主页(我修改回来了)和添加收藏夹里的东西(本来还是不可修改的暗灰色,不过我删了),还安装了几个流氓软件(手动删除了,不知道现在会不会又恢复了...),试图连接网络和弹网页,顺便再BS下瑞星,虽然过了所谓期限,居然发现了病毒不删除,让手动删!
在驱动服务里有几项问题,可删不掉,DLL挂在Userinit.exe和explorer.exe里...也没分清楚哪个进程的问题,修改注册表无效,能进行编辑,就是好象存不上,瑞星不报告有修改动作,瑞星本来是红伞了,我乱删了一气可疑文件后变绿了.还有等等删了又出来的文件.....
上面说的是明的,我还发现我C盘少了的150M的空间,1周前吧,注意到C少了150M的空间,很纳闷,一直都比较有数的,几天没注意就少掉了,结果在C:\Documents and Settings\HHH\Local Settings\Temporary Internet Files里发现了个隐藏了个Content.IE5的文件夹,说的隐藏是很彻底的隐藏,我一直是打开着显示系统,显示隐藏文件和不点选隐藏保护系统文件,可就这样也看不见他,是瑞星在他的深层文件夹发现了病毒文件,我要手动删除的时候,才知道有他的存在,里面是些7J25YLXW,8TEJE12J,AJSDM1OH这样名字的文件夹,而里面存放的内容却吓了我一跳,大多是我最近上网的网页内容,虽然我没去找网页运行,可从JPG,GIF的图片能看出来,甚至有我在WWW.OUOU.COM上看的视频,fLV格式的(以前专门在网页缓存里找都没找到...)都被完整的存在里面,一开始都怀疑是OUOU专门做的手脚,可也有我浏览别的网页时的东西,我估计一会进去也能看见卡卡的东西...问下谁也有这情况么?
扫描完了,我发日志,晚了,怕是要明天才有人回了...

起飞之前 - 2007-3-4 0:13:00

我猜的果然没错,上了网就给我偷偷的下东西,又挂了几个IE插件..不删了,再扫描遍....

起飞之前 - 2007-3-4 0:17:00

[CODE]

2007-03-04,00:04:49

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<Virtual Drive><C:\Program Files\FarStone\VirtualDrive\vdtask.exe> [FarStone Technology Inc.]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<RavTask><"C:\Program Files\rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<IMEKRMIG6.1><C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE> [(Verified)Microsoft Corporation]
<MSPY2002><C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC> [(Verified)N/A]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<RAMDrive><"C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"> [N/A]
<VirtualDrive><"C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore> [FarStone Technology Inc.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> [N/A]
<DAEMON Tools><"C:\Program Files\DAEMON Tools\daemon.exe" -lang 2052> [(Verified)DT Soft Ltd.]
<DaemonTools_WhenUSave_Installer><C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe> [WhenU.com, Inc.]
<runeip><C:\Program Files\rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]
<uckcea57><%systemroot%\system32\Rundll32.exe "%systemroot%\system32\uckcea57.dll",Start> []
<gzlkdy47><%systemroot%\system32\Rundll32.exe "%systemroot%\system32\gzlkdy47.dll",Start> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<RavStub><"C:\Program Files\rising\Rav\ravstub.exe" /RUNONCE> [Beijing Rising Technology Co., Ltd.]
<KKDelay><C:\Program Files\rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070227.dll start> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Corporation]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{4ED6E0B5-F47A-4609-A940-11CF60FDC3C3}><C:\WINDOWS\system32\mctet.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Corporation]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg]
<WinlogonNotify: cryptimg><cryptimg.dll> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Corporation]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Corporation]

起飞之前 - 2007-3-4 0:18:00

==================================
启动文件夹
N/A

==================================
服务
[ELSA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon][Running/Auto Start]
<"C:\Program Files\rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
<system32\drivers\ac97intc.sys><Intel Corporation>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[C-Media PCI Audio Driver (WDM) / cmpci][Stopped/Manual Start]
<system32\drivers\cmaudio.sys><C-Media Inc>
[Sundance ST201 based Adapter NT Driver / DLH5X][Running/Manual Start]
<system32\DRIVERS\DLH5XND5.sys><D-Link Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\ExpScan.sys><>
[fcdabus / fcdabus][Running/Manual Start]
<system32\DRIVERS\fcdabus.sys><FarStone Inc.>
[RamDisk Drive Service / fsRamDsk][Running/Manual Start]
<System32\Drivers\fsRamDsk.sys><FarStone>
[FVDSCSI / FVDSCSI][Running/Manual Start]
<system32\DRIVERS\fvdscsi.sys><FarStone Inc.>
[hidproc / hidproc][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\hidproc.sys><Microsoft Corporation>
[HookCont / HookCont][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
<\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[jdy#hook / jdy#hook][Stopped/Manual Start]
<\??\D:\按键精灵\hknm.sys><N/A>
[Logitech WingMan Digital Devices(Auto-Detect) / LwAdiHid][Stopped/Manual Start]
<system32\DRIVERS\LwAdiHid.sys><Logitech Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
<\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\Program Files\Tencent\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[NPPTNT2 / NPPTNT2][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\npptNT2.sys><INCA Internet Co., Ltd.>
[Gravis GamePort device driver / ntgrip][Stopped/Manual Start]
<system32\drivers\ntgrip.sys><Kensington Technology Group>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[StarForce Protection Environment Driver v6 / prodrv06][Stopped/Disabled]
<\SystemRoot\System32\drivers\prodrv06.sys><Protection Technology>
[StarForce Protection Helper Driver v2 / prohlp02][Stopped/Disabled]
<\SystemRoot\System32\drivers\prohlp02.sys><Protection Technology>
[StarForce Protection Synchronization Driver v1 / prosync1][Stopped/Disabled]
<\SystemRoot\System32\drivers\prosync1.sys><Protection Technology>
[Psx Hid to Gamepad Port Enabler / PSXGamepadEnabler][Running/Manual Start]
<system32\drivers\psxpad.sys><Y.Kimura>
[Psx Port Enumerator / PsxPortEnumerator][Running/Manual Start]
<System32\Drivers\psxenum.sys><Y.Kimura>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Stopped/Disabled]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\C:\Program Files\rising\Rav\RSPPSYS.sys><Rising>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<system32\DRIVERS\RTL8139.SYS><N/A>
[Secdrv / Secdrv][Running/Auto Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Helper Driver / sfhlp01][Stopped/Disabled]
<\SystemRoot\System32\drivers\sfhlp01.sys><Protection Technology>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Disabled]
<system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[uckcea5 / uckcea57][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\uckcea57.sys><N/A>
[Motorola USB Modem Driver for MPT / usbsermpt][Stopped/Manual Start]
<system32\DRIVERS\usbsermpt.sys><Microsoft Corporation>
[ffpbek / ffpbek][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\ffpbek.sys><Microsoft Corporation>
[https / https][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\https.sys><Microsoft Corporation>
[lanfs / lanfs][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\lanfs.sys><Microsoft Corporation>
[i82440bx / i82440bx][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\i82440bx.sys><Microsoft Corporation>

起飞之前 - 2007-3-4 0:19:00

==================================
浏览器加载项
[Thunder Browser Helper]
{0005A87C-D626-4B3A-84F9-1D9571695F55} <d:\Thunder\ComDlls\XunLeiBHO_006.dll, Thunder Networking Technologies,LTD>
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINDOWS\system32\xunleibho_v14.dll, Thunder Networking Technologies,LTD>
[]
{3fc3ce01-3227-4e0d-ae2b-1b294ae19f4f} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[]
{8747e2f6-0d00-480b-8b0d-4e03f37a8dbf} <C:\WINDOWS\system32\480bcfsb.dll, N/A>
[浩方对战平台]
{0A155D3C-68E2-4215-A47A-E800A446447A} <D:\浩方对战平台\GameClient.exe, 上海浩方在线信息技术有限公司>
[CaiFuCOM Class]
{C1F0024B-8278-4999-B7E6-2718426D9FE6} <C:\Program Files\财富通\caif.dll, N/A>
[3227]
{DFCB34B6-902D-426E-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[Thunder Browser Helper]
{0005A87C-D626-4B3A-84F9-1D9571695F55} <d:\Thunder\ComDlls\XunLeiBHO_006.dll, Thunder Networking Technologies,LTD>
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINDOWS\system32\xunleibho_v14.dll, Thunder Networking Technologies,LTD>
[]
{3FC3CE01-3227-4E0D-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[]
{8747E2F6-0D00-480B-8B0D-4E03F37A8DBF} <C:\WINDOWS\system32\480bcfsb.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[3227]
{DFCB34B6-902D-426E-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[&使用迅雷下载]
<d:\Thunder\Program\geturl.htm, N/A>
[&使用迅雷下载全部链接]
<d:\Thunder\Program\getallurl.htm, N/A>
[上传到QQ网络硬盘]
<C:\Program Files\Tencent\qq\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<C:\Program Files\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
<C:\Program Files\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<C:\Program Files\Tencent\qq\SendMMS.htm, N/A>

起飞之前 - 2007-3-4 0:21:00

==================================
正在运行的进程
[PID: 468][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 540][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 564][\??\C:\WINDOWS\SYSTEM32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\cryptimg.dll] [Microsoft Corporation, 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 608][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 620][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 772][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 820][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 900][C:\Program Files\rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[PID: 920][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1036][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1152][C:\Program Files\rising\Rav\Ravmond.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 43]
[C:\Program Files\rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\rising\Rav\rfwctrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[C:\Program Files\rising\Rav\RsPPsys.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[C:\Program Files\rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\rising\Rav\RsLog.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 20]
[C:\Program Files\rising\Rav\HOOKSYS.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 0]
[C:\Program Files\rising\Rav\Scanner.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 12]
[C:\Program Files\rising\Rav\libload.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
[C:\Program Files\rising\Rav\VirusLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 10]
[C:\Program Files\rising\Rav\regmon.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 6]
[C:\Program Files\rising\Rav\psapi.dll] [Microsoft Corporation, 4.00]
[C:\Program Files\rising\Rav\HookWeb.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 1]
[C:\Program Files\rising\Rav\MemMon.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 12]
[C:\Program Files\rising\Rav\expscan.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\Program Files\rising\Rav\mPorts.dll] [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
[C:\Program Files\rising\Rav\HookCont.dll] [Rising, 19, 0, 0, 0]
[C:\Program Files\rising\Rav\SpamEng.dll] [N/A, 18, 0, 0, 6]
[C:\Program Files\rising\Rav\engine.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 20]
[C:\Program Files\rising\Rav\PostTrt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 8]
[C:\Program Files\rising\Rav\UnExe.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\rising\Rav\ScanExec.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 16]
[C:\Program Files\rising\Rav\ScanEx.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 34]
[C:\Program Files\rising\Rav\ExtFile.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 23]
[C:\Program Files\rising\Rav\NvFile.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 11]
[C:\Program Files\rising\Rav\ScanMac.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 13]
[C:\Program Files\rising\Rav\ScanSct.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 19]
[C:\Program Files\rising\Rav\Unpacker.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 17]
[C:\Program Files\rising\Rav\ScanPack.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 18]
[C:\Program Files\rising\Rav\RsVM.dll] [N/A, 19, 0, 0, 13]
[C:\Program Files\rising\Rav\Uroutine.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 19]
[C:\Program Files\rising\Rav\Uscript.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 17]
[C:\Program Files\rising\Rav\ScanNet.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\Program Files\rising\Rav\RsStore.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[PID: 1344][c:\program files\rising\rfw\rfwsrv.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 30]
[c:\program files\rising\rfw\RfwRule.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 3]
[c:\program files\rising\rfw\rfwlog.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 2]
[c:\program files\rising\rfw\Rfwdrv.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 10]
[c:\program files\rising\rfw\psapi.dll] [Microsoft Corporation, 4.00]
[c:\program files\rising\rfw\MonDrv.dll] [rs, 1, 0, 0, 4]
[c:\program files\rising\rfw\ProcLib.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 5]
[c:\program files\rising\rfw\mPorts.dll] [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
[PID: 1512][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1696][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\hpzpp3xu.dll] [Hewlett-Packard Corporation, 60.051.641.00]
[PID: 1840][C:\Program Files\rising\Rav\RavStub.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
[C:\Program Files\rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 2024][c:\program files\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[c:\program files\rising\rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 31]
[c:\program files\rising\rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[c:\program files\rising\rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[c:\program files\rising\rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[c:\program files\rising\rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 180][C:\WINDOWS\system32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.5303]
[PID: 184][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

起飞之前 - 2007-3-4 0:21:00

[PID: 1060][C:\Program Files\rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1464][C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe] [, 1, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\VHD\FsLodLib.dll] [, 1, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\VHD\RDrvInterface.dll] [, 1, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\VHD\RDTask_RC.dll] [, 1, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\VHD\RDrv2KInterface.dll] [, 1, 0, 0, 1]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 444][C:\Program Files\FarStone\VirtualDrive\VDTask.exe] [FarStone Technology Inc., 7, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\FsLodLib.dll] [, 1, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\FarTCP.dll] [FarStone Technology Inc., 7, 0, 0, 0]
[C:\Program Files\FarStone\VirtualDrive\vdtask_RC.dll] [FarStone Technology Inc., 7, 0, 0, 1]
[C:\Program Files\FarStone\VirtualDrive\EvalInterface.dll] [, 1, 0, 0, 1]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 2120][C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe] [WhenU.com, Inc., 1, 0, 2, 2]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 2668][C:\Program Files\rising\Rav\RavMon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
[C:\Program Files\rising\Rav\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 28]
[C:\Program Files\rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[C:\Program Files\rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 3000][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 3724][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[d:\Thunder\ComDlls\XunLeiBHO_006.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 3]
[C:\WINDOWS\system32\xunleibho_v14.dll] [Thunder Networking Technologies,LTD, 4, 6, 0, 62]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\WINDOWS\system32\vgdshell.dll] [FarStone Technology Inc., 1,7, 0, 0]
[C:\WINDOWS\system32\VGDShlRc.dll] [FarStone Technology Inc., 1,7, 0, 0]
[C:\Program Files\FarStone\VirtualDrive\BurnInterFace.dll] [, 1, 0, 0, 1]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\WINDOWS\system32\mctet.dll] [, 5, 3, 1, 120]
[C:\Program Files\FarStone\VirtualDrive\VDExt900.dll] [, 1, 0, 0, 1]
[PID: 848][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[d:\Thunder\ComDlls\XunLeiBHO_006.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 3]
[C:\WINDOWS\system32\xunleibho_v14.dll] [Thunder Networking Technologies,LTD, 4, 6, 0, 62]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[C:\Program Files\rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\WINDOWS\system32\4e0dntos.dll] [N/A, N/A]
[C:\WINDOWS\system32\480bcfsb.dll] [N/A, N/A]
[PID: 2816][F:\常用工具\手工杀毒工具集\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================

[/CODE]

起飞之前 - 2007-3-4 0:33:00

搞的头昏昏,占个位置,洗洗睡了...
把那个元凶发上来请高手研究下,已经打包,用RAR格式,加后缀名JPG了,...菜鸟别以为是图片下载玩哈~~

顺便提下现在我打开某个驱动器时,瑞星就发现个病毒在临时文件夹里...

....论坛改了?怎么提示我发的图片错误,算了不发就不发了,真要需要了,留个邮箱给我

fjsclzr - 2007-3-4 0:42:00

升级瑞星完后制作U盘杀毒盘关掉网络重启杀一下试试,还有就是再用诺顿等其他杀毒软件试试,不同的杀毒软件有不同的特点

起飞之前 - 2007-3-4 0:49:00

谢谢,先不说瑞星了,电脑比较老,还不支持U盘启动...-_-!其他的杀毒软件正在寻找ing...

Ahtiman - 2007-3-4 3:00:00

我不太想害你,你家的东西太多了,不认得的很多,怕让你删错了~~~

起飞之前 - 2007-3-4 18:31:00

嘿嘿~不怕不怕,我已经做好重做系统的心理准备了,就是不服气找不到病根在哪,比较添乱的是前面刚装了2个新版本的虚拟光驱,都搞什么支持加密光驱,虚拟了好几个驱动,还没分清楚哪个是白道呢,就中了黑道,现在我全糊了...

peichunhui - 2007-3-4 19:14:00

Content.IE5 这是什么玩意? 我的c盘用瑞星杀毒的时候也有不知道是什么东东

newcenturymoon - 2007-3-4 19:18:00

启动计算机进入安全模式(开机后不断按F8键然后出来一个高级菜单选择第一项安全模式进入系统)
打开sreng （就是你扫日志的软件）启动项目注册表
删除<uckcea57><%systemroot%\system32\Rundll32.exe "%systemroot%\system32\uckcea57.dll",Start> []
<gzlkdy47><%systemroot%\system32\Rundll32.exe "%systemroot%\system32\gzlkdy47.dll",Start> []
<{4ED6E0B5-F47A-4609-A940-11CF60FDC3C3}><C:\WINDOWS\system32\mctet.dll> []
双击Userinit 把其键值改为C:\WINDOWS\SYSTEM32\Userinit.exe,

双击我的电脑－工具－文件夹选项－查看－显示所有文件和文件夹，把“隐藏受保护的系统文件”的勾去掉。
然后删除如下文件C:\WINDOWS\system32\4e0dntos.dll
C:\WINDOWS\system32\480bcfsb.dll
C:\WINDOWS\system32\mctet.dll

起飞之前 - 2007-3-5 23:11:00

先谢谢newcenturymoon

照你的办法试过了,安全模式下还是删不干净.
昨天卸了瑞星,找了个地方下了了卡巴,升到最新病毒库后狂杀一气,反反复复的杀了100+病毒,经常是才杀完,再扫描还有病毒.中间更有数个小时是卡巴启动后发现内存有病毒删不掉,所以自动重起,重起后又发现病毒又杀,然后再重起,再杀再重起.....后来还是用98盘进了DOS,把我记的名字的那些文件挨个手动删除(10+个)后,才没有这样反复启动...现在总算是暂时风平浪静了,可依然有可疑的迹象.我截了几张图拼了下.

附件: 499189200735230225.jpg

起飞之前 - 2007-3-5 23:13:00

再发下今天的日志,大家帮忙哈~
[CODE]

2007-03-05,22:05:32

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<IMEKRMIG6.1><C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE> [(Verified)Microsoft Corporation]
<MSPY2002><C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC> [(Verified)N/A]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Corporation]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg]
<WinlogonNotify: cryptimg><cryptimg.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[Kaspersky Anti-Virus 6.0 / AVP][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[ELSA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>

起飞之前 - 2007-3-5 23:14:00

==================================
驱动程序
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
<system32\drivers\ac97intc.sys><Intel Corporation>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[C-Media PCI Audio Driver (WDM) / cmpci][Stopped/Manual Start]
<system32\drivers\cmaudio.sys><C-Media Inc>
[Sundance ST201 based Adapter NT Driver / DLH5X][Running/Manual Start]
<system32\DRIVERS\DLH5XND5.sys><D-Link Corporation>
[hidproc / hidproc][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\hidproc.sys><Microsoft Corporation>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[lanfs / lanfs][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\lanfs.sys><Microsoft Corporation>
[Logitech WingMan Digital Devices(Auto-Detect) / LwAdiHid][Stopped/Manual Start]
<system32\DRIVERS\LwAdiHid.sys><Logitech Inc.>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\Program Files\Tencent\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[NPPTNT2 / NPPTNT2][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\npptNT2.sys><INCA Internet Co., Ltd.>
[Gravis GamePort device driver / ntgrip][Stopped/Manual Start]
<system32\drivers\ntgrip.sys><Kensington Technology Group>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[StarForce Protection Environment Driver v6 / prodrv06][Stopped/Auto Start]
<\SystemRoot\System32\drivers\prodrv06.sys><Protection Technology>
[StarForce Protection Helper Driver v2 / prohlp02][Running/Auto Start]
<\SystemRoot\System32\drivers\prohlp02.sys><Protection Technology>
[StarForce Protection Synchronization Driver v1 / prosync1][Running/Auto Start]
<\SystemRoot\System32\drivers\prosync1.sys><Protection Technology>
[Psx Hid to Gamepad Port Enabler / PSXGamepadEnabler][Running/Manual Start]
<system32\drivers\psxpad.sys><Y.Kimura>
[Psx Port Enumerator / PsxPortEnumerator][Running/Manual Start]
<System32\Drivers\psxenum.sys><Y.Kimura>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Running/Auto Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Helper Driver / sfhlp01][Running/Auto Start]
<\SystemRoot\System32\drivers\sfhlp01.sys><Protection Technology>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Auto Start]
<system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>

==================================
浏览器加载项
[]
{3fc3ce01-3227-4e0d-ae2b-1b294ae19f4f} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[Web Anti-Virus]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
[3227]
{DFCB34B6-902D-426E-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[]
{3FC3CE01-3227-4E0D-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>
[3227]
{DFCB34B6-902D-426E-AE2B-1B294AE19F4F} <C:\WINDOWS\system32\4e0dntos.dll, N/A>

==================================
正在运行的进程
[PID: 552][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 608][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 632][\??\C:\WINDOWS\SYSTEM32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 6.0.2.542]
[PID: 676][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 688][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 844][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 892][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 968][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1064][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1184][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1400][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 6.0.2.542]
[PID: 1520][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\hpzpp3xu.dll] [Hewlett-Packard Corporation, 60.051.641.00]
[PID: 1524][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1948][C:\WINDOWS\system32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.5303]
[PID: 1932][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2068][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2444][F:\常用工具\手工杀毒工具集\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
警告！System Repair Engineer 提醒
你下面的函数内容与预期值不符，他
们可能被一些恶意的软件所修改：
RVA 错误： LoadLibraryA
RVA 错误： LoadLibraryExA
RVA 错误： LoadLibraryExW
RVA 错误： LoadLibraryW

==================================

[/CODE]

瑞星卡卡安全论坛