瑞星卡卡安全论坛

最近两天我的电脑用瑞星免费查毒（19.13）经常先出现这个 Trojan.psw.wordonline ，然后有出现好几个Trojan.psw开头的病毒提示，我不知道他是什么木马或病毒，我的电脑c盘是干净的，有还原卡保护，但最近几天一开机上网浏览网页不一会就出现上面的提示，随后瑞星被非法关闭，提示内存什么区块错误，瑞星进程被杀掉，出现可以进程若干个，系统变慢。 我该如何对付这个东西！请高手指教！

下载 System Repair Engineer，
http://www.kztechs.com/sreng/download.html
1 解压缩sreng2.zip
2 运行SREng.exe
3 智能扫描=》扫描=》保存报告
4 把日志中的报告完整拷贝贴上来，不要修改

扫描出现AppInit_DLLs=APIhookdll.dll
什么意思

没事

灾难再次终于出现 瑞星进程被病毒杀死了

SREng智能扫描
第一次
[CODE]

2007-03-24,19:54:44

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - 管理权

限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVer

sion\Run]
    <Internat.exe><internat.exe>  [(Verified)Microsoft

Windows 2000 Publisher]
    <PhMain><C:\Program Files\PeanutHull3\Phmain.exe>  [

广东网域]
[HKEY_CURRENT_USER\Software\Microsoft\Windows

NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVe

rsion\Run]
    <IgfxTray><C:\WINNT\system32\igfxtray.exe> 

[(Verified)Microsoft Windows Hardware Compatibility

Publisher]
    <HotKeysCmds><C:\WINNT\system32\hkcmd.exe> 

[(Verified)Microsoft Windows Hardware Compatibility

Publisher]
    <SoundMan><soundman.exe>  [Avance Logic, Inc.]
    <Soltek><C:\WINNT\system32\autorun.exe>  []
    <runeip><C:\Program

Files\Rising\AntiSpyware\runiep.exe>  [Beijing Rising

Technology Co., Ltd.]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe"

-system>  [Beijing Rising Technology Co., Ltd.]
    <mppjds><C:\WINNT\mppjds.exe>  []
    <cmdbcs><C:\WINNT\cmdbcs.exe>  []
    <winform><C:\WINNT\winform.exe>  []
    <msccrt><C:\WINNT\msccrt.exe>  []
    <upxdnd><C:\WINNT\TEMP\TIMPLATF0RM.exe>  []
    <wgs3><C:\WINNT\wgs3.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows

2000 Publisher]
    <Userinit><C:\WINNT\system32\userinit.exe,> 

[(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVe

rsion\Explorer\ShellExecuteHooks]
   

<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system

32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><(无)>  [N/A]

==================================
启动文件夹
[meibuddns43]
  <C:\Documents and Settings\All Users\「开始」菜单\程序

\启动\meibuddns43.lnk -->

C:\PROGRA~1\MEIBUD~1\meibu\MEIBUD~1.EXE [N/A]><N>

==================================
服务
[Logical Disk Manager Administrative Service /

dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software

Corp.>
[PeanuthullCore / PeanuthullCore][Stopped/Auto Start]
  <C:\Program Files\PeanutHull3\PhCore.exe -service><广

东网域>
[Portable Media Serial Number Service /

WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k

netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft

Corporation>
[Rising Process Communication Center /

RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing

Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing

Rising Technology Co., Ltd.>

==================================
驱动程序
[Service for Avance AC97 Audio (WDM) /

ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS

Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS

Software Corp.>
[Intel PRO Adapter Driver / E100B][Running/Manual Start]
  <system32\DRIVERS\e100bnt5.sys><Intel Corporation>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[IdeBusDr / IdeBusDr][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\IdeBusDr.sys><Intel

Corporation>
[Intel(R) Ultra ATA Controller / IdeChnDr][Running/Boot

Start]
  <\SystemRoot\system32\DRIVERS\IdeChnDr.sys><Intel

Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual

Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies,

Inc.>
[World Standard Teletext Codec /

WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件

有限公司>
[Basetdi / Basetdi][Running/Auto Start]
  <\??\C:\WINNT\system32\drivers\basetdi.sys><Beijing

Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Stopped/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing

Rising Technology Co., Ltd.>
[squell / squell][Running/]
  <2 - 系统找不到指定的文件。
><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\DRIVERS\npf.sys><CACE Technologies>

==================================
浏览器加载项
[AlxTB BHO Class]
  {F1FABE79-25FC-46de-8C5A-2C6DB9D64333}

<C:\WINNT\system32\AlxTB1.dll, Alexa Internet>
[网址大全]
  {C18CB140-0BBB-11D4-8FE8-0088CC102438}

<http://www.mpsoft.net/wz.htm, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467}

<C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[Alexa]
  {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B}

<C:\WINNT\system32\SHDOCVW.DLL, Microsoft Corporation>
[Alexa Web Search]
 

<http://client.alexa.com/holiday/script/actions/search.h

tm, N/A>
[Get Alexa Data]
 

<http://client.alexa.com/holiday/script/actions/sitedata

.htm, N/A>
[Mail to a Friend...]
 

<http://client.alexa.com/holiday/script/actions/mailto.h

tm, N/A>
[See Related Links]
 

<http://client.alexa.com/holiday/script/actions/related.

htm, N/A>
[Write a Review...]
 

<http://client.alexa.com/holiday/script/actions/review.h

tm, N/A>

==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe]  [Microsoft

Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\csrss.exe]  [Microsoft

Corporation, 5.00.2195.6601]
[PID: 948][C:\WINNT\Explorer.EXE]  [Microsoft

Corporation, 5.00.3700.6690]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\WINNT\system32\winform.dll]  [N/A, ]
    [C:\WINNT\system32\cmdbcs.dll]  [N/A, ]
    [C:\WINNT\system32\msccrt.dll]  [N/A, ]
    [C:\WINNT\TEMP\upxdnd.dll]  [N/A, ]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising

Technology Co., Ltd., 19, 0, 0, 9]
    [C:\WINNT\system32\AlxTB1.dll]  [Alexa Internet, 7,

0, 1, 57]
[PID: 1048][C:\WINNT\system32\hkcmd.exe]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\hccutils.DLL]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\igfxdev.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\WINNT\system32\igfxsrvc.dll]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\igfxhk.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\WINNT\system32\igfxres.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1056][C:\WINNT\soundman.exe]  [Avance Logic, Inc.,

5, 0, 0, 0]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 956][F:\scon\scon.exe]  [N/A, ]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1096][C:\WINNT\system32\internat.exe]  [Microsoft

Corporation, 5.00.2920.0000]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1392][C:\Program

Files\Rising\AntiSpyware\runiep.exe]  [Beijing Rising

Technology Co., Ltd., 1, 0, 1, 4]
    [C:\Program Files\Rising\AntiSpyware\iep_ctrl.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1084][C:\Program Files\Rising\Rav\RavTask.exe] 

[Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing

Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing

Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing

Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising,

18, 0, 0, 1]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1372][C:\Program Files\Rising\Rav\RsAgent.exe] 

[Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising,

18, 0, 0, 1]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1596][C:\WINNT\msagent\AgentSvr.exe]  [Microsoft

Corporation, 2.00.0.3422]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1380][C:\Documents and Settings\Administrator\桌面

\病毒日志扫描工具sreng2\SREng.EXE]  [Smallfrogs Studio,

2.4.12.806]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINNT\system32\wsttrs.dll]  [N/A, ]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

========================
第二次的  （瑞星死掉后）

[CODE]

2007-03-24,19:59:17

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - 管理权

限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVer

sion\Run]
    <Internat.exe><internat.exe>  [(Verified)Microsoft

Windows 2000 Publisher]
    <PhMain><C:\Program Files\PeanutHull3\Phmain.exe>  [

广东网域]
[HKEY_CURRENT_USER\Software\Microsoft\Windows

NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVe

rsion\Run]
    <IgfxTray><C:\WINNT\system32\igfxtray.exe> 

[(Verified)Microsoft Windows Hardware Compatibility

Publisher]
    <HotKeysCmds><C:\WINNT\system32\hkcmd.exe> 

[(Verified)Microsoft Windows Hardware Compatibility

Publisher]
    <SoundMan><soundman.exe>  [Avance Logic, Inc.]
    <Soltek><C:\WINNT\system32\autorun.exe>  []
    <runeip><C:\Program

Files\Rising\AntiSpyware\runiep.exe>  [Beijing Rising

Technology Co., Ltd.]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe"

-system>  [Beijing Rising Technology Co., Ltd.]
    <mppjds><C:\WINNT\mppjds.exe>  []
    <cmdbcs><C:\WINNT\cmdbcs.exe>  []
    <winform><C:\WINNT\winform.exe>  []
    <msccrt><C:\WINNT\msccrt.exe>  []
    <upxdnd><C:\WINNT\TEMP\TIMPLATF0RM.exe>  []
    <wgs3><C:\WINNT\wgs3.exe>  []
    <wsttrs><C:\WINNT\wsttrs.exe>  []
    <wms3><C:\WINNT\wms3.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows

2000 Publisher]
    <Userinit><C:\WINNT\system32\userinit.exe,> 

[(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVe

rsion\Explorer\ShellExecuteHooks]
   

<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system

32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><(无)>  [N/A]

==================================
启动文件夹
[meibuddns43]
  <C:\Documents and Settings\All Users\「开始」菜单\程序

\启动\meibuddns43.lnk -->

C:\PROGRA~1\MEIBUD~1\meibu\MEIBUD~1.EXE [N/A]><N>

==================================
服务
[Logical Disk Manager Administrative Service /

dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software

Corp.>
[PeanuthullCore / PeanuthullCore][Stopped/Auto Start]
  <C:\Program Files\PeanutHull3\PhCore.exe -service><广

东网域>
[Portable Media Serial Number Service /

WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k

netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft

Corporation>
[Rising Process Communication Center /

RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing

Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing

Rising Technology Co., Ltd.>

==================================
驱动程序
[Service for Avance AC97 Audio (WDM) /

ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS

Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS

Software Corp.>
[Intel PRO Adapter Driver / E100B][Running/Manual Start]
  <system32\DRIVERS\e100bnt5.sys><Intel Corporation>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[IdeBusDr / IdeBusDr][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\IdeBusDr.sys><Intel

Corporation>
[Intel(R) Ultra ATA Controller / IdeChnDr][Running/Boot

Start]
  <\SystemRoot\system32\DRIVERS\IdeChnDr.sys><Intel

Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual

Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies,

Inc.>
[World Standard Teletext Codec /

WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件

有限公司>
[Basetdi / Basetdi][Running/Auto Start]
  <\??\C:\WINNT\system32\drivers\basetdi.sys><Beijing

Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Stopped/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing

Rising Technology Co., Ltd.>
[squell / squell][Running/]
  <2 - 系统找不到指定的文件。
><N/A>
[Netgroup Packet Filter / NPF][Running/Manual Start]
  <system32\DRIVERS\npf.sys><CACE Technologies>

==================================
浏览器加载项
[AlxTB BHO Class]
  {F1FABE79-25FC-46de-8C5A-2C6DB9D64333}

<C:\WINNT\system32\AlxTB1.dll, Alexa Internet>
[网址大全]
  {C18CB140-0BBB-11D4-8FE8-0088CC102438}

<http://www.mpsoft.net/wz.htm, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467}

<C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[Alexa]
  {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B}

<C:\WINNT\system32\SHDOCVW.DLL, Microsoft Corporation>
[Alexa Web Search]
 

<http://client.alexa.com/holiday/script/actions/search.h

tm, N/A>
[Get Alexa Data]
 

<http://client.alexa.com/holiday/script/actions/sitedata

.htm, N/A>
[Mail to a Friend...]
 

<http://client.alexa.com/holiday/script/actions/mailto.h

tm, N/A>
[See Related Links]
 

<http://client.alexa.com/holiday/script/actions/related.

htm, N/A>
[Write a Review...]
 

<http://client.alexa.com/holiday/script/actions/review.h

tm, N/A>

==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe]  [Microsoft

Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\csrss.exe]  [Microsoft

Corporation, 5.00.2195.6601]
[PID: 212][\??\C:\WINNT\system32\winlogon.exe] 

[Microsoft Corporation, 5.00.2195.6898]
[PID: 948][C:\WINNT\Explorer.EXE]  [Microsoft

Corporation, 5.00.3700.6690]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\WINNT\system32\winform.dll]  [N/A, ]
    [C:\WINNT\system32\cmdbcs.dll]  [N/A, ]
    [C:\WINNT\system32\msccrt.dll]  [N/A, ]
    [C:\WINNT\TEMP\upxdnd.dll]  [N/A, ]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising

Technology Co., Ltd., 19, 0, 0, 9]
    [C:\WINNT\system32\wsttrs.dll]  [N/A, ]
    [C:\WINNT\system32\AlxTB1.dll]  [Alexa Internet, 7,

0, 1, 57]
[PID: 1048][C:\WINNT\system32\hkcmd.exe]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\hccutils.DLL]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\igfxdev.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\WINNT\system32\igfxsrvc.dll]  [Intel

Corporation, 3.0.0.3924]
    [C:\WINNT\system32\igfxhk.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\WINNT\system32\igfxres.dll]  [Intel Corporation,

3.0.0.3924]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1056][C:\WINNT\soundman.exe]  [Avance Logic, Inc.,

5, 0, 0, 0]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 956][F:\scon\scon.exe]  [N/A, ]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINNT\system32\wsttrs.dll]  [N/A, ]
[PID: 1096][C:\WINNT\system32\internat.exe]  [Microsoft

Corporation, 5.00.2920.0000]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1392][C:\Program

Files\Rising\AntiSpyware\runiep.exe]  [Beijing Rising

Technology Co., Ltd., 1, 0, 1, 4]
    [C:\Program Files\Rising\AntiSpyware\iep_ctrl.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1084][C:\Program Files\Rising\Rav\RavTask.exe] 

[Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing

Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing

Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing

Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising,

18, 0, 0, 1]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1372][C:\Program Files\Rising\Rav\RsAgent.exe] 

[Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising,

18, 0, 0, 1]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1596][C:\WINNT\msagent\AgentSvr.exe]  [Microsoft

Corporation, 2.00.0.3422]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINNT\system32\wsttrs.dll]  [N/A, ]
[PID: 1680][C:\Documents and Settings\Administrator\桌面

\病毒日志扫描工具sreng2\SREng.EXE]  [Smallfrogs Studio,

2.4.12.806]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll] 

[Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINNT\system32\wsttrs.dll]  [N/A, ]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
N/A

==================================
隐藏进程
    [904] C:\WINNT\TEMP\byetmr.exe

==================================

注意：隐藏进程
    [904] C:\WINNT\TEMP\byetmr.exe


  ？是什么...........

注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mppjds><C:\WINNT\mppjds.exe> []
<cmdbcs><C:\WINNT\cmdbcs.exe> []
<winform><C:\WINNT\winform.exe> []
<msccrt><C:\WINNT\msccrt.exe> []
<upxdnd><C:\WINNT\TEMP\TIMPLATF0RM.exe> []
<wgs3><C:\WINNT\wgs3.exe> []

驱动
[squell / squell][Running/]
<2 - 系统找不到指定的文件。
><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\DRIVERS\npf.sys><CACE Technologies>

用SREng删除以上启动项目，重启电脑，安全模式下删除如下文件：
C:\WINNT\mppjds.exe
C:\WINNT\cmdbcs.exe
C:\WINNT\winform.exe
C:\WINNT\msccrt.exe
C:\WINNT\TEMP\TIMPLATF0RM.exe
C:\WINNT\wgs3.exe
C:\WINNT\system32\DRIVERS\npf.sys
C:\WINNT\TEMP\byetmr.exe
C:\WINNT\system32\wsttrs.dll

PS：你的日志贴的太怪异了，看着别扭！

做这病毒的傻笔要是被我抓住非打死他不可.操.....

还好有还原卡，重启系统后可疑进程
C:\WINNT\mppjds.exe
C:\WINNT\cmdbcs.exe
C:\WINNT\winform.exe
C:\WINNT\msccrt.exe
C:\WINNT\TEMP\TIMPLATF0RM.exe
C:\WINNT\wgs3.exe
C:\WINNT\system32\DRIVERS\npf.sys
C:\WINNT\TEMP\byetmr.exe
C:\WINNT\system32\wsttrs.dll
都找不到了，但我不明白病毒是在我机器里隐藏的还是从网络感染的呢？？？

做这病毒的傻笔要是被我抓住非打死他不可.操.....他把这病毒升级了,开始反瑞星了,我的卡卡助手会被他自动关闭. 这人就他妈是个垃圾,我好好双核被他搞的跟奔三都不如,要是被我抓住,我就把他脱光游街.

终于在C:\WINNT\temp找到可以文件样本  逮捕 送毒管中心

当瑞星死掉后检查c:\winnt\temp下出现
009.mdb
7.dll
IECOFIG.EXE
MCONFIG.EXE
npf.sys
npptools.dll
Packet.dll
SPSJ.EXE
upxdnd.dll
TIMPLATF0RM.exe
wgs0.dll
WanPacket.dll
可疑文件    高手帮忙分析一下

有知道怎么清除的吗？

jinru anquan muoushi shangchu wenjian.