azhuo - 2007-3-30 20:37:00
2006-03-30,20:15:56
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<HotKeysCmds><; C:\WINDOWS\System32\hkcmd.exe> [Intel Corporation]
<IgfxTray><; C:\WINDOWS\System32\igfxtray.exe> [Intel Corporation]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload> [Microsoft Corporation]
<PHIME2002A><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [Microsoft Corporation]
<PHIME2002ASync><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<SoundMan><; SOUNDMAN.EXE> [Realtek Semiconductor Corp.]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> []
<A><C:\WINDOWS\System32\rundll32.exe 1.1 s> []
<kernel32><C:\WINDOWS\Kernel32.exe> []
<winform><C:\WINDOWS\winform.exe> []
<System><C:\Program Files\Common Files\System\Updaterun.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\System32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_070328.dll start> []
<UIHost><logonui.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{90BC520C-9175-470E-94B8-10FD869D170B}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd> []
<{7AD0369C-7AD0-7AD0-BE14-F258BE147AD0}><C:\WINDOWS\System32\ZYBE.dll> []
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> []
==================================
启动文件夹
服务
[51D90943 / 51D90943]
<C:\WINDOWS\System32\51D90943.EXE -service><N/A>
[7E526995 / 7E526995]
<C:\WINDOWS\System32\7E526995.EXE -service><N/A>
[Rising Process Communication Center / RsCCenter]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon]
<"d:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Remote Administrator Service / r_server]
<"C:\WINDOWS\System32\r_server.exe" /service><>
[Registry Protector / SOCEESe]
<C:\WINDOWS\SYSTEM32\RUNDLL2000.EXE C:\WINDOWS\SYSTEM32\WBEM\WAGYQ.DLL,Export 1087><N/A>
==================================
浏览器加载项
[Info cache]
{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>
[启动迅雷5]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <D:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <D:\Program Files\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <, N/A>
[CaiFuCOM Class]
{C1F0024B-8278-4999-B7E6-2718426D9FE6} <C:\Program Files\财富通\caif.dll, N/A>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[实用搜索工具条2.0]
{03465FF5-00AE-411a-9C34-960ED566EC03} <C:\Program Files\superutilbar\superutilbar.dll, www.shiyongsousuo.com>
[PGEdit Class]
{2BFAA61B-5C83-4865-8281-D8BDBF863061} <C:\WINDOWS\Downloaded Program Files\PG_ATL_Edit.dll, 银联网络支付集团有限公司>
[PowerPlayer Control]
{5EC7C511-CD0F-42E6-830C-1BD9882F3458} <C:\DOCUME~1\user\APPLIC~1\ppStream\100~1.139\POWERP~1.DLL, PPStream Inc.>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[Qzone Media Tools]
{A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} <D:\PROGRA~1\QZone\QZONEM~1.OCX, Tencent Technology (Shenzhen) Company Limited>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[TXPhoneSupport.SystemSpecInfo]
{E6AE07CB-9961-423A-9EC6-7F11A9F47ADF} <C:\WINDOWS\DOWNLO~1\TXPhone.ocx, TENCENT>
[CPasswordEditCtrl Object]
{E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINDOWS\System32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[&使用迅雷下载]
<D:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<D:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
<D:\Program Files\AddToNetDisk.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
<D:\Program Files\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\SendMMS.htm, N/A>
azhuo - 2007-3-30 20:38:00
正在运行的进程
[PID: 464][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 528][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 552][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[C:\WINDOWS\System32\winlib .dll] <N/A><N/A>
[PID: 596][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 608][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 784][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 864][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[C:\olite\bin\oci.dll] <Oracle Corporation><8.0.5.0.1>
[C:\olite\bin\ORA805.dll] <Oracle Corporation><8.0.5.0.0>
[C:\olite\bin\CORE40.dll] <Oracle Corporation><4.0.5.0.0>
[C:\olite\bin\NLSRTL33.dll] <Oracle Corporation><3.3.2.0.0>
[C:\olite\bin\NL80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\OTRACE80.dll] <Oracle Corporation><8.0.4.0.0>
[C:\olite\bin\NS80.dll] <Oracle Corporation><8.0.4.0.2 Production>
[C:\olite\bin\nasns80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\nz80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NNFG80.dll] <Oracle Corporation><8.0.4.0.1 Production>
[C:\olite\bin\NNCI80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NNG80.dll] <Oracle Corporation><8.0.4.0.2 Production>
[C:\olite\bin\NMP80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NPL80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NR80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NT80.dll] <Oracle Corporation><8.0.4.0.1 Production>
[C:\olite\bin\NCR80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NMS80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NNFD80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NNFN80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\NI80.dll] <Oracle Corporation><8.0.4.0.0 Production>
[C:\olite\bin\PLS805.dll] <Oracle Corporation><8.0.5.0.0>
[C:\olite\bin\NDWSI80.DLL] <N/A><N/A>
[C:\olite\bin\SQLLib80.dll] <Oracle Corporation><8.0.5.0.0>
[C:\olite\bin\xa80.dll] <Oracle Corporation><8.0.5.0.0>
[PID: 924][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1024][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1160][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.0 (XPClient.010817-1148)>
[C:\WINDOWS\system32\EBPMON2.DLL] <SEIKO EPSON CORPORATION><2, 20, 0, 0>
[PID: 1252][d:\Program Files\Rising\Rav\RavStub.exe] <Beijing Rising Technology Co., Ltd.><19, 0, 0, 4>
[d:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[d:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><19, 0, 0, 5>
[PID: 1856][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1876][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1980][C:\WINDOWS\System32\r_server.exe] <><2, 2, 0, 0>
[PID: 176][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
[C:\WINDOWS\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><19, 0, 0, 9>
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd] <N/A><N/A>
[C:\WINDOWS\System32\ZYBE.dll] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\WINDOWS\system32\pjoai.dll] <N/A><N/A>
[C:\WINDOWS\System32\winform.dll] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\Tmp5.tmp.rom] <N/A><N/A>
[C:\WINDOWS\System32\igfxpph.dll] <Intel Corporation><3,0,0,2082>
[C:\WINDOWS\System32\hccutils.DLL] <Intel Corporation><3,0,0,2082>
[C:\WINDOWS\System32\igfxres.dll] <Intel Corporation><3,0,0,2082>
[C:\WINDOWS\System32\igfxsrvc.dll] <Intel Corporation><3,0,0,2082>
[C:\WINDOWS\System32\igfxdev.dll] <Intel Corporation><3,0,0,2082>
[C:\WINDOWS\System32\igfxress.dll] <Intel Corporation><3,0,0,2082>
[d:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[d:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><19, 0, 0, 5>
[PID: 340][C:\WINDOWS\SYSTEM32\RUNDLL2000.EXE] <Microsoft Corporation><5.00.2134.1>
[PID: 480][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 516][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1340][C:\WINDOWS\System32\wbem\lsass.exe] <Microsoft><1.0.0.0>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 1364][C:\WINDOWS\System32\AE9C7762.exe] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 1400][C:\WINDOWS\System32\21980CEE.exe] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 1396][C:\program files\internet explorer\iexplore.exe] <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
[C:\WINDOWS\System32\winsys32_070328.dll] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\Program Files\superutilbar\superutilbar.dll] <www.shiyongsousuo.com><2, 1, 8, 24>
[C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll] <金泰丰(广州)科技有限公司><2, 3, 0, 0>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 2400][C:\WINDOWS\System32\rundll32.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[C:\WINDOWS\System32\ZYBE.dll] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 2568][C:\WINDOWS\System32\ctfmon.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[PID: 2788][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] <RealNetworks, Inc.><0.1.0.1622>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[PID: 3004][C:\Program Files\Common Files\System\Updaterun.exe] <N/A><N/A>
[PID: 3116][C:\WINDOWS\System32\wuauclt.exe] <Microsoft Corporation><5.8.0.2469 built by: lab01_n(wmbla)>
[PID: 2636][C:\Documents and Settings\user\桌面\sreng2\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom] <N/A><N/A>
[C:\Program Files\Internet Explorer\InfoMs.tdm] <N/A><N/A>
[C:\DOCUME~1\user\LOCALS~1\Temp\Tmp5.tmp.rom] <N/A><N/A>
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
spiritfire - 2007-3-30 20:59:00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<A><C:\WINDOWS\System32\rundll32.exe 1.1 s> []
<kernel32><C:\WINDOWS\Kernel32.exe> []
<winform><C:\WINDOWS\winform.exe> []
<System><C:\Program Files\Common Files\System\Updaterun.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{90BC520C-9175-470E-94B8-10FD869D170B}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd> []
<{7AD0369C-7AD0-7AD0-BE14-F258BE147AD0}><C:\WINDOWS\System32\ZYBE.dll> []
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> []
[51D90943 / 51D90943]
<C:\WINDOWS\System32\51D90943.EXE -service><N/A>
[7E526995 / 7E526995]
<C:\WINDOWS\System32\7E526995.EXE -service><N/A>
[Remote Administrator Service / r_server]
<"C:\WINDOWS\System32\r_server.exe" /service><>
[Registry Protector / SOCEESe]
< C:\WINDOWS\SYSTEM32\RUNDLL2000.EXE,C:\WINDOWS\SYSTEM32\WBEM\WAGYQ.DLL,Export 1087><N/A>
Delete the startup items and services listed above with SREng.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\System32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_070328.dll start> []
Edit this registry value and remove the part marked in red!
Reboot into Safe Mode and delete the following files:
C:\WINDOWS\Kernel32.exe
C:\WINDOWS\winform.exe
C:\Program Files\Common Files\System\Updaterun.exe
C:\WINDOWS\SYSTEM32\WBEM\WAGYQ.DLL
C:\WINDOWS\SYSTEM32\RUNDLL2000.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\7E526995.EXE
C:\WINDOWS\System32\51D90943.EXE
C:\WINDOWS\System32\wbem\lsass.exe
C:\WINDOWS\System32\winsys32_070328.dll
Use IceSword to force-unload the following modules injected into explorer.exe, then force-delete the files below!
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd
C:\WINDOWS\System32\ZYBE.dll
C:\Program Files\Internet Explorer\InfoMs.tdm
C:\WINDOWS\system32\pjoai.dll
C:\WINDOWS\System32\winform.dll
C:\DOCUME~1\user\LOCALS~1\Temp\~Tm4.tmp.rom
C:\DOCUME~1\user\LOCALS~1\Temp\Tmp5.tmp.rom
Empty this folder: C:\DOCUME~1\user\LOCALS~1\Temp
Download KillBox from the pinned tools post, run it, tick "Replace on reboot" and process the file below!
C:\WINDOWS\System32\winlib .dll
Finally, update Super Rabbit (兔子) to the latest version and run a full system cleanup!
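Added example, not part of the thread and not SREng's own code: a small triage script over the SREng 2.0 autostart log format used above. It parses "[KEY]" / "<name><command> [publisher]" lines and flags entries with no recorded publisher plus a Winlogon Userinit value carrying anything besides userinit.exe (the hijack spiritfire points out). The sample log is constructed from lines quoted in this thread.

```python
import re

# Constructed sample in SREng 2.0 log format, built from lines quoted in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<A><C:\WINDOWS\System32\rundll32.exe 1.1 s> []
<kernel32><C:\WINDOWS\Kernel32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\System32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_070328.dll start> []
"""
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")            # "[KEY]" opens a key block
ENTRY_RE = re.compile(r"^<([^>]*)><(.*)> \[(.*)\]$")   # "<name><command> [publisher]"

def parse_sreng_entries(text):
    """Return the autostart entries as dicts: key, name, command, publisher."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if em and key:
            entries.append({"key": key, "name": em.group(1),
                            "command": em.group(2), "publisher": em.group(3).strip()})
    return entries

def userinit_extras(command):
    """Anything in a Userinit value besides userinit.exe itself; a clean value has none."""
    parts = [p.strip() for p in command.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("userinit.exe")]

def triage(text):
    """Return (entry name, reason) pairs worth a closer look; a hit is a lead, not a verdict."""
    findings = []
    for e in parse_sreng_entries(text):
        if e["key"].lower().endswith("\\winlogon") and e["name"].lower() == "userinit":
            extras = userinit_extras(e["command"])
            if extras:
                findings.append((e["name"], "Userinit hijack: " + "; ".join(extras)))
                continue
        if not e["publisher"]:
            # Empty "[]" means SREng found no publisher info: typical of malware,
            # but also of some legitimate tools, so verify the file before deleting it.
            findings.append((e["name"], "no publisher recorded: " + e["command"]))
    return findings
```

Run `triage()` over a full pasted log to get the same short list a helper like spiritfire builds by eye; the KernelFaultCheck entry in the original log shows why an empty publisher alone is not proof.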
azhuo - 2007-3-30 21:02:00
Thanks, I'll go deal with it first!
Ugh, I can't get into Safe Mode!!!
Still can't remove it!! And it creates a rising.exe file on every drive; lsass.exe can't be removed. In the end I formatted C: and D: and reinstalled the system, and it's fine now.
spiritfire - 2007-4-1 9:14:00
Quote:
[azhuo's post] Thanks, I'll go deal with it first!
Ugh, I can't get into Safe Mode!!!
Still can't remove it!! And it creates a rising.exe file on every drive; lsass.exe can't be removed. In the end I formatted C: and D: and reinstalled the system, and it's fine now. ………………
I don't know whether your log wasn't posted in full or SRE simply didn't pick up the rising.exe in the directories on your non-system partitions!