电脑种种被入侵迹象，请高手帮忙！（PS：日志） bbs.ikaka.com

Lucifer521 - 2007-4-7 18:18:00

1。图标经常被更改，特别是游戏图标
2。自动更新被锁定，手动都不能调过来
3。每次开机，点击“我的电脑”，要等很就才能看到盘
4。有个未知程序重复出现，用“Windows清理恶意软件“助手都不能清除。
5。用”瑞星漏洞扫描“发现磁盘被共享，但不能修复。
6。不能打开Windows的“帮助与支持”
7。老出现“驱动器没有软盘”对话框
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<System Boot Check><C:\WINDOWS\system32\sysload3.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
<SysExplr><; C:\Program Files\Herosoft\Hero 9\SysExplr.EXE> [N/A]
<SoundMan><SOUNDMAN.EXE> [Realtek Semiconductor Corp.]
<ShStatEXE><; "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE> [N/A]
<PLoader><; c:\program files\umsd\umsd.exe sys_auto_run C:\program files\UMSD> [N/A]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<MsmqIntCert><regsvr32 /s mqrt.dll> [N/A]
<McAfeeUpdaterUI><; "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey> [N/A]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> []
<QuickTime Task><; "C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\system32\ICBCADSS.SCR> []

==================================
启动文件夹
N/A

==================================
服务
[AntiVir Service / AntiVirService][Stopped/Manual Start]
<C:\Program Files\AVPersonal\AVGUARD.EXE><N/A>
[AntiVir Update / AVWUpSrv][Stopped/Auto Start]
<"C:\Program Files\AVPersonal\AVWUPSRV.EXE"><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[McAfee Framework Service / McAfeeFramework][Stopped/Auto Start]
<C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SYS ATTRlB / SYSATTRlB][Stopped/Auto Start]
<C:\WINDOWS\system32\ATTRlB.EXE><N/A>

==================================
驱动程序
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
<system32\drivers\ALCXSENS.SYS><Sensaura>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[avgntdd / avgntdw][Stopped/Manual Start]
<\??\C:\Program Files\AVPersonal\AVGNTDD.SYS><N/A>
[BaseTDI / BaseTDI][Running/Auto Start]

附件: 859986200747180821.bmp

Lucifer521 - 2007-4-7 18:18:00

<\??\C:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[IsDrv120 / IsDrv120][Running/System Start]
<\SystemRoot\System32\Drivers\IsDrv120.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[NaiAvFilter1 / NaiAvFilter1][Stopped/Manual Start]
<system32\drivers\naiavf5x.sys><Network Associates, Inc.>
[NaiAvTdi1 / NaiAvTdi1][Running/System Start]
<system32\drivers\mvstdi5x.sys><Network Associates, Inc.>
[ndsjqjp / ndsjqjp][Stopped/Boot Start]
<\SystemRoot\\SystemRoot\System32\drivers\ndsjqjp.sys><N/A>
[npkycryp / npkycryp][Stopped/Manual Start]
<\??\D:\PROGRAM FILES\Tencent\QQ\npkycryp.sys><N/A>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[USB Mass Storage / OEMSTOR][Stopped/Manual Start]
<system32\DRIVERS\USBMSDk.SYS><USB Mass Storage.>
[oreans32 / oreans32][Stopped/System Start]
<\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[sgxztkep / sgxztkep][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sgxztkep.sys><Yahoo! China Corporation>
[SiS AGP Filter / SISAGP][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\SISAGPX.sys><Silicon Integrated Systems Corporation>
[SiSide / SiSide][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\siside.sys><Silicon Integrated Systems Corp.>
[sisidex / sisidex][Running/Boot Start]
<\SystemRoot\system32\drivers\sisidex.sys><Windows (R) 2000 DDK provider>
[SiS PCI Fast Ethernet Adapter Driver / SISNIC][Running/Manual Start]
<system32\DRIVERS\sisnic.sys><SiS Corporation>
[Add Performance Filter Driver / sisperf][Running/Boot Start]
<\SystemRoot\system32\drivers\sisperf.sys><Silicon Integrated Systems Corp.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[VIMICRO USB PC Camera 301H / ZSMC303][Stopped/Manual Start]
<System32\Drivers\usbVM303.sys><VM>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\D:\PROGRAM FILES\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>

==================================
浏览器加载项
[浩方对战平台]
{0A155D3C-68E2-4215-A47A-E800A446447A} <D:\游戏\游戏平台\浩方\GameClient.exe, 上海浩方在线信息技术有限公司>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\LegitCheckControl.DLL, Microsoft Corporation>
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[上传到QQ网络硬盘]
<D:\PROGRAM FILES\Tencent\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<D:\PROGRAM FILES\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\PROGRAM FILES\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\PROGRAM FILES\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 460][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 524][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1456][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.8426]
[C:\WINDOWS\system32\NVRSZHC.DLL] [NVIDIA Corporation, 6.14.10.8426]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1716][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 1, 0, 0, 10]
[PID: 1852][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 220][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2712][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[PID: 3084][C:\WINDOWS\system32\NOTEPAD.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3224][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.687\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

Lucifer521 - 2007-4-7 18:19:00

另一个东西
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 18:05:03, 日期 2007-4-7
操作系统： Windows XP SP2 (WinNT 5.01.2600)
浏览器： Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程：
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.922\HijackThis1991zww.exe

O3 - IE工具栏增项: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - 启动项HKLM\\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - 启动项HKLM\\Run: [SysExplr] ; C:\Program Files\Herosoft\Hero 9\SysExplr.EXE
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [ShStatEXE] ; "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - 启动项HKLM\\Run: [PLoader] ; c:\program files\umsd\umsd.exe sys_auto_run C:\program files\UMSD
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - 启动项HKLM\\Run: [McAfeeUpdaterUI] ; "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKLM\\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Boot Check] C:\WINDOWS\system32\sysload3.exe
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\PROGRAM FILES\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\PROGRAM FILES\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\PROGRAM FILES\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\PROGRAM FILES\Tencent\QQ\SendMMS.htm
O9 - 浏览器额外的按钮: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\游戏\游戏平台\浩方\GameClient.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O23 - NT 服务: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - NT 服务: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - NT 服务: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - NT 服务: SYS ATTRlB (SYSATTRlB) - Unknown owner - C:\WINDOWS\system32\ATTRlB.EXE (file missing)

瑞星卡卡安全论坛