Rising Kaka Security Forum
好朋友2 - 2007-9-7 21:37:00
Just killed a stubborn virus with this method:

LYLOADER.EXE LYMANGR.DLL MSDEG32.DLL virus solution (2007-08-10 08:50)
Virus aliases: Trojan.PSW.Win32.XYOnline.ah (Rising), Trojan.PSW.Win32.OnlineGames.cwz (Rising)
Win32.Troj.OnlineGames.nn.94208 (Kingsoft Duba)
Virus size: 16,384 bytes
Packer:
Sample MD5: 6a8691aec2bb2537cbdc718bd53b1fbf
Sample SHA1: 99f3f161e0077d5bcefe9582007666b7d543ce84
Discovered: 2007.6
Updated: 2007.7.3
Related viruses:
Propagation: spread through malicious websites; downloaded by other trojans
Technical analysis
==========
After the trojan runs, it drops another exe into the temp directory and runs it:
%temp%\LYLOADER.EXE
It drops two DLL files and injects them into processes:
%temp%\LYMANGR.DLL
%temp%\MSDEG32.DLL
It also copies the files to the system directory:
%system%\LYLOADER.EXE
%system%\LYMANGR.DLL
%system%\MSDEG32.DLL
It creates startup entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSDEG32"="LYLoader.exe"
"MSDWG32"="LYLoadbr.exe"
"MSDCG32 "="LYLeador.exe"
"MSOG32"="LYLoador.exe"
"MSDSG32"="LYLoadar.exe"
"MSDMG32"="LYLoadmr.exe"
"MSDHG32"="LYLoadhr.exe"
"MSDQG32"="LYLoadqr.exe"
Removal steps
==========
1. Delete the startup entries (Start menu > Run > type "regedit", open the following key, then delete these values):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSDEG32"="LYLoader.exe"
"MSDWG32"="LYLoadbr.exe"
"MSDCG32 "="LYLeador.exe"
"MSDOG32"="LYLoador.exe"
"MSDSG32"="LYLoadar.exe"
"MSDMG32"="LYLoadmrexe"
"MSDHG32"="LYLoadhr.exe"
"MSDQG32"="LYLoadqr.exe"
2. Restart the computer
3. Delete the files (if you get a prompt that a file cannot be deleted, download the 费尔 (Filseclab) Trojan Force Deleter tool from down.45it.com and force-delete it):
%temp%\LYLOADER.EXE
%temp%\LYMANGR.DLL
%temp%\MSDEG32.DLL
%system%\LYLOADER.EXE
%system%\LYMANGR.DLL
%system%\MSDEG32.DLL
Not sure whether there is still any virus left?
Logs are attached in the next post:
[User system info] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
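As an added example (not from the post above and not Rising's tool), the following PowerShell script audits a host for the indicators the advisory lists: the values under the policies\Explorer\Run key and the six dropped-file locations, hashing any file it finds against the advisory's sample MD5. It is read-only and assumes a modern Windows host with PowerShell 4 or later (for Get-FileHash), not the Windows 2000 machine in this thread.

```powershell
# Added audit script (not from the original post). It only reports; it deletes nothing.
# Run from an elevated PowerShell prompt so HKLM and %SystemRoot%\system32 are readable.

# --- Indicators quoted from the advisory above ---------------------------------
$RunKey          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$KnownValueNames = @('MSDEG32','MSDWG32','MSDCG32','MSOG32','MSDOG32',
                     'MSDSG32','MSDMG32','MSDHG32','MSDQG32')
$KnownSampleMd5  = '6a8691aec2bb2537cbdc718bd53b1fbf'      # sample MD5 from the advisory
$DroppedNames    = @('LYLOADER.EXE','LYMANGR.DLL','MSDEG32.DLL')
$DropDirs        = @($env:TEMP, (Join-Path $env:SystemRoot 'system32'))  # %temp% and %system%

$findings = @()

# --- 1. Persistence check --------------------------------------------------------
# policies\Explorer\Run is an unusual autostart location (legitimate installers rarely
# write there), so every value under it is listed; a value is flagged when its name is
# one the advisory quotes (note the advisory shows "MSDCG32 " with a trailing space,
# hence Trim) or its data follows the LYLoad*.exe naming pattern of the variants.
if (Test-Path $RunKey) {
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $flag = ($KnownValueNames -contains $name.Trim()) -or ($data -match '^LYL[a-z]+\.exe$')
        $findings += [pscustomobject]@{
            Type        = 'Registry'
            Location    = "$RunKey\$name"
            Detail      = $data
            Suspicious  = $flag
            KnownSample = $null
        }
    }
}

# --- 2. Dropped-file check -------------------------------------------------------
# Any file with one of the dropped names in %temp% or %system% is reported. The MD5 is
# compared with the advisory's sample hash: a match is the exact sample, a mismatch with
# the same name and location still deserves inspection (repacked or updated variant).
foreach ($dir in $DropDirs) {
    foreach ($fname in $DroppedNames) {
        $path = Join-Path $dir $fname
        if (Test-Path -Path $path -PathType Leaf) {
            $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
            $findings += [pscustomobject]@{
                Type        = 'File'
                Location    = $path
                Detail      = "MD5=$md5"
                Suspicious  = $true
                KnownSample = ($md5 -eq $KnownSampleMd5)
            }
        }
    }
}

# --- 3. Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the advisory were found on this host.'
} else {
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $hits = @($findings | Where-Object { $_.Suspicious }).Count
    Write-Output "$hits suspicious item(s); review them before following the removal steps above."
}
```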
好朋友2 - 2007-9-7 21:38:00
瑞星卡卡电脑诊断日志 v1.30 (2007-9-7 21:16:38) 北京瑞星科技股份有限公司
注释:[A]表示该文件存在自启动关联;
[M]表示该文件在内存中;
+ 注册表自运行项目
+ 系统服务
+ HKLM\System\CurrentControlSet\Services
RfwProxySrv
[A ] 1. d:\progra~1\rising\rfw\rfwproxy.exe
Beijing Rising Technology Co., Ltd.
Rising Personal Proxy Service
.text,.rdata,.data,.rsrc,
RfwService
[A ] 2. d:\progra~1\rising\rfw\rfwsrv.exe
Beijing Rising Technology Co., Ltd.
Rising Personal FireWall Service
.text,.rdata,.data,.rsrc,
RsCCenter
[A ] 3. d:\progra~1\rising\rav\ccenter.exe
Beijing Rising Technology Co., Ltd.
CCenter
.text,.rdata,.data,.rsrc,
RsRavMon
[A ] 4. d:\progra~1\rising\rav\ravmond.exe
Beijing Rising Technology Co., Ltd.
RavMond
.text,.rdata,.data,.rsrc,
WmdmPmSN
[A ] 5. c:\winnt\system32\mspmsnsv.dll
Microsoft Corporation
Microsoft Media Device Service Provider
.text,.data,.rsrc,.reloc,
+ 内核驱动
+ HKLM\System\CurrentControlSet\Services
ADM9X
[A ] 6. c:\winnt\system32\drivers\adm9x.sys
ADMtek Incorporated.
ADMtek AN983/AN985/ADM951X NDIS5 Driver
.text,.rdata,.data,PAGE,INIT,.rsrc,.reloc,
BaseTDI
[A ] 7. c:\winnt\system32\drivers\basetdi.sys
Beijing Rising Technology Co., Ltd.
basetdi
.text,.rdata,.data,INIT,.rsrc,.reloc,
Cdr4_2K
[A ] 8. c:\winnt\system32\drivers\cdr4_2k.sys
Roxio
CDR4_2k CDR Helper
.text,.rdata,.data,INIT,.rsrc,.reloc,
Cdralw2k
[A ] 9. c:\winnt\system32\drivers\cdralw2k.sys
Roxio
CDRAL for Windows 2000 Kernel Driver
.text,.rdata,.data,INIT,.rsrc,.reloc,
ExpScaner
[A ] 10. d:\progra~1\rising\rav\expscan.sys
ExpScan.sys
.text,.rdata,.data,INIT,.rsrc,.reloc,
HOOKAPI
[A ] 11. d:\progra~1\rising\rav\hookapi.sys
瑞星软件有限公司
HOOKAPI Driver
.text,.rdata,.data,.edata,INIT,.rsrc,.reloc,
HookCont
[A ] 12. d:\progra~1\rising\rav\hookcont.sys
Rising
HookCont
.text,.rdata,.data,INIT,.rsrc,.reloc,
HookReg
[A ] 13. d:\progra~1\rising\rav\hookreg.sys
.text,.rdata,.data,INIT,.rsrc,.reloc,
HookSys
[A ] 14. d:\progra~1\rising\rav\hooksys.sys
Rising
Hooksys
.text,.rdata,.data,INIT,.rsrc,.reloc,
HookUrl
[A ] 15. d:\progra~1\rising\rfw\hookurl.sys
Beijing Rising Technology Co., Ltd.
HookUrl
.text,.rdata,.data,INIT,.rsrc,.reloc,
MEMSCAN
[A ] 16. d:\progra~1\rising\rav\memscan.sys
Beijing Rising Technology Co., Ltd.
MemScan Driver
.text,.rdata,.data,INIT,.rsrc,.reloc,
MPE
[A ] 17. c:\winnt\system32\drivers\mpe.sys
Microsoft Corporation
Microsoft MPE to IP Filter
.text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,
mProcRs
[A ] 18. d:\progra~1\rising\rfw\mprocrs.sys
Beijing Rising Technology Co., Ltd.
Rising Personal FireWall mprocrs.sys
.text,.rdata,.data,INIT,.rsrc,.reloc,
好朋友2 - 2007-9-7 21:39:00
NABTSFEC
[A ] 19. c:\winnt\system32\drivers\nabtsfec.sys
Microsoft Corporation
WDM NABTS/FEC VBI Codec
.text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,
npkcrypt
[A ] 20. d:\qq2006\qq\npkcrypt.sys
nwupspx
[A ] 21. c:\winnt\system32\drivers\nwupspx.sys
RMSPPPOE
[A ] 22. c:\winnt\system32\drivers\rmspppoe.sys
Robert Schlabbach
PPP over Ethernet Protocol NDIS Intermediate Driver
.text,.rdata,.data,INIT,.rsrc,.reloc,
RsAntiSpyware
[A ] 23. c:\winnt\system32\drivers\rsboot.sys
Beijing Rising Technology Co., Ltd.
Anti-RootKit Driver
.text,.rdata,.data,INIT,.rsrc,.reloc,
RsFwDrv
[A ] 24. d:\progra~1\rising\rfw\rsfwdrv.sys
Beijing Rising Technology Co., Ltd.
nt_fwdrv
.text,.rdata,.data,INIT,.rsrc,.reloc,
RsNTGDI
[A ] 25. c:\winnt\system32\drivers\rsntgdi.sys
Beijing Rising Technology Co., Ltd.
RsNTGDI
.text,.rdata,INIT,.rsrc,.reloc,
RSPPSYS
[A ] 26. d:\progra~1\rising\rav\rsppsys.sys
Rising
RSPPSYS.SYS
.text,.rdata,.data,INIT,.rsrc,.reloc,
RTL8023
[A ] 27. c:\winnt\system32\drivers\rtlnic.sys
Realtek Semiconductor Corporation
Realtek 10/100/1000 NDIS 5.0 Driver
.text,.rdata,.data,PAGE,INIT,.rsrc,.reloc,
SLIP
[A ] 28. c:\winnt\system32\drivers\slip.sys
Microsoft Corporation
Microsoft Slip Deframing Filter Minidriver
.text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,
streamip
[A ] 29. c:\winnt\system32\drivers\streamip.sys
Microsoft Corporation
Microsoft IP Driver
.text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,
WSTCODEC
[A ] 30. c:\winnt\system32\drivers\wstcodec.sys
Microsoft Corporation
WDM WST Codec Driver
.text,.rdata,.data,INIT,.rsrc,.reloc,
+ IE浏览器加载模块
+ HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C}
[A ] 31. c:\winnt\system32\kakatool.dll
Beijing Rising Technology Co., Ltd.
Rising AntiSpyware Toolbar
.text,.rdata,.data,MonitorS,.rsrc,.reloc,
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{01443AEC-0FD1-40fd-9C87-E93D1494C233}
[A ] 32. e:\program files\thunder\comdlls\tdatonce_now.dll
Thunder Networking Technologies,LTD
迅雷浏览器高级特性支持模块
.text,.rdata,.data,.rsrc,.reloc,
{889D2FEB-5411-4565-8998-1DD2C5261283}
[A ] 33. e:\program files\thunder\comdlls\xunleibho_now.dll
Thunder Networking Technologies,LTD
XunLeiBHO
.text,.rdata,.data,.rsrc,.reloc,
+ HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
Exec
[A ] 34. e:\program files\thunder\thunder.exe
Thunder Networking Technologies,LTD
.text,.rdata,.data,.rsrc,
Script
[A ] 35. c:\winnt\web\related.htm
+ 资源管理器加载模块
+ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
[A ] 36. c:\winnt\system32\updcrl.exe
Microsoft Corporation
UPDCRL
.text,.data,.rsrc,
[A ] 37. c:\winnt\system32\verisignpub1.crl
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
RISING
[AM] 38. c:\winnt\system32\ravext.dll
Beijing Rising Technology Co., Ltd.
Rising Shell Ext Module
.text,.rdata,.data,.rsrc,.reloc,
Yahoo Trojan Cleanner
[A ] 39. d:\progra~1\ske\contmenu.dll
UPX0,UPX1,.rsrc,
+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{32CD708B-60A7-4C00-9377-D73EAA495F0F}
[AM] 38. c:\winnt\system32\ravext.dll
Beijing Rising Technology Co., Ltd.
Rising Shell Ext Module
.text,.rdata,.data,.rsrc,.reloc,
{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}
[AM] 40. c:\winnt\system32\shlhook.dll
Beijing Rising Technology Co., Ltd.
shlhook Module
.text,.rdata,.data,.rsrc,.reloc,
+ 用户登陆自运行项目
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RavTask
[A ] 41. d:\progra~1\rising\rav\ravtask.exe
Beijing Rising Technology Co., Ltd.
RavTimer
.text,.rdata,.data,.rsrc,
IgfxTray
[A ] 42. c:\winnt\system32\igfxtray.exe
Intel Corporation
igfxTray Module
.text,.rdata,.data,.rsrc,
+ 映像劫持
+ HKCR\.mp3
RealPlayer.MP3.6\open\Command
[A ] 43. c:\program files\real\realplayer\realplay.exe
RealNetworks, Inc.
RealPlayer
.text,.rdata,.data,.rsrc,
+ 正在运行的进程
+ 0000008c(140) smss.exe
+ 000000a4(164) csrss.exe
+ 000000b8(184) winlogon.exe
77520000[00008000]
[ M] 44. c:\winnt\system32\wdmaud.drv
Microsoft Corporation
WDM Audio driver mapper
.text,.data,.rsrc,.reloc,
773C0000[00008000]
[ M] 45. c:\winnt\system32\msacm32.drv
Microsoft Corporation
Microsoft Sound Mapper
.text,.data,.rsrc,.reloc,
+ 000000d4(212) services.exe
+ 000000e0(224) lsass.exe
+ 0000011c(284) conime.exe
10000000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
+ 00000194(404) svchost.exe
+ 000001cc(460) Ras.exe
00400000[0013F000]
[ M] 47. d:\progra~1\卡卡\ras.exe
Beijing Rising Technology Co., Ltd.
Rising AntiSpyware
.text,.rdata,.data,.rsrc,
780C0000[00061000]
[ M] 48. c:\winnt\system32\msvcp60.dll
Microsoft Corporation
Microsoft (R) C++ Runtime Library
.text,.rdata,.data,.rsrc,.reloc,
10000000[000A3000]
[ M] 49. d:\progra~1\卡卡\rasgui.dll
Beijing Rising Technology Co., Ltd.
RasGUI
.text,.rdata,.data,.rsrc,.reloc,
01670000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
好朋友2 - 2007-9-7 21:39:00
379B0000[0008C000]
[ M] 50. c:\program files\common files\microsoft shared\web folders\msonsext.dll
.text,.data,.rsrc,.reloc,
+ 00000220(544) spoolsv.exe
00DB0000[00005000]
[ M] 51. c:\winnt\system32\spool\prtprocs\w32x86\vprproc.dll
Windows (R) 2000 DDK provider
Windows DDK Print DLL
.text,.data,.rsrc,.reloc,
+ 00000248(584) svchost.exe
63B50000[00034000]
[ M] 52. c:\winnt\system32\unimdm.tsp
Microsoft Corporation
Unimodem 5 Service Provider
.text,.data,.rsrc,.reloc,
63BC0000[00008000]
[ M] 53. c:\winnt\system32\kmddsp.tsp
Microsoft Corporation
TAPI Kernel-Mode Service Provider
.text,.data,.rsrc,.reloc,
63BB0000[0000C000]
[ M] 54. c:\winnt\system32\ndptsp.tsp
Microsoft Corporation
NDIS Proxy TAPI Service Provider
.text,.data,.rsrc,.reloc,
63BD0000[00006000]
[ M] 55. c:\winnt\system32\ipconf.tsp
Microsoft Corporation
Microsoft Multicast Conference TAPI Service Provider
.text,.data,.rsrc,.reloc,
63BE0000[00044000]
[ M] 56. c:\winnt\system32\h323.tsp
Microsoft Corporation
Microsoft H.323 TAPI Service Provider
.text,.data,.rsrc,.reloc,
+ 00000274(628) regsvc.exe
+ 00000288(648) MSTask.exe
+ 000002c4(708) WinMgmt.exe
+ 000002f4(756) svchost.exe
+ 000003a4(932) runiep.exe
00400000[00013000]
[ M] 57. d:\progra~1\卡卡\runiep.exe
Beijing Rising Technology Co., Ltd.
Rising AntiSpyware Monitor
.text,.rdata,.data,.rsrc,
00B20000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
+ 000003ac(940) Explorer.EXE
23000000[00056000]
[ M] 58. c:\winnt\apppatch\aclayers.dll
Microsoft Corporation
Windows 2000 Shim Accessory DLL
.text,.data,.CRT,.rsrc,.reloc,
77520000[00008000]
[ M] 44. c:\winnt\system32\wdmaud.drv
Microsoft Corporation
WDM Audio driver mapper
.text,.data,.rsrc,.reloc,
773C0000[00008000]
[ M] 45. c:\winnt\system32\msacm32.drv
Microsoft Corporation
Microsoft Sound Mapper
.text,.data,.rsrc,.reloc,
10000000[00032000]
[ M] 59. c:\winnt\system32\igfxpph.dll
Intel Corporation
igfxpph Module
.text,.rdata,.data,.rsrc,.reloc,
022A0000[0001D000]
[ M] 60. c:\winnt\system32\hccutils.dll
Intel Corporation
hccutils Module
.text,.rdata,.data,.rsrc,.reloc,
022E0000[0008E000]
[ M] 61. c:\winnt\system32\igfxres.dll
Intel Corporation
xxxxres Module
.text,.rdata,.data,.rsrc,.reloc,
02380000[00046000]
[ M] 62. c:\winnt\system32\igfxsrvc.dll
Intel Corporation
igfxsrvc Module
.text,.rdata,.data,.rsrc,.reloc,
02810000[0001B000]
[AM] 38. c:\winnt\system32\ravext.dll
Beijing Rising Technology Co., Ltd.
Rising Shell Ext Module
.text,.rdata,.data,.rsrc,.reloc,
02840000[00011000]
[AM] 40. c:\winnt\system32\shlhook.dll
Beijing Rising Technology Co., Ltd.
shlhook Module
.text,.rdata,.data,.rsrc,.reloc,
02870000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
02BD0000[00019000]
[ M] 63. d:\progra~1\rising\rav\ravscrch.dll
Beijing Rising Technology Co., Ltd.
RavScrCh Module
.text,.rdata,.data,.rsrc,.reloc,
69B10000[00115000]
[ M] 64. c:\winnt\system32\msxml3.dll
Microsoft Corporation
MSXML 3.0 SP 3
.text,.data,.rsrc,.reloc,
23700000[0001A000]
[ M] 65. d:\progra~1\rising\rav\rscommon.dll
Beijing Rising Technology Co., Ltd.
Rising Common Function Dynamic Link Library
.text,.rdata,.data,.rsrc,.reloc,
+ 000003c8(968) RfwMain.exe
00400000[00073000]
[ M] 66. d:\progra~1\rising\rfw\rfwmain.exe
Beijing Rising Technology Co., Ltd.
Rising Personal FireWall Main Program
.text,.rdata,.data,.rsrc,
780C0000[00061000]
[ M] 48. c:\winnt\system32\msvcp60.dll
Microsoft Corporation
Microsoft (R) C++ Runtime Library
.text,.rdata,.data,.rsrc,.reloc,
26600000[0007D000]
[ M] 67. d:\progra~1\rising\rfw\rsguilib.dll
Beijing Rising Technology Co., Ltd.
Rising GUI Library Loader
.text,.rdata,.data,.rsrc,.reloc,
23700000[0001A000]
[ M] 68. d:\progra~1\rising\rfw\rscommon.dll
Beijing Rising Technology Co., Ltd.
Rising Common Function Dynamic Link Library
.text,.rdata,.data,.rsrc,.reloc,
10000000[0000F000]
[ M] 69. d:\progra~1\rising\rfw\rfwctrl.dll
Beijing Rising Technology Co., Ltd.
RfwCtrl DLL
.text,.rdata,.data,.rsrc,.reloc,
23800000[0001A000]
[ M] 70. d:\progra~1\rising\rfw\rsxml.dll
Beijing Rising Technology Co., Ltd.
RsXML
.text,.rdata,.data,.rsrc,.reloc,
23900000[00031000]
[ M] 71. d:\progra~1\rising\rfw\pngdll.dll
Beijing Rising Technology Co., Ltd.
Rising .Png File Loader Dynamic Link Library
.text,.rdata,.data,.rsrc,.reloc,
01860000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
+ 000004ec(1260) internat.exe
10000000[0001B000]
[ M] 46. d:\progra~1\卡卡\ieprot.dll
Beijing Rising Technology Co., Ltd.
IE Protector
.text,.rdata,.data,.rsrc,.reloc,
好朋友2 - 2007-9-7 21:40:00
[CODE]
2007-09-07,21:20:52
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Windows 2000 Publisher]
<RavTask><"D:\PROGRA~1\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [Intel Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\Userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}><C:\WINNT\system32\shlhook.dll> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer 访问><"%SystemRoot%\system32\shmgrate.exe" OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express 访问><"%SystemRoot%\system32\shmgrate.exe" OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 5><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
<CRLUpdate><%SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl> [N/A]
==================================
启动文件夹
N/A
==================================
服务
[81117A72 / 81117A72][Stopped/]
<2 - 系统找不到指定的文件。
><N/A>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Rising Proxy Service / RfwProxySrv][Running/Manual Start]
<d:\progra~1\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\progra~1\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"D:\PROGRA~1\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\PROGRA~1\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
==================================
驱动程序
[TENDA TEL8139D 10/100Mbps Fast Ethernet Adapter / ADM9X][Running/Manual Start]
<system32\DRIVERS\ADM9X.sys><ADMtek Incorporated.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\ExpScan.sys><>
[HOOKAPI / HOOKAPI][Stopped/Manual Start]
<\??\D:\PROGRA~1\RISING\RAV\HOOKAPI.SYS><瑞星软件有限公司>
[HookCont / HookCont][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[i81x / i81x][Running/Manual Start]
<system32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\MEMSCAN.sys><Beijing Rising Technology Co., Ltd.>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\progra~1\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\D:\QQ2006\qq\npkcrypt.sys><N/A>
[nwupspx / nwupspx][Stopped/Boot Start]
<\SystemRoot\system32\drivers\nwupspx.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[WAN 微型端口 (PPP over Ethernet 协议) / RMSPPPOE][Running/Manual Start]
<system32\DRIVERS\RMSPPPOE.SYS><Robert Schlabbach>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\D:\PROGRA~1\Rising\Rav\RSPPSYS.sys><Rising>
[TENDA 10/100/1000 NIC Family all in one NDIS NT Driver / RTL8023][Stopped/Manual Start]
<system32\DRIVERS\Rtlnic.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
好朋友2 - 2007-9-7 21:41:00
浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233} <E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[启动迅雷5]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <E:\Program Files\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[CPasswordEditCtrl Object]
{E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINNT\system32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <E:\Program Files\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[Vod Class]
{EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <E:\Program Files\Thunder\Components\DownAndPlay\DapPlayer_Now.dll, XunLei>
[使用迅雷下载]
<E:\Program Files\Thunder\Program\GetUrl.htm, N/A>
[使用迅雷下载全部链接]
<E:\Program Files\Thunder\Program\GetAllUrl.htm, N/A>
==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 164][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 184][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6898]
[C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[PID: 212][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.6700]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[PID: 224][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.6902]
[PID: 404][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 544][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.6659]
[C:\WINNT\system32\spool\PRTPROCS\W32X86\vprproc.dll] [Windows (R) 2000 DDK provider, 5.00.2195.1620]
[PID: 584][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\unimdm.tsp] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\kmddsp.tsp] [Microsoft Corporation, 5.00.2150.1]
[C:\WINNT\system32\ndptsp.tsp] [Microsoft Corporation, 5.00.2143.1]
[C:\WINNT\system32\ipconf.tsp] [Microsoft Corporation, 5.00.2143.1]
[C:\WINNT\system32\h323.tsp] [Microsoft Corporation, 5.00.2195.6901]
[PID: 628][C:\WINNT\system32\regsvc.exe] [Microsoft Corporation, 5.00.2195.6701]
[PID: 648][C:\WINNT\system32\MSTask.exe] [Microsoft Corporation, 4.71.2195.6704]
[PID: 708][C:\WINNT\System32\WBEM\WinMgmt.exe] [Microsoft Corporation, 1.50.1085.0100]
[PID: 756][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 940][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\AppPatch\AcLayers.DLL] [Microsoft Corporation, 5.00.2195.6717]
[C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\igfxpph.dll] [Intel Corporation, 3,0,0,1757]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3,0,0,1757]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3,0,0,1757]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3,0,0,1757]
[C:\WINNT\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\WINNT\system32\shlhook.dll] [Beijing Rising Technology Co., Ltd., 4.0.0.9]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[D:\PROGRA~1\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINNT\system32\msxml3.dll] [Microsoft Corporation, 8.30.9926.0]
[D:\PROGRA~1\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.2.9]
[E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 3, 11]
[E:\Program Files\Thunder\Components\ResWorker\DsBho_00.dll] [, 1, 0, 0, 4]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[E:\Program Files\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 6]
[PID: 968][d:\progra~1\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[d:\progra~1\rising\rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[d:\progra~1\rising\rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\progra~1\rising\rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[d:\progra~1\rising\rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[d:\progra~1\rising\rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 1260][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 932][D:\PROGRA~1\卡卡\runiep.exe] [Beijing Rising Technology Co., Ltd., 4.0.0.18]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 284][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 888][D:\下载专用包\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[D:\PROGRA~1\卡卡\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[D:\下载专用包\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
[D:\下载专用包\sreng2\Plugins\NTFSTREAM.SRE] [Smallfrogs Studio, 1, 0, 0, 5]
[C:\WINNT\system32\MSISIP.DLL] [Microsoft Corporation, 2.0.2600.1183]
[C:\WINNT\system32\wshCHS.DLL] [Microsoft Corporation, 5.6.0.6626]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 932, D:\PROGRA~1\卡卡\RUNIEP.EXE]
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
[/CODE]
好朋友2 - 2007-9-8 15:34:00
Nobody is going to tell me?
好朋友2 - 2007-9-8 15:35:00
Please tell me soon.
好朋友2 - 2007-9-9 12:18:00
Moderator, please help; I'm worried the virus wasn't cleaned out completely.
好朋友2 - 2007-9-9 12:19:00
This is really cold; even if everything is normal, at least tell me so.
好朋友2 - 2007-9-11 12:26:00
?????????????????/
天月来了 - 2007-9-11 12:50:00
In the SREng tool you used to produce the log: Startup Items > Services > Win32 service applications > change the startup type of the following entry to "Disabled"
[81117A72 / 81117A72][Stopped/]
——————————————————————————————————————————
In the same SREng tool: Startup Items > Services > Drivers > change the startup type of the following entry to "Disabled"
[nwupspx / nwupspx][Stopped/Boot Start]
I can't see anything else.
I suggest cleaning the system with Windows清理助手 (Windows Cleanup Assistant), 360, or Kaka.