瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » 发现了比较牛的病毒。。。。。。
紫宸 - 2007-11-18 8:52:00
11月17日中的病毒,瑞星和安博士,还有NOD32均不报毒,进程内多了SVCHOST进程(不是系统进程),USERINIT进程,USERINIT访问网络,以及两个名称为*_071115的进程名,后查系统文件夹内有五个*_071115,但前面*号名称不同,注册表被更改,现按F8不能进入安全模式,关机提示错误,需要第二次才能关机。以下为扫描:
Logfile of HijackThis v1.99.0
Scan saved at 8:29:16, on 2007-11-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rising\Rfw\rfwmain.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSRSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Maxthon\Max.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Maxthon\Max.exe
D:\HijackThis.exe

O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - D:\应用程序\金山快译\IEBand.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\应用程序\QQ2006\AddEmotion.htm
O9 - Extra button: (no name) - RsAutorunsDisabled - (no file)
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} (163Uploader Control) - http://photo.163.com/163Uploader.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://www.ahn.com.cn/aspservice/plugin/myfirewall20.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/pcver2006new/OL2006.cab
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (PasswordEditCtrl Class) - https://password.qq.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69BCA3CF-ED1E-4FD0-BF65-B7A04A45B6AD}: NameServer = 202.102.152.3
O18 - Protocol hijack: ic32pp - ?{BBCA9F81-8F4F-11D2-90FF-0080C83D3571}
O23 - Service: Contrl Center of Storm Media - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: DriverStudio Remote Control - Unknown - C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSRSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Proxy  Service - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

请问如何处理?谢谢。

[用户系统信息]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)
紫宸 - 2007-11-18 15:35:00
没人能帮忙么?
我把能看到的多余的进程给清掉了,系统文件夹内的也清掉了,现在进程中看不到那几个进程。
现在关机提示错误,需要按机箱重启后第二次关机,按F8进不了安全模式,有时还会重启。
独孤剑客 - 2007-11-18 15:46:00
O23 - Service: NOD32 Kernel Service - Eset - C:\Program Files\Eset\nod32krn.exe
nod??
换sregn日志..
紫宸 - 2007-11-18 16:34:00
[CODE]

2007-11-18,16:15:21

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows XP Publisher]
    <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows XP Publisher]
    <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows XP Publisher]
    <SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows XP Publisher]
    <nwiz><nwiz.exe /install>  [(Verified)Microsoft Windows XP Publisher]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
    <nod32kui><"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE>  [Eset ]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <Userinit><C:\WINDOWS\System32\inf\svchost.exe C:\WINDOWS\System32\lwisys16_071115.dll start>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows XP Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    <N/A><"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3A202177-913D-112B-54CD-72FF5FE1CF20}]
    <N/A><C:\WINDOWS\System32\nwizmhxy.exe>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FA302103-F04D-11cf-64CD-11EF5FE1CF20}]
    <N/A><C:\WINDOWS\System32\nwizqjsj.exe>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <Flashget><; "C:\Program Files\FlashGet\FlashGet.exe" /min>  [FlashGet.com]
    <runeip><; "C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup>  [Beijing Rising Technology Co., Ltd.]
    <TkBellExe><; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot>  [RealNetworks, Inc.]
    <WinampAgent><; C:\Program Files\Winamp\winampa.exe>
紫宸 - 2007-11-18 16:34:00
==================================
启动文件夹
N/A

==================================
服务
[Contrl Center of Storm Media / ccosm][Stopped/Auto Start]
  <C:\Program Files\StormII\stormliv.exe /asservice><北京暴风网际科技有限公司>
[DriverStudio Remote Control / DriverStudio Remote Control][Running/Auto Start]
  <C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSRSvc.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Macromedia Licensing Service / Macromedia Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><>
[NOD32 Kernel Service / NOD32krn][Running/Auto Start]
  <"C:\Program Files\Eset\nod32krn.exe"><Eset>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy  Service / RfwProxySrv][Stopped/Manual Start]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
  <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AMON / AMON][Running/Auto Start]
  <\??\C:\WINDOWS\System32\drivers\amon.sys><Eset>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[HookUrl / HookUrl][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[ISO DVD/CD-ROM Device Driver / ISODrive][Running/System Start]
  <\??\D:\应用程序\UltraISO\drivers\ISODrive.sys><EZB Systems, Inc.>
[jdy#hook / jdy#hook][Stopped/Manual Start]
  <\??\C:\Program Files\按键精灵\hknm.sys><N/A>
[kmsinput / kmsinput][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\drivers\kmsinput.sys><N/A>
[mProcRs / mProcRs][Running/Auto Start]
  <\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[DriverStudio Device Filter / nmfilter][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\nmfilter.sys><Compuware Corporation - NuMega Lab>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\drivers\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\应用程序\QQ2006\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Running/Manual Start]
  <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nvatabus / nvatabus][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[NVIDIA nForce MCP Networking Controller Driver / NVENET][Running/Manual Start]
  <System32\DRIVERS\NVENET.sys><NVIDIA Corporation>
[nvidesm / nvidesm][Running/Boot Start]
  <\SystemRoot\system32\drivers\nvidesm.sys><NVIDIA Corporation>
[NVIDIA nForce AGP Bus Filter / nv_agp][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\nv_agp.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc][Running/Manual Start]
  <system32\drivers\pfc.sys><Padus, Inc.>
[PmDrv / PmDrv][Stopped/Manual Start]
  <\??\E:\Process Monitor\PmDrv.sys><N/A>
[PortTalk / PortTalk][Stopped/Manual Start]
  <System32\Drivers\PortTalk.sys><Beyond Logic http://www.beyondlogic.org>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[ReadSamer / ReadSamer][Stopped/Manual Start]
  <\??\E:\readsam\reader.sys><N/A>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\System32\drivers\RsBoot.sys><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Running/Auto Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[SiwvidStart / SiwvidStart][Stopped/Manual Start]
  <\??\C:\Program Files\Compuware\SoftICE Driver Suite\Common\Binsiwvid.sys><N/A>
[vfdriver / vfdriver][Stopped/Manual Start]
  <\??\E:\debuggy_unleashed\ptoolz\vfdriver.sys><N/A>
[WinDriver6 / WinDriver6][Stopped/Manual Start]
  <system32\drivers\windrvr6.sys><Jungo>

==================================
浏览器加载项
[信息检索(&R)]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[快车]
  {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
[电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[金山快译(&K)]
  {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} <D:\应用程序\金山快译\IEBand.dll, >
[AlternaTIFF ActiveX]
  {106E49CF-797A-11D2-81A2-00E02C015623} <C:\WINDOWS\Downloaded Program Files\alttiff.ocx, Medical Informatics Engineering, Inc.>
[iTrusPTA Class]
  {1E0DFFCF-27FF-4574-849B-55007349FEDA} <C:\WINDOWS\System32\aliedit\pta.dll, >
[163Uploader Control]
  {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} <C:\WINDOWS\System32\163UPL~1.OCX, 广州网易互动娱乐有限公司>
[SysMonOCX Control]
  {9BDBC41E-C335-4263-83C0-ECE78EE28A33} <C:\WINDOWS\DOWNLO~1\SYSMON~1.OCX, AhnLab>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[Rising Web Scan Object]
  {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\DOWNLO~1\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[PasswordEditCtrl Class]
  {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINDOWS\System32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[safe360AutoLive]
  {E5212438-921F-44a3-8865-11C0B9BA4AF2} <C:\Program Files\safe360\autolive.dll, N/A>
[FGAutoLive]
  {F90D830D-C175-4bbe-82C7-FF94669A4C42} <C:\Program Files\FlashGet\fgupdate.dll, www.flashget.com>
[FGCatchUrl]
  {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <C:\Program Files\FlashGet\jccatch.dll, N/A>
[&使用快车(FlashGet)下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[&使用快车(FlashGet)下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[&使用迅雷下载]
  <C:\Program Files\Thunder Network\Thunder\geturl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[添加到QQ表情]
  <D:\应用程序\QQ2006\AddEmotion.htm, N/A>
紫宸 - 2007-11-18 16:35:00
==================================
正在运行的进程
[PID: 692 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 776 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 800 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 844 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 856 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1020 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1168 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1292 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1404 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1452 / SYSTEM][c:\program files\rising\rfw\rfwsrv.exe]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 35]
    [c:\program files\rising\rfw\RfwRule.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 3]
    [c:\program files\rising\rfw\rfwlog.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 2]
    [c:\program files\rising\rfw\Rfwdrv.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 10]
    [c:\program files\rising\rfw\psapi.dll]  [Microsoft Corporation, 4.00]
    [c:\program files\rising\rfw\MonDrv.dll]  [rs, 1, 0, 0, 4]
    [c:\program files\rising\rfw\ProcLib.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 5]
    [c:\program files\rising\rfw\mPorts.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 3]
[PID: 1612 / Administrator][C:\WINDOWS\Explorer.exe]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\WINDOWS\System32\nvshell.dll]  [NVIDIA Corporation, 6.14.10.5216]
    [C:\WINDOWS\System32\NVWRSZHC.DLL]  [NVIDIA Corporation, 6.14.10.5216]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\Program Files\Eset\nodshex.dll]  [N/A, ]
    [C:\WINDOWS\System32\WINWB98.IME]  [Microsoft Corporation, 4.00.950]
[PID: 1808 / Administrator][C:\WINDOWS\SOUNDMAN.EXE]  [Realtek Semiconductor Corp., 5.1.11]
[PID: 1844 / Administrator][C:\Program Files\Rising\Rfw\rfwmain.exe]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
    [C:\Program Files\Rising\Rfw\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
    [C:\Program Files\Rising\Rfw\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rfw\RfwCtrl.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
    [C:\Program Files\Rising\Rfw\RsXML.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
    [C:\Program Files\Rising\Rfw\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[PID: 1852 / Administrator][C:\Program Files\Eset\nod32kui.exe]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\nod32rui.dll]  [N/A, ]
    [C:\Program Files\Eset\pu_amon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_amon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pu_dmon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_dmon.dll]  [N/A, ]
    [C:\Program Files\Eset\pu_emon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_emon.dll]  [N/A, ]
    [C:\Program Files\Eset\pu_imon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_imon.dll]  [N/A, ]
    [C:\Program Files\Eset\pu_mirr.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_mirr.dll]  [N/A, ]
    [C:\Program Files\Eset\pu_nod32.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_nod32.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pu_upd.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_upd.dll]  [N/A, ]
[PID: 400 / SYSTEM][C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSRSvc.exe]  [N/A, ]
    [C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSCPanelServer.dss]  [N/A, ]
    [C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSStatusServer.dss]  [Compuware Corporation - NuMega Lab, 2.7.0 (Build 562)]
    [C:\Program Files\Compuware\SoftICE Driver Suite\Common\Bin\DSRReboot.dll]  [N/A, ]
    [C:\Program Files\Compuware\SoftICE Driver Suite\SoftICE\Setup\SIInitServer.dss]  [Compuware Corporation - NuMega Lab, 2.7.0 (Build 562)]
[PID: 676 / SYSTEM][C:\Program Files\Eset\nod32krn.exe]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\nod32krr.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\ps_amon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_amon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\ps_dmon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_dmon.dll]  [N/A, ]
    [C:\Program Files\Eset\ps_emon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_emon.dll]  [N/A, ]
    [C:\WINDOWS\System32\imon.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_imon.dll]  [N/A, ]
    [C:\Program Files\Eset\ps_mirr.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_mirr.dll]  [N/A, ]
    [C:\Program Files\Eset\ps_nod32.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_nod32.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\ps_upd.dll]  [Eset , 2, 51, 26 ]
    [C:\Program Files\Eset\pr_upd.dll]  [N/A, ]
[PID: 724 / SYSTEM][C:\WINDOWS\System32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.5216]
[PID: 948 / Administrator][C:\Program Files\Maxthon\Max.exe]  [Maxthon International Ltd., 1, 5, 3, 18]
    [C:\Program Files\Maxthon\maxzlib.dll]  [ , 1, 0, 0, 2]
    [C:\Program Files\Maxthon\Services\RealTime\real_time.dll]  [, 1, 0, 0, 1]
    [C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [C:\WINDOWS\System32\WINWB98.IME]  [Microsoft Corporation, 4.00.950]
[PID: 1524 / SYSTEM][C:\WINDOWS\System32\wbem\wmiapsrv.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 540 / Administrator][C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe]  [Microsoft Corporation, 6.00.8176]
    [C:\Program Files\Microsoft Visual Studio\VB98\VBA6.dll]  [Microsoft Corporation, 6.0.8169]
    [C:\Program Files\Microsoft Visual Studio\VB98\VB6IDE.DLL]  [Microsoft Corporation, 6.00.8169]
    [C:\Program Files\Common Files\Microsoft Shared\VBA\MSO97RT.DLL]  [, ]
    [C:\Program Files\Microsoft Visual Studio\VB98\DATAVIEW.DLL]  [Microsoft Corp., 6.00.8178]
    [C:\WINDOWS\System32\vb6chs.dll]  [Microsoft Corporation, 6.00.8988]
    [C:\WINDOWS\System32\COMMTB32.dll]  [Microsoft Corporation, 01.10]
    [C:\Program Files\Microsoft Visual Studio\Common\Tools\VCM\VCMMGR.DLL]  [Microsoft Corp., 6.00.8169]
    [C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL]  [Microsoft Corporation, 6.00.8169]
    [C:\Program Files\Microsoft Visual Studio\VB98\Wizards\RESEDIT.DLL]  [Microsoft Corporation, 6.00.8169]
    [C:\Program Files\YFSoft\API浏览器.net\APIINEX.dll]  [北京金日新事业技术有限公司, 1.00]
    [C:\PROGRA~1\MICROS~4\VB98\VBSCC.DLL]  [, 06.00.8142]
    [C:\PROGRA~1\MICROS~4\VB98\AddSccus.dll]  [, 06.00.8142]
    [D:\应用程序\VB6.0企业版安装文件\vb6.0\vb6\VSS\win32\SSSCC.DLL]  [, 06.00.8169]
    [D:\应用程序\VB6.0企业版安装文件\vb6.0\vb6\VSS\win32\ssus.dll]  [, 06.00.8163]
    [C:\WINDOWS\System32\WINWB98.IME]  [Microsoft Corporation, 4.00.950]
[PID: 1980 / Administrator][C:\Program Files\Microsoft Visual Studio\Common\Tools\Winapi\APILOAD.EXE]  [Microsoft Corporation, 6.00.8169]
    [C:\WINDOWS\System32\vb6chs.dll]  [Microsoft Corporation, 6.00.8988]
    [C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL]  [Microsoft Corporation, 6.00.8169]
[PID: 556 / Administrator][F:\VB学习文件\VB源码程序集和学习资料\PE文件标志软件\JiurlPedumpAver0.1.exe]  [, 1, 0, 0, 1]
[PID: 1536 / Administrator][C:\WINDOWS\system32\calc.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1216 / Administrator][D:\应用程序\金山词霸\金山词霸程序\XDICT.EXE]  [Kingsoft Co, Ltd., 8, 5, 0, 0]
    [D:\应用程序\金山词霸\金山词霸程序\DicMngr.dll]  [Kingsoft, 1, 0, 0, 0]
    [D:\应用程序\金山词霸\金山词霸程序\doshow.dll]  [N/A, ]
    [D:\应用程序\金山词霸\金山词霸程序\ITextOut.dll]  [Kingsoft, 1, 1, 0, 0]
    [D:\应用程序\金山词霸\金山词霸程序\KPic10.dll]  [N/A, ]
    [D:\应用程序\金山词霸\金山词霸程序\ijl11.dll]  [Intel Corporation, 1.1.2]
    [D:\应用程序\金山词霸\金山词霸程序\NormGrab.DLL]  [Kingsoft Co, Ltd., 6, 0, 0, 0]
    [D:\应用程序\金山词霸\金山词霸程序\toTTSEngine50.dll]  [Kingsoft Corporation, 1, 0, 0, 1]
    [D:\应用程序\金山词霸\金山词霸程序\xfile.dll]  [N/A, ]
    [D:\应用程序\金山词霸\金山词霸程序\DBCore10.dll]  [Kingsoft  Corp., 1, 0, 0, 0]
    [D:\应用程序\金山词霸\金山词霸程序\XdictGrb.dll]  [Kingsoft Co, Ltd., 8, 5, 0, 0]
[PID: 1484 / Administrator][F:\手工清毒工具专用\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [F:\手工清毒工具专用\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
紫宸 - 2007-11-18 16:35:00
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 948, C:\PROGRAM FILES\MAXTHON\MAX.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 540, C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\VB98\VB6.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1980, C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\COMMON\TOOLS\WINAPI\APILOAD.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 556, F:\VB学习文件\VB源码程序集和学习资料\PE文件标志软件\JIURLPEDUMPAVER0.1.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1216, D:\应用程序\金山词霸\金山词霸程序\XDICT.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]
紫宸 - 2007-12-2 22:07:00
汗哦,等到12月了,还没人来帮帮忙呵。
newcenturymoon - 2007-12-2 22:28:00
USERINIT访问网络 多半是中了机器狗
天月来了 - 2007-12-3 9:12:00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\userinit.exe,> []

从上面这启动项看,应该C:\WINDOWS\system32\userinit.exe文件已被替换了。

怎还没格盘重装系统呢?



第一老狮子 - 2007-12-3 9:37:00
不用格盘吧
1
查看完整版本: 发现了比较牛的病毒。。。。。。
© 2000 - 2026 Rising Corp. Ltd.