瑞星卡卡安全论坛

被搞的头都大了
请达人帮忙
[CODE]

2008-03-11,16:27:53

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><ctfmon.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <SunJavaUpdateSched><C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe>  [Sun Microsystems, Inc.]
    <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [(Verified)Beijing Rising Science and Technology Corporation Limited]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [(Verified)Beijing Rising Science and Technology Corporation Limited]
    <runeip><"C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup>  [Beijing Rising Technology Co., Ltd.]
    <CnxDslTaskBar><"C:\Program Files\D-Link\DSL-200\CnxDslTb.exe">  [Conexant Systems Inc.]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [(Verified)Beijing Rising Science and Technology Corporation Limited]
    <{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}><C:\WINNT\system32\shlhook.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer 访问><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express 访问><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <Address Book 5><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    <CRLUpdate><%SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl>  [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><(无)>  [N/A]

==================================
启动文件夹
[QQ游戏启动加速程序]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\QQ游戏启动加速程序.lnk --> C:\PROGRA~1\Tencent\QQGame\Accel.exe [深圳市腾讯计算机系统有限公司]><N>
[腾讯QQ]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\腾讯QQ.lnk --> C:\PROGRA~1\Tencent\QQ\QQ.exe [TENCENT]><N>

==================================
服务
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
  <C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[ClipBool / ClipBool][Stopped/Auto Start]
  <C:\WINNT\systrm><N/A>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Gray_Pigeon_Serve / GrayPigeonServe][Stopped/Auto Start]
  <C:\WINNT\syszb><N/A>
[PerAdaps Tation / Peridtig Dista][Stopped/Auto Start]
  <C:\WINNT\system32\wints.exe><N/A>
[Rising Proxy  Service / RfwProxySrv][Running/Auto Start]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Remote Procedure Call System / RpcS][Running/Auto Start]
  <C:\WINNT\system32\RpcS.exe><Microsoft Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Conexant AccessRunner USB ADSL WAN Adapter Filter Driver / CnxEtP][Running/Manual Start]
  <system32\DRIVERS\CnxEtP.sys><Conexant>
[Conexant

[用户系统信息]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

斑竹帮帮忙吧 谢谢啦

将日志内容不遗漏任何一个字母复制到另一个新建的空记事本里保存，再以附件形式发论坛来。
一定要以附件形式发论坛来
可以点我这贴的右下角的“引用”就知道怎么以附件形式发来了

弱弱的问个问题,发的日志内容是杀毒前的,还是杀毒后的?
我这个是杀毒后的,

附件: 10223882008312145821.txt

这两文件不认识，自己去看看去。
C:\Program Files\Outlook Express\msinm.exe
C:\Program Files\Internet Explorer\ieapi.dll
————————————————————————————————————————

这里官网下载费尔木马强力清除助手,勾选“抑制文件再生”删除。
http://dl.filseclab.com/down/powerrmv.zip

删除
C:\WINNT\system32\wints.exe
C:\WINNT\system32\RpcS.exe
C:\WINNT\system32\RpcS.dll
D:\Autorun.inf
D:\snow.exe
E:\Autorun.inf
E:\snow.exe
——————————————————————————————————————————————————
在扫日志的SRENG工具》启动项目》服务》Win32服务应用程序》里面找下面项删除，或将启动类型改为“Disabled”
==================================
服务
[ClipBool / ClipBool][Stopped/Auto Start]
  <C:\WINNT\systrm><N/A>

[Gray_Pigeon_Serve / GrayPigeonServe][Stopped/Auto Start]
  <C:\WINNT\syszb><N/A>

[PerAdaps Tation / Peridtig Dista][Stopped/Auto Start]
  <C:\WINNT\system32\wints.exe><N/A>

[Remote Procedure Call System / RpcS][Running/Auto Start]
  <C:\WINNT\system32\RpcS.exe><Microsoft Corporation>
————————————————————————————————————
再重启电脑，升级杀毒软件至最新版本全盘杀毒。

这里 下 载 W i n d o w s 清理助手，清理你那系统。
http://www.arswp.com/

记得用QQ医生和瑞星漏洞扫描打打系统补丁，检测到的都打全

清空IE缓存，清空临时文件夹。



再详细说说病毒文件名和路径

【回复“天月来了”的帖子】
谢谢斑竹 辛苦啦~