瑞星卡卡安全论坛
Trojan87 - 2008-5-8 18:54:00
[CODE]
2008-05-08,18:52:05
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"C:\Program Files\rising\Rav\RavTask.exe" -system> [(Verified)Beijing Rising Science and Technology Corporation Limited]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [(Verified)"RealNetworks, Inc."]
<rujookjb><C:\WINDOWS\uokbubia.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [(Verified)Beijing Rising Science and Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
<N/A><"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\System32\AQUARIUM.SCR> []
==================================
启动文件夹
N/A
==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\WINDOWS\System32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
[Forceware Web Interface / ForcewareWebInterface][Running/Auto Start]
<"C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice><Apache Software Foundation>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[ForceWare IP service / nSvcIp][Running/Auto Start]
<C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe><N/A>
[ForceWare user log service / nSvcLog][Running/Auto Start]
<C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe><N/A>
[P4P Service / P4P Service][Running/Auto Start]
<C:\Program Files\Common Files\Sogou PXP\p2psvr.exe><Sohu.com Inc.>
[Rising Proxy Service / RfwProxySrv][Running/Auto Start]
<C:\Program Files\Rising\Rfw\rfwProxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<C:\Program Files\Rising\Rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Auto Start]
<"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
==================================
驱动程序
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
<system32\drivers\ALCXSENS.SYS><Sensaura>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ati2mtag / ati2mtag][Running/Manual Start]
<System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[ATICDSDr / ATICDSDr][Stopped/Manual Start]
<\??\C:\Program Files\ATI Technologies\ATI Control Panel\atiicdxx.sys><ATI Technologies Inc.>
[Atixeve27578 / Atixeve27578][Stopped/Manual Start]
<\??\C:\WINDOWS\TEMP\~wxp2ins.468.tmp><N/A>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[HookCont / HookCont][Running/System Start]
<\SystemRoot\system32\drivers\HookCont.sys><Beijing Rising Technology Co., Ltd>
[HookNtos / HookNtos][Running/System Start]
<\SystemRoot\system32\drivers\HookNtos.sys><Beijing Rising Technology Co., Ltd>
[HookReg / HookReg][Running/System Start]
<\SystemRoot\system32\drivers\HookReg.sys><Beijing Rising Technology Co., Ltd>
[HookSys / HookSys][Running/System Start]
<\SystemRoot\system32\drivers\HookSys.sys><Beijing Rising Technology Co., Ltd>
[HookUrl / HookUrl][Running/Auto Start]
<\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[jtio / jtio][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmp18.tmp><N/A>
[kmsinput / kmsinput][Stopped/Manual Start]
<\??\C:\WINDOWS\System32\drivers\kmsinput.sys><N/A>
[Nokia USB Generic / Nokia USB Generic][Stopped/Manual Start]
<system32\drivers\nmwcdc.sys><Nokia>
[Nokia USB Modem / Nokia USB Modem][Stopped/Manual Start]
<system32\drivers\nmwcdcm.sys><Nokia>
[Nokia USB Phone Parent / Nokia USB Phone Parent][Stopped/Manual Start]
<system32\drivers\nmwcd.sys><Nokia>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\D:\Program Files\Tencent\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[nvatabus / nvatabus][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[NVIDIA nForce Networking Controller Driver / NVENETFD][Running/Manual Start]
<System32\DRIVERS\NVENETFD.sys><NVIDIA Corporation>
[NVIDIA Network Bus Enumerator / nvnetbus][Running/Manual Start]
<System32\DRIVERS\nvnetbus.sys><NVIDIA Corporation>
[NVIDIA nForce AGP Bus Filter / nv_agp][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\nv_agp.sys><NVIDIA Corporation>
[ping / ping][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmpB.tmp><N/A>
[ptfs / ptfs][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmp16.tmp><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Rising Rfwbase Driver / RfwBase][Running/Auto Start]
<System32\DRIVERS\rfwbase.SYS><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/System Start]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\System32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[USB PC Camera (SNPSTD3) / SNPSTD3][Stopped/Manual Start]
<System32\DRIVERS\snpstd3.sys><>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\123456\新建文件夹\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\123456\新建文件夹\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[知识库]
{06926B30-424E-4f1c-8EE3-543CD96573DC} <http://blank.la/?h, N/A>
[启动迅雷5]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <D:\123456\新建文件夹\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[浩方对战平台]
{0A155D3C-68E2-4215-A47A-E800A446447A} <F:\浩方\浩方对战平台\GameClient.exe, 上海浩方在线信息技术有限公司>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[GDGetTokenInfo Class]
{3AA9CF07-DF20-48FF-98BE-DED276E40146} <C:\WINDOWS\System32\GDREAD~1.DLL, >
[EditCtrl Class]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\System32\aliedit\aliedit.dll, >
[InfoSecNetSign Class]
{5CB840B5-A94E-4AD9-B785-4866E3B04476} <C:\WINDOWS\DOWNLO~1\ICBCNE~1.DLL, Infosec Technologies Co., Ltd.>
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9f.ocx, Adobe Systems, Inc.>
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\123456\新建文件夹\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[XMP Class]
{6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
[XDRM]
{693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
[WangWangObj Class]
{6E213FC7-DD5A-4115-B7E6-D4C7838C361E} <F:\00000000000000\WangWang\WangWangX4.dll, 阿里巴巴软件(上海)有限公司>
[360SafeLive]
{87515F61-A66C-4319-A0E0-D416CB8059E3} <E:\新建文件夹 (3)\360safe\live.dll, 360.cn>
[RMGetLicense Class]
{A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\System32\msnetobj.dll, Microsoft Corporation>
[XPPlayer Class]
{F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\pplayer.dll_1_work, Thunder>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\qq\AddToNetDisk.htm, N/A>
[使用迅雷下载]
<D:\123456\新建文件夹\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
<D:\123456\新建文件夹\Thunder\Program\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://F:\新建文~2\OFFICE11\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\qq\SendMMS.htm, N/A>
==================================
正在运行的进程
[PID: 576 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 660 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 684 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4109]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 728 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 740 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\mfc40u.dll] [N/A, ]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 912 / SYSTEM][C:\WINDOWS\System32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4109]
[C:\WINDOWS\System32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2495]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 972 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 1080 / SYSTEM][C:\Program Files\rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.28]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 1096 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[PID: 1200 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 1244 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[PID: 1360 / SYSTEM][C:\Program Files\Rising\Rfw\rfwsrv.exe] [Beijing Rising Technology Co., Ltd., 7.0.0.68]
[C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Rising\Rfw\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RSAPPMGR.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[C:\Program Files\Rising\Rfw\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[C:\Program Files\Rising\Rfw\RfwRule.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.13]
[C:\Program Files\Rising\Rfw\rfwlog.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.12]
[C:\Program Files\Rising\Rfw\Rfwdrv.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.41]
[C:\Program Files\Rising\Rfw\ijt_ctrl.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.0]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\Program Files\Rising\Rfw\unvdet.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.5]
[C:\Program Files\Rising\Rfw\mPorts.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.3]
[PID: 1376 / SYSTEM][C:\PROGRAM FILES\RISING\RAV\ravmond.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.76]
[C:\PROGRAM FILES\RISING\RAV\BWList.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.4]
[C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\PROGRAM FILES\RISING\RAV\RSAPPMGR.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[C:\PROGRAM FILES\RISING\RAV\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[C:\PROGRAM FILES\RISING\RAV\RsLog.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.34]
[C:\PROGRAM FILES\RISING\RAV\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\PROGRAM FILES\RISING\RAV\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\PROGRAM FILES\RISING\RAV\MonRule.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.29]
[C:\PROGRAM FILES\RISING\RAV\Hooksys.dll] [Beijing Rising Technology Co., Ltd, 22, 0, 0, 9]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\PROGRAM FILES\RISING\RAV\HookReg.dll] [Beijing Rising Technology Co., Ltd, 22, 0, 0, 4]
[C:\PROGRAM FILES\RISING\RAV\HookNtos.dll] [Beijing Rising Technology Co., Ltd, 22, 0, 0, 2]
[C:\PROGRAM FILES\RISING\RAV\rswalmon.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 22]
[C:\PROGRAM FILES\RISING\RAV\recomp.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 36]
[C:\PROGRAM FILES\RISING\RAV\refs.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 17]
[C:\PROGRAM FILES\RISING\RAV\ffr.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 13]
[C:\Program Files\rising\Rav\RsStore.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.8]
[C:\PROGRAM FILES\RISING\RAV\HookCont.dll] [Beijing Rising Technology Co., Ltd, 22, 0, 0, 1]
[C:\Program Files\rising\Rav\fakescan.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.13]
[C:\Program Files\rising\Rav\Scanner.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.36]
[C:\PROGRAM FILES\RISING\RAV\viruslib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 26]
[C:\PROGRAM FILES\RISING\RAV\relibldr.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\PROGRAM FILES\RISING\RAV\HookWeb.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.2]
[C:\PROGRAM FILES\RISING\RAV\extfile.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 29]
[C:\PROGRAM FILES\RISING\RAV\pearc.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 5]
[C:\PROGRAM FILES\RISING\RAV\nvfile.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 6]
[C:\PROGRAM FILES\RISING\RAV\scanexec.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 17]
[C:\PROGRAM FILES\RISING\RAV\unexe.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 4]
[C:\PROGRAM FILES\RISING\RAV\scanex.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 65]
[C:\PROGRAM FILES\RISING\RAV\scanpack.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 9]
[C:\PROGRAM FILES\RISING\RAV\revm.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 8]
[C:\PROGRAM FILES\RISING\RAV\urutils.dll] [, 20, 0, 0, 6]
[C:\PROGRAM FILES\RISING\RAV\ur000.dat] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 18]
[C:\PROGRAM FILES\RISING\RAV\scriptci.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 3]
[C:\PROGRAM FILES\RISING\RAV\uroutine.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 26]
[C:\PROGRAM FILES\RISING\RAV\posttrt.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 18]
[C:\PROGRAM FILES\RISING\RAV\ur023.dat] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 1]
[C:\PROGRAM FILES\RISING\RAV\ur001.dat] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 3]
[C:\PROGRAM FILES\RISING\RAV\scansct.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 9]
[C:\PROGRAM FILES\RISING\RAV\extmail.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 9]
[PID: 1400 / SYSTEM][C:\Program Files\Rising\Rfw\rfwProxy.exe] [Beijing Rising Technology Co., Ltd., 7.0.0.32]
[C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Rising\Rfw\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RfwRule.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.13]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\Program Files\Rising\Rfw\MonMid.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.4]
[PID: 1736 / SYSTEM][C:\Program Files\Rising\Rfw\rfwstub.exe] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Rising\Rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 1952 / SYSTEM][C:\PROGRAM FILES\RISING\RAV\RavStub.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.9]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\PROGRAM FILES\RISING\RAV\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\PROGRAM FILES\RISING\RAV\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[PID: 2032 / 123][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4109]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2495]
[PID: 184 / 123][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.17]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\PROGRA~1\WINDOW~2\wmpband.dll] [Microsoft Corporation, 10.00.00.3646]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\123456\新建文件夹\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.16]
[D:\123456\新建文件夹\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 8, 55]
[D:\123456\新建文件夹\Thunder\Components\ResWorker\DsBho_01.dll] [, 1, 0, 0, 12]
[D:\123456\新建文件夹\Thunder\Components\ResWorker\DataProcessor_01.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 13]
[F:\新建文件夹 (2)\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[PID: 192 / 123][C:\Program Files\Rising\Rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 7.0.1.65]
[C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Rising\Rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 88]
[C:\Program Files\Rising\Rfw\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\Rising\Rfw\RSAPPMGR.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[C:\Program Files\Rising\Rfw\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[C:\Program Files\Rising\Rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\Rising\Rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.7]
[C:\Program Files\Rising\Rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 0]
[C:\Program Files\Rising\Rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 4]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[C:\Program Files\Rising\Rfw\RfwRule.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.13]
[PID: 336 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 1076 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[PID: 1192 / SYSTEM][C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libapr.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libaprutil.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libapriconv.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libhttpd.dll] [Apache Software Foundation, 2.0.49]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_access.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_actions.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_alias.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_asis.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_auth.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_autoindex.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_cgi.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_dir.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_env.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_expires.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_headers.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_imap.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_include.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_isapi.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_log_config.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_mime.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_negotiation.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_rewrite.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_setenvif.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_ssl.so] [Apache Software Foundation, 2.0.47]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\SSLEAY32.dll] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\LIBEAY32.dll] [N/A, ]
[PID: 1636 / SYSTEM][C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\bin\nv_common.dll] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\bin\nv_common_firewall.dll] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\bin\NMI.dll] [NVIDIA Corporation, 1, 0, 2, 0]
[C:\NVIDIA\NetworkAccessManager\bin\SpecialCase.dll] [N/A, ]
[PID: 1720 / SYSTEM][C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libapr.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libaprutil.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libapriconv.dll] [Apache Software Foundation, 0.0.0.0]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\libhttpd.dll] [Apache Software Foundation, 2.0.49]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_access.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_actions.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_alias.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_asis.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_auth.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_autoindex.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_cgi.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_dir.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_env.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_expires.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_headers.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_imap.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_include.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_isapi.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_log_config.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_mime.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_negotiation.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_rewrite.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_setenvif.so] [Apache Software Foundation, 2.0.49]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\modules\mod_ssl.so] [Apache Software Foundation, 2.0.47]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\SSLEAY32.dll] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\LIBEAY32.dll] [N/A, ]
[PID: 2020 / SYSTEM][C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe] [N/A, ]
[C:\NVIDIA\NetworkAccessManager\bin\nv_common.dll] [N/A, ]
[PID: 448 / SYSTEM][C:\Program Files\Common Files\Sogou PXP\p2psvr.exe] [Sohu.com Inc., 2, 0, 0, 20]
[C:\Program Files\Windows NT\qasfo.dll] [Microsoft Corporation, 5, 2, 2939, 1432 (srv03_sp1_rtm.050733-1233)]
[C:\Program Files\P4P\p4pipc.dll] [Sohu.com Inc., 1, 0, 0, 11]
Trojan87 - 2008-5-8 18:58:00
[PID: 2764 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 2848 / LOCAL SERVICE][C:\WINDOWS\System32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: DNSRV(bld4act)]
[PID: 3952 / 123][C:\Program Files\rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.23]
[C:\Program Files\rising\Rav\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\rising\Rav\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[C:\Program Files\rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[PID: 3964 / 123][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.1.45]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 3976 / 123][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[PID: 324 / 123][C:\Program Files\rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 20.0.01.19]
[C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\rising\Rav\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\rising\Rav\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[C:\Program Files\rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\rising\Rav\recomp.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 36]
[C:\Program Files\rising\Rav\refs.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 17]
[C:\Program Files\rising\Rav\viruslib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 26]
[C:\Program Files\rising\Rav\relibldr.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[C:\Program Files\rising\Rav\RSAPPMGR.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[C:\Program Files\rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[C:\Program Files\rising\Rav\MonRule.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.29]
[C:\Program Files\rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 4]
[C:\Program Files\rising\Rav\Rsguilib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 88]
[C:\Program Files\rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 0]
[PID: 3396 / 123][E:\4321\新建文件夹 (4)\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\Program Files\Rising\Rfw\ijt_base.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.10]
[C:\Program Files\Rising\Rfw\olemon.dll] [Beijing Rising Technology Co., Ltd., 7.0.0.6]
[E:\4321\新建文件夹 (4)\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT Error. [C:\WINDOWS\notepad.exe %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
MSAFD Tcpip [TCP/IP]
C:\Program Files\Windows NT\qasfo.dll(Microsoft Corporation, Microsoft Windows Sockets 2.0 Service Provider)
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.2 localhost
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 684, C:\WINDOWS\SYSTEM32\WINLOGON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 740, C:\WINDOWS\SYSTEM32\LSASS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1636, C:\NVIDIA\NETWORKACCESSMANAGER\BIN\NSVCIP.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2020, C:\NVIDIA\NETWORKACCESSMANAGER\BIN\NSVCLOG.EXE]
==================================
API HOOK
入口点错误:CreateProcessA (危险等级: 高, 被下面模块所HOOK: 0x00D81FFD)
入口点错误:CreateProcessW (危险等级: 高, 被下面模块所HOOK: 0x00D820E5)
==================================
隐藏进程
N/A
==================================
[/CODE]
豪斯登堡新郎 - 2008-5-8 18:58:00
Please upload the log file directly as an attachment so that the log content is complete.
Trojan87 - 2008-5-8 19:00:00
Here is the log as an attachment. Thanks for taking a look for me ~!
Attachment:
SREngLOG.log
豪斯登堡新郎 - 2008-5-8 19:21:00
Refer to http://bbs.ikaka.com/showtopic-8502100.aspx : download and install PE, then download “费尔……助手”, reboot and enter PE.
1. Use 费尔……助手 to delete the following files:
c:\windows\uokbubia.exe
c:\windows\temp\tmp16.tmp
c:\windows\temp\tmpb.tmp
c:\windows\temp\tmp18.tmp
c:\windows\temp\~wxp2ins.468.tmp
c:\windows\system32\drivers\kmsinput.sys
C:\Program Files\Windows NT\qasfo.dll
2. Very important: copy both lsass.exe and mfc40u.dll from the c:\windows\system32\dllcache\ folder and paste them into the c:\windows\system32\ folder, choosing “Yes” when prompted to replace. This step must be done properly; if you skip it, a pile of trojans will come back after the reboot.
Once done, reboot into the system.
After rebooting, use SREng to repair the following items: Startup Items -- Registry, delete these entries:
[rujookjb]
Startup Items -- Services -- Drivers, delete these entries:
[ptfs / ptfs]
[ping / ping]
[jtio / jtio]
[Atixeve27578 / Atixeve27578]
[kmsinput / kmsinput]
After all of that is done, download the following tools and run a clean-up, update your antivirus to the latest version, and run a full scan.
Clean the system temp files and the IE temporary folder:
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Clean malware with 金山清理专家 (Kingsoft Cleaning Expert):
http://www.duba.net/zt/ksc/down.shtml
Download Windows清理助手 (Windows Cleanup Assistant) and run a pass:
http://www.arswp.com/download/arswp2/arswp2.zip
If during the steps above you find that the c:\windows\system32\dllcache\ folder has no backup copies, copy them over from another machine with the same system, because your system is SP1 and mine is SP2, so I can't provide them.
After everything is done, if you still feel something is wrong, scan a new log and upload it, since there's no telling whether it has kept downloading other trojans between the time you scanned the log and now.
豪斯登堡新郎 - 2008-5-8 19:28:00
Forgot one more step:
When repairing with SREng, remember to repair this too:
System Repair -- Winsock Providers -- Reset all to default values
Trojan87 - 2008-5-8 20:04:00
Right after I downloaded that PE just now, the machine started having problems: I couldn't open any web pages, then I rebooted and it took forever to come up. Once it came up, Rising and 360 both stopped working, and several extra drives appeared on the machine. I used to have just the 4 drives C, D, E, F, and now there are several more. I've just scanned a new log; experts, please take another look.
Thanks ~!!! Waiting online.
Attachment:
SREngLOG.log
Trojan87 - 2008-5-8 20:25:00
Experts, please take another look ~! There are definitely many more trojans this time than before ~! Rising still worked a moment ago, now it won't even open ~! 555 (sob)
Thank you, experts ~!!!
豪斯登堡新郎 - 2008-5-8 20:47:00
First download the attachment, unzip it and import the registry file.
Again, refer to http://bbs.ikaka.com/showtopic-8502100.aspx
Download and install PE, and download “费尔木马强力清除助手”.
Reboot, choose to enter PE, and use “费尔木马强力清除助手” to delete the following files:
c:\windows\temp\_qosec3.msi
c:\windows\temp\_qosec1.msi
c:\windows\system32\msosdohs00.dll
c:\windows\system32\msosjtio00.dll
c:\windows\system32\msosping00.dll
c:\windows\system32\msosptfs00.dll
c:\windows\system32\msosdohs01.dll
c:\windows\system32\msosjtio01.dll
c:\windows\system32\msosping01.dll
c:\windows\system32\msosptfs01.dll
c:\windows\system32\msosdohs02.dll
c:\windows\system32\msosjtio02.dll
c:\windows\system32\msosping02.dll
c:\windows\system32\msosptfs02.dll
c:\windows\system32\fdght.dll
c:\windows\system32\fjyjy.dll
c:\windows\system32\frntrn.dll
c:\windows\system32\kduy.dll
c:\windows\system32\lariytrz.dll
c:\windows\system32\sperls.dll
c:\windows\system32\ypdjebmp.dll
c:\windows\system32\lofsajbo.dll
c:\program files\internet explorer\plugins\winsys16.sys
c:\windows\368717mm.dll
c:\windows\system32\bsgzco.dll
c:\windows\system32\chelyn.dll
c:\windows\system32\dbhlp32.dll
c:\windows\system32\dionpis.dll
c:\windows\system32\efoqii.dll
c:\windows\system32\fiosectc.dll
c:\windows\system32\fmsiocps.dll
c:\windows\system32\grsnwr.dll
c:\windows\system32\huifitc.dll
c:\windows\system32\itoxiu.dll
c:\windows\system32\jewosh.dll
c:\windows\system32\mmfkkljk1071.dll
c:\windows\system32\msepbe.dll
c:\windows\system32\ojqfpo.dll
c:\windows\system32\pliesn.dll
c:\windows\system32\ptshell.dll
c:\windows\system32\ticisms.dll
c:\windows\system32\tjhkcmxb.dll
c:\windows\system32\uezawn.dll
c:\windows\system32\winsvr64.dll
c:\windows\system32\wkfuxp.dll
c:\windows\system32\xowoao.dll
c:\windows\system32\yuiabct.dll
c:\windows\temp\1.tmp
c:\windows\winsvr64.exe
c:\windows\uokbubia.exe
c:\windows\huifitc.exe
c:\windows\368717m.exe
c:\windows\ticisms.exe
c:\windows\ptshell.exe
c:\windows\fiosectc.exe
c:\windows\dionpis.exe
c:\windows\dbhlp32.exe
c:\windows\fmsiocps.exe
c:\windows\yuiabct.exe
rundll32.exe c:\windows\system32\hbkrnl.dll,dllregisterserver
c:\windows\temp\tmp16.tmp
c:\windows\temp\tmpb.tmp
c:\windows\system32\drivers\msosmsfpfis64.sys
c:\windows\system32\drivers\kmsinput.sys
c:\windows\temp\tmp18.tmp
c:\windows\system32\drivers\hbkernel.sys
c:\windows\temp\~wxp2ins.468.tmp
C:\Program Files\Windows NT\qasfo.dll
The same very important step again: copy lsass.exe and mfc40u.dll from the c:\windows\system32\dllcache\ folder and paste them into the c:\windows\system32\ directory, choosing “Yes” when asked to replace.
When done, reboot the computer into the system and continue with the steps below. Remember: if the files were not replaced properly, then as soon as you connect to the network after rebooting it will automatically download a whole batch of trojans again, so that file-replacement step is extremely important.
2. After deleting and rebooting, use SREng to repair the following items:
Startup Items -- Registry, delete these entries:
[{170165F1-9F65-569F-F895-F14F58F41071}]
[{71954FAC-1023-154F-895A-1458258AD817}]
[{4eab7e69-1251-4caf-ad41-c06a8e69e933}]
[{25D5402E-DEB1-4BF5-A1C5-CB9CF353488F}]
Note that the [AppInit_DLLs] entry is to be modified: change <ghynjr.dll,dgxsrr.dll,dfhtrhy.dll,ghjkdr.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,dgxsrr.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,ghjdtry.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,fdght.dll,,msosjtio00.dll> to <>, i.e. clear it.
[WINSvr64]
[rujookjb]
[huifitc]
[WinSysM]
[ticisms]
[ptshell]
[fiosectc]
[dionpis]
[dbhlp32]
[fmsiocps]
[yuiabct]
[HB Kernel]
Startup Items -- Services -- Drivers, delete these entries:
[ptfs / ptfs]
[ping / ping]
[msfpfis64 / msfpfis64]
[kmsinput / kmsinput]
[jtio / jtio]
[HBKernel Driver / HBKernel]
[Atixeve27578 / Atixeve27578]
System Repair -- Browser Add-ons, delete these entries:
[] <C:\WINDOWS\System32\ypdjebmp.dll>
[] <C:\WINDOWS\System32\lofsajbo.dll>
System Repair -- Winsock Providers -- Reset all to default values
After all of that is done, download the following tools and run a clean-up, update your antivirus to the latest version, and run a full scan.
Clean the system temp files and the IE temporary folder:
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Clean malware with 金山清理专家 (Kingsoft Cleaning Expert):
http://www.duba.net/zt/ksc/down.shtml
Download Windows清理助手 (Windows Cleanup Assistant) and run a pass:
http://www.arswp.com/download/arswp2/arswp2.zip
Attachment:
附件1.rar
Trojan87 - 2008-5-8 20:58:00
“Copy lsass.exe and mfc40u.dll from the c:\windows\system32\dllcache\ folder and paste them into the c:\windows\system32\ directory, choosing “Yes” when asked to replace.”
I can't find the dllcache\ folder inside c:\windows\system32.
豪斯登堡新郎 - 2008-5-8 21:12:00
On XP it's hidden.
Just go to “Start, Run, c:\windows\system32\dllcache\”. If you're in PE you can see it directly.
Trojan87 - 2008-5-8 21:26:00
Moderator, could you explain this to me:
Note that the [AppInit_DLLs] entry is to be modified: change <ghynjr.dll,dgxsrr.dll,dfhtrhy.dll,ghjkdr.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,dgxsrr.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,ghjdtry.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,fdght.dll,,msosjtio00.dll> to <>, i.e. clear it.
[WINSvr64]
[rujookjb]
[huifitc]
[WinSysM]
[ticisms]
[ptshell]
[fiosectc]
[dionpis]
[dbhlp32]
[fmsiocps]
[yuiabct]
[HB Kernel]
I don't quite understand this part. I'm a computer idiot, could you explain it to me again? Thank you!~
豪斯登堡新郎 - 2008-5-8 21:30:00
It's the same tool you scanned the log with...
Open it, click “Startup Items - Registry” and you'll see them. The one in red, AppInit_DLLs, needs you to edit its value to empty; the ones below it all need to be deleted.
Trojan87 - 2008-5-8 22:01:00
Thanks, moderator ~! I've finished all of it, but when I ran a full scan with Rising it showed that it had found and removed a lot of viruses.
Scanning with the Cleanup Assistant also found trojans ~!
Do I need to scan another log??
豪斯登堡新郎 - 2008-5-8 22:05:00
Post the antivirus detection log so we can take a look.
超级游戏迷 - 2008-5-8 22:18:00
This friend's log has quite a few problems and is troublesome to handle. I'll explain the relevant points below in the hope that everyone can learn something from it, and at the same time I'd like to ask for help with a few questions of my own:
1. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<rujookjb><C:\WINDOWS\uokbubia.exe> [N/A]
The Run entries under this key normally correspond to installed program files; if an application is installed with the defaults, its main executable should sit under c:\program files\<software folder>. Would you install an application into the c:\windows directory? Obviously something fishy...
2. Drivers
[jtio / jtio][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmp18.tmp><N/A>
[ping / ping][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmpB.tmp><N/A>
[ptfs / ptfs][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmp16.tmp><N/A>
All of the driver image files above are under C:\WINDOWS\TEMP\, the system temp folder. For normal drivers, the image path is mostly under c:\windows\system32\drivers; using a temp file as a driver image is obviously ill-intentioned. Chop them...
3. Running processes
[PID: 740 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\mfc40u.dll] [N/A, ]
Here, under C:\WINDOWS\system32\lsass.exe, a core system file, we find a “system library file” with no Microsoft digital signature. Look up the same path and file name on a clean machine and you'll find that file is signed by Microsoft, which shows that C:\WINDOWS\system32\mfc40u.dll has been replaced by a virus file. This virus is one of the currently popular viruses that infect the core system file C:\WINDOWS\system32\lsass.exe. Because a core system process cannot be terminated with Task Manager under Windows, the virus file C:\WINDOWS\system32\mfc40u.dll cannot be deleted in the usual way, and even if it is forcibly deleted with a DOS tool, the core system file C:\WINDOWS\system32\lsass.exe will then be unable to load and run from a normal C:\WINDOWS\system32\mfc40u.dll library, causing a serious error at system startup. To solve this, in a PE environment we can replace both files with the same-named backup copies kept in the system backup folder (c:\windows\system32\dllcache).
4. Winsock providers
MSAFD Tcpip [TCP/IP]
C:\Program Files\Windows NT\qasfo.dll(Microsoft Corporation, Microsoft Windows Sockets 2.0 Service Provider)
The digital signature is intact, but the file name and location of C:\Program Files\Windows NT\qasfo.dll are very dodgy, and a Google search turns up no record of it. Personally I think it's a virus that modifies the default Winsock LSP and uses the LSP's natural auto-start to do its dirty work. I'm not entirely sure yet; waiting for an expert to confirm. If it's confirmed as a virus, the relevant item in the SREng tool can be used to repair that Winsock entry.
5. HOSTS file
127.0.0.2 localhost
Normally the local hosts file contains only one line, namely “127.0.0.1 localhost”. Was this “127.0.0.2 localhost” changed by the OP themselves? Or modified by a virus? Is it normal? A question I'll leave to everyone (I don't know either, don't look down on me).
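As an added example (not from this thread and not part of SREng), here is a small Python triage script that encodes the heuristics argued in the post above (a Run entry whose executable sits directly in C:\WINDOWS, a driver whose image is a temp file, an unsigned module inside a core system process, a Winsock provider DLL outside system32, and a hosts file whose localhost is not 127.0.0.1) and runs them over a constructed excerpt in SREng log format; the rule names and regular expressions are my own.

```python
import re

# Constructed excerpt in SREng 2.5 log format, modelled on the entries this post discusses (not the full log).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"C:\Program Files\rising\Rav\RavTask.exe" -system> [(Verified)Beijing Rising Science and Technology Corporation Limited]
<rujookjb><C:\WINDOWS\uokbubia.exe> [N/A]
[jtio / jtio][Stopped/Auto Start]
<\??\C:\WINDOWS\TEMP\tmp18.tmp><N/A>
[PID: 740 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\mfc40u.dll] [N/A, ]
MSAFD Tcpip [TCP/IP]
C:\Program Files\Windows NT\qasfo.dll(Microsoft Corporation, Microsoft Windows Sockets 2.0 Service Provider)
127.0.0.2 localhost
"""

RUN_ENTRY = re.compile(r'^<[^>]+><"?([^">]+)"?[^>]*> \[([^\]]*)\]$')   # <name><command> [signer]
DRIVER_IMAGE = re.compile(r'^<\\\?\?\\([^>]+)><')                       # <\??\image path><signer>
PROCESS = re.compile(r'^\[PID: \d+ / [^\]]+\]\[([^\]]+)\] \[')          # [PID: n / user][exe] [vendor, ver]
MODULE = re.compile(r'^\[([A-Za-z]:\\[^\]]+)\] \[([^,\]]+),')           # [dll] [vendor, version]
LSP_DLL = re.compile(r'^([A-Za-z]:\\.+?\.dll)\(', re.IGNORECASE)        # provider dll(description)
HOSTS = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+localhost$')

def triage(log_text):
    """Return (rule, evidence) pairs for log lines that match the heuristics argued in the post."""
    findings, in_run_key, process = [], False, None
    for line in log_text.splitlines():
        if line.startswith('['):  # any key / process / driver header line resets the Run-key context
            in_run_key = line.rstrip(']').lower().endswith(r'\currentversion\run')
        if in_run_key and (m := RUN_ENTRY.match(line)):
            path, signer = m.group(1), m.group(2)
            # Installed programs live under Program Files; an unsigned loader dropped straight into C:\WINDOWS is not normal.
            if re.fullmatch(r'(?i)c:\\windows\\[^\\]+', path) or signer == 'N/A':
                findings.append(('run_entry', path))
        elif m := DRIVER_IMAGE.match(line):
            # Legitimate drivers are installed under system32\drivers, never as a file in the temp folder.
            if '\\temp\\' in m.group(1).lower():
                findings.append(('driver_in_temp', m.group(1)))
        elif m := PROCESS.match(line):
            process = m.group(1)  # module lines that follow belong to this process
        elif m := MODULE.match(line):
            # An unsigned "system library" mapped into a core system process points to a replaced file.
            if m.group(2).strip() == 'N/A' and process and '\\system32\\' in process.lower():
                findings.append(('unsigned_module', f'{process} -> {m.group(1)}'))
        elif m := LSP_DLL.match(line):
            # The stock TCP/IP provider DLL lives in system32; any other location means an injected LSP.
            if '\\system32\\' not in m.group(1).lower():
                findings.append(('lsp_outside_system32', m.group(1)))
        elif (m := HOSTS.match(line)) and m.group(1) != '127.0.0.1':
            findings.append(('hosts_localhost', line))  # a clean hosts file maps localhost to 127.0.0.1 only
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the five entries the post singles out, and a Run entry such as ctfmon.exe under System32 with a verified signer passes.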