中了盗号木马，机器狗等病毒，瑞星不能杀毒，不能升级，也不能修复。 bbs.ikaka.com

zjjx - 2008-6-8 10:35:00

2008-06-08 00:09将360Safe.exe改名后清理了以下流氓软件：
清理恶评软件 - 盗号木马 -
清理恶评软件 - msdos盗号木马残留 -
清理恶评软件 - huifitc盗号木马 -
清理恶评软件 - 机器狗三代BHO盗号木马aeee -
清理恶评软件 - 机器狗三代BHO盗号木马aind -
清理恶评软件 - 机器狗木马变种midi -
清理恶评软件 - mpwddapi盗号木马 -

用AVG Anti-Spyware扫描后仍有遗留，想用瑞星再进一步查杀，谁知瑞星启动后无法进行硬盘扫描，也不能升级，监控被关闭后也无法开
启，运行瑞星修复程序则出现“检验组件瑞星通用库（SCANNER）错误”的窗口：

错误信息为：
D:\rising\Rav\Update\Scanner.dll
D:\rising\Rav\Update\SmartUp.exe
D:\rising\Rav\Update\Scanner.dll
D:\rising\Rav\Update\Scanner.dll

SREng扫描日志：

2008-06-08,08:55:36
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<PPS Accelerator><; d:\Program Files\PPStream\ppsap.exe> [(Verified)SHANGHAI ZHONGYUAN NETWORKS LIMITED]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RTHDCPL><RTHDCPL.EXE> [Realtek Semiconductor Corp.]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows XP Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<RavTask><"D:\Rising\Rav\RavTask.exe" -system> [(Verified)Beijing Rising Science and Technology Corporation Limited]
<Alcmtr><; ALCMTR.EXE> [Realtek Semiconductor Corp.]
<Grid Service><; "C:\Program Files\GridService\peer.exe" -n Grid> [Mercury]
<NeroFilterCheck><; C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe> [(Verified)Nero AG]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [N/A]
<NvMediaCenter><; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [N/A]
<nwiz><; nwiz.exe /install> [N/A]
<SkyTel><; SkyTel.EXE> [Realtek Semiconductor Corp.]
<StartCCC><; C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe> []
<Storm2Set><; C:\WINDOWS\system32\rundll32.exe "D:\暴风影~1.8\StormSet.dll",CheckEnv> [N/A]
<StormCodec_Helper><; "D:\Storm Codec\StormSet.exe" /S /opti> []
<WangWang><; > [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [(Verified)Beijing Rising Science and Technology Corporation Limited]
<{4F4F0064-71E0-4f0d-0005-708476C7815F}><C:\WINDOWS\system32\midimapzx.dll> [N/A]
<{4F4F0064-71E0-4f0d-0015-708476C7815F}><C:\WINDOWS\system32\midimapmy.dll> [N/A]
<{45AADFAA-DD36-42AB-83AD-0521BBF58C24}><> [N/A]
<{5A069845-2036-6084-9054-6087502480A5}><C:\WINDOWS\system32\ozfyebyt.dll> [N/A]
<{6A041F13-A111-12A3-B0CF-F99818AA68A6}><> [N/A]
<{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}><> [N/A]
<{EB71E0B3-E97D-4D30-8733-E28266467617}><> [N/A]
<{4FD45A54-9875-698F-E56E-65102358FDF4}><C:\WINDOWS\system32\apsgdjba.dll> [N/A]
<{13FD5987-65D2-C58D-D87E-987451F12531}><> [N/A]
<{7C8D1401-A58D-A81C-CD24-A5915C4517C7}><C:\WINDOWS\system32\mnmhgsrv.dll> [N/A]
<{528DF602-9541-A985-210A-984A698C6F25}><> [N/A]
<{81954FAC-1023-154F-895A-1458258AD818}><> [N/A]
<{4F4F0064-71E0-4f0d-0022-708476C7815F}><C:\WINDOWS\system32\midimapqn3.dll> [N/A]
<{4F4F0064-71E0-4f0d-0004-708476C7815F}><C:\WINDOWS\system32\midimapwl.dll> [N/A]
<{4F4F0064-71E0-4f0d-0017-708476C7815F}><C:\WINDOWS\system32\midimaptl.dll> [N/A]
<{9490415F-65F8-B5C5-D8BA-9405FB120549}><C:\WINDOWS\system32\yzztimsn.dll> [N/A]
<{33512378-9874-5641-1025-985420368733}><> [N/A]
<{14698742-2059-3025-9058-954023874141}><> [N/A]
<{37AC9076-C898-B098-D098-A18319080973}><C:\WINDOWS\system32\nhmxcjkl.dll> [N/A]
<{4F4F0064-71E0-4f0d-0006-708476C7815F}><C:\WINDOWS\system32\midimapcb.dll> [N/A]
<{22596546-2036-9451-6058-658402589722}><> [N/A]
<{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}><C:\WINDOWS\system32\fsrgeb.dll> [N/A]
<{4F4F0064-71E0-4f0d-0023-708476C7815F}><C:\WINDOWS\system32\midimapcq.dll> [N/A]
<{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}><C:\WINDOWS\system32\wyrsdj.dll> [N/A]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll> [(Verified)Microsoft Windows Publisher]
<midimapzx><C:\WINDOWS\system32\midimapzx.dll> [N/A]
<midimapmy><C:\WINDOWS\system32\midimapmy.dll> [N/A]
<midimapqn3><C:\WINDOWS\system32\midimapqn3.dll> [N/A]
<midimapwl><C:\WINDOWS\system32\midimapwl.dll> [N/A]
<midimaptl><C:\WINDOWS\system32\midimaptl.dll> [N/A]
<midimapcb><C:\WINDOWS\system32\midimapcb.dll> [N/A]
<midimapcq><C:\WINDOWS\system32\midimapcq.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [(Verified)Microsoft Corporation]
==================================
启动文件夹
N/A
==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
<d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><GRISOFT s.r.o.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NBService / NBService][Stopped/Manual Start]
<C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[NMIndexingService / NMIndexingService][Stopped/Manual Start]
<"C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"><Nero AG>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"D:\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Auto Start]
<"D:\RISING\RAV\Ravmond.exe"><N/A>
==================================

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

zjjx - 2008-6-8 10:35:00

驱动程序
[AMD Processor Driver / AmdK8][Running/System Start]
<system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[AMDPCI / AMDPCI][Stopped/Manual Start]
<\??\C:\DOCUME~1\jxyyc\LOCALS~1\Temp\AMDPCI.sys><N/A>
[AMD Special Tools Driver / amdtools][Running/System Start]
<system32\DRIVERS\amdtools.sys><AMD, Inc.>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
<\??\d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[dtscsi / dtscsi][Running/Manual Start]
<\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[fmsq / fmsq][Stopped/Auto Start]
<\??\C:\DOCUME~1\jxyyc\LOCALS~1\Temp\tmp3F.tmp><N/A>
[ATI Function Driver for High Definition Audio Service / HdAudAddService][Running/Manual Start]
<system32\drivers\AtiHdAud.sys><ATI Research Inc.>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HiddFldy / HiddFldy][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\d32dx9.sys><N/A>
[HookCont / HookCont][Running/System Start]
<\SystemRoot\system32\drivers\HookCont.sys><Beijing Rising Technology Co., Ltd>
[HookNtos / HookNtos][Running/System Start]
<\SystemRoot\system32\drivers\HookNtos.sys><Beijing Rising Technology Co., Ltd>
[HookReg / HookReg][Running/System Start]
<\SystemRoot\system32\drivers\HookReg.sys><Beijing Rising Technology Co., Ltd>
[HookSys / HookSys][Running/System Start]
<\SystemRoot\system32\drivers\HookSys.sys><Beijing Rising Technology Co., Ltd>
[IIS Manager / IIS Manager ][Stopped/Manual Start]
<\??\C:\DOCUME~1\jxyyc\LOCALS~1\Temp\1.tmp><N/A>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[NVIDIA nForce Networking Controller Driver / NVENETFD][Running/Manual Start]
<system32\DRIVERS\NVENETFD.sys><NVIDIA Corporation>
[NVIDIA Network Bus Enumerator / nvnetbus][Running/Manual Start]
<system32\DRIVERS\nvnetbus.sys><NVIDIA Corporation>
[ptfs / ptfs][Stopped/Auto Start]
<\??\C:\DOCUME~1\jxyyc\LOCALS~1\Temp\tmp47.tmp><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[zftp / zftp][Stopped/Auto Start]
<\??\C:\DOCUME~1\jxyyc\LOCALS~1\Temp\tmp39.tmp><N/A>

==================================

zjjx - 2008-6-8 10:36:00

浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\Thunder 5.7.4\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[]
{37AC9076-C898-B098-D098-A18319080973} <C:\WINDOWS\system32\nhmxcjkl.dll, N/A>
[]
{4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[]
{5A069845-2036-6084-9054-6087502480A5} <C:\WINDOWS\system32\ozfyebyt.dll, N/A>
[]
{7C8D1401-A58D-A81C-CD24-A5915C4517C7} <C:\WINDOWS\system32\mnmhgsrv.dll, N/A>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Thunder 5.7.4\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[]
{9490415F-65F8-B5C5-D8BA-9405FB120549} <C:\WINDOWS\system32\yzztimsn.dll, N/A>
[]
{e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, N/A>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[ScreenCapture Class]
{BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} <C:\WINDOWS\system32\TXGYMailActiveX.dll, Tencent Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx, Adobe Systems, Inc.>
[Microsoft Outlook 8.0 对象库]
{0006F033-0000-0000-C000-000000000046} <, N/A>
[Microsoft Outlook]
{0006F03A-0000-0000-C000-000000000046} <, N/A>
[ThunderAtOnce Class]
{01443AEC-0FD1-40FD-9C87-E93D1494C233} <D:\Thunder 5.7.4\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Object for constructing type libraries for scriptlets]
{06290BD5-48AA-11D2-8432-006008C3FBFC} <C:\WINDOWS\system32\scrobj.dll, Microsoft Corporation>
[PeerDraw Class]
{10072CEC-8CC1-11D1-986E-00A0C955B42E} <%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll, N/A>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[PowerList Control]
{20C2C286-BDE8-441B-B73D-AFA22D914DA5} <d:\PROGRA~1\PPStream\POWERL~1.OCX, PPStream Inc.>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\msdxm.ocx, Microsoft Corporation>
[Shockwave ActiveX Control]
{233C1507-6A77-46A4-9443-F871F945D258} <C:\WINDOWS\system32\Macromed\Director\swdir.dll, Adobe Systems, Inc.>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[XML DOM Document]
{2933BF90-7B36-11D2-B20E-00C04F983E60} <%SystemRoot%\system32\msxml3.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Zyzzyva]
{30FA9641-9CFE-4D71-A3AA-DF8B6FA02FCC} <, N/A>
[]
{37AC9076-C898-B098-D098-A18319080973} <C:\WINDOWS\system32\nhmxcjkl.dll, N/A>
[XML Document]
{48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\Thunder 5.7.4\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[]
{4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[HHCtrl Object]
{52A2AAAE-085D-4187-97EA-8C30DB990436} <C:\WINDOWS\system32\hhctrl.ocx, Microsoft Corporation>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <C:\WINDOWS\system32\ieframe.dll, Microsoft Corporation>
[]
{5A069845-2036-6084-9054-6087502480A5} <C:\WINDOWS\system32\ozfyebyt.dll, N/A>
[PowerPlayer Control]
{5EC7C511-CD0F-42E6-830C-1BD9882F3458} <d:\PROGRA~1\PPStream\POWERP~1.DLL, PPStream Inc.>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[]
{7C8D1401-A58D-A81C-CD24-A5915C4517C7} <C:\WINDOWS\system32\mnmhgsrv.dll, N/A>
[Peer Adapter]
{80E18282-3716-48CA-B50C-F7B7F6A32791} <, N/A>
[360SafeLive]
{87515F61-A66C-4319-A0E0-D416CB8059E3} <D:\绿色软件\360safe-v3.63final\live.dll, 360.cn>
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, Microsoft Corporation>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Thunder 5.7.4\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[XML DOM Document 4.0]
{88D969C0-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml4.dll, Microsoft Corporation>
[Free Threaded XML DOM Document 4.0]
{88D969C1-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml4.dll, Microsoft Corporation>
[XSL Template 4.0]
{88D969C3-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml4.dll, Microsoft Corporation>
[XML HTTP 4.0]
{88D969C5-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml4.dll, Microsoft Corporation>
[Uploader Class]
{8B054DFE-79A3-4A6A-9F46-CD2A2F601129} <C:\WINDOWS\system32\TXGYMailActiveX.dll, Tencent Inc.>
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[]
{9490415F-65F8-B5C5-D8BA-9405FB120549} <C:\WINDOWS\system32\yzztimsn.dll, N/A>
[UploadFilePartition Class]
{A877BA28-1F7E-4876-B299-50B3199A1A5D} <C:\WINDOWS\system32\TXGYMailActiveX.dll, Tencent Inc.>
[RMGetLicense Class]
{A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[ScreenCapture Class]
{BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} <C:\WINDOWS\system32\TXGYMailActiveX.dll, Tencent Inc.>
[QQPlayerSvr Proxy Control]
{CD108273-D434-43E6-AA90-1469F97EB398} <D:\qq\QzoneMusic.dll, 腾讯科技>
[AUDIO__MID Moniker Class]
{CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
{CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__MPEGURL Moniker Class]
{CD3AFA78-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__WAV Moniker Class]
{CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__X_MS_WAX Moniker Class]
{CD3AFA83-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
{CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
{CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
{CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx, Adobe Systems, Inc.>
[OfficeObj Class]
{D2BD7935-05FC-11D2-9059-00C04FD7A1BD} <, N/A>
[Microsoft Agent Control 2.0]
{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F} <C:\WINDOWS\msagent\agentctl.dll, Microsoft Corporation>
[QuickTimeCheck Class]
{DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} <D:\Storm Codec\QTSystem\QTCheck.ocx, Apple Computer, Inc.>
[WebViewFolderIcon Class]
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849} <C:\WINDOWS\system32\webvw.dll, Microsoft Corporation>
[TimwpDll.TimwpCheck]
{ED4CA2E5-0EEA-44C1-AD7E-74A07A7507A4} <D:\qq\Timwp.dll, TENCENT>
[XML HTTP Request]
{ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\system32\msxml3.dll, N/A>
[XPPlayer Class]
{F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\pplayer.dll_1_work, Thunder>
[XML DOM Document 3.0]
{F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[Free Threaded XML DOM Document 3.0]
{F5078F33-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML HTTP 3.0]
{F5078F35-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XSL Template 3.0]
{F5078F36-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML DOM Document]
{F6D90F11-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML HTTP]
{F6D90F16-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, N/A>
[&U使用纳米机器人下载并收藏]
<D:\Program Files\NamiRobot\Data\du.html, N/A>
[使用迅雷下载]
<D:\Thunder 5.7.4\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
<D:\Thunder 5.7.4\Program\getallurl.htm, N/A>

==================================

zjjx - 2008-6-8 10:36:00

正在运行的进程
[PID: 668 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 736 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 772 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4163]
[PID: 816 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 828 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 992 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4174]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2512]
[C:\WINDOWS\system32\atipdlxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2522]
[PID: 1012 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1068 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1180 / SYSTEM][D:\Rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.28]
[PID: 1196 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1312 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1364 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1504 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4174]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2512]
[C:\WINDOWS\system32\atipdlxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2522]
[C:\WINDOWS\system32\ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4163]
[PID: 1616 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 1864 / jxyyc][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.17]
[d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [GRISOFT s.r.o., 7, 5, 1, 36]
[C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll] [Nero AG, 2, 0, 0, 8]
[C:\Program Files\Common Files\Ahead\Lib\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\Thunder 5.7.4\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.16]
[D:\Thunder 5.7.4\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 8, 44]
[D:\WinRAR 3.70\rarext.dll] [N/A, ]
[C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll] [Nero AG, 2, 7, 3, 2]
[C:\Program Files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0]
[D:\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[D:\Program Files\NamiRobot\Data\NamipanExt.dll] [N/A, ]
[C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll] [Nero AG, 2, 8, 3, 0]
[d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll] [GRISOFT s.r.o., 7, 5, 1, 36]
[C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll] [, 2, 0, 0, 0]
[PID: 476 / jxyyc][C:\WINDOWS\RTHDCPL.EXE] [Realtek Semiconductor Corp., 2.1.1.4]
[PID: 508 / jxyyc][D:\Rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 20.0.0.23]
[D:\Rising\Rav\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[D:\Rising\Rav\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[D:\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[D:\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[D:\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[PID: 516 / jxyyc][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 536 / jxyyc][D:\Rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 20.0.01.19]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\Rising\Rav\ProcCom.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[D:\Rising\Rav\RsCommX2.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
[D:\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[D:\Rising\Rav\recomp.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 39]
[D:\Rising\Rav\refs.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 17]
[D:\Rising\Rav\viruslib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 26]
[D:\Rising\Rav\relibldr.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
[D:\Rising\Rav\RSAPPMGR.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.0]
[D:\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[D:\Rising\Rav\MonRule.dll] [Beijing Rising Technology Co., Ltd., 20.0.0.29]
[D:\Rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 4]
[D:\Rising\Rav\Rsguilib.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 89]
[D:\Rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 0]
[PID: 1464 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 712 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1396 / jxyyc][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3784 / jxyyc][C:\WINDOWS\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2468 / jxyyc][D:\绿色软件\SREng2.3\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[D:\绿色软件\SREng2.3\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
[PID: 1440 / jxyyc][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 7.00.6000.16640 (vista_gdr.080213-1606)]
[D:\Thunder 5.7.4\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.16]
[D:\Thunder 5.7.4\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 8, 44]
[D:\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 20, 0, 0, 3]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 476, C:\WINDOWS\RTHDCPL.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

瑞星卡卡安全论坛