Rising Kaka Security Forum, anti-virus / anti-rogue-software board: Rising and Kaspersky have both died, my computer has become a virus camp!!! Everyone come take a look at the log


SREng log (note: I ran the scan in Safe Mode, does that work?)


2006-11-11,10:25:36

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional  (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
    <MsWinb><rem C:\Program Files\白猫清理工\MsWinb.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <explorer><C:\WINDOWS\system32\explorer.exe>  []
    <iexplore><C:\WINDOWS\system32\iexplore.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><C:\WINDOWS\rundl132.exe>  []
    <run><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32>  [Microsoft Corporation]
    <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [Microsoft Corporation]
    <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [Microsoft Corporation]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [Microsoft Corporation]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
    <kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe">  [Kaspersky Lab]
    <systemdll><regsvr32 /s c:\WINDOWS\system32\system.dll>  []
    <IEXPLORER><C:\WINDOWS\System32\IEXPLORER.EXE>  [Microsoft Corporation]
    <system><C:\WINDOWS\system32\system.exe>  [Microsoft Corporation]
    <KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    <system><C:\WINDOWS\system32\system.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  []
    <Userinit><C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{1A404685-7563-4d02-B0F6-58B308A406A9}><c:\program files\internet explorer\fcguxsrz.dll>  []
    <{9A0CFC58-5A6F-41ba-9FFE-4320F4F621BA}><C:\WINDOWS\System32\Cnscheck001.dll>  []

==================================
启动文件夹
服务
[Ati HotKey Poller / Ati HotKey Poller]
  <C:\WINDOWS\System32\Ati2evxx.exe><N/A>
[ATI Smart / ATI Smart]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[卡巴斯基反病毒软件6.0 / AVP]
  <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r><Kaspersky Lab>
[Disk Managering / DisManager]
  <C:\WINDOWS\DisManager.exe><N/A>
[ewido anti-spyware 4.0 guard / ewido anti-spyware 4.0 guard]
  <D:\ZZ\tools\ewido_4.0.0.172c_3.3\guard.exe><Anti-Malware Development a.s.>
[IMAPI CD-Burning COM Service / ImapiService]
  <C:\WINDOWS\System32\imapi.exe><Microsoft Corporation>
[Machine Debug Manager / MDM]
  <"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"><N/A>
[Rising Personal Firewall Service / RfwService]
  <C:\Program Files\Rising\Rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[System Envents / System Envents]
  <C:\WINDOWS\Server><N/A>
[windows update / windows update]
  <C:\WINDOWS\cctv.com><N/A>

==================================
浏览器加载项
[]
  {E936184C-31D7-561B-BA1B-A317F03F34FB} <c:\WINDOWS\system32\system.dll, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\System32\kakatool.dll, Beijing Rising Technology Co., Ltd.>

==================================
正在运行的进程
[PID: 500][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 572][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 600][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [c:\program files\internet explorer\fcguxsrz.dll]  <><1, 0, 0, 11>
[PID: 644][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 656][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 832][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 940][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1040][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1060][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1444][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2600.0000 (xpclient.010817-1148)>
    [c:\program files\internet explorer\fcguxsrz.dll]  <><1, 0, 0, 11>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1716][C:\WINDOWS\System32\conime.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>
[PID: 1732][C:\WINDOWS\System32\cmd.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1768][C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe]  <Kaspersky Lab><6.0.0.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\pr_remote.dll]  <Kaspersky Lab><6.0.0.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\FSSync.dll]  <Kaspersky Lab><6.0.5.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\AVPGS.PPL]  <Kaspersky Lab><6.0.0.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  <Kaspersky Lab><6.0.0.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\winreg.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tm.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\bl.ppl]  <Kaspersky Lab><6.0.0.300>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\wmihlpr.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\ndetect.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\crpthlpr.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\schedule.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\timer.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\thpimpl.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\lic60.ppl]  <Kaspersky Lab><6.0.0.300>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\report.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\hashmd5.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avs.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avpmgr.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\wdiskio.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avlib.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avspm.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avp3info.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avpgui.ppl]  <Kaspersky Lab><6.0.0.300>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\basegui.dll]  <Kaspersky Lab><6.0.0.300>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\qb.ppl]  <Kaspersky Lab><6.0.0.299>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\inflate.ppl]  <Kaspersky Lab><6.0.0.16>
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\prutil.ppl]  <Kaspersky Lab><6.0.0.299>
[PID: 424][D:\ZZ\tools\TheWorldFull\TheWorld.exe]  <Phoenix Studio><1, 2, 3, 5>
    [D:\ZZ\tools\THEWOR~1\Plugin\SysState\SysState.dll]  <Phoenix Stdio><1, 0, 0, 4>
    [C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx]  <Adobe Systems, Inc.><9,0,16,0>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scr_ch_pg.dll]  <Kaspersky Lab><1.0.6.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll]  <Kaspersky Lab><6.0.0.299>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  <Kaspersky Lab><6.0.0.299>
    [C:\WINDOWS\System32\UNISPIM.IME]  <北京清华紫光软件股份有限公司><3.0.0.3045>
    [C:\WINDOWS\System32\upengine.dll]  <北京清华紫光软件股份有限公司><3.0.0.3045>
[PID: 580][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>
[PID: 1556][D:\ZZ\tools\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINDOWS\System32\Cnscheck001.dll]  <N/A><N/A>

==================================
文件关联
.TXT  Error. [notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. [hh.exe %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  Error. [notepad.exe %1]
.INF  Error. [notepad.exe %1]
.VBS  Error. [wscript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================

Last edited 2006-11-11 11:59:27.793000000

Open SREng > System Repair > repair the file associations..

With SREng
Delete startup items => Registry
<explorer><C:\WINDOWS\system32\explorer.exe> []
<iexplore><C:\WINDOWS\system32\iexplore.exe> []
<load><C:\WINDOWS\rundl132.exe> []
<run><> []
<systemdll><regsvr32 /s c:\WINDOWS\system32\system.dll> []
<IEXPLORER><C:\WINDOWS\System32\IEXPLORER.EXE> [Microsoft Corporation]
<system><C:\WINDOWS\system32\system.exe> [Microsoft Corporation]
<system><C:\WINDOWS\system32\system.exe> [Microsoft Corporation]
<{1A404685-7563-4d02-B0F6-58B308A406A9}><c:\program files\internet explorer\fcguxsrz.dll> []
<{9A0CFC58-5A6F-41ba-9FFE-4320F4F621BA}><C:\WINDOWS\System32\Cnscheck001.dll> []
Delete
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\rundl132.exe
c:\WINDOWS\system32\system.dll
C:\WINDOWS\System32\IEXPLORER.EXE
C:\WINDOWS\system32\system.exe
c:\program files\internet explorer\fcguxsrz.dll
C:\WINDOWS\System32\Cnscheck001.dll

Edit <Userinit> to C:\WINDOWS\system32\userinit.exe,
Delete the file
C:\WINDOWS\system32\explorer.exe

[Disk Managering / DisManager]
<C:\WINDOWS\DisManager.exe><N/A>
[System Envents / System Envents]
<C:\WINDOWS\Server><N/A>
[windows update / windows update]
<C:\WINDOWS\cctv.com><N/A>
Gray Pigeon (Huigezi).. in Safe Mode... open Registry Editor and expand: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Search for DisManager
System Envents and windows update, delete them...
Delete the files
C:\WINDOWS\DisManager.exe
C:\WINDOWS\Server
C:\WINDOWS\cctv.com

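The cleanup list in the reply above comes from reading the SREng startup entries by eye. The Python below is an added example, not code from the thread or from SREng: it parses startup-item lines in SREng's log format and applies a few defender heuristics that line up with what the replier removed: values under Policies\Explorer\Run, a non-empty legacy `load` value, a Userinit value carrying more than userinit.exe, filenames one or two edits away from a real system binary (rundl132.exe, IEXPLORER.EXE), system-binary names outside their default directory (explorer.exe in system32), silent `regsvr32 /s` registration at logon, and Windows-directory files with no company name. The excerpt is a constructed subset of the posted log; the known-binary list and the canonical directories are assumptions for Windows XP with SystemRoot C:\WINDOWS, as in the log.

```python
import re
from collections import namedtuple

# Constructed excerpt: startup-item lines in SREng 2.0 log format, copied from
# the log posted in this thread (a subset of the Run keys and Winlogon values).
SRENG_EXCERPT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <explorer><C:\WINDOWS\system32\explorer.exe>  []
    <iexplore><C:\WINDOWS\system32\iexplore.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><C:\WINDOWS\rundl132.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe">  [Kaspersky Lab]
    <systemdll><regsvr32 /s c:\WINDOWS\system32\system.dll>  []
    <IEXPLORER><C:\WINDOWS\System32\IEXPLORER.EXE>  [Microsoft Corporation]
    <system><C:\WINDOWS\system32\system.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  []
    <Userinit><C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe>  []
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*<([^>]*)><(.*)>\s*\[([^\]]*)\]\s*$")

# Assumed baseline: Windows XP with SystemRoot C:\WINDOWS, as in the posted log.
KNOWN_SYSTEM_BINARIES = {"explorer.exe", "iexplore.exe", "rundll32.exe", "svchost.exe",
                         "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "userinit.exe"}
CANONICAL_DIR = {"explorer.exe": r"c:\windows",
                 "iexplore.exe": r"c:\program files\internet explorer",
                 "userinit.exe": r"c:\windows\system32"}

# key: registry key the value sits under; publisher: company name SREng read
# from the file's version resource (author-controlled, so never trusted alone).
Entry = namedtuple("Entry", "key name command publisher")


def parse_sreng_startup(text):
    """Return the startup Entry objects found in an SREng log's registry section."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            entries.append(Entry(key, *m.groups()))
    return entries


def first_token(cmd):
    # The executable part of a command line: a quoted path or the first word.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def levenshtein(a, b):
    """Edit distance, used to spot names like rundl132.exe that mimic rundll32.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(e):
    """Return the reasons this entry deserves a closer look (empty list = none)."""
    reasons, key = [], e.key.lower()
    if e.name.lower() == "userinit":
        # Userinit is a comma-separated list; the XP default is userinit.exe alone.
        parts = [p for p in e.command.split(",") if p.strip()]
        if len(parts) != 1 or basename(parts[0]) != "userinit.exe":
            reasons.append("Userinit carries more than userinit.exe: " + e.command)
        return reasons
    path = first_token(e.command)
    base = basename(path)
    parent = path[: len(path) - len(base)].rstrip("\\/").lower()
    if key.endswith(r"policies\explorer\run"):
        reasons.append("Policies\\Explorer\\Run is a rarely used, commonly abused Run key")
    if key.endswith(r"windows nt\currentversion\windows") and e.command.strip():
        reasons.append(f"legacy win.ini-style '{e.name}' value is non-empty")
    if base and base not in KNOWN_SYSTEM_BINARIES:
        near = sorted(k for k in KNOWN_SYSTEM_BINARIES if levenshtein(base, k) <= 2)
        if near:
            reasons.append(f"{base} looks like system binary {', '.join(near)}")
    if base in CANONICAL_DIR and parent and parent != CANONICAL_DIR[base]:
        reasons.append(f"{base} belongs in {CANONICAL_DIR[base]}, found in {parent}")
    if re.search(r"regsvr32\s+/s\b", e.command, re.I):
        reasons.append("silently registers a DLL at every logon via regsvr32 /s")
    if not e.publisher.strip() and parent.startswith(r"c:\windows"):
        reasons.append("no company name in the version resource of a Windows-directory file")
    return reasons


def triage(text):
    """[(Entry, reasons)] for every startup entry with at least one reason."""
    return [(e, r) for e in parse_sreng_startup(text) if (r := check_entry(e))]


def flagged_names(text):
    return sorted(e.name for e, _ in triage(text))


if __name__ == "__main__":
    for e, reasons in triage(SRENG_EXCERPT):
        print(f"[{e.key}] <{e.name}><{e.command}>")
        for r in reasons:
            print("    -", r)
```

Run against the excerpt, the script flags explorer, iexplore, load, systemdll, IEXPLORER and Userinit, the same entries the replier deletes, and leaves kav and shell alone. It does not flag system.exe: the name is not close to anything in the list and its version resource claims Microsoft Corporation, yet the replier removes it too. SREng prints that company name straight from the file's own version resource, which whoever built the file controls, so heuristics like these shorten the list to examine but never clear an entry on their own.
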
mopery
So much stuff turned up in that scan. Learning from this.

Learning!