引用:

【李峥的贴子】我什么也没开，也从来不打系统补丁的！ ………………

最好打下补丁 去系统版 置顶有补丁地址

用安全卫士 或者 windows清理助手

如果不行 再扫日志

我下午有点事，等会我再把日志扫上来，忙反你再帮我看一下，谢谢了！

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup>  [InstallShield Software Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <RavStub><"C:\PROGRAM FILES\RISING\RAV\ravstub.exe" /RUNONCE>  [Beijing Rising Technology Co., Ltd.]
    <KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <twin><; C:\WINDOWS\System32\ctfnom.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows XP Publisher]
    <Userinit><C:\WINDOWS\System32\userinit.exe,>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows XP Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Windows fsya RunThem / fsya][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\antv\kxdf.dll>< >
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[IMAPI CD-Burning COM Service / ImapiService][Stopped/Manual Start]
  <C:\WINDOWS\System32\imapi.exe><Microsoft Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[BaseTDI / BaseTDI][Running/Auto Start]
  <\??\C:\WINDOWS\System32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[iejjefhd / iejjefhd][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\iejjefhd.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[npkcrypt / npkcrypt][Stopped/Auto Start]
  <\??\D:\QQ\npkcrypt.sys><N/A>
[nv / nv][Running/Manual Start]
  <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\System32\drivers\RsBoot.sys><Beijing Rising>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\System32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>

==================================
浏览器加载项
[上传到QQ网络硬盘]
  <D:\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
  <D:\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 444][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 524][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 548][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\wdmaud.drv]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
[PID: 592][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 604][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 776][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 840][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1060][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1168][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1360][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
    [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[PID: 1432][C:\PROGRAM FILES\RISING\RAV\RavStub.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
    [C:\PROGRAM FILES\RISING\RAV\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1852][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [c:\progra~1\antv\kxdf.dll]  [ , 4, 1, 0, 6]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
    [c:\progra~1\antv\pcik.dll]  [ , 1, 0, 0, 6]
[PID: 1888][C:\WINDOWS\System32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.5664]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
[PID: 2992][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 3496][C:\WINDOWS\explorer.exe]  [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
    [C:\WINDOWS\System32\nvcpl.dll]  [NVIDIA Corporation, 6.14.10.5664]
    [C:\WINDOWS\System32\nvshell.dll]  [NVIDIA Corporation, 6.14.10.5664]
    [C:\WINDOWS\System32\NVWRSZHC.DLL]  [NVIDIA Corporation, 6.14.10.5664]
    [C:\WINDOWS\System32\wdmaud.drv]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
    [C:\WINDOWS\System32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[PID: 3532][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
    [C:\WINDOWS\System32\wdmaud.drv]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
    [C:\WINDOWS\System32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\Macromed\Flash\Flash9c.ocx]  [Adobe Systems, Inc., 9,0,45,0]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[PID: 320][C:\Documents and Settings\qz0515\桌面\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [c:\progra~1\antv\nagi.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\antv\sfln.dll]  [ , 1, 0, 0, 6]
    [C:\Documents and Settings\qz0515\桌面\Plugins\NWMON.SRE]  [Smallfrogs Studio, 1, 0, 0, 8]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1        localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

女校男声，帮我看一下撒！上面是我刚扫描的目录。

第一份的处理意见:
删除启动项：
<1MJPMIG__><C:\WINDOWS\IMEINPUTS.EXE> []
<winform><C:\WINDOWS\winform.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<msccrt><C:\WINDOWS\msccrt.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
<upxdnd><C:\DOCUME~1\qz0515\LOCALS~1\Temp\upxdnd.exe> [N/A]
<mppds><C:\WINDOWS\mppds.exe> []
<CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe> [CNNIC]
删除服务：
[23C239CE / 23C239CE][Stopped/Auto Start]
<C:\WINDOWS\System32\200F6E14.EXE -d><Microsoft Corporation>
删除HOSTS：
127.0.0.1 popwin.9983.com
61.152.169.246 www.kuaiso.com
61.152.169.246 www.my6688.cn
61.152.169.246 www.union123.com
61.152.169.246 www.ktan.cn
61.152.169.246 www.2t2t.cn
61.152.169.246 www.cq530.com
61.152.169.246 www.365tc.com
61.152.169.246 ad.qucha.net
61.152.169.246 www.tan8.cn
61.152.169.246 www.itjj.net
61.152.169.246 www.start188.com
61.152.169.246 www.at58.cn
61.152.169.246 union.yxad.com
61.152.169.246 www.iptan.com
61.152.169.246 www.ip2008.net
61.152.169.246 www.yqif.com
61.152.169.246 www.2t2t.cn
61.152.169.246 www.17tan8.com
61.152.169.246 17tan8.com
61.152.169.246 www.688ip.com
61.152.169.246 www.17tc.com
61.152.169.246 www.zztan.com
61.152.169.246 www.5tanip.com
61.152.169.246 www.16tc.com
61.152.169.246 www.163se.net
61.152.169.246 www.724tc.com
61.152.169.246 www1.6tan.com
61.152.169.246 www2.6tan.com
61.152.169.246 www.6tan.com
61.152.169.246 quxiuu.com
61.152.169.246 www.quxiuu.com
61.152.169.246 www.23b.cn
61.152.169.246 www.ookkw.com
61.152.169.246 www.97725.com
61.152.169.246 down.97725.com
61.152.169.246 www.54699.com
61.152.169.246 web.77276.com
61.152.169.246 www.77276.com
61.152.169.246 d.77276.com
61.152.169.246 do.77276.coms

第二份的处理意见
删除驱动：
[iejjefhd / iejjefhd][Stopped/Boot Start]
<\SystemRoot\system32\drivers\iejjefhd.sys><N/A>
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\D:\QQ\npkcrypt.sys><N/A>
删除文件：
[c:\progra~1\antv\nagi.dll] [, 1, 0, 0, 6]
[c:\progra~1\antv\sfln.dll] [ , 1, 0, 0, 6]
[c:\progra~1\antv\kxdf.dll] [ , 4, 1, 0, 6]
[c:\progra~1\antv\nagi.dll] [, 1, 0, 0, 6]
[c:\progra~1\antv\sfln.dll] [ , 1, 0, 0, 6]
[c:\progra~1\antv\pcik.dll] [ , 1, 0, 0, 6]

请楼主另外注意:
使用恶意软件清理助手清理你中的流氓软件
还有请清理IE临时文件夹

卸在QQ 运行SRE 启动项目 注册表 删除

<twin>

安全模式下删除
C:\WINDOWS\System32\ctfnom.exe(QQ木马)

谢谢！