[C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Rising\Rav\ProcCom.dll]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
    [C:\Program Files\Rising\Rav\RsCommX2.dll]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 18]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 3100 / zhumin][C:\WINDOWS\msagent\AgentSvr.exe]  [Microsoft Corporation, 2.00.0.3424]
    [C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys]  [N/A, ]
    [C:\WINDOWS\system32\avwlamn.dll]  [N/A, ]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [C:\WINDOWS\system32\MsIMMs32.dll]  [N/A, ]
    [C:\WINDOWS\system32\rarjapi.dll]  [N/A, ]
    [C:\WINDOWS\system32\rsztbpm.dll]  [N/A, ]
    [C:\WINDOWS\system32\jyzprr.dll]  [N/A, ]
    [C:\Program Files\NetMeeting\ravcqmon.dat]  [N/A, ]
    [C:\Program Files\NetMeeting\ravmsmon.dat]  [N/A, ]
[PID: 1960 / zhumin][C:\WINDOWS\system32\rsztbsp.exe]  [N/A, ]
    [C:\WINDOWS\system32\avwlamn.dll]  [N/A, ]
    [C:\WINDOWS\system32\rsztbpm.dll]  [N/A, ]
[PID: 536 / zhumin][C:\WINDOWS\system32\rarjatl.exe]  [N/A, ]
    [C:\WINDOWS\system32\rarjapi.dll]  [N/A, ]
[PID: 1844 / zhumin][C:\Program Files\Tencent\TT\TTraveler.exe]  [Tencent, 3, 8, 308, 201]
    [C:\Program Files\NetMeeting\ravcqmon.dat]  [N/A, ]
    [C:\Program Files\NetMeeting\ravmsmon.dat]  [N/A, ]
    [C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys]  [N/A, ]
    [C:\Program Files\Tencent\TT\Plugins\QQFloatBar\QQFloatBar4TT2.dll]  [腾讯公司, 1, 1, 0, 5]
    [C:\WINDOWS\system32\avwlamn.dll]  [N/A, ]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [C:\WINDOWS\system32\rarjapi.dll]  [N/A, ]
    [C:\WINDOWS\system32\jyzprr.dll]  [N/A, ]
    [C:\WINDOWS\system32\rsztbpm.dll]  [N/A, ]
    [C:\WINDOWS\system32\MsIMMs32.dll]  [N/A, ]
    [C:\Program Files\Tencent\TT\TTNetFavor.dll]  [N/A, ]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 3]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx]  [Adobe Systems, Inc., 9,0,47,0]
[PID: 3476 / zhumin][C:\实用工具\sreng\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\WINDOWS\system32\rarjapi.dll]  [N/A, ]
    [C:\Program Files\NetMeeting\ravcqmon.dat]  [N/A, ]
    [C:\Program Files\NetMeeting\ravmsmon.dat]  [N/A, ]
    [C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys]  [N/A, ]
    [C:\WINDOWS\system32\avwlamn.dll]  [N/A, ]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [C:\WINDOWS\system32\jyzprr.dll]  [N/A, ]
    [C:\WINDOWS\system32\rsztbpm.dll]  [N/A, ]
    [C:\WINDOWS\system32\MsIMMs32.dll]  [N/A, ]
    [C:\实用工具\sreng\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
[PID: 2588 / zhumin][C:\program files\internet explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\avwlamn.dll]  [N/A, ]
    [C:\Program Files\NetMeeting\ravcqmon.dat]  [N/A, ]
    [C:\Program Files\NetMeeting\ravmsmon.dat]  [N/A, ]
    [C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys]  [N/A, ]
    [C:\实用工具\迅雷5\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.5.15]
    [C:\实用工具\迅雷5\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 8, 18]
    [C:\实用工具\迅雷5\Components\ResWorker\DsBho_00.dll]  [, 1, 0, 0, 11]
    [C:\实用工具\迅雷5\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 12]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [C:\WINDOWS\system32\rarjapi.dll]  [N/A, ]
    [C:\WINDOWS\system32\jyzprr.dll]  [N/A, ]
    [C:\WINDOWS\system32\rsztbpm.dll]  [N/A, ]
    [C:\WINDOWS\system32\MsIMMs32.dll]  [N/A, ]

==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 2028, C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\TPHKMGR.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2044, C:\PROGRA~1\THINKPAD\UTILIT~1\EZEJMNAP.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 120, C:\PROGRAM FILES\IBM\MESSAGES BY IBM\IBMMESSAGES.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 148, C:\IBMTOOLS\UTILS\IBMPRC.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 160, C:\PROGRAM FILES\THINKPAD\CONNECTUTILITIES\QCWLICON.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 228, C:\PROGRAM FILES\THINKPAD\PKGMGR\HOTKEY\TPONSCR.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 280, C:\PROGRAM FILES\THINKPAD\PKGMGR\HOTKEY_1\TPSCREX.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 484, C:\PROGRAM FILES\DIGITAL LINE DETECT\DLG.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1092, C:\PROGRAM FILES\IBM\IBM RAPID RESTORE ULTRA\RRPCSB.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 3176, C:\WINDOWS\SYSTEM32\RSZTBSP.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1924, C:\WINDOWS\SYSTEM32\RARJATL.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1960, C:\WINDOWS\SYSTEM32\RSZTBSP.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 536, C:\WINDOWS\SYSTEM32\RARJATL.EXE]
特殊特权被允许： SeDebugPrivilege [PID = 1844, C:\PROGRAM FILES\TENCENT\TT\TTRAVELER.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1844, C:\PROGRAM FILES\TENCENT\TT\TTRAVELER.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
    [3436] C:\DOCUME~1\zhumin\LOCALS~1\Temp\ravsons.exe

以后发日志去反病毒区或者日志区.

先下载XDelbox1.5删除工具: http://bbs.duba.net/attachment.php?aid=16039019
打开XDelbox1.5把以下路径添加进去,然后点右键,立即重启并删除.
C:\DOCUME~1\zhumin\LOCALS~1\Temp\ravsons.exe
C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys
C:\WINDOWS\system32\rsztbpm.dll
C:\WINDOWS\system32\rsjzbpm.dll
C:\WINDOWS\system32\ratbdpi.dll
C:\WINDOWS\system32\avwlamn.dll
C:\WINDOWS\system32\rarjapi.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\DbgHlp32.dll
C:\Program Files\NetMeeting\ravzxmon.dat
C:\WINDOWS\system32\jyzprr.dll
C:\Program Files\NetMeeting\ravcqmon.dat
C:\Program Files\NetMeeting\ravmsmon.dat
C:\WINDOWS\system32\pwdmon.dll
C:\WINDOWS\system32\Rising.ExE
C:\WINDOWS\WinForm.exe
C:\WINDOWS\DbgHlp32.exe
删除完后重启计算机时按F8进入安全模式:
打开sreng
启动项目--注册表--删除如下项目:
<ravcqmon>
<WinForm>
<ravmsmon>
<DbgHlp32>
<ravzxmon>
<compmgmt>
<{40117B96-998D-4D80-8F89-5E9DBD9F3460>
<{1598FF45-DA60-F48A-BC43-10AC47853D51}>
<{234345F1-DACF-3452-CB7D-4620F34A1532}>
<{46650011-3344-6688-4899-345FABCD1564}>
<{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}>
<{1960356A-458E-DE24-BD50-268F589A56A1}>
双击<AppInit_DLLs>清空<avwlamn.dll>
打开sreng
点击启动项目--服务--驱动程序-- 勾选“隐藏经认证的微软项目”
等待列表出来之后点击以下项目:
[fox999 / fox999][Running/]
<2 - 系统找不到指定的文件。
><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\DRIVERS\npf.sys><CACE Technologies>