Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

Virus worm.win32.death.c, please help analyze the log

[CODE]

2007-07-14,18:50:37

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <bgswitch><C:\WINDOWS\system32\bgswitch.exe>  []
    <BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe">  [N/A]
    <Death.exe><C:\WINDOWS\system32\Death.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <EEventManager><C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe>  [N/A]
    <KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k>  [N/A]
    <NeroFilterCheck><; C:\WINDOWS\system32\NeroCheck.exe>  [Ahead Software Gmbh]
    <Google IME Autoupdater><"D:\新建文件夹\Google Pinyin\GooglePinyinDaemon.exe">  [(Verified)Google Inc]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <360Safetray><; D:\Program Files\360\360safe\safemon\360tray.exe>  [奇虎网]
    <AVP><; "D:\Program Files\kabasiji\avp.exe">  [N/A]
    <DAEMON Tools-2052><; "C:\Program Files\D-Tools\daemon.exe"  -lang 2052>  [DAEMON'S HOME]
    <RemoteControl><; "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe">  [Cyberlink Corp.]
    <SoundMAX><; C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray>  [Analog Devices, Inc.]
    <SoundMAXPnP><; C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe>  [Analog Devices, Inc.]
    <StormCodec_Helper><; >  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\UserInit.exe,>  [(Verified)Microsoft Windows Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
N/A

==================================
服务
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
  <C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Running/Auto Start]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
[Ulead Burning Helper / UleadBurningHelper][Running/Auto Start]
  <C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe><Ulead Systems, Inc.>

==================================
驱动程序
[aeaudio / aeaudio][Running/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[d347bus / d347bus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
  <\SystemRoot\System32\Drivers\d347prt.sys><>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[KRegEx / KRegEx][Stopped/System Start]
  <\??\C:\PROGRA~1\KV2006\KRegEx.sys><N/A>
[KvMemon / KvMemon][Stopped/Manual Start]
  <\??\C:\PROGRA~1\KV2006\KvMemon.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[MidiSyn / MidiSyn][Stopped/Manual Start]
  <system32\drivers\MidiSyn.sys><Analog Devices Inc>
[NetGroup Packet Filter Driver / NPF][Stopped/Manual Start]
  <system32\drivers\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[NPPTNT2 / NPPTNT2][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\npptNT2.sys><INCA Internet Co., Ltd.>
[PCLEPCI / PCLEPCI][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\pclepci.sys><Pinnacle Systems GmbH>
[PProtect / PProtect][Stopped/System Start]
  <\??\C:\PROGRA~1\KV2006\PProtect.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[UnlockerDriver4 Driver / UnlockerDriver4][Stopped/Manual Start]
  <\??\C:\Program Files\Unlocker\UnlockerDriver4.sys><N/A>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
  <system32\DRIVERS\yk51x86.sys><Marvell>

==================================
浏览器加载项
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\xunlei\ComDlls\XunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[NavigatMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <D:\Program Files\360\360safe\safemon\safemon.dll, >
[]
  {E3616E66-C13B-2628-2CDF-EDABCFA235E1} <C:\Program Files\Common Files\Relive.dll, N/A>
[启动迅雷5]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <D:\Program Files\xunlei\Thunder.exe, Thunder Networking Technologies,LTD>
[豪杰超级解霸9]
  {367E0A21-8601-4986-9C9A-153BF5ACA118} <C:\Program Files\Herosoft\Hero 9\STHSDVD.EXE, herosoft>
[番茄花园]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <D:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[Yahoo! Toolbar Helper]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web 浏览器]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\xunlei\ComDlls\XunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[NavigatMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <D:\Program Files\360\360safe\safemon\safemon.dll, >
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[]
  {E3616E66-C13B-2628-2CDF-EDABCFA235E1} <C:\Program Files\Common Files\Relive.dll, N/A>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[&使用迅雷下载]
  <D:\Program Files\xunlei\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
  <D:\Program Files\xunlei\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
  <D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用超级解霸播放]
  <C:\Program Files\Herosoft\Hero 9\MPURLGET.HTM, N/A>
[添加到QQ自定义面板]
  <D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
Last edited 2007-07-14 20:37:57

==================================
正在运行的进程
[PID: 636][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 744][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 768][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4113]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 812][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 824][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 976][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4113]
    [C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2496]
[PID: 988][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1064][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1204][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 344][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\WINDOWS\system32\icm32.dll]  [Microsoft Corporation, 5.1.2600.2709 (xpsp_sp2_gdr.050628-1518)]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm]  [Ulead Systems, Inc., 1.0.0.3]
    [D:\Program Files\xunlei\ComDlls\XunLeiBHO_007.dll]  [Thunder Networking Technologies,LTD, 5, 0, 1, 4]
    [D:\Program Files\360\360safe\safemon\safemon.dll]  [, 1, 0, 0, 1002]
[PID: 1324][D:\新建文件夹\Google Pinyin\GooglePinyinDaemon.exe]  [Google Inc., 1, 0, 0, 1]
    [C:\WINDOWS\system32\GooglePinyin.ime]  [Google Inc., ]
[PID: 352][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1164][C:\WINDOWS\system32\Death.exe]  [N/A, ]
[PID: 1416][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2192][J:\Death.exe]  [N/A, ]
[PID: 2664][J:\Death.exe]  [N/A, ]
[PID: 3484][J:\Death.exe]  [N/A, ]
[PID: 3648][G:\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost
188.188.122.33  localhost
dnl-us1.kaspersky-labs.com      localhost
dnl-us2.kaspersky-labs.com      localhost
dnl-us3.kaspersky-labs.com      localhost
dnl-us4.kaspersky-labs.com      localhost
dnl-us5.kaspersky-labs.com      localhost
dnl-us6.kaspersky-labs.com      localhost
dnl-us7.kaspersky-labs.com      localhost
dnl-us8.kaspersky-labs.com      localhost
dnl-us9.kaspersky-labs.com      localhost
dnl-us10.kaspersky-labs.com      localhost
dnl-us11.kaspersky-labs.com      localhost
dnl-us12.kaspersky-labs.com      localhost
dnl-us13.kaspersky-labs.com      localhost
dnl-us14.kaspersky-labs.com      localhost
dnl-us15.kaspersky-labs.com      localhost
dnl-us16.kaspersky-labs.com      localhost
dnl-us17.kaspersky-labs.com      localhost
dnl-us18.kaspersky-labs.com      localhost
dnl-us19.kaspersky-labs.com      localhost
dnl-us20.kaspersky-labs.com      localhost
update.jiangmin.info      localhost
update1.jiangmin.info      localhost
update2.jiangmin.info      localhost
update3.jiangmin.info      localhost
update4.jiangmin.info      localhost
update5.jiangmin.info      localhost
update6.jiangmin.info      localhost
update7.jiangmin.info      localhost
update8.jiangmin.info      localhost
update9.jiangmin.info      localhost
update10.jiangmin.info      localhost
update.jiangmin.com      localhost
update1.jiangmin.com      localhost
update2.jiangmin.com      localhost
update3.jiangmin.com      localhost
update4.jiangmin.com      localhost
update5.jiangmin.com      localhost
update6.jiangmin.com      localhost
update7.jiangmin.com      localhost
update8.jiangmin.com      localhost
update9.jiangmin.com      localhost
update10.jiangmin.com      localhost
edu.jiangmin.com      localhost
edu1.jiangmin.com      localhost
edu2.jiangmin.com      localhost
edu3.jiangmin.com      localhost
rsdownauto.rising.com.cn      localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Death.exe><C:\WINDOWS\system32\Death.exe> []
<KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k> [N/A]
Delete the registry values listed above.
==================================
驱动程序
[NetGroup Packet Filter Driver / NPF][Stopped/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
Delete the driver listed above.
==================================
正在运行的进程
[PID: 1164][C:\WINDOWS\system32\Death.exe] [N/A, ]
[PID: 2192][J:\Death.exe] [N/A, ]
[PID: 2664][J:\Death.exe] [N/A, ]
[PID: 3484][J:\Death.exe] [N/A, ]
c:\windows\system32\drivers\npf.sys
Delete the files listed above!
==================================
HOSTS 文件
188.188.122.33 localhost
dnl-us1.kaspersky-labs.com localhost
dnl-us2.kaspersky-labs.com localhost
dnl-us3.kaspersky-labs.com localhost
dnl-us4.kaspersky-labs.com localhost
dnl-us5.kaspersky-labs.com localhost
dnl-us6.kaspersky-labs.com localhost
dnl-us7.kaspersky-labs.com localhost
dnl-us8.kaspersky-labs.com localhost
dnl-us9.kaspersky-labs.com localhost
dnl-us10.kaspersky-labs.com localhost
dnl-us11.kaspersky-labs.com localhost
dnl-us12.kaspersky-labs.com localhost
dnl-us13.kaspersky-labs.com localhost
dnl-us14.kaspersky-labs.com localhost
dnl-us15.kaspersky-labs.com localhost
dnl-us16.kaspersky-labs.com localhost
dnl-us17.kaspersky-labs.com localhost
dnl-us18.kaspersky-labs.com localhost
dnl-us19.kaspersky-labs.com localhost
dnl-us20.kaspersky-labs.com localhost
update.jiangmin.info localhost
update1.jiangmin.info localhost
update2.jiangmin.info localhost
update3.jiangmin.info localhost
update4.jiangmin.info localhost
update5.jiangmin.info localhost
update6.jiangmin.info localhost
update7.jiangmin.info localhost
update8.jiangmin.info localhost
update9.jiangmin.info localhost
update10.jiangmin.info localhost
update.jiangmin.com localhost
update1.jiangmin.com localhost
update2.jiangmin.com localhost
update3.jiangmin.com localhost
update4.jiangmin.com localhost
update5.jiangmin.com localhost
update6.jiangmin.com localhost
update7.jiangmin.com localhost
update8.jiangmin.com localhost
update9.jiangmin.com localhost
update10.jiangmin.com localhost
edu.jiangmin.com localhost
edu1.jiangmin.com localhost
edu2.jiangmin.com localhost
edu3.jiangmin.com localhost
rsdownauto.rising.com.cn localhost
Use SREng to delete all of the above entries from the HOSTS file!
==================================
Finally, run a full antivirus scan of all drives in Safe Mode!
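Added example, not part of this thread and not SREng's own code: a small Python script that reads the text format SREng printed above and pulls out the same three kinds of indicator the reply acted on. It flags autorun entries that carry no publisher (an empty `[]` or `[N/A]` field), groups running processes without a publisher by file name so that one binary running from both system32 and the root of a removable drive stands out, and lists every HOSTS entry other than the canonical loopback line, which is the approach the reply takes when it says to remove all of them. The sample log is a constructed excerpt modelled on the posted one; the section titles (启动项目, 正在运行的进程, HOSTS 文件) are the ones SREng printed in this log, and since the meaning of the leading `;` on some Run entries is not documented here, the script only strips it.

```python
"""SREng log triage: added example for this thread, not SREng's code or the poster's."""
import ipaddress
import re
from collections import defaultdict

SEPARATOR = "=================================="
# <name><command>  [publisher] for autorun entries; [PID: n][path]  [publisher, version] for processes
AUTORUN_RE = re.compile(r"^\s*<(?P<name>[^>]*)><(?P<cmd>[^>]*)>\s*\[(?P<pub>.*)\]\s*$")
PROCESS_RE = re.compile(r"^\[PID:\s*\d+\]\[(?P<path>[^\]]+)\]\s*\[(?P<pub>[^,\]]*),")
HIVE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")

# Constructed excerpt modelled on the log in the thread (section titles as posted).
SAMPLE_LOG = r"""启动项目
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <bgswitch><C:\WINDOWS\system32\bgswitch.exe>  []
    <Death.exe><C:\WINDOWS\system32\Death.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k>  [N/A]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <StormCodec_Helper><; >  [N/A]
==================================
正在运行的进程
[PID: 1164][C:\WINDOWS\system32\Death.exe]  [N/A, ]
[PID: 2192][J:\Death.exe]  [N/A, ]
[PID: 3648][G:\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
==================================
HOSTS 文件
127.0.0.1      localhost
188.188.122.33  localhost
dnl-us1.kaspersky-labs.com      localhost
rsdownauto.rising.com.cn      localhost
==================================
"""


def split_sections(text):
    """Map each section title (its first non-empty line) to the section's remaining lines."""
    sections = {}
    for block in text.split(SEPARATOR):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if lines:
            sections[lines[0].strip()] = lines[1:]
    return sections


def unsigned_autoruns(lines):
    """(hive, name, command) for autorun entries whose publisher field is empty or N/A."""
    hive, findings = None, []
    for line in lines:
        hive_match = HIVE_RE.match(line.strip())
        entry = AUTORUN_RE.match(line)
        if hive_match:
            hive = hive_match.group(1)
        elif entry:
            # Some entries are printed with a leading ';'; strip it and skip entries with no command.
            cmd = entry.group("cmd").strip().lstrip(";").strip()
            if cmd and entry.group("pub").strip() in ("", "N/A"):
                findings.append((hive, entry.group("name"), cmd))
    return findings


def unattributed_process_locations(lines):
    """basename -> sorted directories, for running processes that report no publisher."""
    locations = defaultdict(set)
    for line in lines:
        proc = PROCESS_RE.match(line)
        if proc and proc.group("pub").strip() in ("", "N/A"):
            directory, _, base = proc.group("path").rpartition("\\")
            locations[base.lower()].add(directory.upper())
    return {base: sorted(dirs) for base, dirs in locations.items()}


def noncanonical_hosts(lines):
    """(kind, first_token, names) for every HOSTS line except the loopback 'localhost' line."""
    findings = []
    for line in lines:
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        first, names = tokens[0], tokens[1:]
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            # First token is a hostname, not an address: not a valid hosts entry at all.
            findings.append(("non-address-entry", first, names))
            continue
        if addr.is_loopback and names == ["localhost"]:
            continue
        kind = "localhost-redirect" if "localhost" in names else "static-mapping"
        findings.append((kind, first, names))
    return findings


def triage(log_text):
    """Run all three checks over one SREng log and return their findings."""
    sections = split_sections(log_text)
    return {
        "autoruns": unsigned_autoruns(sections.get("启动项目", [])),
        "processes": unattributed_process_locations(sections.get("正在运行的进程", [])),
        "hosts": noncanonical_hosts(sections.get("HOSTS 文件", [])),
    }
```

Run `triage(open("sreng.log", encoding="utf-8").read())` against a saved log. Entries with no publisher are not malicious by themselves (several `[N/A]` entries in the posted log sit under well-known vendors' paths), so the output is a worklist for manual verification; the point is that an unsigned Death.exe in two locations and the antivirus update hostnames pointed at localhost surface in a few lines instead of a few hundred.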


This virus probably cannot be removed completely; it seems to replace exe files ...