2007-10-24,13:30:00

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
N/A

==================================
启动文件夹
N/A

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Microsoft Search / MSSEARCH][Running/Auto Start]
  <"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"><Microsoft Corporation>
[MSSQLSERVER / MSSQLSERVER][Running/Auto Start]
  <C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe><Microsoft Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[CnsMinKP / CnsMinKP][Running/Boot Start]
  <\SystemRoot\system32\drivers\CnsMinKP.sys><国风因特软件（北京）有限公司>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[FXDRV / FXDRV][Stopped/Manual Start]
  <\??\G:\Fxdrv.sys><N/A>
[HookCont / HookCont][Running/System Start]
  <\SystemRoot\system32\drivers\HookCont.sys><Beijing Rising Technology Co., Ltd>
[HookNtos / HookNtos][Running/System Start]
  <\SystemRoot\system32\drivers\HookNtos.sys><Beijing Rising Technology Co., Ltd>
[HookReg / HookReg][Running/System Start]
  <\SystemRoot\system32\drivers\HookReg.sys><Beijing Rising Technology Co., Ltd>
[HookSys / HookSys][Running/System Start]
  <\SystemRoot\system32\drivers\HookSys.sys><Beijing Rising Technology Co., Ltd>
[kjohnisck / kjohnisck][Running/System Start]
  <2 - 系统找不到指定的文件。
><N/A>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[Realtek 10/100/1000 NIC Family all in one NDIS NT Driver / RTL8023][Running/Manual Start]
  <system32\DRIVERS\Rtlnic.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[VIA AGP Filter / viaagp1][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
[VIA USB Filter / viafilter][Stopped/Manual Start]
  <\SystemRoot\System32\Drivers\viausb.sys><VIA Technologies, Inc.>
[viagfx / viagfx][Running/Manual Start]
  <system32\DRIVERS\vtmini.sys><Copyright (C) VIA/S3 Graphics Co, Ltd.>
[viaide / viaide][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\viaide.sys><VIA Technologies, Inc.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[ljrfpfsd / ljrfpfsd][Running/Boot Start]
  <\SystemRoot\\SystemRoot\System32\drivers\ljrfpfsd.sys><N/A>

==================================
浏览器加载项
[CnsHook Class]
  {D157330A-9EF3-49F8-9A67-4141AC41ADD4} <C:\WINNT\downlo~1\CnsHook.dll, 国风因特软件（北京）有限公司>
[assist]
  {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yassist.dll, N/A>
[Yahoo 3.5G电邮]
  {507F9113-CD77-4866-BA92-0E86DA3D0B97} <http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail, N/A>
[名品折扣]
  {59BC54A2-56B3-44a0-93E5-432D58746E26} <http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816, N/A>
[雅虎助手]
  {5D73EE86-05F1-49ed-B850-E423120EC338} <http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist, N/A>
[雅虎WIDGET]
  {6354ABE6-05F1-49ed-B850-E423120EC338} <http://cn.widget.yahoo.com/index.htm?source=Cns, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[情景聊天]
  {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} <http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg, N/A>
[]
  {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} <http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair, N/A>
[]
  {FD00D911-7529-4084-9946-A29F1BDF4FE5} <http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[雅虎助手]
  {406F94F0-504F-4A40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[AutoLive]
  {7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} <C:\PROGRA~1\3721\autolive.dll, 国风因特软件（北京）有限公司>
[360SafeLive]
  {87515F61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\360safe\live.dll, 360safe.com>
[雅虎搜索]
  <res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203, N/A>

[用户系统信息]Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)

==================================
正在运行的进程
[PID: 176][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 208][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 1988][C:\Program Files\Rising\Rav\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 20.0.0.20]
    [C:\Program Files\Rising\Rav\ProcCom.dll]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
    [C:\Program Files\Rising\Rav\RsCommX2.dll]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 19]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 20.0.0.0]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 20.0.0.10]
[PID: 1996][C:\WINNT\system32\rundll32.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\autolive.dll]  [国风因特软件（北京）有限公司, 2.5.6.1011]
    [C:\PROGRA~1\3721\notifier.dll]  [国风因特软件（北京）有限公司, 2.5.1.1003]
    [C:\PROGRA~1\3721\alLiveEx.dll]  [ , 1, 0, 3, 1006]
[PID: 2024][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
[PID: 1932][C:\Program Files\Tencent\QQ\TIMPlatform.exe]  [TENCENT, 7,0,365,1701]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
    [C:\Program Files\Tencent\QQ\TIMProxy.dll]  [tencent, 0, 3, 2, 4]
[PID: 2704][C:\WINNT\system32\conime.exe]  [Microsoft Corporation, 5.00.2195.6655]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
[PID: 2372][C:\Program Files\360safe\safemon\360Tray.exe]  [奇虎网, 3, 6, 1, 1001]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\Program Files\360safe\safemon\SafeKrnl.dll]  [奇虎网, 3, 6, 0, 1001]
    [C:\Program Files\360safe\AntiAdwa.dll]  [360Safe.com, 3, 6, 1, 1001]
[PID: 2672][C:\WINNT\explorer.exe]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\PROGRA~1\3721\alrex.dll]  [国风因特软件（北京）有限公司, 2.5.1.1003]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]
    [C:\WINNT\downlo~1\CnsHook.dll]  [国风因特软件（北京）有限公司, 2.5.1.6]
    [C:\PROGRA~1\3721\autolive.dll]  [国风因特软件（北京）有限公司, 2.5.6.1011]
    [C:\PROGRA~1\3721\alLiveEx.dll]  [ , 1, 0, 3, 1006]
    [C:\WINNT\system32\ALSNDMGR.CPL]  [Realtek Semiconductor Corp., 2, 2, 0, 48]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 20, 0, 0, 16]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\PROGRA~1\3721\ske\contmenu.dll]  [N/A, ]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 20.0.0.16]
[PID: 952][F:\SREng2.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [C:\PROGRA~1\3721\CnsM.dll]  [, 2.5.6.1009]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\PROGRA~1\3721\helper.dll]  [国风因特软件（北京）有限公司, 2.5.3.1006]
    [C:\WINNT\downlo~1\CnsMin.dll]  [国风因特软件（北京）有限公司, 2.5.1.2]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
入口点错误：CreateProcessA (危险等级: 一般,  被下面模块所HOOK: C:\Program Files\360safe\safemon\safemon.dll)
入口点错误：CreateProcessW (危险等级: 一般,  被下面模块所HOOK: C:\Program Files\360safe\safemon\safemon.dll)

==================================
隐藏进程
N/A

==================================

【回复“水晶青蛙”的帖子】
日志不完整

同时有个问题，在这台机子上装了个网页服务，但是所有的网页后面都被注入代码，删了还会被自动加上！

重新扫描日志.把日志名改为SREngPS.txt以附件的形式上传.