Rising Kaka Security Forum

Please help, gurus!!!!
任八 - 2005-11-16 10:24:00
My Windows 2000 system is extremely slow; sometimes it just stops responding, although it hasn't actually crashed. When I open Task Manager I see a process, System Idle Process, occupying the CPU for long stretches. I scanned with antivirus software and it found no virus.
任八 - 2005-11-16 10:27:00
HijackThis_815 Chinese edition scan log V1.99.1
Scan saved at 10:20:03, on 2005-11-16
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINNT\system32\ftp.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINNT\system32\ctfmon.exe
D:\HijackThis\HijackThis1991zww.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@2052,Radio(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tcpipdogr0.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tcpipdogr0.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131961407767
O17 - HKLM\System\CCS\Services\Tcpip\..\{82F0D09E-ABD4-4A56-BA03-2465E8BA99F1}: NameServer =
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINNT\SYSTEM32\slserv.exe

Here's the log. Please help, gurus!!!!! Waiting online.
任八 - 2005-11-16 10:33:00
Bump!!!!!!!!!
BlackStone - 2005-11-16 11:22:00
I don't see anything wrong.

Save an Autoruns log and post it here.
How to save the log: choose the File->Save menu item.
When saving, make sure Options->Hide Microsoft Entries is selected (after setting it, click the Refresh button on the toolbar).

For downloading and using the tool, see post #14 at http://forum.ikaka.com/topic.asp?board=28&artid=7318038
任八 - 2005-11-16 13:07:00
Thanks in advance. My problem is that sometimes it's perfectly normal, and when it acts up it's very slow!!!!
任八 - 2005-11-16 13:36:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ C-Media Mixer    Mixer    C-Media Electronic Inc.    c:\program files\pci audio applications\mixer.exe
+ NeroFilterCheck    NeroCheck    Ahead Software Gmbh    c:\winnt\system32\nerocheck.exe
+ NvCplDaemon    NVIDIA Display Properties Extension    NVIDIA Corporation    c:\winnt\system32\nvcpl.dll
+ NvMediaCenter    NVIDIA Media Center Library    NVIDIA Corporation    c:\winnt\system32\nvmctray.dll
+ nwiz    NVIDIA nView Wizard, Version 110.07    NVIDIA Corporation    c:\winnt\system32\nwiz.exe
+ RavMon    RavMon Rising realtime monitor    Beijing Rising Technology Co., Ltd.    c:\program files\rising\rav\ravmon.exe
+ RavTimer    RavTimer    Beijing Rising Technology Co., Ltd.    c:\program files\rising\rav\ravtimer.exe
+ RfwMain    Rising Personal FireWall Main Program    Beijing Rising Technology Corporation Limited    c:\program files\rising\rfw\rfwmain.exe

C:\Documents and Settings\All Users\「开始」菜单\程序\启动
+ Adobe Gamma Loader.lnk    Adobe Gamma Loader    Adobe Systems, Inc.    c:\program files\common files\adobe\calibration\adobe gamma loader.exe

HKLM\System\CurrentControlSet\Services
+ NVSvc    Provides system and desktop level support to the NVIDIA display driver    NVIDIA Corporation    c:\winnt\system32\nvsvc32.exe
+ RfwService    Rising Personal Firewall Service    Beijing Rising Technology Corporation Limited    c:\program files\rising\rfw\rfwsrv.exe
+ RsCCenter    CCenter    rising    c:\program files\rising\rav\ccenter.exe
+ RsRavMon    RavMon    Beijing Rising Technology Co., Ltd.    c:\program files\rising\rav\ravmond.exe
+ SLService    User-Level Modem Service        c:\winnt\system32\slserv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ RISING    Rising Shell Ext Module    Beijing Rising Technology Co., Ltd.    c:\winnt\system32\ravext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class    AcroIEHelper Module        d:\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx

HKLM\Software\Microsoft\Internet Explorer\Extensions
+ @shdoclc.dll,-864            c:\winnt\web\related.htm

HKCU\Control Panel\Desktop\Scrnsave.exe
+ (None)            File not found: (None)

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD Tcpip [RAW/IP]            c:\winnt\system32\tcpipdog0.dll
+ MSAFD Tcpip [TCP/IP]            c:\winnt\system32\tcpipdog0.dll
+ MSAFD Tcpip [UDP/IP]            c:\winnt\system32\tcpipdog0.dll
+ RSVP TCP Service Provider            c:\winnt\system32\tcpipdogr0.dll
+ RSVP UDP Service Provider            c:\winnt\system32\tcpipdogr0.dll

This is the Autoruns log. Please take a look, gurus, many thanks!
BlackStone - 2005-11-16 13:41:00
+ SLService User-Level Modem Service c:\winnt\system32\slserv.exe
+ MSAFD Tcpip [RAW/IP] c:\winnt\system32\tcpipdog0.dll
+ MSAFD Tcpip [TCP/IP] c:\winnt\system32\tcpipdog0.dll
+ MSAFD Tcpip [UDP/IP] c:\winnt\system32\tcpipdog0.dll
+ RSVP TCP Service Provider c:\winnt\system32\tcpipdogr0.dll
+ RSVP UDP Service Provider c:\winnt\system32\tcpipdogr0.dll

Try disabling these and rebooting.
任八 - 2005-11-16 13:56:00
The first one can be disabled, but when I try to disable the others a dialog box says "winsock service providers cannot be disabled (only deletion is supported)". So can I delete them?
BlackStone - 2005-11-16 13:59:00
Back up before deleting.
任八 - 2005-11-16 14:13:00
Do you mean with Ghost, or something else? I'm a newbie!!!
Thanks; having read your posts, I thank you on behalf of everyone (newbies like me!!!).
BlackStone - 2005-11-16 14:15:00
What I meant was:
before deleting c:\winnt\system32\tcpipdogr0.dll, back it up,
so that if you delete the wrong thing you can still restore it by hand.
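The advice above stops at "back it up, then delete", so here is what the catalog Autoruns is listing actually looks like and what a careful repair of it does. This is an added example, not code from the thread or from Rising or Sysinternals. The registry layout it models is an assumption drawn from the documented Winsock 2 structure, not read from a live machine; the layered-LSP entry and `example_lsp.dll` in the second catalog are constructed, and chain references between layered and base entries are not modelled. The point a practitioner would want flagged: the five entries in the log carry the standard Microsoft provider names (MSAFD Tcpip, RSVP), what is unusual is only the DLL they load. Deleting those five entries would leave the machine with no TCP/IP provider at all; the repair is to point them back at mswsock.dll / rsvpsp.dll (or reinstall TCP/IP on Windows 2000; `netsh winsock reset` only exists from XP SP2 on), and to delete only genuinely extra entries, renumbering the survivors so Winsock does not hit a gap.

```python
r"""Model of the Winsock 2 protocol catalog and a safe repair plan for it.

Added example (assumption, not read from a live registry): under
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
each provider is a subkey Catalog_Entries\000000000001 ... 0000000000NN and
Num_Catalog_Entries must equal NN.  Winsock enumerates 1..Num_Catalog_Entries,
so deleting one subkey and leaving a gap breaks every socket on the machine.
That is why Autoruns says an LSP entry cannot be disabled, only deleted.
"""

WINSOCK2_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters"
SYSTEM32 = r"c:\winnt\system32"          # Windows 2000 default, as in the thread

# Base providers that ship with Windows 2000 / XP and the DLL each must load.
EXPECTED_BASE_DLL = {
    "MSAFD Tcpip [TCP/IP]": "mswsock.dll",
    "MSAFD Tcpip [UDP/IP]": "mswsock.dll",
    "MSAFD Tcpip [RAW/IP]": "mswsock.dll",
    "RSVP TCP Service Provider": "rsvpsp.dll",
    "RSVP UDP Service Provider": "rsvpsp.dll",
}

# The catalog exactly as the Autoruns log in this thread lists it: the five
# standard provider names, each loading tcpipdog*.dll instead of the Microsoft
# DLL.  Deleting all five would remove TCP/IP from Winsock, so they are repointed.
CATALOG_FROM_THREAD = [
    ("MSAFD Tcpip [RAW/IP]", r"c:\winnt\system32\tcpipdog0.dll"),
    ("MSAFD Tcpip [TCP/IP]", r"c:\winnt\system32\tcpipdog0.dll"),
    ("MSAFD Tcpip [UDP/IP]", r"c:\winnt\system32\tcpipdog0.dll"),
    ("RSVP TCP Service Provider", r"c:\winnt\system32\tcpipdogr0.dll"),
    ("RSVP UDP Service Provider", r"c:\winnt\system32\tcpipdogr0.dll"),
]

# Constructed contrast case: healthy base providers plus one layered LSP.
# The provider name and example_lsp.dll are hypothetical.
LAYERED_CATALOG = [
    ("MSAFD Tcpip [TCP/IP]", r"c:\winnt\system32\mswsock.dll"),
    ("Example LSP over [MSAFD Tcpip [TCP/IP]]", r"c:\winnt\system32\example_lsp.dll"),
    ("MSAFD Tcpip [UDP/IP]", r"c:\winnt\system32\mswsock.dll"),
    ("MSAFD Tcpip [RAW/IP]", r"c:\winnt\system32\mswsock.dll"),
    ("RSVP TCP Service Provider", r"c:\winnt\system32\rsvpsp.dll"),
    ("RSVP UDP Service Provider", r"c:\winnt\system32\rsvpsp.dll"),
]


def dll_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def backup_commands(catalog, rogue_dlls, backup_dir):
    """Commands to run before the catalog is touched.

    regedit /e exists on Windows 2000 (reg.exe does not ship with it); the
    exported .reg puts the old catalog back by double-clicking it, and the DLL
    copy lets the file be restored by hand if the wrong one was deleted.
    """
    cmds = ['regedit /e "%s\\winsock2-before.reg" "%s"' % (backup_dir, WINSOCK2_KEY)]
    for _, dll in catalog:
        cmd = 'copy "%s" "%s\\"' % (dll, backup_dir)
        if dll_name(dll) in rogue_dlls and cmd not in cmds:
            cmds.append(cmd)
    return cmds


def plan_repair(catalog, rogue_dlls):
    """Return (repaired catalog, list of actions).

    * a base provider loading the wrong DLL is repointed to the Microsoft DLL
    * any other entry loading a rogue DLL (a layered LSP) is deleted
    * survivors are renumbered contiguously and Num_Catalog_Entries updated
    """
    actions, kept = [], []
    for num, (name, dll) in enumerate(catalog, start=1):
        key = "%012d" % num                      # Catalog_Entries subkey name
        if name in EXPECTED_BASE_DLL:
            want = EXPECTED_BASE_DLL[name]
            if dll_name(dll) != want:
                fixed = SYSTEM32 + "\\" + want
                actions.append("repoint %s %s: %s -> %s" % (key, name, dll, fixed))
                dll = fixed
            kept.append((name, dll))
        elif dll_name(dll) in rogue_dlls:
            actions.append("delete %s %s (%s)" % (key, name, dll))
        else:
            kept.append((name, dll))
    entries = {"%012d" % i: entry for i, entry in enumerate(kept, start=1)}
    return {"Catalog_Entries": entries, "Num_Catalog_Entries": len(kept)}, actions


if __name__ == "__main__":
    rogue = {"tcpipdog0.dll", "tcpipdogr0.dll", "example_lsp.dll"}
    for label, catalog in (("thread", CATALOG_FROM_THREAD), ("layered", LAYERED_CATALOG)):
        print("== %s ==" % label)
        for cmd in backup_commands(catalog, rogue, r"d:\backup"):
            print("  " + cmd)
        repaired, actions = plan_repair(catalog, rogue)
        for action in actions:
            print("  " + action)
        print("  Num_Catalog_Entries = %d" % repaired["Num_Catalog_Entries"])
```

The `regedit /e` export plus a copy of the DLL is the backup meant above: importing the .reg file restores the catalog exactly, and the copied DLL restores the file. On XP SP2 and later the same end state is reached with `netsh winsock reset`, which rebuilds the catalog from scratch.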
lll1234 - 2005-11-16 14:17:00
Could one of you experts take a look at this? Thanks!
HijackThis@Qoo scan log V1.97.7
Scan saved at 14:04:28, on 2005-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
d:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\efsserv.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\Program Files\Rising\Rav\RavMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
d:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\GkStar\gkplatform.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackThis\HijackThis.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe -system
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RfwMain] "d:\Program Files\rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Global Startup: ntuser.dat
O4 - Global Startup: ntuser.dat.LOG
O8 - Extra context menu item: Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Export to Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to QQ custom panel - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ emoticons - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send this picture via QQ MMS - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: QQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114767074296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A9ABFF-78EB-45D6-9BEE-C5713987816D}: NameServer = 61.139.39.73,61.139.2.69

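Both HijackThis logs in this thread (任八's Windows 2000 log earlier and lll1234's XP log just above) can be read the same way, and the items a malware hunter looks at first are mechanical enough to pull out with a script. This is an added example, not code from the thread or from the HijackThis project; the log text inside it is a constructed excerpt of the two logs, and the lists of "known" DLLs, Startup-folder extensions and command-line tools are the editor's choices, not anything HijackThis itself uses. It keys only on the `Onn - ` prefix and the trailing path or value of each line, so it reads the Chinese-localized build's output as well as the English one. Two things it surfaces that the thread itself never names: `ftp.exe` and `cmd.exe` were running while the first log was taken, and the second log lists `NTUSER.DAT` / `ntuser.ini` under `O4 - Startup`, which are files from the profile root, not startup items, so the Startup shell-folder path on that machine is worth checking.

```python
"""Offline triage of HijackThis 1.9x logs (added example, constructed input)."""
import os
import re

# Base Winsock providers on Windows 2000 / XP load these Microsoft DLLs.  If an
# O10 line names one of them, only its location is unusual; any other name is a
# third-party LSP (firewall, download manager, or worse) and the first thing to check.
KNOWN_LSP_DLLS = {"mswsock.dll", "rsvpsp.dll"}

# Explorer runs shortcuts and executables from a Startup folder.  A registry hive
# or .ini file listed there usually means the Startup folder path in the registry
# points at the wrong directory (the profile root), not that the file "starts".
STARTUP_EXTENSIONS = {".lnk", ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

# Command-line tools that rarely run on their own while a user is taking a log.
INTERACTIVE_TOOLS = {"cmd.exe", "ftp.exe", "tftp.exe"}

ITEM_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
PROCESS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
DLL_RE = re.compile(r":\s*(\S+\.dll)\s*$", re.IGNORECASE)
STARTUP_RE = re.compile(r"^(?:Global\s+)?Startup:\s*(.+?)(?:\s*=\s*.*)?$", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.*)$", re.IGNORECASE)

# Constructed excerpt of the Windows 2000 log (Chinese-localized HijackThis build).
WIN2K_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ftp.exe
D:\HijackThis\HijackThis1991zww.exe

O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - 未知的文件在 Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - 未知的文件在 Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - 未知的文件在 Winsock LSP: c:\winnt\system32\tcpipdog0.dll
O10 - 未知的文件在 Winsock LSP: c:\winnt\system32\tcpipdogr0.dll
O10 - 未知的文件在 Winsock LSP: c:\winnt\system32\tcpipdogr0.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{82F0D09E-ABD4-4A56-BA03-2465E8BA99F1}: NameServer =
"""

# Constructed excerpt of the Windows XP log (English HijackThis build).
XP_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
E:\GkStar\gkplatform.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Global Startup: ntuser.dat
O4 - Global Startup: ntuser.dat.LOG
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A9ABFF-78EB-45D6-9BEE-C5713987816D}: NameServer = 61.139.39.73,61.139.2.69
"""


def win_basename(path):
    """File name of a Windows path, independent of the host OS separator."""
    return path.rsplit("\\", 1)[-1]


def parse_hjt(text):
    """Split a log into (running-process paths, [(O-number, rest of line), ...])."""
    processes, items = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, items


def triage(text):
    """Return the findings a reviewer would want to see first, as lists."""
    processes, items = parse_hjt(text)
    findings = {"lsp": [], "startup": [], "nameserver": [], "tools_running": []}
    for proc in processes:
        name = win_basename(proc).lower()
        if name in INTERACTIVE_TOOLS:
            findings["tools_running"].append(name)
    for code, body in items:
        if code == "O10":                       # Winsock LSP HijackThis does not know
            m = DLL_RE.search(body)
            if m:
                path = m.group(1)
                known = win_basename(path).lower() in KNOWN_LSP_DLLS
                findings["lsp"].append((path, "microsoft name, unusual path" if known else "unknown dll"))
        elif code == "O4":                      # Startup-folder entries only
            m = STARTUP_RE.match(body)
            if m and os.path.splitext(m.group(1))[1].lower() not in STARTUP_EXTENSIONS:
                findings["startup"].append(m.group(1))
        elif code == "O17":                     # DNS servers forced on an adapter
            m = NAMESERVER_RE.search(body)
            if m:
                findings["nameserver"].extend(s.strip() for s in m.group(1).split(",") if s.strip())
    return findings


if __name__ == "__main__":
    for label, log in (("Windows 2000 log", WIN2K_LOG), ("Windows XP log", XP_LOG)):
        print("== %s ==" % label)
        for key, values in triage(log).items():
            for value in values:
                print("  %-13s %s" % (key, value))
```

The O17 servers are listed rather than judged: compare them with the ISP's or router's DNS, since a NameServer value the user did not set is how DNS hijacking shows up in these logs.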
任八 - 2005-11-16 14:19:00
So I just make a copy of it, and copy it back if there's a problem. Is that right?
任八 - 2005-11-16 14:35:00
Is this question too newbie-ish? The gurus have stopped replying to me. I just exported the registry file; if things go wrong, can I just import it again? Does that method work?