KAEDE217 - 2005-12-6 15:14:00
Process PID CPU Description Company Name
System Idle Process 0 95.45
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
SMSS.EXE 564 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 640 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 668 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 720 3.03 Services and Controller app Microsoft Corporation
ATI2EVXX.EXE 880 ATI External Event Utility EXE Module ATI Technologies Inc.
SVCHOST.EXE 892 Generic Host Process for Win32 Services Microsoft Corporation
TIMPlatform.exe 528 TIMPlatform tencent
AgentSvr.exe 3172 Microsoft Agent Server Microsoft Corporation
SVCHOST.EXE 972 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1068 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1124 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1280 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1536 Spooler SubSystem App Microsoft Corporation
CCenter.exe 1772 CCenter rising
RavMonD.exe 1808 RavMon Beijing Rising Technology Co., Ltd.
RavStub.exe 456 Rising Rav Stub Beijing Rising Technology Co., Ltd.
SVCHOST.EXE 1924 Generic Host Process for Win32 Services Microsoft Corporation
ALG.EXE 644 Application Layer Gateway Service Microsoft Corporation
LSASS.EXE 732 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1632 Windows Explorer Microsoft Corporation
SysExplr.exe 1384
RavMon.exe 1312 RavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.
RavTimer.exe 1392 RavTimer Beijing Rising Technology Co., Ltd.
YLive.exe 1476 YLive
yassistse.exe 1296 AssistSetting Yahoo!
CTFMON.EXE 1432 CTF Loader Microsoft Corporation
QQ.exe 1756 QQ TENCENT
QQPet.exe 252 QQ宠物 腾讯公司
iexplore.exe 2924 Internet Explorer Microsoft Corporation
Thunder.exe 3092 Thunder Networking Technologies,LTD
RsAgent.exe 2808 RsAgent Application Beijing Rising Technology Co., Ltd.
procexp.exe 3348 1.52 Sysinternals Process Explorer Sysinternals
Process: Pid: 720
Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\DINPUTWINMM
Event \BaseNamedObjects\SC_AutoStartComplete
Event \BaseNamedObjects\SvcctrlStartEvent_A3752DX
Event \BaseNamedObjects\ScNetDrvMsg
Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event \BaseNamedObjects\PnP_No_Pending_Install_Events
Event \BaseNamedObjects\userenv: User Profile setup event
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\net\NtControlPipe1
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\net\NtControlPipe3
File \Device\NamedPipe\net\NtControlPipe3
File C:\WINDOWS\system32\config\AppEvent.Evt
File C:\WINDOWS\system32\config\SecEvent.Evt
File C:\WINDOWS\system32\config\SysEvent.Evt
File \Device\NamedPipe\net\NtControlPipe4
File \Device\NamedPipe\net\NtControlPipe5
File \Device\NamedPipe\net\NtControlPipe0
File \Device\NamedPipe\net\NtControlPipe6
File \Device\NamedPipe\net\NtControlPipe7
File \Device\NamedPipe\net\NtControlPipe8
File \Device\NamedPipe\net\NtControlPipe11
File \Device\NamedPipe\net\NtControlPipe10
File \Device\NamedPipe\net\NtControlPipe12
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
File \Device\NamedPipe\net\NtControlPipe13
File C:\WINDOWS\system32\
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Control\ServiceGroupOrder
Key HKU\S-1-5-19
Key HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
Key HKLM\SYSTEM\ControlSet001\Services\Eventlog
Key HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
Key HKU
Key HKU\S-1-5-20
Key HKU\.DEFAULT
Key HKU\S-1-5-20
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKU\S-1-5-19
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKLM\SYSTEM\ControlSet001\Services
Key HKLM\SYSTEM\ControlSet001\Enum
Key HKLM\SYSTEM\ControlSet001\Control\Class
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\PnP_Init_Mutex
Port \RPC Control\ntsvcs
Port \ErrorLogPort
Process (880)
Process SVCHOST.EXE(892)
Process SVCHOST.EXE(972)
Process (1068)
Process SVCHOST.EXE(1124)
Process SVCHOST.EXE(1280)
Process SPOOLSV.EXE(1536)
Process CCenter.exe(1772)
Process RavMonD.exe(1808)
Process (1924)
Process ALG.EXE(644)
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\mc2IInjT$2d0
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread (720): 784
Thread (720): 792
Thread (720): 796
Thread (720): 860
Thread (720): 864
Thread (720): 868
Thread (720): 876
Thread (720): 852
Thread (720): 908
Thread (720): 960
Thread (720): 1572
Thread (720): 1140
Thread (720): 1768
Thread (720): 1892
Thread (720): 1136
Thread (720): 404
Thread (720): 424
Thread (720): 416
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\LOCAL SERVICE
Token NT AUTHORITY\NETWORK SERVICE
Token 0D4AFEEE17EB4C4\p
Token NT AUTHORITY\LOCAL SERVICE
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$
Is there a virus?
KAEDE217 - 2005-12-6 15:17:00
Process PID CPU Description Company Name
System Idle Process 0 89.23
Interrupts n/a 1.54 Hardware Interrupts
DPCs n/a 1.54 Deferred Procedure Calls
System 4 1.54
SMSS.EXE 564 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 640 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 668 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 720 1.54 Services and Controller app Microsoft Corporation
ATI2EVXX.EXE 880 ATI External Event Utility EXE Module ATI Technologies Inc.
SVCHOST.EXE 892 Generic Host Process for Win32 Services Microsoft Corporation
TIMPlatform.exe 528 TIMPlatform tencent
AgentSvr.exe 3172 Microsoft Agent Server Microsoft Corporation
SVCHOST.EXE 972 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1068 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1124 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1280 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1536 Spooler SubSystem App Microsoft Corporation
CCenter.exe 1772 CCenter rising
RavMonD.exe 1808 RavMon Beijing Rising Technology Co., Ltd.
RavStub.exe 456 Rising Rav Stub Beijing Rising Technology Co., Ltd.
SVCHOST.EXE 1924 Generic Host Process for Win32 Services Microsoft Corporation
ALG.EXE 644 Application Layer Gateway Service Microsoft Corporation
LSASS.EXE 732 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1632 Windows Explorer Microsoft Corporation
SysExplr.exe 1384
RavMon.exe 1312 RavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.
Rav.exe 188 Rising Antivirus Main exe Beijing Rising Technology Co., Ltd.
RavTimer.exe 1392 RavTimer Beijing Rising Technology Co., Ltd.
YLive.exe 1476 YLive
yassistse.exe 1296 AssistSetting Yahoo!
CTFMON.EXE 1432 CTF Loader Microsoft Corporation
QQ.exe 1756 QQ TENCENT
QQPet.exe 252 QQ宠物 腾讯公司
iexplore.exe 2924 Internet Explorer Microsoft Corporation
Thunder.exe 3092 1.54 Thunder Networking Technologies,LTD
WinRAR.exe 2548
procexp.exe 3232 3.08 Sysinternals Process Explorer Sysinternals
RsAgent.exe 2808 RsAgent Application Beijing Rising Technology Co., Ltd.
Process: Procexp Pid: -2
Type Name
KAEDE217 - 2005-12-6 15:27:00
Nobody here?
BlackStone - 2005-12-6 15:36:00
Not the procexp log.
Save a log with Autoruns and post it here.
How to save the log: choose the File->Save menu item.
When saving the log, make sure the Options->Hide Microsoft Entries menu item is selected (after setting it, click the refresh button on the toolbar).
For downloading and using the tool, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038
KAEDE217 - 2005-12-6 15:46:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NeroFilterCheck NeroCheck Ahead Software Gmbh c:\windows\system32\nerocheck.exe
+ RavMon RavMon Rising realtime monitor Beijing Rising Technology Co., Ltd. c:\program files\rising\rav\ravmon.exe
+ RavTimer RavTimer Beijing Rising Technology Co., Ltd. c:\program files\rising\rav\ravtimer.exe
+ SysExplr c:\herosoft\herov8\sysexplr.exe
+ yassistse AssistSetting Yahoo! c:\program files\yahoo!\assistant\yassistse.exe
+ YLive.exe YLive c:\program files\yahoo!\assistant\ylive.exe
C:\Documents and Settings\p\「开始」菜单\程序\启动
+ 腾讯QQ.lnk QQ TENCENT e:\tencent\qq\qq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ RISING Rising Shell Ext Module Beijing Rising Technology Co., Ltd. c:\windows\system32\ravext.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 粉碎文件 Wiper 动态链接库 c:\program files\yahoo!\assistant\assist\ywiper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AntiFish Class yangling.dll Yahoo. c:\program files\yahoo!\assistant\assist\yangling.dll
+ DragSearch BHO DragSearch c:\program files\yahoo!\assistant\assist\ydragsearch.dll
+ Google Toolbar Helper Google IE 客户端工具栏 Google Inc. c:\program files\google\googletoolbar1.dll
+ IeCatch2 Class jccatch Module Amaze Soft c:\program files\flashget\jccatch.dll
+ QQBrowserHelperObject Class QQIEHelper Module 深圳市腾讯计算机系统有限公司 e:\tencent\qq\qqiehelper.dll
+ ThunderIEHelper Class xunleibho BHO Thunder Networking Technologies,LTD c:\windows\system32\xunleibho_v8.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ coolbar ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar FlashGet IE Bar Amaze Soft c:\program files\flashget\fgiebar.dll
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\System\CurrentControlSet\Services
+ Ati HotKey Poller ATI External Event Utility EXE Module ATI Technologies Inc. c:\windows\system32\ati2evxx.exe
+ ATI Smart ATI Smart c:\windows\system32\ati2sgag.exe
+ RsCCenter CCenter rising c:\program files\rising\rav\ccenter.exe
+ RsRavMon RavMon Beijing Rising Technology Co., Ltd. c:\program files\rising\rav\ravmond.exe
HKLM\System\CurrentControlSet\Services
+ ALCXWDM Realtek AC'97 Audio Driver (WDM) Realtek Semiconductor Corp. c:\windows\system32\drivers\alcxwdm.sys
+ ati2mtag ATI Radeon WindowsNT Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mtag.sys
+ BaseTDI basetdi Rising c:\windows\system32\drivers\basetdi.sys
+ EagleNT File not found: C:\WINDOWS\system32\drivers\EagleNT.sys
+ ExpScaner ExpScan.sys c:\program files\rising\rav\expscan.sys
+ HookCont TDI HOOK Driver Rising tech Co. ltd c:\program files\rising\rav\hookcont.sys
+ HookReg c:\program files\rising\rav\hookreg.sys
+ HookSys 瑞星 c:\program files\rising\rav\hooksys.sys
+ New0 File not found: C:\WINDOWS\system32\new.sys
+ npkcrypt nProtect KeyCrypt Driver INCA Internet Co., Ltd. e:\tencent\qq\npkcrypt.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ Secdrv SafeDisc driver c:\windows\system32\drivers\secdrv.sys
+ viamraid VIA RAID DRIVER FOR WIN 2000/XP/2003IA32 VIA Technologies inc,.ltd c:\windows\system32\drivers\viamraid.sys
+ yukonwxp NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller Marvell c:\windows\system32\drivers\yk51x86.sys
+ zntport File not found: C:\WINDOWS\system32\zntport.sys
+ ZSMC303 Video streaming and Capture Device Driver Vimicro Corporation c:\windows\system32\drivers\usbvm303.sys
BlackStone - 2005-12-6 15:59:00
I don't see a problem. Is it still the same virus as yesterday? If so, the Street Basketball (街头篮球) game may be the culprit.
© 2000 - 2026 Rising Corp. Ltd.