瑞星卡卡安全论坛

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <ravshell><C:\Progra~1\Eset\1explore.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <MSPY2002><C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
    <runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe>  [Beijing Rising Technology Co., Ltd.]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <RavStub><"C:\PROGRAM FILES\RISING\RAV\ravstub.exe" /RUNONCE>  [Beijing Rising Technology Co., Ltd.]
    <WoptiClean><rundll32.exe "C:\Program Files\Wom\WoptiCleanDll.dll",CleanNextBoot "C:\Program Files\Wom\WoptiClean">  [N/A]
    <uninsrest><C:\DOCUME~1\User\LOCALS~1\Temp\uninrest.exe>  []
    <xavyut97><%systemroot%\system32\Rundll32.exe %systemroot%\system32\xavyut97.dll,DllUnregisterServer>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\Userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070418.dll start>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
[Adobe Gamma Loader]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>

==================================
服务
[1E12B9DA / 1E12B9DA][Stopped/Disabled]
  <C:\WINDOWS\system32\1E12B9DA.EXE -service><N/A>
[4AB88F4B / 4AB88F4B][Stopped/Disabled]
  <C:\WINDOWS\system32\4AB88F4B.EXE -4AB88F4B><Microsoft Corporation>
[5759547E / 5759547E][Stopped/Disabled]
  <C:\WINDOWS\system32\5759547E.EXE -a><Microsoft Corporation>
[88756583 / 88756583][Stopped/Disabled]
  <C:\WINDOWS\system32\88756583.EXE -k><N/A>
[8FC2CAEC / 8FC2CAEC][Stopped/Disabled]
  <C:\WINDOWS\system32\8FC2CAEC.EXE -p><Microsoft Corporation>
[Application Layer Gateway Service / ALG][Stopped/Disabled]
  <C:\WINDOWS\System32\alg.exe><N/A>
[CoolWare / CoolWare][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\struts.dll><>
[error monitor / EmonSrv][Stopped/Disabled]
  <C:\WINDOWS\system32\b311.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[kkdj3sdf3 / kkdj3sdf3][Stopped/Disabled]
  <C:\WINDOWS\system32\kkdj3sdf3.exe -j><Microsoft Corporation>
[Windows nunb RunThem / nunb][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\fpfw\sssg.dll>< >
[NVIDIA Display Driver Service / NVSvc][Stopped/Disabled]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Remote Control Service / Remote Control Service][Stopped/Disabled]
  <C:\Program Files\Messenger\rundll32.dll><N/A>
[Rising Personal Firewall Service / RfwService][Stopped/Disabled]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Stopped/Disabled]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Disabled]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[Rising TDI Base Driver / BaseTDI][Stopped/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[eebbjeca / eebbjeca][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\eebbjeca.sys><N/A>
[ExpScaner / ExpScaner][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[HOOKAPI / HOOKAPI][Stopped/Manual Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HOOKAPI.SYS><瑞星软件有限公司>
[HookCont / HookCont][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[MEMSCAN / MEMSCAN][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Stopped/Auto Start]
  <\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt][Stopped/Auto Start]
  <\??\C:\Program Files\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Stopped/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[qprwrk7 / qprwrk73][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\qprwrk73.sys><Microsoft Corporation>
[Feitian ROCKEY4 Device Service / ROCKEYNT][Running/Manual Start]
  <system32\DRIVERS\Rockey4.sys><Feitian Technologies Co., Ltd.>
[Feitian ROCKEY4 USB Service / Rockey_USB][Stopped/Manual Start]
  <system32\DRIVERS\Rockey4USB.sys><Feitian Technologies Co., Ltd.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsFwDrv / RsFwDrv][Stopped/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Stopped/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Stopped/Manual Start]
  <system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[ViaIde / ViaIde][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
[VIA AC'97 Audio Controller (WDM) / VIAudio][Stopped/Manual Start]
  <system32\drivers\ac97via.sys><VIA Technologies, Inc.>
[xavyut9 / xavyut97][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\xavyut97.sys><N/A>

==================================
浏览器加载项
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <C:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[FlashGet]
  {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[上传到QQ网络硬盘]
  <C:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用网际快车下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
  <C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

感觉这个日志蛮有意思
呵呵
我不是高手
所以不给你分析了

[CODE]

在桌面建立一个文件夹，再用WinRAR工具(即开始-->所有程序里的WinRAR)打开WinRAR-->点“查找”在磁盘和文件夹选 C: 。找到文件（或文件相关的程序），然后按解压到，选桌面刚建的文件夹，然后确定，然后等所有操作做完后再将那个文件夹压缩加密码123(即高级-->设置密码）给我，我的QQ是397005089或者油箱也行wuduyouli@yahoo.com.cn要找的文件如下:
C:\Progra~1\Eset\1explore.exe
C:\DOCUME~1\User\LOCALS~1\Temp\uninrest.exe
C:\WINDOWS\system32\b311.exe
C:\WINDOWS\system32\1E12B9DA.EXE
C:\WINDOWS\system32\5759547E.EXE
C:\WINDOWS\system32\kkdj3sdf3.exe
C:\WINDOWS\system32\4AB88F4B.EXE
C:\WINDOWS\system32\8FC2CAEC.EXE
C:\WINDOWS\system32\88756583.EXE
==============================================================================
关闭所有正在使用的应用程序包括QQ等等
然后关闭系统还原(WIN2000可以忽略）：按我的电脑右键的属性点系统还原，在所有驱动器上关闭系统还原 打勾。[等所有操作完成后再去打开]
用ATF清理工具点这里下载http://hzqedison.mm9mm.com/hanhua/ATF-Cleaner-cn.exe,在全选那打勾，然后点立即清理
然后按照我以下的方法做：
==============================================================================
使用XDelBox点这里下载http://www.i170.com/Attach/51FD704F-C0BD-41E7-B0E9-60673A888FD6
运行xdelbox前最好卸载所有可移动存储介质（包括U盘，MP3，手机存储卡等）。
复制以下所有要删除的文件路径,然后在"在待删除文件列表"下空白地方按右键选"从剪贴板导入"，然后勾选"抑制再生",对着要删除的文件上点击右键，选择立刻重启删除:
C:\Progra~1\Eset\1explore.exe
C:\DOCUME~1\User\LOCALS~1\Temp\uninrest.exe
C:\WINDOWS\system32\b311.exe
C:\WINDOWS\system32\1E12B9DA.EXE
C:\WINDOWS\system32\5759547E.EXE
C:\WINDOWS\system32\kkdj3sdf3.exe
C:\WINDOWS\system32\4AB88F4B.EXE
C:\WINDOWS\system32\8FC2CAEC.EXE
C:\WINDOWS\system32\88756583.EXE
C:\WINDOWS\system32\struts.dll
C:\WINDOWS\system32\xavyut97.dll
C:\WINDOWS\system32\winsys16_070418.dll
C:\PROGRA~1\fpfw\sssg.dll
==============================================================================
等XDelBox杀完后去安全模式进行如下操作（重启电脑 不断按F8 然后选安全模式）进不了安全模式,可以在SREng中 点系统修复 --> 点高级修复，再点修复安全模式
==============================================================================
用工具 SREng 删除如下各项
在SREng中 点 启动项目 --> 注册表  进入后 用鼠标左键在对应要修复的项上单击 然后点击"删除"
  删除如下项目：
<ravshell><C:\Progra~1\Eset\1explore.exe> []
<uninsrest><C:\DOCUME~1\User\LOCALS~1\Temp\uninrest.exe> []
<xavyut97><%systemroot%\system32\Rundll32.exe %systemroot%\system32\xavyut97.dll,DllUnregisterServer> [Microsoft Corporation]
编辑<Userinit><C:\WINDOWS\system32\Userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070418.dll start> [N/A]为
<Userinit><C:\WINDOWS\system32\Userinit.exe,> [N/A] 留意逗号后面全部删除，逗号保留

==============================================================================
在SERng中 点 启动项目 --> 服务 --> Win32服务应用程序 进入后（勾选 隐藏已认证的微软项目），用鼠标左键在对应要修复的项上单击 然后点“删除服务”，再点“设置”按钮即可（注意到最后弹出的窗口中要点 “NO 否”才是确认删除服务。）
删除如下项目：
[1E12B9DA / 1E12B9DA][Stopped/Disabled]
<C:\WINDOWS\system32\1E12B9DA.EXE -service><N/A>
[4AB88F4B / 4AB88F4B][Stopped/Disabled]
<C:\WINDOWS\system32\4AB88F4B.EXE -4AB88F4B><Microsoft Corporation>
[5759547E / 5759547E][Stopped/Disabled]
<C:\WINDOWS\system32\5759547E.EXE -a><Microsoft Corporation>
[88756583 / 88756583][Stopped/Disabled]
<C:\WINDOWS\system32\88756583.EXE -k><N/A>
[8FC2CAEC / 8FC2CAEC][Stopped/Disabled]
<C:\WINDOWS\system32\8FC2CAEC.EXE -p><Microsoft Corporation>
[CoolWare / CoolWare][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\struts.dll><>
[error monitor / EmonSrv][Stopped/Disabled]
<C:\WINDOWS\system32\b311.exe><N/A>
[kkdj3sdf3 / kkdj3sdf3][Stopped/Disabled]
<C:\WINDOWS\system32\kkdj3sdf3.exe -j><Microsoft Corporation>
[Windows nunb RunThem / nunb][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\fpfw\sssg.dll>< >
[Remote Control Service / Remote Control Service][Stopped/Disabled]
<C:\Program Files\Messenger\rundll32.dll><N/A>
==============================================================================
在SERng中 点 启动项目 --> 服务 --> 驱动程序 进入后 （勾选 隐藏已认证的微软项目），用鼠标左键在对应要修复的项上单击 然后点“设置” 按钮即可（注意到最后弹出的窗口中要点 “NO 否”才是确认删除驱动。）[注：有关可疑驱动如果你不知道的话建议删除，删除不了可以把类型设置为disabled ]
删除如下项目：
[eebbjeca / eebbjeca][Stopped/Boot Start]
<\SystemRoot\system32\drivers\eebbjeca.sys><N/A>
[xavyut9 / xavyut97][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\xavyut97.sys><N/A>

==============================================================================
在SREng中 点系统修复 --> 点Windows Shell/IE ,勾全选，点“修复”
==============================================================================
以上步骤做完就重启电脑,然后重装QQ(先卸载了，再安装),再用WINDOWS 清理助手点这里下载http://www.arswp.com/download/arswp/arswp.rar和恶意软件清理助手点这里下载http://www.tommsoft.com/products/rscleaner/roguecleaner.rar杀恶意软件,再重新修复一下你的瑞星杀毒软件然后升级杀毒软件全盘杀毒

                                                       
                                                                        分  析：無毒侑禮
                                                                        时 间：2007-4-21
                                                                          QQ：397005089
                                                              E-mail：wuduyouli@yahoo.com.cn