超级毒王,菜鸟慎入~` bbs.ikaka.com

ymmymm - 2007-4-27 1:29:00

想玩极品飞车10,搜个修改器,结果搜到一个网站有下,地址为
hxxp://www.baobei555.com/soft/3621.htm(病毒十分厉害,菜鸟请谨慎实验)
一打开网站瑞星就报有毒,但是要手动删除~我没理准备下好了再去手动删掉,把下面的软件下载下来.图标是个解压缩图标.我也没仔细看就点了,然后解出一个文件夹,文件夹一打开病毒发作
症状:
1:修改主版时间让瑞星残废(变成查毒版本不能杀毒)
2:植入流氓软件,打开NNN个流氓网站,关都来不及(超级兔子,瑞星网络助手都有装还是不行)
3:自动生成NNN个木马软件开始疯狂连接网络(装了瑞星防火墙,没有作用)

1分钟后机器瘫痪重起进安全模式系统损坏说缺少什么文件机器牛卡
断网重装系统,第一时间装好杀软,问题照旧

因为病毒是下在D盘的,我把D盘格了重装系统,问题照旧

挂上外盘准备转移资料,但是系统已经全面感染,此时杀毒软件一个毒都杀不出了,我只要一打开一个盘符,病毒就自动植入,所以资料也拯救不了~

现在是一点办法都没了~`在线等达人赐教了

2007-04-27,01:26:26

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<bgswitch><C:\WINDOWS\system32\bgswitch.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> []
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<RTHDCPL><RTHDCPL.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<Alcmtr><ALCMTR.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<RfwMain><"d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Stopped/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
<C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>

==================================
驱动程序
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
<system32\DRIVERS\e1e5132.sys><Intel Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookCont / HookCont][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ITEATAPI_Service_Install / iteatapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteraid.sys><Integrated Technology Express, Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>

ymmymm - 2007-4-27 1:44:00

==================================
浏览器加载项
[雅虎助手]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, Yahoo!>
[番茄花园]
{6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>
[易趣购物]
{BE9C13C3-9E46-4db1-BC05-BD8DA44599F2} <http://adfarm.mediaplex.com/ad/ck/4080-22910-9640-151?cn=song;icon;hp&mpro=http://www.ebay.com.cn, N/A>
[雅虎助手]
{406F94F0-504F-4a40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, Yahoo!>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[雅虎助手]
{406F94F0-504F-4A40-8DFD-58B0666ABEBD} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll, Yahoo!>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, Macromedia, Inc.>
[雅虎搜索]
<res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246, N/A>

==================================
正在运行的进程
[PID: 564][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 648][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 680][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 724][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 736][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 888][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 980][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1092][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1208][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1304][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1644][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1860][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2649 (xpsp.050406-1732)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.9291]
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[d:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[d:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\WINDOWS\system32\Audiodev.dll] [Microsoft Corporation, 5.2.3802.3802 built by: dnsrv(bld4act)]
[C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll] [Yahoo!, 2, 1, 0, 1038]
[PID: 1176][C:\WINDOWS\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.9291]
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[PID: 1184][C:\WINDOWS\RTHDCPL.EXE] [Realtek Semiconductor Corp., 1.1.1.6]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1288][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 2988][d:\program files\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[d:\program files\rising\rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[d:\program files\rising\rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\program files\rising\rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[d:\program files\rising\rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[d:\program files\rising\rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 2884][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[D:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[E:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[F:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[G:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[I:\]
[autorun]
open=SAbwb.exe
shellexecute=SAbwb.exe
shell\Auto\command=SAbwb.exe
shell=Auto

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

独孤剑客 - 2007-4-27 8:20:00

Autorun.inf
[D:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[E:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[F:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[G:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[I:\]
[autorun]
open=SAbwb.exe
shellexecute=SAbwb.exe
shell\Auto\command=SAbwb.exe
shell=Auto
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\WINDOWS\system32\nvshell.dll] [, ]
<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
<C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>

独孤剑客 - 2007-4-27 8:21:00

<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
不是

孤狼野豹 - 2007-4-27 10:11:00

我的天啊好恐怖的症状
我觉得中国的互联网状况好糟糕
不知道以后能不能直接受理举报核实后直接关闭相关网站
看那些网站还牛吧你辛辛苦苦做的网站挂病毒是吧直接给你废了看你牛啥
比如这个举报受理直接就把hxxp://www.baobei555.com/给封了；
叫你牛气啊

ymmymm - 2007-4-27 10:19:00

【回复“独孤剑客”的帖子】
请问怎么清除呢~?我直接把生成的.exe木马文件删除,可是他还是又会出现~头找不到啊

ymmymm - 2007-4-27 10:20:00

【回复“独孤剑客”的帖子】
请问怎么清除呢~?我直接把生成的.exe木马文件删除,可是他还是又会出现~头找不到啊

姑苏残月 - 2007-4-27 10:31:00

使用SRENG删除服务：
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
使用SRENG删除驱动：
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
删除文件：
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\WINDOWS\system32\msdmo.dll] [, ]
删除各盘下文件：
Autorun.inf
[D:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[E:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[F:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[G:\]
[autorun]
open=Rpgyh.exe
shellexecute=Rpgyh.exe
shell\Auto\command=Rpgyh.exe
shell=Auto
[I:\]
[autorun]
open=SAbwb.exe
shellexecute=SAbwb.exe
shell\Auto\command=SAbwb.exe
shell=Auto
使用恶意软件清理助手清理3721等流氓

姑苏残月 - 2007-4-27 10:33:00

郁闷,又重复了

姑苏残月 - 2007-4-27 10:34:00

清理时请进安全模式操作.别双击打开盘,选择"右键->打开",这种方式,防止病毒反复感染

花飞影 - 2007-4-27 10:44:00

引用:

【ymmymm的贴子】想玩极品飞车10,搜个修改器,结果搜到一个网站有下,地址为
hxxp://www.baobei555.com/soft/3621.htm(病毒十分厉害,菜鸟请谨慎实验)
一打开网站瑞星就报有毒,但是要手动删除~我没理准备下好了再去手动删掉,把下面的软件下载下来.图标是个解压缩图标.我也没仔细看就点了,然后解出一个文件夹,文件夹一打开病毒发作
症状:
1:修改主版时间让瑞星残废(变成查毒版本不能杀毒)
2:植入流氓软件,打开NNN个流氓网站,关都来不及(超级兔子,瑞星网络助手都有装还是不行)
3:自动生成NNN个木马软件开始疯狂连接网络(装了瑞星防火墙,没有作用)

1分钟后机器瘫痪重起进安全模式系统损坏说缺少什么文件机器牛卡
断网重装系统,第一时间装好杀软,问题照旧

因为病毒是下在D盘的,我把D盘格了重装系统,问题照旧

挂上外盘准备转移资料,但是系统已经全面感染,此时杀毒软件一个毒都杀不出了,我只要一打开一个盘符,病毒就自动植入,所以资料也拯救不了~

现在是一点办法都没了~`在线等达人赐教了

2007-04-27,01:26:26

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<bgswitch><C:\WINDOWS\system32\bgswitch.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> []
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<RTHDCPL><RTHDCPL.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<Alcmtr><ALCMTR.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<RfwMain><"d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Stopped/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
<C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>

==================================
驱动程序
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
<system32\DRIVERS\e1e5132.sys><Intel Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookCont / HookCont][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ITEATAPI_Service_Install / iteatapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteraid.sys><Integrated Technology Express, Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>

………………

你的系统补丁没打全，我上去看了下，没有任何反应。

附件: 2022152007427103419.jpg

花飞影 - 2007-4-27 10:47:00

附件: 2022152007427103732.jpg

过客2007 - 2007-4-27 11:47:00

[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\WINDOWS\system32\msdmo.dll] [, ]

故苏,貌似是系统文件.......

ymmymm - 2007-4-27 12:49:00

【回复“花飞影”的帖子】

网页有病毒我有报,但是拦截掉了.毒王是那个飞车10修改器的修改包
解压后,打开文件夹啥都没干就中毒了.杀毒软件和防火墙都挂掉

ymmymm - 2007-4-27 12:52:00

还有

删除文件：
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\WINDOWS\system32\msdmo.dll]

这3个都是N显卡的驱动=..=~删了驱动坏了- -

ymmymm - 2007-4-27 12:56:00

清除后最新一次扫描结果,还是心有余悸啊,大侠们看看还有问题么-

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<KavPFW><"C:\KAV2007\KPFW32.EXE"> [Kingsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> []
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<RTHDCPL><RTHDCPL.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<Alcmtr><ALCMTR.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<KavStart><"C:\KAV2007\KAVStart.exe" -startup> [Kingsoft Corporation]
<RfwMain><"d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Kingsoft Personal Firewall Service / KPfwSvc][Running/Auto Start]
<"C:\KAV2007\KPfwSvc.EXE"><Kingsoft Corporation>
[Kingsoft Antivirus KWatch Service / KWatchSvc][Running/Auto Start]
<C:\KAV2007\KWatch.EXE><Kingsoft Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
<C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>

==================================
驱动程序
[BaseTDI / BaseTDI][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
<system32\DRIVERS\e1e5132.sys><Intel Corporation>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookUrl / HookUrl][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ITEATAPI_Service_Install / iteatapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteraid.sys><Integrated Technology Express, Inc.>
[KNetWch / KNetWch][Running/System Start]
<\??\C:\KAV2007\KNetWch.SYS><Kingsoft Corporation>
[KWatch3 / KWatch3][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>

ymmymm - 2007-4-27 12:56:00

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<KavPFW><"C:\KAV2007\KPFW32.EXE"> [Kingsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> []
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<RTHDCPL><RTHDCPL.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<Alcmtr><ALCMTR.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<KavStart><"C:\KAV2007\KAVStart.exe" -startup> [Kingsoft Corporation]
<RfwMain><"d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Kingsoft Personal Firewall Service / KPfwSvc][Running/Auto Start]
<"C:\KAV2007\KPfwSvc.EXE"><Kingsoft Corporation>
[Kingsoft Antivirus KWatch Service / KWatchSvc][Running/Auto Start]
<C:\KAV2007\KWatch.EXE><Kingsoft Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Windows Accounts Driver / WindowsConnections][Stopped/Auto Start]
<C:\WINDOWS\system32\222.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
<C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>

==================================
驱动程序
[BaseTDI / BaseTDI][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
<system32\DRIVERS\e1e5132.sys><Intel Corporation>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookUrl / HookUrl][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ITEATAPI_Service_Install / iteatapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\iteraid.sys><Integrated Technology Express, Inc.>
[KNetWch / KNetWch][Running/System Start]
<\??\C:\KAV2007\KNetWch.SYS><Kingsoft Corporation>
[KWatch3 / KWatch3][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\d:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>

ymmymm - 2007-4-27 12:57:00

==================================
浏览器加载项
[CBrowseStakeout Class]
{55302805-482E-470E-8A57-6795A1487F90} <C:\KAV2007\KAVAFish.DLL, Kingsoft Corporation>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[CBrowseStakeout Class]
{55302805-482E-470E-8A57-6795A1487F90} <C:\KAV2007\KAVAFish.DLL, Kingsoft Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\KAV2007\Flash.OCX, Macromedia, Inc.>
[金山毒霸反钓鱼...]
<C:\KAV2007\KAF\ShowSet.htm, N/A>

==================================
正在运行的进程
[PID: 580][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 636][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 668][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 712][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 724][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 892][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 960][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[PID: 1672][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2649 (xpsp.050406-1732)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.9291]
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\KAV2007\KAVEXT.DLL] [Kingsoft Corporation, 2005, 8, 5, 16]
[d:\Program Files\WinRAR\rarext.dll] [N/A, ]
[PID: 1864][d:\program files\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[d:\program files\rising\rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[d:\program files\rising\rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\program files\rising\rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[d:\program files\rising\rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[d:\program files\rising\rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[PID: 1972][C:\WINDOWS\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.9291]
[C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[PID: 1984][C:\WINDOWS\RTHDCPL.EXE] [Realtek Semiconductor Corp., 1.1.1.6]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[PID: 2020][C:\KAV2007\KAVStart.exe] [Kingsoft Corporation, 2007, 4, 9, 269]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KAVIPC2.DLL] [Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\SvcTimer.DLL] [Kingsoft Corporation, 2006.12.22.84]
[C:\KAV2007\KAVPassp.dll] [Kingsoft Corporation, 2006, 12, 30, 271]
[C:\KAV2007\PopSprt3.dll] [Kingsoft Corporation, 2007, 1, 16, 45]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[PID: 116][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[PID: 128][C:\KAV2007\KPFW32.EXE] [Kingsoft Corporation, 2007, 2, 2, 687]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KAVIPC2.DLL] [Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\KAConfig.DLL] [Kingsoft Corporation, 2007, 1, 11, 41]
[C:\KAV2007\FiltList.dll] [N/A, ]
[C:\KAV2007\KAVPassp.DLL] [Kingsoft Corporation, 2006, 12, 30, 271]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\KAV2007\KAScript.DLL] [Kingsoft Corporation, 2007, 3, 6, 75]
[PID: 124][C:\KAV2007\KMailMon.EXE] [Kingsoft Corporation, 2007, 2, 25, 948]
[C:\KAV2007\KAntiSpm.dll] [Kingsoft Corporation, 2007, 2, 25, 129]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KAVIPC2.DLL] [Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\KAECall2.DLL] [Kingsoft Corporation, 2004, 12, 28, 7]
[C:\KAV2007\KAEPlat.DLL] [Kingsoft Corp., 2007, 2, 4, 61]
[C:\KAV2007\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KAConfig.DLL] [Kingsoft Corporation, 2007, 1, 11, 41]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[PID: 3712][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]
[C:\KAV2007\KAVAFish.DLL] [Kingsoft Corporation, 2006, 10, 25, 27]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\KAV2007\KAScript.DLL] [Kingsoft Corporation, 2007, 3, 6, 75]
[C:\KAV2007\KAEPlat.DLL] [Kingsoft Corp., 2007, 2, 4, 61]
[C:\KAV2007\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[C:\KAV2007\Flash.OCX] [Macromedia, Inc., 7,0,19,0]
[PID: 4052][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.2523 (xpsp.040919-1030)]
[C:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2006, 12, 21, 241]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
入口点错误：LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: C:\KAV2007\KASocket.dll)

==================================
隐藏进程
N/A

==================================

[/CODE]

瑞星卡卡安全论坛