C:\S.. V.. Inf..\_rest..\RP79 bbs.ikaka.com

weathing - 2007-4-30 0:51:00

C:\System Volume Information\_restore{EB8E4912-78B5-4466-9FC2-68F9F93D91C3}\RP79
在这文件夹中杀出个游戏木马Trojan.PSW.OnlineGames.alw和Trojan.DL.Agent.cjy过了5天杀还是有这次在RP82.下面是日志

Logfile of Kaka v2. 0. 3. 0 Scan Module v1. 0. 6. 1
Scan saved at 00:34:21, on 2007-04-30
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [RavTask] "D:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - Startup: desktop.ini =
O4 - Global Startup: desktop.ini =
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra Button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150832215049
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/pcver2006new/OL2006.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: AtiExtEvent
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Help and Support (helpsvc) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "D:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - "D:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: User Privilege Service (usprserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs

火影忍者 - 2007-4-30 1:02:00

关闭系统还原。。

火影忍者 - 2007-4-30 1:02:00

扫SRE日志上来吧。。

weathing - 2007-4-30 1:31:00

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<bgswitch><C:\WINDOWS\system32\bgswitch.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup> [InstallShield Software Corporation]
<ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start> [InstallShield Software Corporation]
<runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]
<RavTask><"D:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
N/A

weathing - 2007-4-30 1:31:00

==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Help and Support / helpsvc][Stopped/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"D:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================

weathing - 2007-4-30 1:32:00

驱动程序
[2310_00 / 2310_00][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\2310_00.sys><HighPoint Technologies, Inc.>
[3WAREDRV / 3WAREDRV][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\3WAREDRV.SYS><N/A>
[3WAREGSM / 3WAREGSM][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\3waregsm.sys><N/A>
[3WDRV100 / 3WDRV100][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\3WDRV100.SYS><N/A>
[A320RAID / A320RAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\a320raid.sys><Adaptec, Inc.>
[AAC / AAC][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aac.sys><Adaptec, Inc.>
[AACSAS / AACSAS][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aacsas.sys><Adaptec, Inc.>
[AAR81XX / AAR81XX][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aar81xx.sys><Adaptec, Inc.>
[AARSI3X / AARSI3X][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aarsi3x.sys><Adaptec, Inc.>
[ADP94XX / ADP94XX][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\adp94xx.sys><Adaptec, Inc.>
[adpu160m / adpu160m][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\adpu160m.sys><Microsoft Corporation>
[ADPU320 / ADPU320][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\adpu320.sys><Adaptec, Inc.>
[AEC6210 / AEC6210][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec6210.sys><ACARD Technology Corp.>
[AEC6260 / AEC6260][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec6260.sys><ACARD Technology Corp.>
[AEC6280 / AEC6280][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec6280.sys><ACARD Technology Corp.>
[AEC67160 / AEC67160][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec67160.sys><ACARD Technology Corp.>
[AEC67162 / AEC67162][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec67162.sys><ACARD Technology Corp.>
[AEC671X / AEC671X][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\AEC671X.sys><ACARD Technology Corp.>
[AEC6880 / AEC6880][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\AEC6880.sys><ACARD Technology Corp.>
[AEC6897 / AEC6897][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec6897.sys><ACARD Technology Corp.>
[AEC68X5 / AEC68X5][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aec68x5.sys><ACARD Technology Corp.>
[aic78u2 / aic78u2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aic78u2.sys><Microsoft Corporation>
[aic78xx / aic78xx][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\aic78xx.sys><Microsoft Corporation>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ARCM_X86 / ARCM_X86][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\arcm_x86.sys><ARECA Technology Corporation>
[asc / asc][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\asc.sys><Advanced System Products, Inc.>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[BCHTSW32 / BCHTSW32][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\bchtsw32.sys><Broadcom Corporation>
[buslogic / buslogic][Stopped/Boot Start]
<\SystemRoot\System32\bird\buslogic.sys><Microsoft Corporation>
[CDA1000 / CDA1000][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\cda1000.sys><Adaptec, Inc.>
[CmdIde / CmdIde][Running/Boot Start]
<\SystemRoot\System32\BIRD\cmdide.sys><CMD Technology, Inc.>
[CPQARRY2 / CPQARRY2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\cpqarry2.sys><Compaq Computer Corporation>
[CPQCISSM / CPQCISSM][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\cpqcissm.sys><Hewlett-Packard Company>
[CSB6IDE / CSB6IDE][Running/Boot Start]
<\SystemRoot\System32\BIRD\csb6ide.sys><ServerWorks Corporation>
[dac2w2k / dac2w2k][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\dac2w2k.sys><Mylex Corporation>
[DMX3191 / DMX3191][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\DMX3191.sys><Microsoft Corporation>
[DMX3194 / DMX3194][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\dmx3194.sys><Microsoft Corporation>
[dpti2o / dpti2o][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\dpti2o.sys><Microsoft Corporation>
[DPTSCSI / DPTSCSI][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\dptscsi.sys><Distributed Processing Technology Corp.>

weathing - 2007-4-30 1:32:00

[EagleNT / EagleNT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\ExpScan.sys><>
[FASTSX / FASTSX][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\fastsx.sys><Promise Technology, Inc.>
[FASTTRAK / FASTTRAK][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\fasttrak.sys><Promise Technology, Inc.>
[FASTTX2K / FASTTX2K][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\fasttx2k.sys><Promise Technology, Inc.>
[fd16_700 / fd16_700][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\fd16_700.sys><Microsoft Corporation>
[fireport / fireport][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\fireport.sys><Microsoft Corporation>
[flashpnt / flashpnt][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\flashpnt.sys><Mylex,Corp.>
[FT8300 / FT8300][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ft8300.sys><Promise Technology, Inc.>
[FTSATA2 / FTSATA2][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\ftsata2.sys><N/A>
[GD31244 / GD31244][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\gd31244.sys><Intel Corporation>
[HookCont / HookCont][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HPCISSS2 / HPCISSS2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\hpcisss2.sys><Hewlett-Packard Company>
[HPT371 / HPT371][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\HPT371.sys><HighPoint Technologies, Inc.>
[HPT374 / HPT374][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\hpt374.sys><HighPoint Technologies, Inc.>
[HPT3XX / HPT3XX][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\hpt3xx.sys><HighPoint Technologies, Inc.>
[IASTOR / IASTOR][Running/Boot Start]
<\SystemRoot\System32\BIRD\iaStor.sys><Intel Corporation>
[IFT2000 / IFT2000][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ift2000.sys><Infortrend Technology, Inc.>
[ini910u / ini910u][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ini910u.sys><Microsoft Corporation>
[INIA100 / INIA100][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\INIA100.sys><Initio corp.>
[IPSRAIDN / IPSRAIDN][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ipsraidn.sys><IBM Corporation>
[ITERAID / ITERAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\iteraid.sys><Integrated Technology Express, Inc.>
[JRAID / JRAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\JRAID.SYS><JMicron Technology Corp.>
[M5228 / M5228][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\m5228.sys><ALi Corporation.>
[M5281 / M5281][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\m5281.sys><ALi Corporation>
[M5287 / M5287][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\m5287.sys><ULi Electronics Inc.>
[M5288 / M5288][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\m5288.sys><ULi Electronics Inc.>
[M5289 / M5289][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\m5289.sys><ULi Electronics Inc.>
[MEGAIDE / MEGAIDE][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\MegaIDE.sys><LSI Logic Corporation.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mraid35x / mraid35x][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\mraid35x.sys><LSI Logic Corporation>
[NFRD960 / NFRD960][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\nfrd960.sys><IBM Corporation>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Stopped/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[NVATABUS / NVATABUS][Running/Boot Start]
<\SystemRoot\System32\BIRD\NVATABUS.SYS><NVIDIA Corporation>
[NVRAID / NVRAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\NVRAID.SYS><NVIDIA Corporation>
[perc2 / perc2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\perc2.sys><Adaptec, Inc.>
[PNP649R / PNP649R][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\pnp649r.sys><CMD Technology, Inc.>
[PNP680 / PNP680][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\pnp680.sys><Silicon Image, Inc.>
[PNP680R / PNP680R][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\pnp680r.sys><Silicon Image, Inc>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[ql1080 / ql1080][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ql1080.sys><QLogic Corporation>
[Ql10wnt / Ql10wnt][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ql10wnt.sys><Microsoft Corporation>
[ql12160 / ql12160][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ql12160.sys><QLogic Corporation>
[ql1280 / ql1280][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ql1280.sys><QLogic Corporation>
[RAIDSRC / RAIDSRC][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\raidsrc.sys><Intel/ICP>
[RR232X / RR232X][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\rr232x.sys><HighPoint Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\D:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[S150SX8 / S150SX8][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\S150sx8.sys><Promise Technology, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SI3112 / SI3112][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SI3112.sys><Silicon Image, Inc.>
[SI3112R / SI3112R][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SI3112r.sys><Silicon Image, Inc>
[SI3114 / SI3114][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SI3114.sys><Silicon Image, Inc.>
[SI3114R / SI3114R][Stopped/Boot Start]
<\SystemRoot\SYSTEM32\BIRD\SI3114R.sys><Silicon Image, Inc>
[SI3114R5 / SI3114R5][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\Si3114r5.sys><Silicon Image, Inc>
[SI3124 / SI3124][Stopped/Boot Start]
<\SystemRoot\SYSTEM32\BIRD\SI3124.sys><Silicon Image, Inc.>
[SI3124R / SI3124R][Stopped/Boot Start]
<\SystemRoot\SYSTEM32\BIRD\SI3124R.sys><Silicon Image, Inc>
[SI3124R5 / SI3124R5][Stopped/Boot Start]
<\SystemRoot\SYSTEM32\BIRD\Si3124r5.sys><Silicon Image, Inc>
[SI3132 / SI3132][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SI3132.sys><Silicon Image, Inc.>
[SI3132R5 / SI3132R5][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\Si3132r5.sys><Silicon Image, Inc>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>

weathing - 2007-4-30 1:33:00

[SISRAID / SISRAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SiSRaid.sys><Silicon Integrated Systems>
[SISRAID2 / SISRAID2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SiSRaid2.sys><Silicon Integrated Systems Corp>
[SISRAID4 / SISRAID4][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\SiSRaid4.sys><Silicon Integrated Systems>
[SPTRAK / SPTRAK][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\sptrak.sys><Promise Technology, Inc.>
[ST8350 / ST8350][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\st8350.sys><Promise Technology, Inc.>
[symc810 / symc810][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\symc8xx.sys><LSI Logic>
[SYMMPI / SYMMPI][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\symmpi.sys><LSI Logic>
[sym_hi / sym_hi][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\sym_u3.sys><LSI Logic>
[TRM3X5 / TRM3X5][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\trm3x5.sys><Tekram Technology Co., Ltd.>
[ULSATA / ULSATA][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ulsata.sys><Promise Technology, Inc.>
[ULSATA2 / ULSATA2][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ulsata2.sys><Promise Technology, Inc.>
[ULTIMA / ULTIMA][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\Ultima.sys><Aralion INC.>
[ULTIMARX / ULTIMARX][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\UltimaRX.sys><Aralion INC.>
[ultra / ultra][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\ultra.sys><Promise Technology, Inc.>
[VIAMRAID / VIAMRAID][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\viamraid.sys><VIA Technologies inc,.ltd>
[W2KADV / W2KADV][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\w2kadv.sys><ConnectCom Solutions, Inc.>
[WD7296A / WD7296A][Stopped/Boot Start]
<\SystemRoot\System32\BIRD\wd7296a.sys><Western Digital Corporation>
[NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter / yukonwxp][Running/Manual Start]
<system32\DRIVERS\yukonwxp.sys><Marvell Semiconductor Inc.>

weathing - 2007-4-30 1:33:00

==================================
浏览器加载项
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll, Thunder Networking Technologies,LTD>
[启动迅雷]
{0062C9BD-B349-40DE-91A0-755F37ACD559} <C:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <C:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Rising Web Scan Object]
{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll, Thunder Networking Technologies,LTD>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[&使用迅雷下载]
<C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
<C:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 560][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 636][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 668][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4119]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 712][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 724][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 876][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4119]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2497]
[PID: 888][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 972][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1084][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1232][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1332][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1572][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 1848][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[PID: 296][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1824][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4119]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2497]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1840][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Media Player Classic\Codecs\mmfinfo.dll] [N/A, ]
[C:\Program Files\Media Player Classic\Codecs\mkunicode.dll] [N/A, ]
[C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 2]
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[C:\WINDOWS\system32\Audiodev.dll] [Microsoft Corporation, 5.2.3802.3802 built by: dnsrv(bld4act)]
[PID: 916][C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe] [InstallShield Software Corporation, 3, 00, 100, 1161]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1308][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3556][D:\Program Files\Rising\Rav\RavStub.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
[D:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 3880][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Tencent\QQ\QQIEHelper.dll] [深圳市腾讯计算机系统有限公司, 1, 1, 0, 5]
[C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 2]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[D:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\WINWB86.IME] [Microsoft Corporation, 4.00.950]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL] [Microsoft Corporation, 11.0.5510]
[C:\Program Files\Media Player Classic\Codecs\mmfinfo.dll] [N/A, ]
[C:\Program Files\Media Player Classic\Codecs\mkunicode.dll] [N/A, ]
[PID: 3056][D:\Program Files\Rising\Rav\RsAgent.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 12]
[D:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2320][C:\WINDOWS\msagent\AgentSvr.exe] [Microsoft Corporation, 2.00.0.3422]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 2592][G:\新建文件夹\sre\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

瑞星卡卡安全论坛