【求助】中病毒，不知病毒名 bbs.ikaka.com

穷财神一 - 2007-6-4 13:09:00

电脑中毒了，但是瑞星查不出是什么病毒，AVG Anti－Spyware也查不出。

现象1、打开“我的电脑”，然后再点D、E等盘符会跳出个新的窗口，“文件夹选项”中全部默认设置，在各个盘中再打开文件夹时不会出现新的窗口。

现象2、打开有关杀毒/杀木马的软件的窗口（IE或文件夹）都会被强制关闭，杀毒/杀木马/流氓软件清理工具都不能打开。开机的随机启动的杀毒软件不能启动，在服务中被停止，手动启动，重启后又被停止。

现象3、不能下载。无论是用IE下载还是用工具下载，只要下载几秒钟后网络断线。因为我用路由器，整个小局域网全部断线。

现象4、WinXP SP2不能安装，无论是从网上升级还是下载单独的升级包都不能顺利安装，最后都会失败，不成功。

前几天因为这个病毒把系统重装，问题依旧。后来把硬盘上的数据全部移到另外一个硬盘，全部格式化硬盘，重装系统，重装杀毒软件，更新病毒库，然后把有数据的硬盘查毒，没能查出，所以复制回数据，第二天问题依旧。

望能尽快回复！谢谢！！

两个铁球 - 2007-6-4 13:12:00

扫SREng日志粘上来。杀毒不需要知道病毒名字的，记也没用。

天仙子 - 2007-6-4 13:12:00

估计是中了随机8位数病毒!

天仙子 - 2007-6-4 13:14:00

转自<清新阳光>博客>

http://hi.baidu.com/newcenturysun/blog/item/2ad3d7cedcea3c0292457e2c.html

1.确定那个8位随机数的dll的名称
这里我们选用winrar或者冰刃确定那个dll的名称
方法是：打开winrar.exe或冰刃(需重命名)
工具查看文件
在上面的地址栏中进入c:\program files\common files\microsoft shared\msinfo目录
___________________________________________________

天仙子 - 2007-6-4 13:15:00

2.使用强制删除工具删除那个dll文件
这里我们选用Xdelbox1.2这个软件
具体使用方法见http://hi.baidu.com/teyqiu/blog/item/291690efc3f3b5eece1b3e5a.html（里面有下载地址）

重起机器后
3.恢复被映像劫持的软件
这里我们使用autoruns这个软件 http://www.skycn.com/soft/17567.html
由于这个软件也被映像劫持了所以我们随便把他改个名字
打开这个软件后找到Image hijack (映像劫持）
删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft

Corporation c:\windows\system32\ntsd.exe
以外的所有项目

4.此时我们就可以打开sreng了呵呵
打开sreng
系统修复高级修复点击修复安全模式在弹出的对话框中点击是

5.恢复显示隐藏文件

把下面的代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

双击1.reg把这个注册表项导入

好了此时病毒对于我们的所有限制已经解除了
下面就是清除其下载的木马了
重起机器进入安全模式

打开sreng 启动项目注册表删除如下项目
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]下的
<testrun><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testexe.exe> []
<Kvsc><C:\WINDOWS\Kvsc3.exe> []

双击Userinit 把其键值改为C:\WINDOWS\system32\userinit.exe,

在“启动项目”-“服务”-“驱动程序”中点“隐藏经认证的微软项目”，
选中以下项目，点“删除服务”，再点“设置”，在弹出的框中点“否”：

[CelInDrv / CelInDrv][Stopped/Disabled]
<\??\C:\WINDOWS\system32\Drivers\CelInDriver.sys><N/A>

双击我的电脑，工具，文件夹选项，查看，单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件

（推荐）"前面的钩。在提示确定更改时，单击“是” 然后确定
然后删除
C:\Documents and Settings\Administrator\Local Settings\Temp\testexe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\testexe.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\dl1.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dat（随机8位数字字母组合）
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\Help\41115BDD.chm（随机8位数字字母组合）
C:\WINDOWS\system32\DirectX\DirectX.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\testdll.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\win1ogo.exe
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\winpcap.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xpdhcp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\41115BDD.hlp（随机8位数字字母组合）
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\testexe.exe
C:\Program Files\Common Files\cssrs.exe
C:\Program files\ycnt1.exe~ycnt10.exe(如果有的话）

最后也是最重要的就是删除各个分区下面的autorun.inf和8位随机数的exe
一定不要双击也不能右键打开（因为那个autorun.inf编辑的比较巧妙，所以右键菜单无原先的auto等字样）所以一定用winrar或者冰刃删除!!!!

egomoo11 - 2007-6-4 13:29:00

近期坏事做尽恶性U盘病毒专杀指令

http://hi.baidu.com/egomoo/blog/item/f91b8b18979b0e0635fa4195.html

穷财神一 - 2007-6-4 13:47:00

我扫描下，马上贴上来。

穷财神一 - 2007-6-4 13:59:00

瑞星偶尔弹出窗口说发现病毒“C23E7B7F.EXE”,但是扫描时是发现不了的。

[CODE]

2007-06-04,13:39:06

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 1 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows XP Publisher]
<PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows XP Publisher]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows XP Publisher]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<!AVG Anti-Spyware><"D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [Anti-Malware Development a.s.]
<SoundMAXPnP><C:\Program Files\Analog Devices\Core\smax4pnp.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<BigDogPath><C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x> [N/A]
<Mysql><d:\Program Files\ecSolutions\SAFE\mysql\bin\winmysqladmin.exe> [MySQL AB]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup> [(Verified)Microsoft Windows XP Publisher]
<runeip><d:\Program Files\Rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Application Management / AppMgmt][Stopped/Manual Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
<d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[HTTP SSL / HTTPFilter][Stopped/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k HTTPFilter-->%SystemRoot%\System32\w3ssl.dll><N/A>
[MySql / MySql][Running/Auto Start]
<d:/Program Files/ecSolutions/SAFE/mysql/bin/mysqld-max-nt.exe><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

穷财神一 - 2007-6-4 14:00:00

==================================
驱动程序
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
<\??\d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[BaseTDI / BaseTDI][Running/Auto Start]
<\??\C:\WINDOWS\System32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[HookReg / HookReg][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[HTTP / HTTP][Stopped/Manual Start]
<System32\Drivers\HTTP.sys><N/A>
[IPv6 Windows Firewall Driver / ip6fw][Stopped/Manual Start]
<system32\drivers\ip6fw.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[nv / nv][Running/Manual Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\System32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\D:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[senfilt / senfilt][Running/Manual Start]
<system32\drivers\senfilt.sys><Creative Technology Ltd.>
[smwdm / smwdm][Running/Manual Start]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><N/A>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[VIMICRO USB PC Camera 301x / ZSMC301b][Running/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[RsAntiSpyware / RsAntiSpyware][Stopped/Boot Start]
<\SystemRoot\System32\drivers\RsBoot.sys><Beijing Rising>

==================================
浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
{06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[FGCatchUrl]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <D:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[FlashGet GetFlash Class]
{F156768E-81EF-470C-9057-481BA8380DBA} <d:\Program Files\FlashGet\getflash.dll, www.flashget.com>
[启动迅雷5]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <d:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[Web反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, N/A>
[快车]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <d:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
[易趣购物]
{EE60714F-AC17-427e-861A-FD60CBDF119A} <http://click2.ad4all.net/url2/urlmanage/url.asp?id=86, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, N/A>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\system32\msdxm.ocx, Microsoft Corporation>
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[FGAutoLive]
{F90D830D-C175-4bbe-82C7-FF94669A4C42} <d:\Program Files\FlashGet\fgupdate.dll, www.flashget.com>
[FGCatchUrl]
{FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <D:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
[&使用快车(FlashGet)下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[&使用快车(FlashGet)下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[使用迅雷下载]
<D:\Program Files\Thunder Network\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
<D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000, N/A>

穷财神一 - 2007-6-4 14:00:00

==================================
正在运行的进程
[PID: 612][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 668][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1564][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[d:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll] [Anti-Malware Development a.s., 7, 5, 0, 49]
[d:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1496][D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [Anti-Malware Development a.s., 7, 5, 0, 50]
[D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [Anti-Malware Development a.s., 4, 2, 0, 15]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1728][C:\Program Files\Analog Devices\Core\smax4pnp.exe] [Analog Devices, Inc., 5, 2, 0, 5]
[C:\Program Files\Analog Devices\Core\SMWDMIF.dll] [Analog Devices, Inc., 5, 2, 3, 000]
[C:\WINDOWS\System32\EDCrypt.DLL] [Analog Devices Incorporated, 1.0.0.8]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1756][C:\WINDOWS\VM_STI.EXE] [VM., 4.2.610.4]
[C:\WINDOWS\System32\msdmo.dll] [, ]
[C:\WINDOWS\System32\VM31bPrp.Ax] [VM, 4.2.711.31]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1792][D:\Program Files\ecSolutions\SAFE\mysql\bin\winmysqladmin.exe] [MySQL AB, 1.0.0.0]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1840][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1992][C:\WINDOWS\System32\WgaTray.exe] [Microsoft Corporation, 1.7.0018.5]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2644][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[C:\WINDOWS\System32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.0.4]
[D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 1, 4]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll] [, 1, 0, 0, 2]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 4]
[D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\Program Files\FlashGet\jccatch.dll] [www.flashget.com, 1, 8, 4, 1007]
[d:\Program Files\FlashGet\getflash.dll] [www.flashget.com, 1, 8, 4, 1003]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\System32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 3016][C:\Program Files\Outlook Express\msimn.exe] [Microsoft Corporation, 6.00.2800.1807]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3504][C:\Program Files\MSN Messenger\msnmsgr.exe] [Microsoft Corporation, 8.1.0178.00]
[C:\WINDOWS\System32\msdmo.dll] [, ]
[C:\WINDOWS\System32\VM31bPrp.Ax] [VM, 4.2.711.31]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3996][D:\Program Files\Skype\Phone\Skype.exe] [Skype Technologies S.A., 3.0.0.218]
[C:\WINDOWS\System32\dxdiagn.dll] [Microsoft Corporation, 5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)]
[C:\WINDOWS\System32\msdmo.dll] [, ]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2840][C:\WINDOWS\System32\wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[PID: 2356][D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE] [Microsoft Corporation, 11.0.6355]
[D:\Program Files\Microsoft Office\OFFICE11\GdiPlus.DLL] [Microsoft Corporation, 6.0.3264.0]
[d:\Program Files\Rising\Rav\RsPlugIn.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 14]
[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAP3UIK.DLL] [Canon Inc., 1.00.0.007]
[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAP3K.DLL] [Canon Inc., 0.3.0.0]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3956][C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe] [Microsoft Corporation, 4.100.313.1]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2496][d:\Program Files\Rising\AntiSpyware\runiep.exe] [Beijing Rising Technology Co., Ltd., 1, 0, 1, 6]
[d:\Program Files\Rising\AntiSpyware\iep_ctrl.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1572][G:\下載\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[d:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]

穷财神一 - 2007-6-4 14:01:00

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[I:\]
[AutoRun]
open=C23E7B7F.exe
shell\open=打开(&O)
shell\open\Command=C23E7B7F.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=C23E7B7F.exe
[J:\]
[AutoRun]
open=C23E7B7F.exe
shell\open=打开(&O)
shell\open\Command=C23E7B7F.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=C23E7B7F.exe
[K:\]
[AutoRun]
open=C23E7B7F.exe
shell\open=打开(&O)
shell\open\Command=C23E7B7F.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=C23E7B7F.exe

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

不能全部一次性贴上，还不能附件，只好如此贴了，凑合看吧。

瑞星卡卡安全论坛