
Is Backdoor.PcClient.ej a virus?

Why does Backdoor.PcClient.ej keep coming back? As soon as I type, it shows up. Rising can't find where the root of the infection is..

Please help me fix this quickly.. Also, my old account was hyst; why does it now say the username is too short and won't let me use it...

Let's deal with the virus first, experts...

Attachment: image/pjpeg, uploaded 2005-12-7 13:20:51 (0 downloads)



Last edited 2005-12-07 15:15:56
 

Save a log with Autoruns and post it here.
How to save the log: choose the File->Save menu item.
When saving the log, be sure to select the Options->Hide Microsoft Entries menu item (after setting this, click the refresh button on the toolbar).

For downloading and using the tool, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038
 

Process    PID    CPU    Description    Company Name
System Idle Process    0    73.13       
Interrupts    n/a        Hardware Interrupts   
DPCs    n/a    1.49    Deferred Procedure Calls   
System    4           
  smss.exe    412        Windows NT Session Manager    Microsoft Corporation
  csrss.exe    508    1.49    Client Server Runtime Process    Microsoft Corporation
  winlogon.exe    532        Windows NT Logon Application    Microsoft Corporation
    SERVICES.EXE    576    8.96    Services and Controller app    Microsoft Corporation
    SVCHOST.EXE    744        Generic Host Process for Win32 Services    Microsoft Corporation
      AgentSvr.exe    3176        Microsoft Agent Server    Microsoft Corporation
    SVCHOST.EXE    844        Generic Host Process for Win32 Services    Microsoft Corporation
    SVCHOST.EXE    884        Generic Host Process for Win32 Services    Microsoft Corporation
    SVCHOST.EXE    960        Generic Host Process for Win32 Services    Microsoft Corporation
    SVCHOST.EXE    980        Generic Host Process for Win32 Services    Microsoft Corporation
    rfwsrv.exe    1020        Rising Personal FireWall Service    Beijing Rising Technology Corporation Limited
      RfwMain.exe    1648        Rising Personal FireWall Main Program    Beijing Rising Technology Corporation Limited
    spoolsv.exe    1272        Spooler SubSystem App    Microsoft Corporation
    nvsvc32.exe    1472        NVIDIA Driver Helper Service, Version 61.72    NVIDIA Corporation
    CCenter.exe    1524        CCenter    rising
    SVCHOST.EXE    1612    2.99    Generic Host Process for Win32 Services    Microsoft Corporation
    alg.exe    460        Application Layer Gateway Service    Microsoft Corporation
    RavMonD.exe    1732    5.97    RavMon    Beijing Rising Technology Co., Ltd.
      RavStub.exe    3284        Rising Rav Stub    Beijing Rising Technology Co., Ltd.
    LSASS.EXE    596        LSA Shell (Export Version)    Microsoft Corporation
Explorer.EXE    1212        Windows Explorer    Microsoft Corporation
RavTimer.exe    1708        RavTimer    Beijing Rising Technology Co., Ltd.
ctfmon.exe    1824        CTF Loader    Microsoft Corporation
iexplore.exe    1892        Internet Explorer    Microsoft Corporation
  Thunder.exe    912            Thunder Networking Technologies,LTD
autoruns.exe    1856        Autostart program viewer    Sysinternals - www.sysinternals.com
Notepad.exe    3680        记事本    Microsoft Corporation
procexp.exe    1968    4.48    Sysinternals Process Explorer    Sysinternals
conime.exe    948        Console IME    Microsoft Corporation
RavMon.exe    2984    1.49    RavMon Rising realtime monitor     Beijing Rising Technology Co., Ltd.
Rav.exe    3320        Rising Antivirus Main exe    Beijing Rising Technology Co., Ltd.
RsAgent.exe    3360        RsAgent Application    Beijing Rising Technology Co., Ltd.

Process: Procexp Pid: -2

Type    Name
 

The Autoruns log, not the procexp log.
 

The Autoruns log was too big, so I tidied it up a bit.. I just pasted it into Excel.


Click the link below to download the log..
ftp://yule:1234@210.73.87.95/temp/DVD/autoruns.xls
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ NvCplDaemonNVIDIA Display Properties ExtensionNVIDIA Corporationc:\windows\system32\nvcpl.dll

+ RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmon.exe

+ RavTimerRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtimer.exe

+ RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwmain.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Desktop ExplorerNVIDIA Desktop Explorer, Version 61.72 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Desktop Explorer MenuNVIDIA Desktop Explorer, Version 61.72 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ NvCpl DesktopContext ClassNVIDIA Display Properties ExtensionNVIDIA Corporationc:\windows\system32\nvcpl.dll

+ nView Desktop Context MenuNVIDIA Desktop Explorer, Version 61.72 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Play on my TV helperNVIDIA Display Properties ExtensionNVIDIA Corporationc:\windows\system32\nvcpl.dll

+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

+ Shell Extensions for RealOne PlayerRealPlayer Shell ExtensionsRealNetworks, Inc.d:\realplayer\rpshell.dll

+ WinRAR shell extensiond:\winrar\rarext.dll

+ 属性的默认图像解压缩程序File not found: C:\WINDOWS\SYSTEM\THUMBVW.DLL

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell ExtensionPDF Shell ExtensionAdobe Systems, Inc.d:\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ ThunderIEHelper Classxunleibho BHOc:\windows\system32\xunleibho_v8.dll

HKLM\System\CurrentControlSet\Services

+ NVSvcProvides system and desktop level support to the NVIDIA display driverNVIDIA Corporationc:\windows\system32\nvsvc32.exe

+ RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwsrv.exe

+ RsCCenterCCenterrisingc:\program files\rising\rav\ccenter.exe

+ RsRavMonRavMonBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe

HKLM\System\CurrentControlSet\Services

+ ALCXSENSSensaura WDM 3D Audio DriverSensaura Ltdc:\windows\system32\drivers\alcxsens.sys

+ ALCXWDMRealtek AC'97 Audio Driver (WDM)Realtek Semiconductor Corp.c:\windows\system32\drivers\alcxwdm.sys

+ BaseTDIbasetdiRisingc:\windows\system32\drivers\basetdi.sys

+ CnxEtPAccessRunner USB ADSL Modem/enumeratorConexant Systems, Inc.c:\windows\system32\drivers\cnxetp.sys

+ CnxEtUAccessRunner USB ADSL Modem loader/driverConexant Systems, Inc.c:\windows\system32\drivers\cnxetu.sys

+ CnxTgNWAccessRunner PPPoA NDIS WAN DriverConexant Systems, Inc.c:\windows\system32\drivers\cnxtgnw.sys

+ ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys

+ HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys

+ HookRegc:\program files\rising\rav\hookreg.sys

+ HookSys瑞星c:\program files\rising\rav\hooksys.sys

+ HOSTNTc:\windows\system32\drivers\hostnt.sys

+ hotcoreHotbackup helper driverParagon Software Groupc:\windows\system32\drivers\hotcore.sys

+ kmsinputc:\windows\system32\drivers\kmsinput.sys

+ New0c:\windows\system32\new.sys

+ npkcryptFile not found: D:\QQ2005\npkcrypt.sys

+ nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 61.72 NVIDIA Corporationc:\windows\system32\drivers\nv4_mini.sys

+ nv_agpNVIDIA nForce AGP FilterNVIDIA Corporationc:\windows\system32\drivers\nv_agp.sys

+ NVENETNVIDIA nForce MCP Networking Driver.NVIDIA Corporationc:\windows\system32\drivers\nvenet.sys

+ pnpsharkPnP BIOS Extension c:\windows\system32\drivers\pnpshark.sys

+ Ps2PS2 SYSHewlett-Packard Companyc:\windows\system32\drivers\ps2.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ PxHelp20Px Engine Device Driver for Windows 2000/XPSonic Solutionsc:\windows\system32\drivers\pxhelp20.sys

+ RsFwDrvnt_fwdrvRisingc:\program files\rising\rfw\rsfwdrv.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SunkFiltSunkFiltAlcor Micro Corp.c:\windows\system32\drivers\sunkfilt.sys

+ SVKPSVKP driver for NTAntiCrackingc:\windows\system32\svkp.sys

+ zntportc:\windows\system32\zntport.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys

 

Logfile of HijackThis v1.99.0
Scan saved at 13:34:28, on 2005-12-7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINDOWS\system32\svchost.exe
c:\program files\rising\rfw\RfwMain.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
c:\program files\rising\rav\RAVMON.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\rising\rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
c:\program files\rising\rav\Rav.exe
D:\Thunder\Thunder.exe
F:\CHINAZ\HijackThis\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Thunder\getallurl.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\SendMMS.htm
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {88734439-46D0-42C0-A13F-7E881EE550CF} - http://pimg.163.com/club/vchat/filetran.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F6523A2-D0B9-4631-8E3B-7DA0F0D1FFEA}: NameServer = 202.102.128.68 202.102.152.3
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

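As an added example (not from this thread), a small Python parser for HijackThis-style log lines like the ones posted above, with the triage rules a responder applies first: BHOs with no name or no file (like the O2 entry with "(no file)"), O23 services whose publisher is Unknown, and O16 ActiveX downloads served over plain HTTP. The sample lines are a subset copied from the log in this post.

```python
import re

# Sample lines taken from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {88734439-46D0-42C0-A13F-7E881EE550CF} - http://pimg.163.com/club/vchat/filetran.cab
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(text):
    """Return [(section, fields)] for every 'Onn - ...' line.

    HijackThis separates name, CLSID/publisher and path with ' - ', so the
    rest of the line is split on that token (a command line containing
    ' - ' would be over-split; none of the sample lines do)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), [f.strip() for f in m.group(2).split(" - ")]))
    return entries


def triage(entries):
    """Apply simple review rules; return [(section, identifier, reason)]."""
    findings = []
    for section, fields in entries:
        if section == "O2" and len(fields) == 3:        # BHO: name - CLSID - path
            name, clsid, path = fields
            if "(no name)" in name or path == "(no file)":
                findings.append((section, clsid, "BHO with no name or missing file"))
        elif section == "O16" and len(fields) >= 2:     # DPF: CLSID (name) - URL
            url = fields[-1]
            if url.lower().startswith("http://"):
                findings.append((section, url, "ActiveX control fetched over plain HTTP"))
        elif section == "O23" and len(fields) == 3:     # Service: name - publisher - path
            name, publisher, path = fields
            if publisher.lower() == "unknown":
                findings.append((section, path, "service with unknown publisher"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}: {ident}")
```

The flagged items are starting points for review, not a verdict: the Macromedia service is a legitimate licensing helper that HijackThis simply cannot attribute, so each hit still needs the file checked.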
 

The latest version of 木马客星 also shows no trojan, but Rising still reports a virus.

It shows up whenever I type... I have Rising delete it.. Is it an account-stealing virus?

I play the game 传奇世界.. Quick, experts, help me get rid of it completely..
 

+ HOSTNTc:\windows\system32\drivers\hostnt.sys
+ New0c:\windows\system32\new.sys

Delete the startup entries.
Reboot.
Then try deleting c:\windows\system32\drivers\hostnt.sys and c:\windows\system32\new.sys.
 

After deleting those 2 entries in the registry, it booted up, but the virus came back. It's still there.

Attachment: image/pjpeg, uploaded 2005-12-7 15:01:59 (0 downloads)


