Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

[Help] Just finished removing a virus, not sure whether it is completely gone, could an expert please take a look

I just removed a stubborn virus using this method:

LYLOADER.EXE LYMANGR.DLL MSDEG32.DLL virus solution, 2007-08-10 08:50

Virus aliases: Trojan.PSW.Win32.XYOnline.ah (Rising), Trojan.PSW.Win32.OnlineGames.cwz (Rising)
      Win32.Troj.OnlineGames.nn.94208 (Duba)
Virus size: 16,384 bytes
Packer:
Sample MD5: 6a8691aec2bb2537cbdc718bd53b1fbf
Sample SHA1: 99f3f161e0077d5bcefe9582007666b7d543ce84
Discovered: 2007.6
Updated: 2007.7.3
Related viruses:
Propagation: via malicious websites, and downloaded by other trojans


Technical analysis
==========

After it runs, the trojan drops another exe into the temp directory and runs it:
%temp%\LYLOADER.EXE
It drops two dll files and injects them into processes:
%temp%\LYMANGR.DLL
%temp%\MSDEG32.DLL

At the same time it copies them to the system directory:
%system%\LYLOADER.EXE
%system%\LYMANGR.DLL
%system%\MSDEG32.DLL

Creates startup entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSDEG32"="LYLoader.exe"
"MSDWG32"="LYLoadbr.exe"
"MSDCG32    "="LYLeador.exe"
"MSOG32"="LYLoador.exe"
"MSDSG32"="LYLoadar.exe"
"MSDMG32"="LYLoadmr.exe"
"MSDHG32"="LYLoadhr.exe"
"MSDQG32"="LYLoadqr.exe"


Removal steps
==========

1. Delete the startup entries (Start menu - Run - type "regedit", open the following key and delete the values listed):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSDEG32"="LYLoader.exe"
"MSDWG32"="LYLoadbr.exe"
"MSDCG32    "="LYLeador.exe"
"MSDOG32"="LYLoador.exe"
"MSDSG32"="LYLoadar.exe"
"MSDMG32"="LYLoadmrexe"
"MSDHG32"="LYLoadhr.exe"
"MSDQG32"="LYLoadqr.exe"


2. Restart the computer

3. Delete the files (if you are told a file cannot be deleted, download the 费尔木马强制删除器 forced-deletion tool from down.45it.com and use it to force the deletion):
%temp%\LYLOADER.EXE
%temp%\LYMANGR.DLL
%temp%\MSDEG32.DLL
%system%\LYLOADER.EXE
%system%\LYMANGR.DLL
%system%\MSDEG32.DLL     


Is there still any virus left?
The log is attached in the next post:

Last edited 2007-09-11 12:39:43

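The removal write-up above names exactly what this trojan leaves behind: three file names and a handful of MSD?G32 values under the policies\Explorer\Run key. The poster's question, whether anything survived the cleanup, can be answered by checking the autorun and process listings (the SREng and Kaka logs in the next posts) for those indicators. The Python script below is an added example written for this thread; it is not code from the original post, from Rising, or from SREng. It parses SREng-style `[HKEY_...]` section headers and `<name><data>` entries, flags any value under the policies\Explorer\Run key whose name or data matches the write-up's pattern, and flags any line mentioning one of the three dropped files. The two sample logs are constructed for the example, not taken from the poster's machine.

```python
import re

# Indicators taken from the removal write-up quoted in the post above.
IOC_FILES = ("lyloader.exe", "lymangr.dll", "msdeg32.dll")
IOC_RUN_KEY = r"software\microsoft\windows\currentversion\policies\explorer\run"
# Value names and data the write-up lists under that key: MSD?G32 = LYLoad??.exe
IOC_VALUE_NAME = re.compile(r"^MSD?[A-Z]G32\s*$", re.IGNORECASE)
IOC_VALUE_DATA = re.compile(r"^LYL\w+\.?exe$", re.IGNORECASE)

# SREng layout: a registry key on its own line, then indented <name><data> entries.
SRENG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
SRENG_ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>")


def scan_autorun_log(text):
    """Return (line_no, kind, detail) tuples for every line that carries one of
    the write-up's indicators. kind is "run-value" for a suspicious value under
    policies\\Explorer\\Run and "file" for any mention of the dropped files."""
    findings = []
    current_key = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key = SRENG_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        entry = SRENG_ENTRY_RE.match(line)
        if entry and current_key and current_key.lower().endswith(IOC_RUN_KEY):
            name, data = entry.group(1), entry.group(2)
            if IOC_VALUE_NAME.match(name) or IOC_VALUE_DATA.match(data):
                findings.append((no, "run-value", f"{name.strip()}={data}"))
                continue
        low = line.lower()
        for fname in IOC_FILES:
            if fname in low:
                findings.append((no, "file", fname))
                break
    return findings


def is_clean(text):
    """True when none of the write-up's indicators appear in the log."""
    return not scan_autorun_log(text)


# Constructed sample log in SREng's layout (not the poster's real log).
SAMPLE_CLEAN = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavTask><"D:\PROGRA~1\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
"""

# The same layout seeded with two of the write-up's run values and one dropped
# DLL loaded into Explorer: the shape an incomplete cleanup would leave behind.
SAMPLE_INFECTED = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IgfxTray><C:\WINNT\system32\igfxtray.exe>  [Intel Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    <MSDEG32><LYLoader.exe>  [N/A]
    <MSDWG32><LYLoadbr.exe>  [N/A]
[PID: 940][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\DOCUME~1\owner\LOCALS~1\Temp\LYMANGR.DLL]  [, 1, 0, 0, 1]
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        verdict = "no indicators found" if is_clean(sample) else "INDICATORS FOUND"
        print(f"{label}: {verdict}")
        for no, kind, detail in scan_autorun_log(sample):
            print(f"  line {no}: {kind}: {detail}")
```

Pasting the SREng output from this thread into `scan_autorun_log` gives an empty list: neither the Kaka listing nor the SREng listing mentions LYLOADER.EXE, LYMANGR.DLL or MSDEG32.DLL, and no policies\Explorer\Run values are reported at all. That only shows the indicators are absent from what the tools enumerated, which is why the SREng sections for hidden processes and API hooks (both N/A in the log below) are worth reading alongside the autorun entries.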
瑞星卡卡电脑诊断日志 v1.30 (2007-9-7 21:16:38)  北京瑞星科技股份有限公司

注释:[A]表示该文件存在自启动关联;
[M]表示该文件在内存中;

+ 注册表自运行项目
  + 系统服务
    + HKLM\System\CurrentControlSet\Services
      RfwProxySrv
        [A ] 1. d:\progra~1\rising\rfw\rfwproxy.exe
          Beijing Rising Technology Co., Ltd.
          Rising Personal Proxy Service
          .text,.rdata,.data,.rsrc,


      RfwService
        [A ] 2. d:\progra~1\rising\rfw\rfwsrv.exe
          Beijing Rising Technology Co., Ltd.
          Rising Personal FireWall Service
          .text,.rdata,.data,.rsrc,


      RsCCenter
        [A ] 3. d:\progra~1\rising\rav\ccenter.exe
          Beijing Rising Technology Co., Ltd.
          CCenter
          .text,.rdata,.data,.rsrc,


      RsRavMon
        [A ] 4. d:\progra~1\rising\rav\ravmond.exe
          Beijing Rising Technology Co., Ltd.
          RavMond
          .text,.rdata,.data,.rsrc,


      WmdmPmSN
        [A ] 5. c:\winnt\system32\mspmsnsv.dll
          Microsoft Corporation
          Microsoft Media Device Service Provider
          .text,.data,.rsrc,.reloc,




  + 内核驱动
    + HKLM\System\CurrentControlSet\Services
      ADM9X
        [A ] 6. c:\winnt\system32\drivers\adm9x.sys
          ADMtek Incorporated.
          ADMtek AN983/AN985/ADM951X NDIS5 Driver
          .text,.rdata,.data,PAGE,INIT,.rsrc,.reloc,


      BaseTDI
        [A ] 7. c:\winnt\system32\drivers\basetdi.sys
          Beijing Rising Technology Co., Ltd.
          basetdi
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      Cdr4_2K
        [A ] 8. c:\winnt\system32\drivers\cdr4_2k.sys
          Roxio
          CDR4_2k CDR Helper
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      Cdralw2k
        [A ] 9. c:\winnt\system32\drivers\cdralw2k.sys
          Roxio
          CDRAL for Windows 2000 Kernel Driver
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      ExpScaner
        [A ] 10. d:\progra~1\rising\rav\expscan.sys
          ExpScan.sys
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      HOOKAPI
        [A ] 11. d:\progra~1\rising\rav\hookapi.sys
          瑞星软件有限公司
          HOOKAPI Driver
          .text,.rdata,.data,.edata,INIT,.rsrc,.reloc,


      HookCont
        [A ] 12. d:\progra~1\rising\rav\hookcont.sys
          Rising
          HookCont
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      HookReg
        [A ] 13. d:\progra~1\rising\rav\hookreg.sys
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      HookSys
        [A ] 14. d:\progra~1\rising\rav\hooksys.sys
          Rising
          Hooksys
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      HookUrl
        [A ] 15. d:\progra~1\rising\rfw\hookurl.sys
          Beijing Rising Technology Co., Ltd.
          HookUrl
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      MEMSCAN
        [A ] 16. d:\progra~1\rising\rav\memscan.sys
          Beijing Rising Technology Co., Ltd.
          MemScan Driver
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      MPE
        [A ] 17. c:\winnt\system32\drivers\mpe.sys
          Microsoft Corporation
          Microsoft MPE to IP Filter
          .text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,


      mProcRs
        [A ] 18. d:\progra~1\rising\rfw\mprocrs.sys
          Beijing Rising Technology Co., Ltd.
          Rising Personal FireWall  mprocrs.sys
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      NABTSFEC
        [A ] 19. c:\winnt\system32\drivers\nabtsfec.sys
          Microsoft Corporation
          WDM NABTS/FEC VBI Codec
          .text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,


      npkcrypt
        [A ] 20. d:\qq2006\qq\npkcrypt.sys


      nwupspx
        [A ] 21. c:\winnt\system32\drivers\nwupspx.sys


      RMSPPPOE
        [A ] 22. c:\winnt\system32\drivers\rmspppoe.sys
          Robert Schlabbach
          PPP over Ethernet Protocol NDIS Intermediate Driver
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      RsAntiSpyware
        [A ] 23. c:\winnt\system32\drivers\rsboot.sys
          Beijing Rising Technology Co., Ltd.
          Anti-RootKit Driver
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      RsFwDrv
        [A ] 24. d:\progra~1\rising\rfw\rsfwdrv.sys
          Beijing Rising Technology Co., Ltd.
          nt_fwdrv
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      RsNTGDI
        [A ] 25. c:\winnt\system32\drivers\rsntgdi.sys
          Beijing Rising Technology Co., Ltd.
          RsNTGDI
          .text,.rdata,INIT,.rsrc,.reloc,


      RSPPSYS
        [A ] 26. d:\progra~1\rising\rav\rsppsys.sys
          Rising
          RSPPSYS.SYS
          .text,.rdata,.data,INIT,.rsrc,.reloc,


      RTL8023
        [A ] 27. c:\winnt\system32\drivers\rtlnic.sys
          Realtek Semiconductor Corporation                         
          Realtek 10/100/1000 NDIS 5.0 Driver                       
          .text,.rdata,.data,PAGE,INIT,.rsrc,.reloc,


      SLIP
        [A ] 28. c:\winnt\system32\drivers\slip.sys
          Microsoft Corporation
          Microsoft Slip Deframing Filter Minidriver
          .text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,


      streamip
        [A ] 29. c:\winnt\system32\drivers\streamip.sys
          Microsoft Corporation
          Microsoft IP Driver
          .text,.rdata,.data,PAGECONS,INIT,.rsrc,.reloc,


      WSTCODEC
        [A ] 30. c:\winnt\system32\drivers\wstcodec.sys
          Microsoft Corporation
          WDM WST Codec Driver
          .text,.rdata,.data,INIT,.rsrc,.reloc,




  + IE浏览器加载模块
    + HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
      {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C}
        [A ] 31. c:\winnt\system32\kakatool.dll
          Beijing Rising Technology Co., Ltd.
          Rising AntiSpyware Toolbar
          .text,.rdata,.data,MonitorS,.rsrc,.reloc,



    + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
      {01443AEC-0FD1-40fd-9C87-E93D1494C233}
        [A ] 32. e:\program files\thunder\comdlls\tdatonce_now.dll
          Thunder Networking Technologies,LTD
          迅雷浏览器高级特性支持模块
          .text,.rdata,.data,.rsrc,.reloc,


      {889D2FEB-5411-4565-8998-1DD2C5261283}
        [A ] 33. e:\program files\thunder\comdlls\xunleibho_now.dll
          Thunder Networking Technologies,LTD
          XunLeiBHO
          .text,.rdata,.data,.rsrc,.reloc,



    + HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
      Exec
        [A ] 34. e:\program files\thunder\thunder.exe
          Thunder Networking Technologies,LTD
          .text,.rdata,.data,.rsrc,


      Script
        [A ] 35. c:\winnt\web\related.htm




  + 资源管理器加载模块
    + HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
      {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
        [A ] 36. c:\winnt\system32\updcrl.exe
          Microsoft Corporation
          UPDCRL
          .text,.data,.rsrc,

        [A ] 37. c:\winnt\system32\verisignpub1.crl



    + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
      RISING
        [AM] 38. c:\winnt\system32\ravext.dll
          Beijing Rising Technology Co., Ltd.
          Rising Shell Ext Module
          .text,.rdata,.data,.rsrc,.reloc,


      Yahoo Trojan Cleanner
        [A ] 39. d:\progra~1\ske\contmenu.dll
          UPX0,UPX1,.rsrc,



    + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
      {32CD708B-60A7-4C00-9377-D73EAA495F0F}
        [AM] 38. c:\winnt\system32\ravext.dll
          Beijing Rising Technology Co., Ltd.
          Rising Shell Ext Module
          .text,.rdata,.data,.rsrc,.reloc,


      {AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}
        [AM] 40. c:\winnt\system32\shlhook.dll
          Beijing Rising Technology Co., Ltd.
          shlhook Module
          .text,.rdata,.data,.rsrc,.reloc,




  + 用户登陆自运行项目
    + HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      RavTask
        [A ] 41. d:\progra~1\rising\rav\ravtask.exe
          Beijing Rising Technology Co., Ltd.
          RavTimer
          .text,.rdata,.data,.rsrc,


      IgfxTray
        [A ] 42. c:\winnt\system32\igfxtray.exe
          Intel Corporation
          igfxTray Module
          .text,.rdata,.data,.rsrc,




  + 映像劫持
    + HKCR\.mp3
      RealPlayer.MP3.6\open\Command
        [A ] 43. c:\program files\real\realplayer\realplay.exe
          RealNetworks, Inc.
          RealPlayer
          .text,.rdata,.data,.rsrc,





+ 正在运行的进程
  + 0000008c(140) smss.exe

  + 000000a4(164) csrss.exe

  + 000000b8(184) winlogon.exe
    77520000[00008000]
      [ M] 44. c:\winnt\system32\wdmaud.drv
        Microsoft Corporation
        WDM Audio driver mapper
        .text,.data,.rsrc,.reloc,


    773C0000[00008000]
      [ M] 45. c:\winnt\system32\msacm32.drv
        Microsoft Corporation
        Microsoft Sound Mapper
        .text,.data,.rsrc,.reloc,



  + 000000d4(212) services.exe

  + 000000e0(224) lsass.exe

  + 0000011c(284) conime.exe
    10000000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,



  + 00000194(404) svchost.exe

  + 000001cc(460) Ras.exe
    00400000[0013F000]
      [ M] 47. d:\progra~1\卡卡\ras.exe
        Beijing Rising Technology Co., Ltd.
        Rising AntiSpyware
        .text,.rdata,.data,.rsrc,


    780C0000[00061000]
      [ M] 48. c:\winnt\system32\msvcp60.dll
        Microsoft Corporation
        Microsoft (R) C++ Runtime Library
        .text,.rdata,.data,.rsrc,.reloc,


    10000000[000A3000]
      [ M] 49. d:\progra~1\卡卡\rasgui.dll
        Beijing Rising Technology Co., Ltd.
        RasGUI
        .text,.rdata,.data,.rsrc,.reloc,


    01670000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,



    379B0000[0008C000]
      [ M] 50. c:\program files\common files\microsoft shared\web folders\msonsext.dll
        .text,.data,.rsrc,.reloc,



  + 00000220(544) spoolsv.exe
    00DB0000[00005000]
      [ M] 51. c:\winnt\system32\spool\prtprocs\w32x86\vprproc.dll
        Windows (R) 2000 DDK provider
        Windows DDK Print DLL
        .text,.data,.rsrc,.reloc,



  + 00000248(584) svchost.exe
    63B50000[00034000]
      [ M] 52. c:\winnt\system32\unimdm.tsp
        Microsoft Corporation
        Unimodem 5 Service Provider
        .text,.data,.rsrc,.reloc,


    63BC0000[00008000]
      [ M] 53. c:\winnt\system32\kmddsp.tsp
        Microsoft Corporation
        TAPI Kernel-Mode Service Provider
        .text,.data,.rsrc,.reloc,


    63BB0000[0000C000]
      [ M] 54. c:\winnt\system32\ndptsp.tsp
        Microsoft Corporation
        NDIS Proxy TAPI Service Provider
        .text,.data,.rsrc,.reloc,


    63BD0000[00006000]
      [ M] 55. c:\winnt\system32\ipconf.tsp
        Microsoft Corporation
        Microsoft Multicast Conference TAPI Service Provider
        .text,.data,.rsrc,.reloc,


    63BE0000[00044000]
      [ M] 56. c:\winnt\system32\h323.tsp
        Microsoft Corporation
        Microsoft H.323 TAPI Service Provider
        .text,.data,.rsrc,.reloc,



  + 00000274(628) regsvc.exe

  + 00000288(648) MSTask.exe

  + 000002c4(708) WinMgmt.exe

  + 000002f4(756) svchost.exe

  + 000003a4(932) runiep.exe
    00400000[00013000]
      [ M] 57. d:\progra~1\卡卡\runiep.exe
        Beijing Rising Technology Co., Ltd.
        Rising AntiSpyware Monitor
        .text,.rdata,.data,.rsrc,


    00B20000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,



  + 000003ac(940) Explorer.EXE
    23000000[00056000]
      [ M] 58. c:\winnt\apppatch\aclayers.dll
        Microsoft Corporation
        Windows 2000 Shim Accessory DLL
        .text,.data,.CRT,.rsrc,.reloc,


    77520000[00008000]
      [ M] 44. c:\winnt\system32\wdmaud.drv
        Microsoft Corporation
        WDM Audio driver mapper
        .text,.data,.rsrc,.reloc,


    773C0000[00008000]
      [ M] 45. c:\winnt\system32\msacm32.drv
        Microsoft Corporation
        Microsoft Sound Mapper
        .text,.data,.rsrc,.reloc,


    10000000[00032000]
      [ M] 59. c:\winnt\system32\igfxpph.dll
        Intel Corporation
        igfxpph Module
        .text,.rdata,.data,.rsrc,.reloc,


    022A0000[0001D000]
      [ M] 60. c:\winnt\system32\hccutils.dll
        Intel Corporation
        hccutils Module
        .text,.rdata,.data,.rsrc,.reloc,


    022E0000[0008E000]
      [ M] 61. c:\winnt\system32\igfxres.dll
        Intel Corporation
        xxxxres Module
        .text,.rdata,.data,.rsrc,.reloc,


    02380000[00046000]
      [ M] 62. c:\winnt\system32\igfxsrvc.dll
        Intel Corporation
        igfxsrvc Module
        .text,.rdata,.data,.rsrc,.reloc,


    02810000[0001B000]
      [AM] 38. c:\winnt\system32\ravext.dll
        Beijing Rising Technology Co., Ltd.
        Rising Shell Ext Module
        .text,.rdata,.data,.rsrc,.reloc,


    02840000[00011000]
      [AM] 40. c:\winnt\system32\shlhook.dll
        Beijing Rising Technology Co., Ltd.
        shlhook Module
        .text,.rdata,.data,.rsrc,.reloc,


    02870000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,


    02BD0000[00019000]
      [ M] 63. d:\progra~1\rising\rav\ravscrch.dll
        Beijing Rising Technology Co., Ltd.
        RavScrCh Module
        .text,.rdata,.data,.rsrc,.reloc,


    69B10000[00115000]
      [ M] 64. c:\winnt\system32\msxml3.dll
        Microsoft Corporation
        MSXML 3.0 SP 3
        .text,.data,.rsrc,.reloc,


    23700000[0001A000]
      [ M] 65. d:\progra~1\rising\rav\rscommon.dll
        Beijing Rising Technology Co., Ltd.
        Rising Common Function Dynamic Link Library
        .text,.rdata,.data,.rsrc,.reloc,



  + 000003c8(968) RfwMain.exe
    00400000[00073000]
      [ M] 66. d:\progra~1\rising\rfw\rfwmain.exe
        Beijing Rising Technology Co., Ltd.
        Rising Personal FireWall Main Program
        .text,.rdata,.data,.rsrc,


    780C0000[00061000]
      [ M] 48. c:\winnt\system32\msvcp60.dll
        Microsoft Corporation
        Microsoft (R) C++ Runtime Library
        .text,.rdata,.data,.rsrc,.reloc,


    26600000[0007D000]
      [ M] 67. d:\progra~1\rising\rfw\rsguilib.dll
        Beijing Rising Technology Co., Ltd.
        Rising GUI Library Loader
        .text,.rdata,.data,.rsrc,.reloc,


    23700000[0001A000]
      [ M] 68. d:\progra~1\rising\rfw\rscommon.dll
        Beijing Rising Technology Co., Ltd.
        Rising Common Function Dynamic Link Library
        .text,.rdata,.data,.rsrc,.reloc,


    10000000[0000F000]
      [ M] 69. d:\progra~1\rising\rfw\rfwctrl.dll
        Beijing Rising Technology Co., Ltd.
        RfwCtrl DLL
        .text,.rdata,.data,.rsrc,.reloc,


    23800000[0001A000]
      [ M] 70. d:\progra~1\rising\rfw\rsxml.dll
        Beijing Rising Technology Co., Ltd.
        RsXML
        .text,.rdata,.data,.rsrc,.reloc,


    23900000[00031000]
      [ M] 71. d:\progra~1\rising\rfw\pngdll.dll
        Beijing Rising Technology Co., Ltd.
        Rising .Png File Loader Dynamic Link Library
        .text,.rdata,.data,.rsrc,.reloc,


    01860000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,



  + 000004ec(1260) internat.exe
    10000000[0001B000]
      [ M] 46. d:\progra~1\卡卡\ieprot.dll
        Beijing Rising Technology Co., Ltd.
        IE Protector
        .text,.rdata,.data,.rsrc,.reloc,





2007-09-07,21:20:52

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><internat.exe>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
    <RavTask><"D:\PROGRA~1\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <IgfxTray><C:\WINNT\system32\igfxtray.exe>  [Intel Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
    <Userinit><C:\WINNT\system32\Userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}><C:\WINNT\system32\shlhook.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer 访问><"%SystemRoot%\system32\shmgrate.exe" OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express 访问><"%SystemRoot%\system32\shmgrate.exe" OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <Address Book 5><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    <CRLUpdate><%SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl>  [N/A]

==================================
启动文件夹
N/A

==================================
服务
[81117A72 / 81117A72][Stopped/]
  <2 - 系统找不到指定的文件。
><N/A>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Rising Proxy  Service / RfwProxySrv][Running/Manual Start]
  <d:\progra~1\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <d:\progra~1\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"D:\PROGRA~1\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"D:\PROGRA~1\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[TENDA TEL8139D 10/100Mbps Fast Ethernet Adapter / ADM9X][Running/Manual Start]
  <system32\DRIVERS\ADM9X.sys><ADMtek Incorporated.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\ExpScan.sys><>
[HOOKAPI / HOOKAPI][Stopped/Manual Start]
  <\??\D:\PROGRA~1\RISING\RAV\HOOKAPI.SYS><瑞星软件有限公司>
[HookCont / HookCont][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[i81x / i81x][Running/Manual Start]
  <system32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\MEMSCAN.sys><Beijing Rising Technology Co., Ltd.>
[mProcRs / mProcRs][Running/Auto Start]
  <\??\d:\progra~1\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt][Stopped/Auto Start]
  <\??\D:\QQ2006\qq\npkcrypt.sys><N/A>
[nwupspx / nwupspx][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\nwupspx.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[WAN 微型端口 (PPP over Ethernet 协议) / RMSPPPOE][Running/Manual Start]
  <system32\DRIVERS\RMSPPPOE.SYS><Robert Schlabbach>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\D:\PROGRA~1\Rising\Rav\RSPPSYS.sys><Rising>
[TENDA 10/100/1000 NIC Family all in one NDIS NT Driver / RTL8023][Stopped/Manual Start]
  <system32\DRIVERS\Rtlnic.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[启动迅雷5]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <E:\Program Files\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[CPasswordEditCtrl Object]
  {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINNT\system32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <E:\Program Files\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[Vod Class]
  {EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <E:\Program Files\Thunder\Components\DownAndPlay\DapPlayer_Now.dll, XunLei>
[使用迅雷下载]
  <E:\Program Files\Thunder\Program\GetUrl.htm, N/A>
[使用迅雷下载全部链接]
  <E:\Program Files\Thunder\Program\GetAllUrl.htm, N/A>

==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 164][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 184][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6898]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
[PID: 212][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.6700]
    [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
[PID: 224][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.6902]
[PID: 404][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 544][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.6659]
    [C:\WINNT\system32\spool\PRTPROCS\W32X86\vprproc.dll]  [Windows (R) 2000 DDK provider, 5.00.2195.1620]
[PID: 584][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\unimdm.tsp]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\WINNT\system32\kmddsp.tsp]  [Microsoft Corporation, 5.00.2150.1]
    [C:\WINNT\system32\ndptsp.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\system32\ipconf.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\system32\h323.tsp]  [Microsoft Corporation, 5.00.2195.6901]
[PID: 628][C:\WINNT\system32\regsvc.exe]  [Microsoft Corporation, 5.00.2195.6701]
[PID: 648][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6704]
[PID: 708][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
[PID: 756][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 940][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\WINNT\AppPatch\AcLayers.DLL]  [Microsoft Corporation, 5.00.2195.6717]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\igfxpph.dll]  [Intel Corporation, 3,0,0,1757]
    [C:\WINNT\system32\hccutils.DLL]  [Intel Corporation, 3,0,0,1757]
    [C:\WINNT\system32\igfxres.dll]  [Intel Corporation, 3,0,0,1757]
    [C:\WINNT\system32\igfxsrvc.dll]  [Intel Corporation, 3,0,0,1757]
    [C:\WINNT\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\WINNT\system32\shlhook.dll]  [Beijing Rising Technology Co., Ltd., 4.0.0.9]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [D:\PROGRA~1\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINNT\system32\msxml3.dll]  [Microsoft Corporation, 8.30.9926.0]
    [D:\PROGRA~1\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.2.9]
    [E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 3, 11]
    [E:\Program Files\Thunder\Components\ResWorker\DsBho_00.dll]  [, 1, 0, 0, 4]
    [C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
    [E:\Program Files\Thunder\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 6]
[PID: 968][d:\progra~1\rising\rfw\RfwMain.exe]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
    [C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
    [d:\progra~1\rising\rfw\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
    [d:\progra~1\rising\rfw\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [d:\progra~1\rising\rfw\RfwCtrl.dll]  [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
    [d:\progra~1\rising\rfw\RsXML.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
    [d:\progra~1\rising\rfw\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 1260][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 932][D:\PROGRA~1\卡卡\runiep.exe]  [Beijing Rising Technology Co., Ltd., 4.0.0.18]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 284][C:\WINNT\system32\conime.exe]  [Microsoft Corporation, 5.00.2195.6655]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
[PID: 888][D:\下载专用包\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [D:\PROGRA~1\卡卡\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 12]
    [D:\下载专用包\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [D:\下载专用包\sreng2\Plugins\NTFSTREAM.SRE]  [Smallfrogs Studio, 1, 0, 0, 5]
    [C:\WINNT\system32\MSISIP.DLL]  [Microsoft Corporation, 2.0.2600.1183]
    [C:\WINNT\system32\wshCHS.DLL]  [Microsoft Corporation, 5.6.0.6626]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 932, D:\PROGRA~1\卡卡\RUNIEP.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================



Nobody is going to tell me?

Please tell me soon!

Moderators, please help. I'm worried it wasn't removed completely.

You're really cold. Even if everything is normal, at least tell me so.