最近我想修改一下保存过的文档,可是就是无法编辑,想删掉一些字就会出现提示,“无法使用此命令 因为此文档已经锁定”;想移动一些字就会出现提示,“此命令无效 因为使用此应用程序的许可许可协议已经过期”,我百思不得其解,就询问相关人员,他们猜测有可能是震荡波。
我用的是盗版offce XP,其中一个文件夹里莫名其妙的多了一个名img的文件夹,还多了两个隐藏文件,文件名是“$”打头。
我已在安全模式下用震荡波专杀工具扫描过了,查不出来有什么病毒。
以下是我用瑞星听诊器扫描的结果
自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
helper.dll = C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
CnsMin = Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
dl_accel = C:\Program Files\3721\Dlaccel\YDownloader.exe
RavTimer = C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
RavMon = C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
TkBellExe = rem "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\RunOnce
3721AutoRepair = C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\Assist\repair.dll,Rundll32
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll =
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellService
ObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\system32\webcheck.dll
SysTray = C:\WINDOWS\system32\st
object.dll
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\system32\browseui.dll= Browseui 预加载程序
%SystemRoot%\system32\browseui.dll= 组件类别缓存程序
SYSTEM.INI BOOT SHELL Explorer.exe
SYSTEM.INI BOOT SCRNSAVE.EXE C:\WINDOWS\system32\RAVSS.SCR
其他相关项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> Berry Gordy
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> Berry Gordy
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,
Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
进程列表
[System Process]
System
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3721\ske\TrojanAssistant.exe
D:\瑞星听诊器\RavDetect.exe
进程详细信息
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\dmserver.dll (made by Microsoft Corp.)
附件:
5390842005731190808.gif