Rising Kaka Security Forum

Infected with a worm that can't be killed, please help!
gory - 2005-12-25 18:16:00
services.exe in the process list is using over 90% CPU, and the process cannot be terminated.
I can't find it in the registry either.
The only thing there is an "imagepath"=%system%/system32/services.exe entry that can't be deleted.
gory - 2005-12-25 18:58:00
ding !
NetBurst - 2005-12-25 19:12:00
Use IceSword to kill the process.
That's the fastest and most effective way.
gory - 2005-12-25 23:08:00
Killed it, and the machine shut down! System Idle... CPU usage 0.
services CPU usage 90-99, all the other processes are low,
and it can't be killed; can't find it in the registry.
gory - 2005-12-25 23:13:00
Ran a full scan with Rising, no reaction at all, it finds nothing. After the services process is killed the machine gets fast, damn, but 1 minute later it shuts down! Can't find the infected file, frustrating!
不言放弃 - 2005-12-26 8:08:00
Export a log with HijackThis.
gory - 2005-12-26 22:03:00
I don't know how. I stopped 2 services related to services.exe, Event Log and Plug and Play, and now the machine works fine, except Device Manager can't enumerate the hardware and the USB ports don't work! help!!!!! Rising finds nothing! No reaction at all~
gory - 2005-12-26 22:15:00
I stopped 2 services related to services.exe; can you see the problem in the exported log?
Logfile of HijackThis v1.99.1
Scan saved at 22:32:02, on 2005-12-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\TopGhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\桌面文件\工具\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\Program Files\Yahoo!\Assistant\Assist\yphtb.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\Yahoo!\Assistant\Assist\yAngling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: BHelper - {8A4280AD-9B37-4922-A51D-73F3C3A32AF7} - C:\WINDOWS\System32\msibm\cfsbho.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\drivers\inf\bands.dll (file missing)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: Infofo 工具栏 - {D74EC18E-3DDD-4174-B1B1-949FE3B8366D} - C:\Program Files\Infofo Bar\infofobar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Infofo 工具栏 - {D74EC18E-3DDD-4174-B1B1-949FE3B8366D} - C:\Program Files\Infofo Bar\infofobar.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINDOWS\System32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\RunServices: [SystemRunOn] C:\WINDOWS\system32\sysconfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] TopGhost.exe
O8 - Extra context menu item: ★ Sooe创业投资指南 ★ - http://www.sooe.cn/shortcut/shortcut.asp
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/246
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_5460_5411 (file missing)
O9 - Extra button: 搜易网 - {0C70DDB5-C059-4FDC-9C86-08DDB82B2056} - http://www.sooe.cn/shortcut/shortcut.asp (file missing)
O9 - Extra button: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/?source=Cns (file missing)
O9 - Extra button: Infofo 工具栏 - {8507326C-B5C1-4559-BB91-0919E753836F} - C:\Program Files\Infofo Bar\infofobar.dll
O9 - Extra 'Tools' menuitem: Infofo 工具栏 - {8507326C-B5C1-4559-BB91-0919E753836F} - C:\Program Files\Infofo Bar\infofobar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [!CNS]  网络实名
O11 - Options group: [CDNCLIENT]  中文上网
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

天天泡泡 - 2005-12-26 22:51:00
Event Log and Plug and Play are both core WinXP services and must not be stopped, otherwise inexplicable problems will follow.

The problem should be in these three files:
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINDOWS\System32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\RunServices: [SystemRunOn] C:\WINDOWS\system32\sysconfig.exe
O4 - HKCU\..\Run: [] TopGhost.exe
Back them up, then fix these three items and delete the files; please zip the three backed-up files and send them to fangrensong@yahoo.com.cn
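As an added illustration (not part of the original thread, and not HijackThis or Rising code), here is a small Python script that applies the same kind of triage 天天泡泡 did by eye to the O4 autostart entries of a HijackThis log. The heuristics it uses are assumptions of this example: an empty entry name, the Win9x-era RunServices key, a bare filename with no path, an image inside a subfolder of system32, and a DLL loaded through RUNDLL32. The sample lines are copied from the log posted earlier in this thread, and the result is a list of entries worth checking, not a verdict (legitimate entries such as the ATI one also use bare filenames).

```python
import re
from dataclasses import dataclass, field

# HijackThis O4 autostart lines look like:
#   O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')

# Sample input: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINDOWS\System32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\RunServices: [SystemRunOn] C:\WINDOWS\system32\sysconfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [] TopGhost.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
"""


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    flags: list = field(default_factory=list)


def parse_o4(line):
    """Return an Autostart for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return Autostart(*m.groups()) if m else None


def image_path(command):
    """Extract the file the entry really runs: the quoted or first token,
    or, for RUNDLL32 entries, the DLL that rundll32 is told to load."""
    cmd = command.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if not parts:
        return ''
    if parts[0].lower() in ('rundll32', 'rundll32.exe') and len(parts) > 1:
        return parts[1].split(',')[0]
    return parts[0]


def triage(entry):
    """Attach heuristic flags (assumptions of this example) to one O4 entry."""
    path = image_path(entry.command)
    first = entry.command.strip().split()[:1]
    if entry.name == '':
        entry.flags.append('empty entry name')
    if entry.key.lower() == 'runservices':
        entry.flags.append('RunServices key (Win9x-era key, unusual for XP software)')
    if '\\' not in path:
        entry.flags.append('bare filename, resolved through the search path')
    if re.search(r'\\system32\\[^\\]+\\', path.lower()):
        entry.flags.append('image inside a subfolder of system32')
    if first and first[0].lower() in ('rundll32', 'rundll32.exe'):
        entry.flags.append('DLL loaded via RUNDLL32')
    return entry


def triage_log(text):
    """Return the O4 entries that picked up at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry and triage(entry).flags:
            flagged.append(entry)
    return flagged


def missing_file_entries(text):
    """Lines HijackThis itself marked as pointing at nothing: orphaned
    registrations worth cleaning up, even if they are not the active infection."""
    return [l for l in text.splitlines() if '(no file)' in l or '(file missing)' in l]


if __name__ == '__main__':
    for e in triage_log(SAMPLE_LOG):
        print(f'{e.hive}\\..\\{e.key} [{e.name}] {e.command}')
        for f in e.flags:
            print('    -', f)
    print('orphaned entries:', len(missing_file_entries(SAMPLE_LOG)))
```

Run against the sample, the script singles out exactly the three entries named above (mscfs, SystemRunOn and the nameless TopGhost.exe) and leaves the Rising, ctfmon and ATI entries alone; the orphaned "(no file)" / "(file missing)" lines are reported separately because they are cleanup, not the cause of the CPU load.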
gory - 2005-12-26 23:21:00
C:\WINDOWS\system32\sysconfig.exe
I can't find this file.
gory - 2005-12-26 23:21:00
The rest have been zipped and sent.
时代中安伤心 - 2005-12-26 23:44:00
Doesn't safe mode work?
gory - 2005-12-27 7:17:00
No.
棕榈叶 - 2005-12-27 8:13:00
Please run the antivirus under DOS, though I don't know whether it will help. I have Rising 18.07.02 and Jiangmin 12.25 on my net disk.
gory - 2005-12-27 8:28:00
XP doesn't come with DOS, and I don't have a boot disk of my own.
gory - 2005-12-27 8:56:00
[Reply to 天天泡泡's post]
Doesn't work, no use.
gory - 2005-12-27 10:45:00
I stopped 1 service related to services.exe, Plug and Play; it works now, except the USB ports can't be used.
弃魂 - 2005-12-27 11:01:00
Pay attention to "imagepath".
亚马逊 - 2005-12-27 11:22:00
If it really can't be solved, report it to Rising.
gory - 2005-12-27 13:32:00
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 93.27 | |
Interrupts | n/a | | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | 0.96 | |
  SMSS.EXE | 584 | | Windows NT Session Manager | Microsoft Corporation
  CSRSS.EXE | 652 | | Client Server Runtime Process | Microsoft Corporation
  WINLOGON.EXE | 676 | | Windows NT Logon Application | Microsoft Corporation
    SERVICES.EXE | 724 | 2.88 | Services and Controller app | Microsoft Corporation
    SVCHOST.EXE | 892 | | Generic Host Process for Win32 Services | Microsoft Corporation
      TIMPlatform.exe | 184 | | TIMPlatform | tencent
    CCenter.exe | 992 | | CCenter | Beijing Rising Technology Co., Ltd.
    SVCHOST.EXE | 1008 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1216 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1248 | | Generic Host Process for Win32 Services | Microsoft Corporation
    RavMonD.exe | 1260 | | RavMond | Beijing Rising Technology Co., Ltd.
      RavStub.exe | 1548 | | Rising RavStub | Beijing Rising Technology Co., Ltd.
    rfwsrv.exe | 1312 | | Rising Personal FireWall Service | Beijing Rising Technology Co., Ltd.
      RFWMAIN.EXE | 632 | | Rising Personal FireWall Main Program | Beijing Rising Technology Co., Ltd.
    SPOOLSV.EXE | 1624 | | Spooler SubSystem App | Microsoft Corporation
    ATI2EVXX.EXE | 1724 | | |
    SVCHOST.EXE | 1780 | | Generic Host Process for Win32 Services | Microsoft Corporation
    LSASS.EXE | 736 | | LSA Shell (Export Version) | Microsoft Corporation
EXPLORER.EXE | 572 | | Windows Explorer | Microsoft Corporation
ATIPTAXX.EXE | 964 | | ATI Desktop Control Panel | ATI Technologies, Inc.
SynTPLpr.exe | 972 | | TouchPad Driver Helper Application | Synaptics, Inc.
SynTPEnh.exe | 980 | | Synaptics TouchPad Enhancements | Synaptics, Inc.
RavTask.exe | 1028 | | RavTimer | Beijing Rising Technology Co., Ltd.
  RavMon.exe | 1072 | | RavMon | Beijing Rising Technology Co., Ltd.
  iexplore.exe | 1824 | | Internet Explorer | Microsoft Corporation
CTFMON.EXE | 1076 | | CTF Loader | Microsoft Corporation
MSMSGS.EXE | 1148 | | Messenger | Microsoft Corporation
POWERPNT.EXE | 940 | | |
iexplore.exe | 196 | | Internet Explorer | Microsoft Corporation
regedit.exe | 636 | | Registry Editor | Microsoft Corporation
procexp.exe | 1604 | 2.88 | Sysinternals Process Explorer | Sysinternals
QQ.EXE | 524 | | QQ | TENCENT

Process: SERVICES.EXE Pid: 724

Type | Name
Desktop | \Default
Directory | \Windows
Directory | \BaseNamedObjects
Directory | \KnownDlls
Event | \BaseNamedObjects\SC_AutoStartComplete
Event | \BaseNamedObjects\SvcctrlStartEvent_A3752DX
Event | \BaseNamedObjects\ScNetDrvMsg
Event | \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event | \BaseNamedObjects\userenv:  User Profile setup event
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\scerpc
File | \Device\NamedPipe\scerpc
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe1
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe2
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe3
File | \Device\NamedPipe\net\NtControlPipe0
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe4
File | \Device\NamedPipe\net\NtControlPipe5
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe6
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe7
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe8
File | \Device\NamedPipe\net\NtControlPipe9
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\net\NtControlPipe10
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\ntsvcs
File | C:\WINDOWS\system32\
Key | HKLM\SYSTEM\ControlSet003\Control\NetworkProvider\Order
Key | HKLM\SYSTEM\ControlSet003\Control\ServiceGroupOrder
Key | HKLM
Key | HKLM\SYSTEM\ControlSet003\Control\ServiceCurrent
Key | HKU
Key | HKU\S-1-5-20
Key | HKU\S-1-5-19
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Locale
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Locale\Alternate Sorts
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Language Groups
Key | HKLM\SYSTEM\ControlSet003\Enum
Key | HKLM\SYSTEM\ControlSet003\Services
Key | HKLM\SYSTEM\ControlSet003\Control\Class
Key | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage
KeyedEvent | \KernelObjects\CritSecOutOfMemoryEvent
Mutant | \BaseNamedObjects\ShimCacheMutex
Port | \RPC Control\ntsvcs
Process | SVCHOST.EXE(892)
Process | CCenter.exe(992)
Process | SVCHOST.EXE(1008)
Process | SVCHOST.EXE(1216)
Process | (1248)
Process | RavMonD.exe(1260)
Process | (1312)
Process | (1624)
Process | (1724)
Process | SVCHOST.EXE(1780)
Section | \BaseNamedObjects\ShimSharedMemory
Thread | SERVICES.EXE(724): 792
Thread | SERVICES.EXE(724): 800
Thread | SERVICES.EXE(724): 804
Thread | SERVICES.EXE(724): 868
Thread | SERVICES.EXE(724): 872
Thread | SERVICES.EXE(724): 876
Thread | SERVICES.EXE(724): 880
Thread | SERVICES.EXE(724): 864
Thread | SERVICES.EXE(724): 888
Thread | SERVICES.EXE(724): 1052
Thread | SERVICES.EXE(724): 1468
Thread | SERVICES.EXE(724): 2020
Token | NT AUTHORITY\NETWORK SERVICE
Token | NT AUTHORITY\LOCAL SERVICE
WindowStation | \Windows\WindowStations\Service-0x0-3e7$
WindowStation | \Windows\WindowStations\Service-0x0-3e7$
gory - 2005-12-27 13:36:00
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 86.54 | |
Interrupts | n/a | 0.96 | Hardware Interrupts |
DPCs | n/a | 1.92 | Deferred Procedure Calls |
System | 4 | | |
  SMSS.EXE | 584 | | Windows NT Session Manager | Microsoft Corporation
  CSRSS.EXE | 652 | | Client Server Runtime Process | Microsoft Corporation
  WINLOGON.EXE | 676 | | Windows NT Logon Application | Microsoft Corporation
    SERVICES.EXE | 724 | 2.88 | Services and Controller app | Microsoft Corporation
    SVCHOST.EXE | 892 | | Generic Host Process for Win32 Services | Microsoft Corporation
      TIMPlatform.exe | 184 | | TIMPlatform | tencent
    CCenter.exe | 992 | | CCenter | Beijing Rising Technology Co., Ltd.
    SVCHOST.EXE | 1008 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1216 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 1248 | | Generic Host Process for Win32 Services | Microsoft Corporation
    RavMonD.exe | 1260 | 0.96 | RavMond | Beijing Rising Technology Co., Ltd.
      RavStub.exe | 1548 | | Rising RavStub | Beijing Rising Technology Co., Ltd.
    rfwsrv.exe | 1312 | | Rising Personal FireWall Service | Beijing Rising Technology Co., Ltd.
      RFWMAIN.EXE | 632 | | Rising Personal FireWall Main Program | Beijing Rising Technology Co., Ltd.
    SPOOLSV.EXE | 1624 | | Spooler SubSystem App | Microsoft Corporation
    ATI2EVXX.EXE | 1724 | | |
    SVCHOST.EXE | 1780 | | Generic Host Process for Win32 Services | Microsoft Corporation
    LSASS.EXE | 736 | | LSA Shell (Export Version) | Microsoft Corporation
EXPLORER.EXE | 572 | | Windows Explorer | Microsoft Corporation
ATIPTAXX.EXE | 964 | | ATI Desktop Control Panel | ATI Technologies, Inc.
SynTPLpr.exe | 972 | | TouchPad Driver Helper Application | Synaptics, Inc.
SynTPEnh.exe | 980 | 0.96 | Synaptics TouchPad Enhancements | Synaptics, Inc.
RavTask.exe | 1028 | | RavTimer | Beijing Rising Technology Co., Ltd.
  RavMon.exe | 1072 | | RavMon | Beijing Rising Technology Co., Ltd.
  iexplore.exe | 1824 | | Internet Explorer | Microsoft Corporation
CTFMON.EXE | 1076 | | CTF Loader | Microsoft Corporation
MSMSGS.EXE | 1148 | | Messenger | Microsoft Corporation
POWERPNT.EXE | 940 | | |
iexplore.exe | 196 | 0.96 | Internet Explorer | Microsoft Corporation
regedit.exe | 636 | | Registry Editor | Microsoft Corporation
procexp.exe | 1604 | 4.81 | Sysinternals Process Explorer | Sysinternals
NOTEPAD.EXE | 1860 | | 记事本 | Microsoft Corporation
QQ.EXE | 524 | | QQ | TENCENT

Process: SERVICES.EXE Pid: 724

Name | Description | Company Name | Version
advapi32.dll | Advanced Windows 32 Base API | Microsoft Corporation | 5.01.2600.1106
authz.dll | Authorization Framework | Microsoft Corporation | 5.01.2600.0000
ctype.nls | | |
gdi32.dll | GDI Client DLL | Microsoft Corporation | 5.01.2600.1106
imm32.dll | Windows XP IMM32 API Client DLL | Microsoft Corporation | 5.01.2600.1106
kernel32.dll | Windows NT BASE API Client DLL | Microsoft Corporation | 5.01.2600.1106
locale.nls | | |
lpk.dll | Language Pack | Microsoft Corporation | 5.01.2600.0000
msvcrt.dll | Windows NT CRT DLL | Microsoft Corporation | 7.00.2600.1106
ncobjapi.dll | | Microsoft Corporation | 5.01.2600.1106
netapi32.dll | Net Win32 API DLL | Microsoft Corporation | 5.01.2600.1106
ntdll.dll | NT Layer DLL | Microsoft Corporation | 5.01.2600.1106
rpcrt4.dll | Remote Procedure Call Runtime | Microsoft Corporation | 5.01.2600.1106
scesrv.dll | Windows Security Configuration Editor Engine | Microsoft Corporation | 5.01.2600.1106
secur32.dll | Security Support Provider Interface | Microsoft Corporation | 5.01.2600.1106
services.exe | Services and Controller app | Microsoft Corporation | 5.01.2600.0000
sortkey.nls | | |
sorttbls.nls | | |
umpnpmgr.dll | User-mode Plug-and-Play Service | Microsoft Corporation | 5.01.2600.1106
unicode.nls | | |
user32.dll | Windows XP USER API Client DLL | Microsoft Corporation | 5.01.2600.1106
userenv.dll | Userenv | Microsoft Corporation | 5.01.2600.1106
usp10.dll | Uniscribe Unicode script processor | Microsoft Corporation | 1.409.2600.1106
winsta.dll | Winstation Library | Microsoft Corporation | 5.01.2600.1106
gory - 2005-12-27 13:45:00
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Locale
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Locale\Alternate Sorts
Key | HKLM\SYSTEM\ControlSet003\Control\Nls\Language Groups
Key | HKLM\SYSTEM\ControlSet003\Enum
Key | HKLM\SYSTEM\ControlSet003\Services
Key | HKLM\SYSTEM\ControlSet003\Control\Class
After I enable the plugplay service and use Process Explorer to look at the handles belonging to services.exe, red entries pop up in the middle of the list above,
for example:
Key | HKLM\SYSTEM\ControlSet003\Enum\root\
Key | HKLM\SYSTEM\ControlSet003\Enum\usb\root
Key | HKLM\SYSTEM\ControlSet003\Enum\usbstore\root
as well as registry entries under the HKLM\SYSTEM\ControlSet003\Enum\usb\root directory,
and sometimes also HKLM\SYSTEM\ControlSet003\Enum\PIC or
HKLM\SYSTEM\ControlSet003\Enum\API and so on.


gory - 2005-12-27 13:59:00
I've searched for a long time, Rising shows no reaction, and going through the scan results myself I couldn't find any suspicious file either. Could a hardware problem make services.exe in the process list
use 90-99% CPU?
After I enable the plugplay service the CPU stays at 100% and the computer is basically unusable;
after disabling it things are basically normal, except the Device Manager list won't refresh and USB sometimes works and sometimes doesn't.
And the sound is gone too!
棕榈叶 - 2005-12-27 14:01:00
I boot from a Win98 boot disk; there's one on my net disk.
gory - 2005-12-28 7:15:00
Doesn't work, all I can do is bump!
不言放弃 - 2005-12-28 7:49:00
Kill the following process:
C:\WINDOWS\System32\TopGhost.exe

Fix:
O2 - BHO: BHelper - {8A4280AD-9B37-4922-A51D-73F3C3A32AF7} - C:\WINDOWS\System32\msibm\cfsbho.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\drivers\inf\bands.dll (file missing)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: Infofo 工具栏 - {D74EC18E-3DDD-4174-B1B1-949FE3B8366D} - C:\Program Files\Infofo Bar\infofobar.dll
O3 - Toolbar: Infofo 工具栏 - {D74EC18E-3DDD-4174-B1B1-949FE3B8366D} - C:\Program Files\Infofo Bar\infofobar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\RunServices: [SystemRunOn] C:\WINDOWS\system32\sysconfig.exe
O4 - HKCU\..\Run: [] TopGhost.exe
O9 - Extra button: Infofo 工具栏 - {8507326C-B5C1-4559-BB91-0919E753836F} - C:\Program Files\Infofo Bar\infofobar.dll
O9 - Extra 'Tools' menuitem: Infofo 工具栏 - {8507326C-B5C1-4559-BB91-0919E753836F} - C:\Program Files\Infofo Bar\infofobar.dll

Uninstall:
C:\Program Files\Infofo Bar

Delete:
the C:\Program Files\Infofo Bar folder
C:\WINDOWS\System32\msibm\cfsbho.dll
C:\WINDOWS\system32\sysconfig.exe
C:\WINDOWS\System32\TopGhost.exe