liujun112 - 2006-3-17 15:10:00
Help! A virus can't be deleted, see the picture. Waiting online, thanks in advance!
Attachment:
6708732006317151042.JPG
不言放弃 - 2006-3-17 16:20:00
[Reply to liujun112's post]
What software is C:\Program Files\wwrvsxww\?
If you didn't install it yourself,
it may well be a spyware program.
果冻·布丁 - 2006-3-17 16:29:00
It's packed; run a log scan and let's take a look.
不饿的狼子野心 - 2006-3-17 17:04:00
Can you boot into safe mode? If so:
Temporary workaround:
-------------------------
In safe mode, open the directory C:\Program Files.
Find the wwrvsxww directory, right-click it, Properties, Security, Advanced, untick "Allow inheritable permissions from parent", Remove, OK.
Reboot.
That way nobody has permission to run it. Use the machine like this for now, and once the antivirus has updated you can clean it then.
liujun112 - 2006-3-17 20:44:00
Log
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<BitComet><; "e:\Program Files\BitComet\BitComet.exe">
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HTpatch><C:\WINDOWS\htpatch.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SiSUSBRG><C:\WINDOWS\SiSUSBrg.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<nwiz><nwiz.exe /install>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Microsoft Update Machine><Winreg32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ats><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<eEVGV1Ew><C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Cmaudio><RunDll32 cmicnfg.cpl,CMICtrlWnd>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TkBellExe><C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<MSPY2002><C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMEKRMIG6.1><C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SKYNET Personal FireWall><E:\PROGRA~1\SKYNET\FIREWALL\pfw.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BootSkin Startup Jobs><; "E:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<bwFGTo1x><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<cFosSpeed><; E:\Program Files\cfosspeed\cFosSpeed.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<cgVGVcUw><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<DAEMON Tools-2052><; "E:\Program Files\D-Tools\daemon.exe" -lang 2052>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<helper.dll><; C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NeroCheck><; C:\WINDOWS\System32\\NeroCheck.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<QgpHYsUw><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RQ0HQ9Ux><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<VirtualDrive><; E:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore /Silence>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<winnet><; C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<Microsoft Update Machine><Winreg32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>
==================================
Startup folder
Services
[cFosSpeed System Service / cFosSpeedS]
<"E:\Program Files\cfosspeed\spd.exe" -service><cFos Software GmbH>
[CPUCooLServer Service / CPUCooLServer]
<"E:\Program Files\CPUCooL\CooLSrv.exe"><N/A>
[kavsvc / kavsvc]
<e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe><Kaspersky Lab>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[PC-cillin PersonalFirewall / PCCPFW]
<E:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe><N/A>
[Trend NT Realtime Service / Tmntsrv]
<"E:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe"><N/A>
==================================
Browser add-ons
[BabeIE]
{00000000-0000-0000-0000-000000000000} <C:\Program Files\CommonName\AddressBar\CNBabe.dll, N/A>
[MyWay Search Assistant BHO]
{04079851-5845-4dea-848C-3ECD647AA554} <C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL, N/A>
[myBar BHO]
{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} <C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL, N/A>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[]
{724d43a9-0d85-11d4-9908-00400523e39a} <C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll, Siber Systems>
[IeCatch2 Class]
{A5366673-E8CA-11D3-9CD9-0090271D075B} <E:\PROGRA~1\FLASHGET\jccatch.dll, Amaze Soft>
[Fill Forms]
{320AF880-6646-11D3-ABEE-C5DBF3571F46} <, N/A>
[Save]
{320AF880-6646-11D3-ABEE-C5DBF3571F49} <, N/A>
[RoboForm]
{724d43aa-0d85-11d4-9908-00400523e39a} <, N/A>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, Microsoft Corporation>
[&RoboForm]
{724d43a0-0d85-11d4-9908-00400523e39a} <C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll, Siber Systems>
[&SearchBar]
{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} <C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL, N/A>
[Radio(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[BitCometBar]
{3F1ABCDB-A875-46c1-8345-B72A4567E486} <e:\Program Files\BitComet\BitCometBar\BitCometBar0.2.dll, N/A>
[PowerPlr Control]
{2354A44B-3CEB-4829-9940-545B03103538} <C:\WINDOWS\DOWNLO~1\PowerPlr.ocx, Powerise Digital>
[WebActivater Control]
{3D8F74EE-8692-4F8F-B8D2-7522E732519E} <C:\WINDOWS\DOWNLO~1\WEBACT~1.OCX, QQ>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\macromed\flash\Flash.ocx, Macromedia, Inc.>
[PowerDld Control]
{DF6FE46D-1D23-4668-AD3A-CDEA1262B282} <C:\WINDOWS\DOWNLO~1\PowerDld.ocx, Powerise Digital>
[!Search(&S)]
<res://C:\Program Files\yisou\yisou.dll/232, N/A>
[Save Forms(&[)]
<file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html, N/A>
[Fill Forms(&])]
<file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html, N/A>
[Customize Menu &M]
<file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html, N/A>
liujun112 - 2006-3-17 20:45:00
==================================
Running processes
[PID: 712][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 812][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 836][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.1557 (xpsp2_gdr.040517-1325)>
[PID: 880][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 892][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 1056][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1156][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1332][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1556][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1564][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
[E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll] <Siber Systems><6-1-4>
[E:\PROGRA~1\FLASHGET\jccatch.dll] <Amaze Soft><1, 1, 4, 0>
[E:\PROGRA~1\DVDIDL~1\DVDShell.dll] <Fengtao Software><3, 3, 5, 6>
[PID: 1688][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.1699 (xpsp2.050610-1533)>
[PID: 1912][C:\WINDOWS\htpatch.exe] <N/A><N/A>
[C:\WINDOWS\WINIO.dll] <http://www.internals.com><2.0>
[PID: 1952][C:\WINDOWS\System32\RunDll32.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[C:\WINDOWS\system\cmicnfg.cpl] <C-Media Corporation><1, 0, 0, 17>
[PID: 1960][C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe] <RealNetworks, Inc.><0.1.0.880>
[PID: 2032][E:\PROGRA~1\SKYNET\FIREWALL\pfw.exe] <天网><2.7.3.1104>
[E:\PROGRA~1\SKYNET\FIREWALL\SKYMISC.DLL] <N/A><N/A>
[E:\PROGRA~1\DVDIDL~1\DVDShell.dll] <Fengtao Software><3, 3, 5, 6>
[PID: 176][C:\WINDOWS\System32\ctfmon.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 212][C:\WINDOWS\System32\alg.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 232][E:\Program Files\cfosspeed\spd.exe] <cFos Software GmbH><2.12.1034>
[PID: 260][E:\Program Files\CPUCooL\CooLSrv.exe] <N/A><N/A>
[PID: 376][C:\WINDOWS\System32\nvsvc32.exe] <NVIDIA Corporation><6.14.10.7184>
[C:\WINDOWS\System32\NVRSZHC.DLL] <NVIDIA Corporation><6.14.10.7184>
[PID: 608][C:\WINDOWS\System32\wdfmgr.exe] <Microsoft Corporation><5.2.3790.1230 built by: dnsrv(bld4act)>
[PID: 304][C:\WINDOWS\System32\wuauclt.exe] <Microsoft Corporation><5.8.0.2469 built by: lab01_n(wmbla)>
[PID: 580][C:\Documents and Settings\w\桌面\sreng2\SREng.exe] <Smallfrogs Studio><2.0.12.350>
[PID: 780][E:\Program Files\Maxthon\Maxthon.exe] <Maxthon International Ltd.><1, 5, 2, 21>
[E:\Program Files\Maxthon\maxzlib.dll] < ><1, 0, 0, 2>
[C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll] <Siber Systems><6-1-4>
[E:\Program Files\Maxthon\Services\RealTime\real_time.dll] <><1, 0, 0, 1>
[e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpscrch.dll] <Kaspersky Lab><1.0.142.342>
[C:\WINDOWS\System32\macromed\flash\Flash.ocx] <Macromedia, Inc.><7,0,19,0>
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR Error. [AutoCADScriptFile]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
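果冻·布丁 asked for a log scan; once a dump like the one above is in hand, the reading of it can be made mechanical. The following Python script is an added example by the editor, not something posted in the thread. It parses the SREng format shown above and applies four review heuristics: several Run entries under different value names all launching one file; Run values that name a bare file with no directory, so the loader finds it by PATH search; empty Run/RunServices values; and processes or loaded modules that carry no company and no version information. The embedded input is a shortened excerpt of the log above; the rules and the alias threshold are the editor's assumptions, and every hit is a lead to check by hand, not a verdict.

```python
"""Triage heuristics over an SREng-style startup/process log (editor's added example)."""
import re
from collections import defaultdict

# Shortened excerpt of the log posted in this thread; the line format is kept verbatim.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<nwiz><nwiz.exe /install>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Microsoft Update Machine><Winreg32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ats><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<eEVGV1Ew><C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Cmaudio><RunDll32 cmicnfg.cpl,CMICtrlWnd>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<bwFGTo1x><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<DAEMON Tools-2052><; "E:\Program Files\D-Tools\daemon.exe" -lang 2052>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<helper.dll><; C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RQ0HQ9Ux><; C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<Microsoft Update Machine><Winreg32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>
[PID: 1912][C:\WINDOWS\htpatch.exe] <N/A><N/A>
[C:\WINDOWS\WINIO.dll] <http://www.internals.com><2.0>
[PID: 260][E:\Program Files\CPUCooL\CooLSrv.exe] <N/A><N/A>
[E:\PROGRA~1\SKYNET\FIREWALL\SKYMISC.DLL] <N/A><N/A>
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r"^<([^>]*)><(.*)>$")
PROC_RE = re.compile(r"^(?:\[PID: (\d+)\])?\[([^\]]+)\] <([^>]*)><([^>]*)>$")
HOSTS = {"rundll32", "rundll32.exe"}  # host launchers: their argument is the real payload

def split_command(value):
    """Split a Run value into (executable, arguments); SREng prefixes some values with '; '."""
    cmd = value.strip().lstrip(";").strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def target_of(value):
    """What the entry really loads: the executable, or the DLL when rundll32 is the host."""
    exe, args = split_command(value)
    if exe.lower().rsplit("\\", 1)[-1] in HOSTS and args:
        return args.split(",", 1)[0].strip().strip('"')
    return exe

def is_bare(path):
    """True when only a file name is given, so Windows locates it by PATH search."""
    return bool(path) and not any(sep in path for sep in ("\\", "/", ":"))

def triage(log_text, min_aliases=3):
    """Apply four review heuristics and return hits grouped by rule name."""
    findings = {"same_target": [], "bare_filename": [], "empty_run": [], "no_version_info": []}
    names_by_target = defaultdict(set)
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current_key:
            name, value = val.groups()
            if not value.strip():
                # An empty Run/RunServices value is unusual; empty load/AppInit_DLLs is normal.
                if current_key.rsplit("\\", 1)[-1].lower().startswith("run"):
                    findings["empty_run"].append((current_key, name))
                continue
            target = target_of(value)
            names_by_target[target.lower()].add(name)
            if is_bare(target):
                findings["bare_filename"].append((name, target))
            continue
        proc = PROC_RE.match(line)
        if proc and proc.group(3) == "N/A" and proc.group(4) == "N/A":
            # Process or module with neither company nor version resource: unusual for vendor code.
            findings["no_version_info"].append(proc.group(2))
    for target, names in names_by_target.items():
        if len(names) >= min_aliases:
            # Several differently named entries launching one file: classic persistence padding.
            findings["same_target"].append((target, sorted(names)))
    return findings

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule, hits)
```

Run the file directly to print the findings for the embedded excerpt, or pass your own dump to triage(). On this excerpt the alias rule groups the three differently named entries that all point at C:\PROGRA~1\wwrvsxww\aEwDH8BM.exe, the same directory the first reply asked about, while legitimate rundll32 entries are attributed to the DLL they load rather than to rundll32 itself.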
liujun112 - 2006-3-17 20:48:00
liujun112 - 2006-3-17 20:55:00
| Quote: |
[不饿的狼子野心's post] Can you boot into safe mode? If so: Temporary workaround: -------------------------
In safe mode, open the directory C:\Program Files. Find the wwrvsxww directory, right-click it, Properties, Security, Advanced, untick "Allow inheritable permissions from parent", Remove, OK. Reboot.
That way nobody has permission to run it. Use the machine like this for now, and once the antivirus has updated you can clean it then. ........................... |
I'm on SP1; there doesn't seem to be any "Allow inheritable permissions from parent" option, so I can't delete it.
Also, every time the system starts, SkyNet (天网) asks whether to allow LSASS.EXE to access the network.
Attachment:
6708732006317205545.JPG
liujun112 - 2006-3-18 20:20:00
Please help me out, experts, otherwise my only option is to reinstall!
© 2000 - 2026 Rising Corp. Ltd.