polomi - 2007-4-13 12:50:00
Startup Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Media Services><; C:\Program Files\Windows Media Player\wmplayer.exe.exe> [N/A]
<KAVRUN><C:\KAV6\KAVRUN.EXE> [kingsoft]
<Super Rabbit Desktop Set><; C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load> [Super Rabbit Software]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<Super Rabbit SafeEdit><; C:\Program Files\Super Rabbit\MagicSet\SRFC.EXE /Load> [Super Rabbit Soft]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Windows 2000 Publisher]
<psojva><; C:\WINNT\system32\dsbjrn.exe> [N/A]
<SKYNET Personal FireWall><C:\Program Files\SkyNet\FireWall\PFWmain.exe> [sky.net.cn]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<Network.ConnectionTray><C:\WINNT\system32\NETSHELL.dll> [(Verified)Microsoft Windows 2000 Publisher]
<WebCheck><> [N/A]
<SysTray><stobject.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
<WinlogonNotify: wzcnotif><wzcdlg.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Windows Media Player><C:\WINNT\inf\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}]
<EnableRevocation><regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINNT\system32\ssflwbox.scr> [(Verified)Microsoft Windows 2000 Publisher]
polomi - 2007-4-13 12:52:00
Startup Folder
[Microsoft Office]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [Microsoft Corporation]><H>
==================================
Services
[Creative Service for CDROM Access / Creative Service for CDROM Access][Stopped/Auto Start]
<C:\WINNT\System32\CTSvcCDA.exe><Creative Technology Ltd>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Kingsoft AntiVirus Service / KAVSvc][Stopped/Auto Start]
<C:\KAV6\KAVSvc.EXE><kingsoft Antivirus>
[Machine Debug Manager / MDM][Stopped/Auto Start]
<"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"><Microsoft Corporation>
[NVIDIA Driver Helper Service / NVSvc][Stopped/Auto Start]
<C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
[Network Connections Sharing / RpcTftpd][Stopped/Manual Start]
<C:\WINNT\system32\wins\svchost.exe><Microsoft Corporation>
[U8管理软件 / UFNet][Stopped/Auto Start]
<C:\WINNT\system32\ServerNT.exe><N/A>
[Windows Management NetWork Service Extensions / Windows Management NetWork Service Extensions][Stopped/Auto Start]
<NetManager.exe -exe_start><N/A>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\System32\mspmsnsv.dll><Microsoft Corporation>
==================================
Drivers
[Legend DFE-530TX PCI Fast Ethernet Adapter / dlkfet][Stopped/Manual Start]
<System32\DRIVERS\dlkfet.sys><Fast Ethernet PCI Adapter Manufacturer>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[Creative SB AudioPCI Audio Driver (WDM) / ev19x8mp][Stopped/Manual Start]
<system32\drivers\ev19x8mp.sys><Creative Technology Ltd.>
[KNetWch / KNetWch][Stopped/System Start]
<\??\C:\KAV6\KNetWch.SYS><金山电脑公司>
[KWATCH / KWATCH][Stopped/Manual Start]
<\??\C:\WINNT\system32\drivers\KWatch.Sys><Kingsoft Corporation>
[KWatch2 / KWatch2][Stopped/Manual Start]
<\??\C:\WINNT\system32\drivers\KWatch2.sys><Kingsoft Antivirus>
[nv / nv][Stopped/Manual Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[PCANDIS5 Protocol Driver / PCANDIS5][Stopped/Manual Start]
<\??\C:\WINNT\system32\PCANDIS5.SYS><Printing Communications Assoc., Inc. (PCAUSA)>
[Padus ASPI Shell / pfc][Running/Manual Start]
<system32\drivers\pfc.sys><Padus, Inc.>
[PfModNT / PfModNT][Stopped/Auto Start]
<\??\C:\WINNT\System32\PfModNT.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Sentinel / Sentinel][Stopped/Auto Start]
<\SystemRoot\System32\Drivers\SENTINEL.SYS><>
[SKNFW / SKNFW][Stopped/System Start]
<\??\C:\WINNT\System32\Drivers\SKNFW.sys><N/A>
[Sony Memory Stick Driver(SONYPVM1) / SONYPVM1][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\SONYPVM1.SYS><Sony Corporation>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
<system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[Superk53 / Superk53][Stopped/Auto Start]
<\SystemRoot\System32\drivers\superk53.sys><Microsoft Corporation>
[VNN VNC Virtual Network Adapter / vnndev][Stopped/Manual Start]
<system32\DRIVERS\vnnvnic.sys><VNN B.J.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
Browser Add-ons
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[金山毒霸]
{A9BE2902-C447-420A-BB7F-A5DE921E6138} <C:\KAV6\KAIEPlus.DLL, >
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[V3PROXL Control]
{733652F9-53EF-4BF1-B391-375980675D6F} <C:\WINNT\DOWNLO~1\v3proxl.ocx, Ahnlab, Inc.>
[IEDown Class]
{99888952-AC62-437C-AFC6-7B5CF05A7F2F} <C:\WINNT\system32\GLIEDown.dll, N/A>
[Update Class]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} <C:\WINNT\System32\iuctl.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\macromed\flash\Flash.ocx, Macromedia, Inc.>
[CHtmlIp1View Object]
{D854FC15-D3EA-496A-B2A0-A772A3DE1D09} <C:\WINNT\Downloaded Program Files\Ip1HtmlView.dll, TODO: BTECK>
[使用网际快车下载]
<C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<C:\Program Files\FlashGet\jc_all.htm, N/A>
[导出到 Microsoft Excel(&x)]
<res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
polomi - 2007-4-13 12:54:00
Running Processes
[PID: 112][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\ntdll.dll] [Microsoft Corporation, 5.00.2195.6899]
[C:\WINNT\System32\sfcfiles.dll] [Microsoft Corporation, 5.00.2195.6894]
[PID: 140][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\ntdll.dll] [Microsoft Corporation, 5.00.2195.6899]
[C:\WINNT\system32\CSRSRV.dll] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\basesrv.dll] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\winsrv.dll] [Microsoft Corporation, 5.00.2195.6826]
[C:\WINNT\system32\USER32.dll] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\KERNEL32.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\GDI32.DLL] [Microsoft Corporation, 5.00.2195.6898]
[PID: 160][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6898]
[C:\WINNT\system32\ntdll.dll] [Microsoft Corporation, 5.00.2195.6899]
[C:\WINNT\system32\MSVCRT.DLL] [Microsoft Corporation, 6.10.9844.0]
[C:\WINNT\system32\KERNEL32.dll] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\ADVAPI32.DLL] [Microsoft Corporation, 5.00.2195.6876]
[C:\WINNT\system32\RPCRT4.DLL] [Microsoft Corporation, 5.00.2195.6904]
[C:\WINNT\system32\GDI32.DLL] [Microsoft Corporation, 5.00.2195.6898]
[C:\WINNT\system32\USER32.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\USERENV.DLL] [Microsoft Corporation, 5.00.2195.6794]
[C:\WINNT\system32\NDDEAPI.DLL] [Microsoft Corporation, 5.00.2195.6661]
[C:\WINNT\system32\SFC.DLL] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\sfcfiles.dll] [Microsoft Corporation, 5.00.2195.6894]
[C:\WINNT\system32\SECUR32.DLL] [Microsoft Corporation, 5.00.2195.6695]
[C:\WINNT\system32\PROFMAP.DLL] [Microsoft Corporation, 5.00.2195.6610]
[C:\WINNT\system32\NETAPI32.dll] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\NETRAP.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\SAMLIB.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\WS2_32.DLL] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\WS2HELP.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\WLDAP32.DLL] [Microsoft Corporation, 5.00.2195.6666]
[C:\WINNT\system32\DNSAPI.DLL] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\WSOCK32.DLL] [Microsoft Corporation, 5.00.2195.6603]
[C:\WINNT\system32\IMM32.DLL] [Microsoft Corporation, 5.00.2195.6655]
[C:\WINNT\system32\iphlpapi.dll] [Microsoft Corporation, 5.00.2195.6602]
[C:\WINNT\system32\ICMP.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\MPRAPI.DLL] [Microsoft Corporation, 5.00.2181.1]
[C:\WINNT\system32\OLE32.DLL] [Microsoft Corporation, 5.00.2195.6906]
[C:\WINNT\system32\OLEAUT32.DLL] [Microsoft Corporation, 2.40.4522]
[C:\WINNT\system32\ACTIVEDS.DLL] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\ADSLDPC.DLL] [Microsoft Corporation, 5.00.2195.6701]
[C:\WINNT\system32\RTUTILS.DLL] [Microsoft Corporation, 5.00.2168.1]
[C:\WINNT\system32\SETUPAPI.DLL] [Microsoft Corporation, 5.00.2195.6622]
[C:\WINNT\system32\RASAPI32.DLL] [Microsoft Corporation, 5.00.2195.6625]
[C:\WINNT\system32\RASMAN.DLL] [Microsoft Corporation, 5.00.2195.6604]
[C:\WINNT\system32\TAPI32.DLL] [Microsoft Corporation, 5.00.2195.6664]
[C:\WINNT\system32\COMCTL32.DLL] [Microsoft Corporation, 5.81]
[C:\WINNT\system32\SHLWAPI.DLL] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\DHCPCSVC.DLL] [Microsoft Corporation, 5.00.2195.6685]
[C:\WINNT\system32\msgina.dll] [Microsoft Corporation, 5.00.2195.6895]
[C:\WINNT\system32\SHELL32.DLL] [Microsoft Corporation, 5.00.3700.6705]
[C:\WINNT\system32\WINSTA.DLL] [Microsoft Corporation, 5.00.2195.6701]
[C:\WINNT\system32\WINMM.dll] [Microsoft Corporation, 5.00.2161.1]
[C:\WINNT\system32\cscdll.dll] [Microsoft Corporation, 5.00.2195.6713]
[C:\WINNT\system32\WlNotify.dll] [Microsoft Corporation, 5.00.2195.6706]
[C:\WINNT\system32\CERTCLI.DLL] [Microsoft Corporation, 5.00.2195.6619]
[C:\WINNT\system32\ATL.DLL] [Microsoft Corporation, 3.00.9435]
[C:\WINNT\system32\CRYPT32.DLL] [Microsoft Corporation, 5.131.2195.6824]
[C:\WINNT\system32\MSASN1.DLL] [Microsoft Corporation, 5.00.2195.6905]
[C:\WINNT\system32\WINSCARD.DLL] [Microsoft Corporation, 5.00.2195.6609]
[C:\WINNT\system32\WINSPOOL.DRV] [Microsoft Corporation, 5.00.2195.6659]
[C:\WINNT\system32\MPR.DLL] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\cscui.dll] [Microsoft Corporation, 5.00.2195.6705]
[C:\WINNT\system32\wzcdlg.dll] [Microsoft Corporation, 5.00.2195.6604]
[C:\WINNT\system32\WZCSAPI.DLL] [Microsoft Corporation, 5.00.2195.6604]
[C:\WINNT\system32\CLBCATQ.DLL] [Microsoft Corporation, 2000.2.3511.0]
[PID: 268][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\ntdll.dll] [Microsoft Corporation, 5.00.2195.6899]
[C:\WINNT\system32\ADVAPI32.DLL] [Microsoft Corporation, 5.00.2195.6876]
[C:\WINNT\system32\KERNEL32.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\RPCRT4.DLL] [Microsoft Corporation, 5.00.2195.6904]
[C:\WINNT\system32\GDI32.DLL] [Microsoft Corporation, 5.00.2195.6898]
[C:\WINNT\system32\USER32.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\SHLWAPI.DLL] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\msvcrt.dll] [Microsoft Corporation, 6.10.9844.0]
[C:\WINNT\system32\COMCTL32.DLL] [Microsoft Corporation, 5.81]
[C:\WINNT\system32\IMM32.DLL] [Microsoft Corporation, 5.00.2195.6655]
[C:\WINNT\system32\shim.dll] [Microsoft Corporation, 5.00.2195.6717]
[C:\WINNT\AppPatch\AcLayers.DLL] [Microsoft Corporation, 5.00.2195.6717]
[C:\WINNT\system32\WS2_32.DLL] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\WS2HELP.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\OLE32.DLL] [Microsoft Corporation, 5.00.2195.6906]
[C:\WINNT\system32\SHELL32.dll] [Microsoft Corporation, 5.00.3700.6705]
[C:\WINNT\system32\CLBCATQ.DLL] [Microsoft Corporation, 2000.2.3511.0]
[C:\WINNT\system32\OLEAUT32.dll] [Microsoft Corporation, 2.40.4522]
[C:\WINNT\system32\SHDOCVW.DLL] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\browseui.dll] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\MPR.DLL] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\USERENV.DLL] [Microsoft Corporation, 5.00.2195.6794]
[C:\WINNT\system32\ntshrui.dll] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\ATL.DLL] [Microsoft Corporation, 3.00.9435]
[C:\WINNT\system32\NETAPI32.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\SECUR32.DLL] [Microsoft Corporation, 5.00.2195.6695]
[C:\WINNT\system32\NETRAP.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\SAMLIB.DLL] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\WLDAP32.DLL] [Microsoft Corporation, 5.00.2195.6666]
[C:\WINNT\system32\DNSAPI.DLL] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\WSOCK32.DLL] [Microsoft Corporation, 5.00.2195.6603]
[C:\WINNT\system32\mydocs.dll] [Microsoft Corporation, 5.00.3502.6601]
[C:\WINNT\System32\ntlanman.dll] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\System32\NETUI0.DLL] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\System32\NETUI1.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\MSI.DLL] [Microsoft Corporation, 2.0.2600.1183]
[C:\WINNT\system32\WININET.dll] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\CRYPT32.dll] [Microsoft Corporation, 5.131.2195.6824]
[C:\WINNT\system32\MSASN1.DLL] [Microsoft Corporation, 5.00.2195.6905]
[C:\WINNT\system32\CfgMgr32.dll] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\setupapi.dll] [Microsoft Corporation, 5.00.2195.6622]
[C:\Program Files\Microsoft Office\Office10\msohev.dll] [Microsoft Corporation, 10.0.2609]
[C:\WINNT\system32\browselc.dll] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\urlmon.dll] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\VERSION.dll] [Microsoft Corporation, 5.00.2195.6623]
[C:\WINNT\system32\LZ32.DLL] [Microsoft Corporation, 5.00.2195.6611]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\WINNT\system32\LINKINFO.DLL] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\cscui.dll] [Microsoft Corporation, 5.00.2195.6705]
[C:\WINNT\system32\CSCDLL.DLL] [Microsoft Corporation, 5.00.2195.6713]
[C:\KAV6\KAVEXT.DLL] [Kingsoft Corp., 2002, 5, 24, 6]
[C:\WINNT\system32\WINMM.dll] [Microsoft Corporation, 5.00.2161.1]
[C:\WINNT\system32\MSCTF.dll] [Microsoft Corporation, 1.00.2409.8 built by: Lab06_N]
[PID: 600][K:\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINNT\system32\ntdll.dll] [Microsoft Corporation, 5.00.2195.6899]
[C:\WINNT\system32\kernel32.dll] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\USER32.dll] [Microsoft Corporation, 5.00.2195.6897]
[C:\WINNT\system32\GDI32.DLL] [Microsoft Corporation, 5.00.2195.6898]
[C:\WINNT\system32\comdlg32.dll] [Microsoft Corporation, 5.00.3700.6693]
[C:\WINNT\system32\SHLWAPI.DLL] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\msvcrt.dll] [Microsoft Corporation, 6.10.9844.0]
[C:\WINNT\system32\ADVAPI32.dll] [Microsoft Corporation, 5.00.2195.6876]
[C:\WINNT\system32\RPCRT4.DLL] [Microsoft Corporation, 5.00.2195.6904]
[C:\WINNT\system32\COMCTL32.DLL] [Microsoft Corporation, 5.81]
[C:\WINNT\system32\SHELL32.DLL] [Microsoft Corporation, 5.00.3700.6705]
[C:\WINNT\system32\WINSPOOL.DRV] [Microsoft Corporation, 5.00.2195.6659]
[C:\WINNT\system32\MPR.DLL] [Microsoft Corporation, 5.00.2195.6824]
[C:\WINNT\system32\oledlg.dll] [Microsoft Corporation, 1.0]
[C:\WINNT\system32\OLE32.DLL] [Microsoft Corporation, 5.00.2195.6906]
[C:\WINNT\system32\OLEAUT32.dll] [Microsoft Corporation, 2.40.4522]
[C:\WINNT\system32\VERSION.dll] [Microsoft Corporation, 5.00.2195.6623]
[C:\WINNT\system32\LZ32.DLL] [Microsoft Corporation, 5.00.2195.6611]
[C:\WINNT\system32\CRYPT32.dll] [Microsoft Corporation,
polomi - 2007-4-13 12:56:00
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Providers
N/A
==================================
Autorun.inf
[D:\]
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\Auto\command=sxs.exe
[E:\]
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\Auto\command=sxs.exe
[F:\]
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\Auto\command=sxs.exe
==================================
HOSTS File
127.0.0.1 localhost
==================================
API HOOK
RVA 错误: NtQueryInformationFile (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B3E7)
RVA 错误: NtQuerySystemInformation (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6CA87)
RVA 错误: ZwQueryInformationFile (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B3E7)
RVA 错误: RegEnumValueA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6C490)
RVA 错误: RegEnumValueW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6C4ED)
RegDeleteKeyA (危险等级: , 被下面模块所HOOK: )
RegDeleteKeyW (危险等级: , 被下面模块所HOOK: )
RegDeleteValueA (危险等级: , 被下面模块所HOOK: )
RegDeleteValueW (危险等级: , 被下面模块所HOOK: )
RVA 错误: FindFirstFileA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6E3CF)
RVA 错误: FindFirstFileExA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6A806)
RVA 错误: FindFirstFileExW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6AA23)
RVA 错误: FindFirstFileW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE693AD)
RVA 错误: FindNextFileA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6BD9A)
RVA 错误: FindNextFileW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B4A1)
RVA 错误: LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE66B20)
RVA 错误: LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE66C0E)
RVA 错误: LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE66D36)
RVA 错误: LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE67113)
RVA 错误: Process32First (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B4A1)
RVA 错误: Process32FirstW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6CF58)
RVA 错误: Process32Next (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE69D1B)
Process32NextW (危险等级: , 被下面模块所HOOK: )
RVA 错误: Module32First (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B581)
RVA 错误: Module32FirstW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE69917)
Module32Next (危险等级: , 被下面模块所HOOK: )
RVA 错误: Module32NextW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B00A)
RVA 错误: MoveFileExA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE63D36)
RVA 错误: MoveFileExW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B581)
RVA 错误: Thread32First (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B8B6)
RVA 错误: Thread32Next (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6DC19)
RVA 错误: CreateFileA (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6C99C)
RVA 错误: CreateFileW (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6CBE0)
RVA 错误: Thread32First (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6B8B6)
RVA 错误: Thread32Next (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6DC19)
CreateProcessA (危险等级: , 被下面模块所HOOK: )
RVA 错误: CreateProcessW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE65E0B)
RVA 错误: FreeLibrary (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE63109)
RVA 错误: GetFileAttributesA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE6ABFE)
RVA 错误: GetFileAttributesExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE69888)
RVA 错误: GetFileAttributesExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0x2AE6A5CB)
GetFileAttributesW (危险等级: , 被下面模块所HOOK: )
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE6571C)
RVA 错误: OpenProcess (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0x2AE64E30)
==================================
Hidden Processes
N/A
天月来了 - 2007-4-14 8:49:00
First disconnect from the network and uninstall the antivirus software.
————————————————
In Safe Mode, back up the registry and the corresponding files mentioned below as far as possible.
————————————————————————
Use IceSword (version 1.2) to block process creation, then use IceSword to delete the files with the following names from the root directories of drives C, D, E and F:
Autorun.inf
sxs.exe
————————————————————————
If possible, continue using IceSword to delete the registry entries below and their corresponding files.
If registry entries are hard to find with IceSword, cancel IceSword's "block process creation", delete the registry entries with SREng, and delete the corresponding files with IceSword.
Startup Items
Registry
<Media Services><; C:\Program Files\Windows Media Player\wmplayer.exe.exe> [N/A]
<Super Rabbit Desktop Set><; C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load> [Super Rabbit Software]
<Super Rabbit SafeEdit><; C:\Program Files\Super Rabbit\MagicSet\SRFC.EXE /Load> [Super Rabbit Soft]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Windows 2000 Publisher]
<psojva><; C:\WINNT\system32\dsbjrn.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}]
<EnableRevocation><regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll> [(Verified)Microsoft Windows 2000 Publisher]
Services
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Network Connections Sharing / RpcTftpd][Stopped/Manual Start]
<C:\WINNT\system32\wins\svchost.exe><Microsoft Corporation>
[Windows Management NetWork Service Extensions / Windows Management NetWork Service Extensions][Stopped/Auto Start]
<NetManager.exe -exe_start><N/A>
Browser Add-ons
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[V3PROXL Control]
{733652F9-53EF-4BF1-B391-375980675D6F} <C:\WINNT\DOWNLO~1\v3proxl.ocx, Ahnlab, Inc.>
[IEDown Class]
{99888952-AC62-437C-AFC6-7B5CF05A7F2F} <C:\WINNT\system32\GLIEDown.dll, N/A>
[Update Class]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} <C:\WINNT\System32\iuctl.dll, Microsoft Corporation>
[CHtmlIp1View Object]
{D854FC15-D3EA-496A-B2A0-A772A3DE1D09} <C:\WINNT\Downloaded Program Files\Ip1HtmlView.dll, TODO: BTECK>
——————————————————————————————————
If the above files reappear after rebooting, delete them with IceSword or Unlocker.
Many files may already be infected, so do not open any files after rebooting. Install antivirus software, update to the latest virus database, and run a full-disk scan. Good luck.
baohe - 2007-4-14 22:03:00
[Reply to "polomi"'s post]
Use IceSword for the following steps.
1. Block process creation.
2. End all processes other than the core system processes.
3. Delete the following startup entries and services:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<psojva><; C:\WINNT\system32\dsbjrn.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WebCheck><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
<WinlogonNotify: wzcnotif><wzcdlg.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}]
<EnableRevocation><regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Component Publisher]
[Network Connections Sharing / RpcTftpd][Stopped/Manual Start]
<C:\WINNT\system32\wins\svchost.exe><Microsoft Corporation>
[Windows Management NetWork Service Extensions / Windows Management NetWork Service Extensions][Stopped/Auto Start]
<NetManager.exe -exe_start><N/A>
4. Delete the following files:
C:\WINNT\system32\dsbjrn.exe
C:\WINNT\system32\wins\svchost.exe
NetManager.exe
In the root directory of each partition:
Autorun.inf
sxs.exe
5. Cancel IceSword's "block process creation".
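Both replies centre on the same indicator from the log: an identical Autorun.inf on the D:, E: and F: partitions whose `open=`, `shellexecute=` and `shell\Auto\command=` keys all launch `sxs.exe` from the drive root. The following Python script is an added example, not code from this thread, from SREng or from IceSword: it parses an autorun.inf, lists the keys that launch something, rates the file by whether it sits on a fixed disk or hijacks the drive's shell verbs, and reports which payload is shared across several partitions. The `drive_type` argument and the two sample files are constructed for the example; the three-line worm-style file mirrors what the SREng log shows.

```python
import re

# Launch keys in [AutoRun] that cause a file to run on insert or on double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")
# "shell\<verb>\command" entries replace the drive's Explorer verbs (Open, Explore, ...).
SHELL_VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}} with lowercased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return {key: target} for every key in [AutoRun] that launches a program."""
    autorun = parse_autorun(text).get("autorun", {})
    return {k: v for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_VERB_RE.match(k)}


def assess(text, drive_type):
    """Rate one autorun.inf; drive_type is 'fixed', 'removable' or 'cdrom' (constructed input).

    Returns 'clean', 'review' or 'high'. A fixed disk never needs an autorun.inf,
    and shell\\<verb>\\command keys hijack what happens when the drive is opened,
    so either condition is rated high. A plain open= on removable or optical
    media is only flagged for review, because installer discs use it legitimately.
    """
    targets = launch_targets(text)
    if not targets:
        return "clean"
    if drive_type == "fixed" or any(SHELL_VERB_RE.match(k) for k in targets):
        return "high"
    return "review"


def shared_payloads(samples):
    """Given {drive: autorun_text}, return the launch targets present on every drive.

    The same file on several partitions (D:, E:, F: in the log) points at one
    self-replicating payload rather than at vendor media.
    """
    per_drive = [set(launch_targets(t).values()) for t in samples.values()]
    return set.intersection(*per_drive) if per_drive else set()


# Constructed sample: the three-line file the SREng log shows on D:, E: and F:.
WORM_STYLE = "[AutoRun]\nopen=sxs.exe\nshellexecute=sxs.exe\nshell\\Auto\\command=sxs.exe\n"
# Constructed sample of a typical vendor driver CD.
VENDOR_CD = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Driver CD\n"

if __name__ == "__main__":
    for drive in ("D:", "E:", "F:"):
        print(drive, assess(WORM_STYLE, "fixed"), launch_targets(WORM_STYLE))
    print("CD:", assess(VENDOR_CD, "cdrom"))
    print("shared:", shared_payloads({"D:": WORM_STYLE, "E:": WORM_STYLE, "F:": WORM_STYLE}))
```

Run against the three partitions, every file rates "high" and `shared_payloads` returns `{'sxs.exe'}`, which is the judgement both replies reach by eye. The vendor-CD sample only rates "review", so the check separates the double-click hijack on hard-disk partitions from ordinary installer media instead of flagging every `open=` line.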
© 2000 - 2026 Rising Corp. Ltd.