瑞星卡卡安全论坛
masket - 2007-4-24 20:55:00
Iparmor (木马克星) found a few suspicious files:
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\gdipri.dll
C:\WINDOWS\system32\godpri.dll
C:\WINDOWS\system32\jpqpri.dll
Scanning with Rising in Safe Mode found no virus.
HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 20:36:15, on 2007-4-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\SVCHOST.EXE
D:\TOOL\网络工具\代理\ProxyThorn\ProxyThorn.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Iparmor\iparmo.exe
D:\TOOL\网络工具\主页浏览\GreenBrowserGB-v3.9\GreenBrowser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\TOOL\网络工具\网络安全\HijackThis V1[1].99.1汉化版\HijackThis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - (no file)
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKLM\..\Run: [ProxyThorn] D:\TOOL\网络工具\代理\ProxyThorn\ProxyThorn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\KakaToolBar\runiep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync 管理器.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\SendMMS.htm
O9 - Extra button: 免费精彩视频超流畅在线观看 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: 播霸电视 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQIEHelper.dll (file missing)
O15 - Trusted Zone: easyabc.95599.cn
O15 - Trusted Zone: www.95599.cn
O16 - DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} (EWA Control) - http://a1.51show.com.cn/SMGBBWebSetup.exe
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1009/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (CPasswordEditCtrl Object) - https://www.tenpay.com/download/qqedit.cab
O16 - DPF: {EF6205C1-3F17-4829-BCB5-1336ED89E356} (KvScanOnline Control) - http://online.jiangmin.com/KvDown.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://ps.itv.mop.com/dn/files/pCastCtl_1.0.0.89_20060727.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E2417D-FB1E-424A-A1E9-F76D9F7A5C8A}: NameServer = 202.96.128.86,202.96.128.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9FC90B-26EC-43EE-8453-EA85D2601F88}: NameServer = 202.96.128.86 202.96.128.166
O17 - HKLM\System\CS2\Services\Tcpip\..\{02E2417D-FB1E-424A-A1E9-F76D9F7A5C8A}: NameServer = 202.96.128.86,202.96.128.166
O17 - HKLM\System\CS3\Services\Tcpip\..\{02E2417D-FB1E-424A-A1E9-F76D9F7A5C8A}: NameServer = 202.96.128.86,202.96.128.166
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
After the system boots, a window pops up by itself asking whether to work offline to view the web page.
Hoping someone can help.
火影忍者 - 2007-4-24 21:25:00
C:\WINDOWS\system32\SVCHOST.EXE
This one is normal..
火影忍者 - 2007-4-24 21:26:00
Scan with SRE and post the log!
西门吹牛 - 2007-4-24 21:40:00
C:\WINDOWS\system32\SVCHOST.EXE
The 0 in it should be a zero, not the letter O. I have a sample of this virus; it is the downloader file of a trojan-swarm virus. It downloads lots of trojans, nasty!
Take a look at this:
http://forum.ikaka.com/topic.asp?board=28&artid=8292744
masket - 2007-4-24 21:45:00
Yes, it's really nasty; as soon as the network is connected it keeps downloading trojans through the browser plug-in InprocServer32.
szh223400 - 2007-4-24 21:50:00
Probably 灰鸽子 (Gray Pigeon) 2007~~~
masket - 2007-4-24 21:53:00
So how do I cook and eat this pigeon? Asking the brother above; this pigeon also automatically brings in lots of companions.
Within a short while a pile of suspicious files appeared:
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\gdipri.dll
C:\WINDOWS\system32\godpri.dll
C:\WINDOWS\system32\jpqpri.dll
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\xpdhcp.dll
C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
C:\WINDOWS\system32\RealMediaSplitter.ax
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpz2ku07.dll
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpzntp07.dll
masket - 2007-4-25 12:58:00
Does no expert know how to remove this?
火影忍者 - 2007-4-25 13:03:00
Quote:
[西门吹牛's post] C:\WINDOWS\system32\SVCHOST.EXE The 0 in it should be a zero, not the letter O. I have a sample of this virus; it is the downloader file of a trojan-swarm virus. It downloads lots of trojans, nasty!
Take a look at this http://forum.ikaka.com/topic.asp?board=28&artid=8292744 ...
That is an O, not a zero... if you can't tell them apart, look at it in Notepad.
火影忍者 - 2007-4-25 13:06:00
Download System Repair Engineer,
http://www.kztechs.com/sreng/download.html
1 Extract sreng2.zip
2 Run SREng.exe
3 Smart Scan => Scan => Save Report
4 Copy the report from the log in full and paste it here, without modifying it
If the log doesn't fit in one post, post it in several parts
(Before scanning, close as many windows as you can close manually, e.g. QQ, music, web pages...)
minok - 2007-4-25 13:49:00
[Reply to 西门吹牛's post]
In Notepad it shows up perfectly clearly: that's a letter, not a digit. Don't fool yourself. The details still need careful analysis.
masket - 2007-4-25 14:06:00
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [N/A]
<4y><C:\DOCUME~1\allen\LOCALS~1\Temp\crasos.exe> []
<fxh0df20><C:\DOCUME~1\allen\LOCALS~1\Temp\c0nime.exe> []
<xb><C:\DOCUME~1\allen\LOCALS~1\Temp\winlog0n.exe> []
<NvMediaCenter><; RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ProxyThorn><D:\TOOL\网络工具\代理\ProxyThorn\ProxyThorn.exe> [Huazhong University of Science and Technology]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<runeip><C:\Program Files\Rising\KakaToolBar\runiep.exe> [Beijing Rising Technology Co., Ltd.]
<AutoRun><; "G:\AUTORUN\AutoRun.exe" "/14"> [N/A]
<DAEMON Tools-1033><; "C:\Program Files\D-Tools\daemon.exe" -lang 1033> [N/A]
<HPDJ Taskbar Utility><; C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<McAfeeUpdaterUI><; > [N/A]
<NeroCheck><; C:\WINDOWS\system32\NeroCheck.exe> [Ahead Software Gmbh]
<nwiz><; nwiz.exe /install> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<ShStatEXE><; > [N/A]
<SoundMan><; SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><EXPLORER.EXE> [(Verified)]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd> []
<{2133B3FD-315E-4523-BD1A-22F723DFBCA3}><C:\WINDOWS\system32\jpqpri.dll> []
<{31F612A3-3223-3313-3123-31161A31A125}><C:\WINDOWS\system32\godpri.dll> []
<{131AB311-16F1-F13B-1E43-11A24B51AFD1}><C:\WINDOWS\system32\gdipri.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll> [(Verified)Microsoft Windows Component Publisher]
masket - 2007-4-25 14:07:00
启动文件夹
[HotSync 管理器]
<C:\Documents and Settings\allen\「开始」菜单\程序\启动\HotSync 管理器.lnk --> C:\PROGRA~1\palmOne\HOTSYNC.EXE [Palm, Inc.]><N>
==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>
[WinXP DHCP Service / WinXPDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe xpdhcp.dll,start><Microsoft Corporation>
==================================
驱动程序
[ahejihag / ahejihag][Stopped/Boot Start]
<\SystemRoot\system32\drivers\ahejihag.sys><N/A>
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
<system32\drivers\ALCXSENS.SYS><Sensaura>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[bhhijjec / bhhijjec][Stopped/Boot Start]
<\SystemRoot\system32\drivers\bhhijjec.sys><N/A>
[DriverLINX Port I/O Driver / DLPortIO][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\DRIVERS\DLPortIO.SYS><N/A>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[GWIOPM / GWIOPM][Stopped/Manual Start]
<\??\C:\Program Files\Windows优化大师\GWIOPM.sys><N/A>
[HookCont / HookCont][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
<\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[kmsinput / kmsinput][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\kmsinput.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
<\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\WINDOWS\system32\qqedit\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nvatabus / nvatabus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[NVIDIA nForce MCP Networking Controller Driver / NVENET][Running/Manual Start]
<system32\DRIVERS\NVENET.sys><NVIDIA Corporation>
[NVIDIA nForce AGP Bus Filter / nv_agp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\nv_agp.sys><NVIDIA Corporation>
[PalmUSBD / PalmUSBD][Stopped/Manual Start]
<system32\drivers\PalmUSBD.sys><Palm, Inc.>
[Psx Hid to Gamepad Port Enabler / PSXGamepadEnabler][Running/Manual Start]
<system32\drivers\psxpad.sys><Y.Kimura>
[Psx Port Enumerator / PsxPortEnumerator][Running/Manual Start]
<System32\Drivers\psxenum.sys><Y.Kimura>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[QKeyServiceDisplay / QKeyService][Running/Boot Start]
<\SystemRoot\system32\KeyCrypt.sys><>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Running/Auto Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[Sentinel / Sentinel][Running/Auto Start]
<\SystemRoot\System32\Drivers\SENTINEL.SYS><Rainbow Technologies, Inc.>
[SkyProcs / SkyProcs][Stopped/Manual Start]
<\??\C:\Program Files\SkyNet\FireWall\SkyProcs.sys><N/A>
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[VCD VNC Virtual Network Adapter / vcddev][Running/Manual Start]
<system32\DRIVERS\vcdvnic.sys><VNN B.J.>
[BuddyVM / {09BB444F-B2E2-4009-BAF2-7B727681223E}][Stopped/Auto Start]
<\??\C:\Program Files\VMLaunch\BuddyVM.sys><N/A>
masket - 2007-4-25 14:10:00
浏览器加载项
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <, N/A>
[免费精彩视频超流畅在线观看]
{022C4009-5283-4365-97BF-144054B40E2E} <http://itv.mop.com, N/A>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <D:\Program Files\Tencent\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <D:\Program Files\Tencent\QQIEHelper.dll, N/A>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[EWA Control]
{18226BF8-DC0B-4D81-80E9-A41AE37BB73A} <C:\PROGRA~1\COMMON~1\Synacast\SynaLive\SYNACA~1.OCX, Synacast>
[WebActivater Control]
{3D8F74EE-8692-4F8F-B8D2-7522E732519E} <C:\WINDOWS\system32\WEBACT~1.OCX, QQ>
[CEditCtrl Object]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\AliEdit.dll, www.alipay.com>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[Java Plug-in]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_06]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll, Sun Microsystems, Inc.>
[IEDown Class]
{D0A29C6C-AA71-4423-8C4A-5998B774C448} <C:\WINDOWS\system32\GLIEDown2.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[CPasswordEditCtrl Object]
{E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINDOWS\system32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[KvScanOnline Control]
{EF6205C1-3F17-4829-BCB5-1336ED89E356} <C:\WINDOWS\system32\KvDown.ocx, dreamersoft>
[pCastPanel Class]
{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} <C:\WINDOWS\Downloaded Program Files\CONFLICT.2\pCastCtl.dll, N/A>
[Microsoft 外壳 UI 帮助程序]
{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Active Desktop Mover]
{72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\SendMMS.htm, N/A>
masket - 2007-4-25 14:11:00
正在运行的进程
[PID: 896][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 976][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1000][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1044][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\AppPatch\AcAdProc.dll] [Microsoft Corporation, 5.1.2600.3008 (xpsp.061004-0027)]
[C:\WINDOWS\system32\LYMANGR.DLL] [N/A, ]
[PID: 2020][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd] [N/A, ]
[C:\WINDOWS\system32\jpqpri.dll] [N/A, ]
[C:\WINDOWS\system32\godpri.dll] [N/A, ]
[C:\WINDOWS\system32\gdipri.dll] [N/A, ]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\windhcp.ocx] [N/A, ]
[C:\WINDOWS\system32\xpdhcp.dll] [N/A, ]
[C:\WINDOWS\system32\WPDShServiceObj.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceTypes.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceApi.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[C:\WINDOWS\system32\icm32.dll] [Microsoft Corporation, 5.1.2600.2709 (xpsp_sp2_gdr.050628-1518)]
[C:\WINDOWS\system32\wpdshext.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\Audiodev.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[PID: 628][C:\WINDOWS\system32\SVCHOST.EXE ] [b, 1.00]
[C:\WINDOWS\system32\MSVBVM60.DLL] [Microsoft Corporation, 6.00.9690]
[C:\WINDOWS\system32\vb6chs.dll] [Microsoft Corporation, 6.00.8988]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[PID: 652][D:\TOOL\网络工具\代理\ProxyThorn\ProxyThorn.exe] [Huazhong University of Science and Technology, 1, 8, 0, 1]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 668][C:\Program Files\Rising\Rfw\rfwmain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[C:\Program Files\Rising\Rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[C:\Program Files\Rising\Rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[C:\Program Files\Rising\Rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[C:\Program Files\Rising\Rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[PID: 676][C:\Program Files\Rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 832][C:\Program Files\palmOne\HOTSYNC.EXE] [Palm, Inc., 4.0.4]
[C:\Program Files\palmOne\CMDS21.dll] [Palm, Inc., 4.0.1]
[C:\Program Files\palmOne\HSLOG20.dll] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\PalmCmn.dll] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\CONDMGR.dll] [Palm, Inc., 4.0.1.0]
[C:\Program Files\palmOne\SYNC20.dll] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\INSTAIDE.dll] [Palm, Inc., 4.0.1]
[C:\Program Files\palmOne\Subs30.dll] [Palm, Inc., 4.0.0]
[C:\Program Files\palmOne\UserData.dll] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\VFSAPI.dll] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\HSLGLANG.DLL] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\CMDSLANG.DLL] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\INSDLANG.DLL] [Palm, Inc., 4.0.1]
[C:\Program Files\palmOne\SUBSLANG.DLL] [Palm, Inc., 4.0.0]
[C:\Program Files\palmOne\USDTLANG.DLL] [Palm, Inc., 4.0]
[C:\Program Files\palmOne\HSLANG.DLL] [Palm, Inc., 4.1.0]
[C:\Program Files\palmOne\SHW32.DLL] [MicroQuill Software Publishing, Inc., 6.02.29]
[C:\Program Files\palmOne\USBTransport.dll] [Palm, Inc., 4.0.1]
[C:\Program Files\palmOne\USBPort.dll] [Palm, Inc., 4, 4, 0, 0]
[C:\Program Files\palmOne\USBTLang.DLL] [Palm, Inc., 4, 0, 0, 0]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
masket - 2007-4-25 14:12:00
[PID: 2680][C:\Program Files\Iparmor\iparmo.exe] [luosoft.com, 5.5.0.0]
[C:\Program Files\Iparmor\getportlistxp.dll] [, 1, 0, 0, 1]
[C:\Program Files\Iparmor\hookhookdll.dll] [N/A, ]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[PID: 2956][C:\WINDOWS\system32\NOTEPAD.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[PID: 1100][D:\TOOL\网络工具\主页浏览\GreenBrowserGB-v3.9\GreenBrowser.exe] [MoreQuick, 1, 0, 0, 0]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\WINDOWS\system32\jpqpri.dll] [N/A, ]
[C:\WINDOWS\system32\godpri.dll] [N/A, ]
[C:\WINDOWS\system32\gdipri.dll] [N/A, ]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[C:\WINDOWS\system32\MFPlat.DLL] [Microsoft Corporation, 11.0.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceApi.dll] [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\WINDOWS\system32\l3codeca.acm] [Fraunhofer Institut Integrierte Schaltungen IIS, 1, 9, 0, 0305]
[C:\Program Files\AC3Filter\ac3filter.ax] [, 1.01a]
[C:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax] [, 1.0.2.2033]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Easy RealMedia Tools\common\VSFilter.dll] [Gabest, 1, 0, 0, 9]
[C:\WINDOWS\system32\wmpeffects.dll] [Microsoft Corporation, 11.0.5721.5145 (WMP_11.061018-2006)]
[PID: 2492][C:\Program Files\Rising\Rav\RavMon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
[C:\Program Files\Rising\Rav\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[C:\Program Files\Rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 10]
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[C:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[C:\Program Files\Rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2240][C:\WINDOWS\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[PID: 1420][D:\TOOL\网络工具\网络安全\sreng22.4.12.806\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\system32\INDICDLL.dll] [Microsoft Corporation, 5.00.2920.0000]
[C:\Program Files\Rising\KakaToolBar\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\DOCUME~1\allen\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Gjzo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
[C:\DOCUME~1\allen\LOCALS~1\Temp\Kavs1.dll] [N/A, ]
[D:\TOOL\网络工具\网络安全\sreng22.4.12.806\Plugins\NWMON.SRE] [Smallfrogs Studio, 1, 0, 0, 8]
==================================
文件关联
.TXT Error. [NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
火影忍者 - 2007-4-25 15:30:00
Run SREng: under "Startup Items -> Registry", delete the following startup entries:
<4y><C:\DOCUME~1\allen\LOCALS~1\Temp\crasos.exe> []
<fxh0df20><C:\DOCUME~1\allen\LOCALS~1\Temp\c0nime.exe> []
<xb><C:\DOCUME~1\allen\LOCALS~1\Temp\winlog0n.exe> []
<AutoRun><; "G:\AUTORUN\AutoRun.exe" "/14"> [N/A]
<{2133B3FD-315E-4523-BD1A-22F723DFBCA3}><C:\WINDOWS\system32\jpqpri.dll> []
<{31F612A3-3223-3313-3123-31161A31A125}><C:\WINDOWS\system32\godpri.dll> []
<{131AB311-16F1-F13B-1E43-11A24B51AFD1}><C:\WINDOWS\system32\gdipri.dll> []
Run SREng: under "Startup Items -> Services -> Win32 Service Applications", tick "Hide verified Microsoft services", then delete the services named below (select the problem service, click "Delete Service", then click the "Set" button. Note: in the dialog that pops up you must click "NO 否" to confirm deleting the service) (if one cannot be deleted, disable it: change the startup type to disabled, tick "Modify startup type", click Set):
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>
[WinXP DHCP Service / WinXPDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe xpdhcp.dll,start><Microsoft Corporation>
Run SREng: under "Startup Items -> Services -> Drivers", tick "Hide verified Microsoft services", then delete the services named below (select the problem service, click "Delete Service", then click the "Set" button. Note: in the dialog that pops up you must click "NO 否" to confirm deleting the service) (if one cannot be deleted, disable it: change the startup type to disabled, tick "Modify startup type", click Set):
[ahejihag / ahejihag][Stopped/Boot Start]
<\SystemRoot\system32\drivers\ahejihag.sys><N/A>
[bhhijjec / bhhijjec][Stopped/Boot Start]
<\SystemRoot\system32\drivers\bhhijjec.sys><N/A>
IceSword (冰刃) download:
http://www.ttian.net/website/2005/0829/391.html
Delete the following files:
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\xpdhcp.dll
G:\AUTORUN\AutoRun.exe (what is this? if you don't recognise it, delete it)
C:\WINDOWS\system32\jpqpri.dll
C:\WINDOWS\system32\godpri.dll
C:\WINDOWS\system32\gdipri.dll
C:\WINDOWS\system32\drivers\bhhijjec.sys
C:\WINDOWS\system32\drivers\ahejihag.sys
C:\DOCUME~1\allen\LOCALS~1\Temp\ empty this folder
SRE -- System Repair -- Repair file associations:
.TXT Error. [NOTEPAD.EXE %1]
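The replies above triage the SREng report by eye: values with an empty publisher field, programs running from the user's Temp directory, "services" that are really rundll32 loading an .ocx/.dll, and boot-start drivers with random names and no publisher. The Python below is an added example, not code from the thread or from SREng: it parses a constructed excerpt written in the report's own `<name><command> [publisher]` and `[display / service][state]` line format (paths and CLSIDs taken from the posted log) and applies those same checks. The handling of the leading `; ` marker and the list of trusted directory roots are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the SREng report posted above: registry
# startup values, ShellExecuteHooks, two services and one driver. Entries the
# replies flagged are mixed with entries nobody flagged so both outcomes show.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [N/A]
<4y><C:\DOCUME~1\allen\LOCALS~1\Temp\crasos.exe> []
<fxh0df20><C:\DOCUME~1\allen\LOCALS~1\Temp\c0nime.exe> []
<NvMediaCenter><; RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AutoRun><; "G:\AUTORUN\AutoRun.exe" "/14"> [N/A]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{2133B3FD-315E-4523-BD1A-22F723DFBCA3}><C:\WINDOWS\system32\jpqpri.dll> []
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[ahejihag / ahejihag][Stopped/Boot Start]
<\SystemRoot\system32\drivers\ahejihag.sys><N/A>
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*)\]$")                         # [HKEY_...\Run]
SVC_HDR_RE = re.compile(r"^\[([^\]/]+) / ([^\]]+)\]\[([^\]]+)\]$")  # [display / name][state]
REG_ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)> \[([^\]]*)\]$")     # <name><command> [publisher]
SVC_ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>$")                  # <command><publisher>

# Directory prefixes treated as "system or installed software" (assumption)
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "\\systemroot", "%systemroot%")


@dataclass
class Entry:
    kind: str        # "registry" or "service" (SREng lists drivers like services)
    location: str    # registry key, or the service's state text
    name: str        # value name, CLSID, or service short name
    command: str
    publisher: str
    reasons: list = field(default_factory=list)


def parse_report(text):
    """Registry values follow their [HKEY_...] key; a service header line is
    followed by its own <command><publisher> line."""
    entries, key, pending = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key, pending = m.group(1), None
        elif (m := SVC_HDR_RE.match(line)):
            pending = (m.group(2), m.group(3))
        elif pending is None and (m := REG_ENTRY_RE.match(line)):
            entries.append(Entry("registry", key, m.group(1), m.group(2), m.group(3)))
        elif pending is not None and (m := SVC_ENTRY_RE.match(line)):
            entries.append(Entry("service", pending[1], pending[0], m.group(1), m.group(2)))
            pending = None
    return entries


def assess(e):
    """Heuristics mirroring what the replies checked by eye."""
    # Some commands carry a leading "; " in the report; assumed to be a display
    # marker and ignored here.
    cmd = e.command.lstrip("; ").strip()
    low = cmd.lower()
    pub = e.publisher.strip()
    reasons = []
    if pub == "":
        reasons.append("no publisher or version information at all")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if e.kind == "service" and "rundll32" in low:
        reasons.append("service hosted by rundll32: the publisher shown is rundll32.exe's, not the loaded module's")
    if e.kind == "service" and "boot start" in e.location.lower() and pub in ("", "N/A"):
        reasons.append("boot-start driver with no publisher")
    if pub == "N/A" and not low.lstrip('"').startswith(TRUSTED_ROOTS):
        reasons.append("no publisher and outside the Windows/Program Files trees")
    return reasons


def triage(text):
    """Return only the entries that trip at least one heuristic."""
    flagged = []
    for e in parse_report(text):
        e.reasons = assess(e)
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(f"[{e.kind}] {e.name}: {e.command.strip()}")
        for r in e.reasons:
            print("    -", r)
```

The hits are exactly the entries the replies told the poster to remove; a vendor-signed entry such as RavExt.dll in ShellExecuteHooks passes, which is the point of reading the publisher column rather than the key name.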
ripl - 2007-4-25 15:49:00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
This entry doesn't look like anything good either; OP should take a look at QQ.
masket - 2007-4-25 15:54:00
Thanks everyone for the advice, let me try it.
天月来了 - 2007-4-25 16:21:00
Hey 火影!!!!
In his startup items:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
I wonder whether there's a hidden file TIMPlatform.EXE in his QQ install directory,
the TIMPlatfrom.exe that QQ normally calls is no longer the original one.
I'm also waiting to see the OP's result on this.
masket - 2007-4-25 19:14:00
Doesn't seem to work. After booting, Iparmor (木马克星) scan:
C:\WINDOWS\system32\jpqpri.dll文件被系统注入: C:\WINDOWS\Explorer.EXE 程序
扫描浏览器插件:
发现无效的浏览器插件位置:HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsCLSID\{54EBD53A-9BC1-480B-966A-843A333CA162}\InprocServer32
IsDrv120 程序设置为系统服务
\SystemRoot\System32\Drivers\IsDrv120.sys 程序设置为系统服务
xoybkv 程序设置为系统服务
\SystemRoot\System32\Drivers\xoybkv.sys 程序设置为系统服务
新建文件: C:\Documents and Settings\allen\Local Settings\Temp\1.exe 2007-4-25 18:58:19
扫描了 24个进程,
木马克星扫描结束.
没有发现木马,系统安全!
C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx文件被系统注入: D:\TOOL\网络工具\主页浏览\GreenBrowserGB-v3.9\GreenBrowser.exe 程序
扫描浏览器插件:
发现无效的浏览器插件位置:HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsCLSID\{54EBD53A-9BC1-480B-966A-843A333CA162}\InprocServer32
新建文件: C:\Documents and Settings\allen\Local Settings\Temp\4.exe 2007-4-25 18:58:37
扫描了 24个进程,
木马克星扫描结束.
没有发现木马,系统安全!
新建文件: C:\Documents and Settings\allen\Local Settings\Temp\Gjzo1.dll 2007-4-25 18:58:38
扫描了 24个进程,
木马克星扫描结束.
没有发现木马,系统安全!
扫描浏览器插件:
发现无效的浏览器插件位置:HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsCLSID\{54EBD53A-9BC1-480B-966A-843A333CA162}\InprocServer32
扫描浏览器插件:
发现无效的浏览器插件位置:HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsCLSID\{54EBD53A-9BC1-480B-966A-843A333CA162}\InprocServer32
新建文件: C:\Documents and Settings\allen\Local Settings\Temp\5.exe 2007-4-25 18:58:43
扫描了 24个进程,
木马克星扫描结束.
没有发现木马,系统安全!
萨达姆哈哈 - 2007-4-25 19:16:00
100% kills all Temp_OrignalA.exe viruses. I was also a victim of Temp_OrignalA.exe; I struggled on the internet for 3 days and 3 nights before finding this software. Although it's a one-month trial, it can completely and thoroughly wipe out Temp_OrignalA.exe. I hope to share this joy with everyone! [Kaka, Rising, Kingsoft, Jiangmin, and even the world's top-ranked antivirus products simply can't detect and remove it!! Act fast! If you have any questions, leave a message on my blog and I'll tell you everything I can as soon as possible!!!!]
Software link: http:/blog.sina.com.cn/yangfeng68681680
Please take a look: 广州市驱逐软件有限公司 (Guangzhou Quzhu Software Co., Ltd.) was set up in Guangzhou, China in August 2003 as a wholly-owned subsidiary. It is one of the largest information-security technology developers and service providers internationally, one of the few companies to have obtained Virus Bulletin 100% certification, a member enterprise of the Asian anti-virus association, and the core Asia-Pacific development partner of Russia's Dr.Web. The company focuses on developing, producing and selling computer anti-virus and network security products and holds several pieces of independent intellectual property. Following the principle that "technology is the life of the enterprise", it gathered a group of anti-virus experts from Korea, Russia and China and developed a revolutionary anti-virus product, "Virus Chaser" (Chinese name "Virus驱逐舰"). "Virus驱逐舰" breaks with the traditional anti-virus concept and builds the idea of "virus prevention" into product design and development. The birth of "Virus驱逐舰" is a milestone in the anti-virus field. Products include a standalone edition (VC Client), server edition (VC Server), network anti-virus software (VCMS), online scanning (VC ASP) and USB scanning (VC USB), among a series of information-security software. "Virus驱逐舰" is well received by the public for its superior product performance and complete service system. It also has 23 offices around the world, with a marketing and service network covering the globe. The company has more than 2000 employees worldwide, including over 300 professional technical staff, and more than 26 million users globally. The company is currently growing healthily at a user growth rate of over 30% per year.
西门吹牛 - 2007-4-25 20:05:00
Quote:
[minok's post] [Reply to 西门吹牛's post] In Notepad it shows up perfectly clearly: that's a letter, not a digit. Don't fool yourself. The details still need careful analysis. ...
Maybe I got it wrong.
The virus sample I have uses the digit zero, and sits in the C:\WINDOWS\system32 directory.
But if it's not a zero, wouldn't it have the same name as the normal system file? How could they coexist? Has the normal file been infected?
masket - 2007-4-26 0:29:00
Sigh~~~ what virus is this? I don't even know its name; at least let me know the name so I can remember it.
火影忍者 - 2007-4-26 0:33:00
Quote:
[天月来了's post] Hey 火影!!!!
In his startup items: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] <twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
I wonder whether there's a hidden file TIMPlatform.EXE in his QQ install directory,
the TIMPlatfrom.exe that QQ normally calls is no longer the original one.
I'm also waiting to see the OP's result on this. ...
Heh...! Sorry, didn't notice... missed it...
That TIMPlatfrom.exe virus renames the original TIMPlatform.exe to TIMPlatfrom.exe and then names itself TIMPlatform.exe.
Just reinstall QQ and it'll be fine............
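The 0-versus-O debate, the ctfnom.exe entry and the TIMPlatform.exe/TIMPlatfrom.exe swap are one trick: a file name that a person reads as a known one. As an added example (not code from the thread), the Python below checks a path's base name against a constructed list of legitimate names for a whitespace variant (the SREng process list above shows `SVCHOST.EXE ` with a space before the closing bracket), digit-for-letter substitution, rearranged letters, and a single edit; the name list, the homoglyph table and the distance threshold are assumptions.

```python
# Constructed list of legitimate base names that the thread's suspects imitate.
# Windows file names are case-insensitive, so comparison is done in lower case:
# SVCHOST.EXE and svchost.exe in one directory are the same file, which is why a
# lookalike must differ in some other, easily overlooked way.
KNOWN_NAMES = {
    "svchost.exe", "winlogon.exe", "conime.exe", "ctfmon.exe",
    "explorer.exe", "lsass.exe", "services.exe", "timplatform.exe",
}

# Digits commonly written in place of letters (constructed mapping)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1 ('platfrom' vs 'platform' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_name(path, known=KNOWN_NAMES):
    """Return the reasons a base name looks like a lookalike of a known name.
    An empty list means it is exactly a known name, or resembles none."""
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    stripped = base.strip()
    if stripped != base:
        # Only whitespace separates it from the real file's name
        reasons.append("name has leading/trailing whitespace")
    low = stripped.lower()
    if low in known:
        return reasons
    folded = low.translate(HOMOGLYPHS)
    for k in sorted(known):
        if folded == k:
            reasons.append(f"digit/letter homoglyph of {k}")
        elif sorted(low) == sorted(k):
            reasons.append(f"letters of {k} rearranged")
        elif osa_distance(low, k) == 1:
            reasons.append(f"one edit away from {k}")
    return reasons


if __name__ == "__main__":
    for p in (r"C:\WINDOWS\system32\SVCHOST.EXE", r"C:\WINDOWS\system32\SVCHOST.EXE ",
              r"C:\DOCUME~1\allen\LOCALS~1\Temp\winlog0n.exe", r"C:\WINDOWS\system32\ctfnom.exe",
              r"D:\Program Files\Tencent\TIMPlatfrom.exe"):
        print(repr(p), "->", check_name(p) or "exact known name")
```

The first path comes back clean, matching 火影忍者's "this one is normal" and minok's Notepad check; the same name with a trailing space is the only one of the five that is exactly a known name yet still flagged.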
火影忍者 - 2007-4-26 0:36:00
Iparmor (木马克星) is not recommended...
...you'd be better off using Windows清理助手 (Windows Cleanup Assistant)..!
masket - 2007-4-26 0:52:00
As soon as the network is connected it automatically downloads viruses and trojans, completely ignoring the firewall, the virus monitor and Iparmor. After cleaning in Safe Mode by the method above, jpqpri.dll is still there after a reboot. I'm out of options; do I have to reinstall the machine? 火影忍者, what do I do?