【求助】为haol23搞上了....（注："l"是L的小写不是"1"） bbs.ikaka.com

一元钱雷斯 - 2007-6-5 8:36:00

服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\WINDOWS\System32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
[Symantec AntiVirus Definition Watcher / DefWatch][Running/Auto Start]
<"C:\Program Files\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[SavRoam / SavRoam][Stopped/Manual Start]
<"C:\Program Files\Symantec AntiVirus\SavRoam.exe"><symantec>
[Symantec AntiVirus / Symantec AntiVirus][Running/Auto Start]
<"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
<system32\drivers\ac97intc.sys><Intel Corporation>
[标准 IDE/ESDI 硬盘控制器 / atapi][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\atapi.sys><N/A>
[ati2mtag / ati2mtag][Running/Manual Start]
<System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[CdaC15BA / CdaC15BA][Running/Auto Start]
<\??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS><Macrovision Europe Ltd>
[d346bus / d346bus][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\d346bus.sys><>
[d346prt / d346prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d346prt.sys><>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[NAVENG / NAVENG][Running/Manual Start]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070529.034\naveng.sys><Symantec Corporation>
[NAVEX15 / NAVEX15][Running/Manual Start]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070529.034\navex15.sys><Symantec Corporation>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\E:\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Stopped/Manual Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\System32\drivers\RsBoot.sys><Beijing Rising>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SAVRT / SAVRT][Running/System Start]
<\??\C:\Program Files\Symantec AntiVirus\savrt.sys><Symantec Corporation>
[SAVRTPEL / SAVRTPEL][Running/Auto Start]
<\??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys><Symantec Corporation>
[Secdrv / Secdrv][Running/Auto Start]
<System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[shivm / shivmc][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\shivmc.sys><N/A>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[SymEvent / SymEvent][Running/Manual Start]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[ugec / ugecu][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ugecu.sys><N/A>

一元钱雷斯 - 2007-6-5 8:36:00

浏览器加载项
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\System32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迷你迅雷下载]
<C:\Program Files\Thunder Network\ThunderMini\Program\GetUrl.htm, N/A>

==================================
正在运行的进程
[PID: 560][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 624][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 648][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1557 (xpsp2_gdr.040517-1325)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4114]
[C:\WINDOWS\system32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 692][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 704][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 852][C:\WINDOWS\System32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4114]
[C:\WINDOWS\System32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2496]
[PID: 888][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 988][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\wups.dll] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[PID: 1128][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1228][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1496][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\system32\rcybl.dll] [N/A, ]
[C:\WINDOWS\system32\shivmc.dll] [N/A, ]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] [Symantec Corporation, 9.0.0.338]
[C:\Program Files\7-Zip\7-zip.dll] [N/A, ]
[PID: 1780][C:\PROGRA~1\SYMANT~1\VPTray.exe] [Symantec Corporation, 9.0.0.338]
[C:\Program Files\Symantec AntiVirus\SAVRT32.DLL] [Symantec Corporation, 9.3.0.28]
[C:\Program Files\Symantec AntiVirus\Cliscan.dll] [Symantec Corporation, 9.0.0.338]
[C:\PROGRA~1\SYMANT~1\NAVNTUTL.DLL] [Symantec Corporation, 9.0.0.338]
[C:\Program Files\Symantec AntiVirus\Cliproxy.dll] [Symantec Corporation, 9.0.0.338]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1812][C:\Program Files\Rising\AntiSpyware\runiep.exe] [Beijing Rising Technology Co., Ltd., 1, 0, 1, 6]
[C:\Program Files\Rising\AntiSpyware\iep_ctrl.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1820][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 1840][C:\Program Files\Thunder Network\ThunderMini\program\ThunderMini.exe] [Thunder Networking Technologies,LTD, 2, 0, 1, 30]
[C:\Program Files\Thunder Network\ThunderMini\program\download_interface.dll] [N/A, ]
[C:\Program Files\Thunder Network\ThunderMini\program\UpdateDownload.dll] [Thunder Networking Technologies,LTD, 1, 0, 1, 6]
[C:\Program Files\Thunder Network\ThunderMini\Components\InMedia\iEmbedShell.dll] [　, 1, 0, 0, 6]
[C:\Program Files\Thunder Network\ThunderMini\Components\InMedia\iEmbed.dll] [　, 2, 1, 0, 30]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[PID: 2156][C:\Program Files\Maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 6, 1, 22]
[C:\Program Files\Maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
[C:\WINDOWS\System32\odbcbcp.dll] [Microsoft Corporation, 2000.081.9030.00]
[C:\WINDOWS\System32\mscoree.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\perfcounter.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CorperfmonExt.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
[C:\Program Files\Maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[PID: 2576][E:\tools\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]

一元钱雷斯 - 2007-6-5 8:38:00

文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

*注：俺比较懒，所以XP还是SP1滴...不过该打的补丁都打了

燃烧远征 - 2007-6-5 8:39:00

我的也是一样，用了各种修复IE的软件都无效，此病毒修改安装系统后系统在桌面上IE属性的设置，设置为"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.haol23.net/?a30// 删除后重启又会出现，如果把此快捷删除，在重启后又将自动生成。
附
Logfile of Kaka v2. 0. 3. 0 Scan Module v1. 0. 6. 1
Scan saved at 08:23:17, on 2005-06-05
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))

R3 - Default URLSearchHook is missing
O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Thunder Browser Helper - {109B111B-371B-4267-AF19-BDEB6EDA0970} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Flash Object Class - {109B111C-371B-4267-AF19-BDEB6EDA0970} - C:\WINDOWS\Flash9c.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - Startup: desktop.ini =
O4 - Global Startup: desktop.ini =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/windows/ie_intl/cn/start/
O16 - DPF: DirectAnimation Java Classes - file://C:\WINDOWS\system32\dajava.cab
O16 - DPF: Internet Explorer Classes for Java - file://C:\WINDOWS\system32\iejava.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E848E858-FE80-452C-8FD5-28480F854373}: NameServer = 202.103.96.112
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 (Pml Driver HPZ12) - HP - C:\WINDOWS\system32\hpzipm12.exe

附件: 88215620076582920.bmp

一元钱雷斯 - 2007-6-5 15:36:00

看来这个haol23真是难倒众“高手”喽...

希望有喜欢挑战滴老鸟以身试毒...

可爱的泡泡糖 - 2007-6-5 16:30:00

重装下ie行不行咯

红夜鬼1 - 2007-6-5 16:51:00

运行(双击)SRENG2，点“启动项目，服务，点“驱动程序”
勾选“隐藏微软服务”选中病毒服务
shivm
ugec
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
\SystemRoot\System32\DRIVERS\shivmc.sys
SystemRoot\System32\DRIVERS\ugecu.sys

一元钱雷斯 - 2007-6-5 22:38:00

大虾果然还是有的...感谢楼上鬼兄

不过要修改一下处理方式

去下一个金山清理专家吧，等下有用。

首先这两个文件就是病毒文件，和我原来想的一样，不过我原来用autoruns禁掉过这两个驱动，结果重启后蓝屏，懒了一下没有去安全模式删文件就将子滴后果。。。

那两个文件基本在安全模式下也是删不了的，因为是和explorer一起启动的，而且正常关机的时候貌似为重新回复

所以我的处理方式是，用autoruns删了两上服务，然后直接按reset重启电脑...是有点过份，不过没办法，这是不让关机过程重新中毒的一个好方法，除非你强行结束explorer进程-.-!

然后按F8进去安全模式...很慢，没办法...去小个便吃个泡面吧

安全模式下直接删两个文件也是删不掉滴，所以现在用上金山清理专家了，说实话这软件一般，但有个不错的功能：传说中的“文件粉碎机”！OK，直接把那两个文件粉碎了，灰飞烟灭了，再想复活就难啦。

现在去掉桌面上的IE快捷方式和快速驱动栏里的IE快捷方式后面那个小尾巴吧，重启电脑~~

一切恢复正常~~HOHO

这里再BS一下做这个恶意程序的家伙，没事找抽么

正常重启电脑，OK~

wwww1986 - 2007-6-12 17:14:00

我的也是，但网站不同www.haol23.net/?a05，病毒文件也不同，请问那个是病毒？
[CODE]

2007-06-12,16:40:35

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ccApp><; "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"> [(Verified)Symantec Corporation]
<vptray><; C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe> [(Verified)Symantec Corporation]
<WebThunder><; "C:\Program Files\Thunder Network\WebThunder\WebThunder.exe"> [(Verified)ShenZhen Thunder Networking Technologies Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<zchpjd><%systemroot%\system32\Rundll32.exe %systemroot%\system32\zchpjd.dll,DllUnregisterServer> []
<xynxmy><%systemroot%\system32\Rundll32.exe %systemroot%\system32\xynxmy.dll,DllUnregisterServer> []
<wzocob><%systemroot%\system32\Rundll32.exe %systemroot%\system32\wzocob.dll,DllUnregisterServer> []
<tmdydk><%systemroot%\system32\Rundll32.exe %systemroot%\system32\tmdydk.dll,DllUnregisterServer> []
<saopim><%systemroot%\system32\Rundll32.exe %systemroot%\system32\saopim.dll,DllUnregisterServer> []
<qrxmoe><%systemroot%\system32\Rundll32.exe %systemroot%\system32\qrxmoe.dll,DllUnregisterServer> []
<ksmvom><%systemroot%\system32\Rundll32.exe %systemroot%\system32\ksmvom.dll,DllUnregisterServer> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
N/A

==================================
服务
[7A12C566 / 7A12C566][Stopped/Auto Start]
<C:\WINDOWS\system32\A8DC84A4.EXE -d><Microsoft Corporation>
[C-DillaCdaC11BA / C-DillaCdaC11BA][Running/Auto Start]
<C:\WINDOWS\system32\drivers\CDAC11BA.EXE><Macrovision>
[Symantec Event Manager / ccEvtMgr][Running/Auto Start]
<"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"><Symantec Corporation>
[Symantec Network Proxy / ccProxy][Running/Auto Start]
<"C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"><Symantec Corporation>
[Symantec Password Validation / ccPwdSvc][Stopped/Manual Start]
<"C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr][Running/Auto Start]
<"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[Symantec AntiVirus Definition Watcher / DefWatch][Running/Auto Start]
<"C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[DameWare Mini Remote Control / DWMRCS][Running/Auto Start]
<C:\WINDOWS\SYSTEM32\DWRCS.EXE -service><DameWare Development LLC>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[IS Service / ISSVC][Stopped/Auto Start]
<C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe><Symantec Corporation>
[Multi-user Cleanup Service / Multi-user Cleanup Service][Running/Auto Start]
<C:\Program Files\lotus\notes\ntmulti.exe><IBM Corp>
[Intel(R) NMS / NMSSvc][Stopped/Auto Start]
<C:\WINDOWS\System32\NMSSvc.exe><Intel Corporation>
[SavRoam / SavRoam][Running/Auto Start]
<"C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe"><symantec>
[Symantec Network Drivers Service / SNDSrvc][Running/Auto Start]
<"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Running/Auto Start]
<C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
[Symantec SPBBCSvc / SPBBCSvc][Stopped/Manual Start]
<C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus][Running/Auto Start]
<"C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
[Symantec SecurePort / SymSecurePort][Stopped/Auto Start]
<"C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe"><Symantec Corporation>
[windows clint1 / wc1][Running/Auto Start]
<c:\windows\system\wc1\wdfmgr.exe><>

wwww1986 - 2007-6-12 17:16:00

==================================
驱动程序
[abp480n5 / abp480n5][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ABP480N5.SYS><Microsoft Corporation>
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Stopped/Manual Start]
<system32\drivers\ac97intc.sys><Intel Corporation>
[adpu160m / adpu160m][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\adpu160m.sys><Microsoft Corporation>
[aeaudio / aeaudio][Running/Manual Start]
<system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[Aha154x / Aha154x][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\aha154x.sys><Microsoft Corporation>
[aic78u2 / aic78u2][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\aic78u2.sys><Microsoft Corporation>
[aic78xx / aic78xx][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[AliIde / AliIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
[AMD AGP Bus Filter Driver / amdagp][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\amdagp.sys><Advanced Micro Devices, Inc.>
[asc / asc][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\asc.sys><Advanced System Products, Inc.>
[asc3350p / asc3350p][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\asc3350p.sys><Microsoft Corporation>
[asc3550 / asc3550][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\asc3550.sys><Advanced System Products, Inc.>
[cd20xrnt / cd20xrnt][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\cd20xrnt.sys><Microsoft Corporation>
[CdaC15BA / CdaC15BA][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS><Macrovision Europe Ltd>
[CmdIde / CmdIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[dac2w2k / dac2w2k][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\dac2w2k.sys><Mylex Corporation>
[dpti2o / dpti2o][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\dpti2o.sys><Microsoft Corporation>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[Symantec Eraser Control driver / eeCtrl][Running/System Start]
<\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
[IBM Access Support / EGATHDRV][Stopped/Manual Start]
<\??\C:\WINDOWS\System32\EGATHDRV.SYS><N/A>
[GWIOPM / GWIOPM][Stopped/Manual Start]
<\??\C:\Program Files\Wopti\GWIOPM.sys><N/A>
[ialm / ialm][Running/Manual Start]
<System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[ini910u / ini910u][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ini910u.sys><Microsoft Corporation>
[ksmvo / ksmvom][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ksmvom.sys><N/A>
[mraid35x / mraid35x][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\mraid35x.sys><American Megatrends Inc.>
[NAVENG / NAVENG][Running/Manual Start]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070611.022\naveng.sys><Symantec Corporation>
[NAVEX15 / NAVEX15][Running/Manual Start]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070611.022\navex15.sys><Symantec Corporation>
[nmxhyd / nmxhyd][Running/Boot Start]
<\SystemRoot\system32\drivers\nmxhyd.sys><N/A>
[nv / nv][Stopped/Manual Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[PMEM / PMEM][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS><Microsoft Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[ql1080 / ql1080][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ql1080.sys><QLogic Corporation>
[Ql10wnt / Ql10wnt][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ql10wnt.sys><Microsoft Corporation>
[ql12160 / ql12160][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ql12160.sys><QLogic Corporation>
[ql1280 / ql1280][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ql1280.sys><QLogic Corporation>
[qrxmo / qrxmoe][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\qrxmoe.sys><N/A>
[saopi / saopim][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\saopim.sys><N/A>
[SAVRT / SAVRT][Running/System Start]
<\??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys><Symantec Corporation>
[SAVRTPEL / SAVRTPEL][Running/System Start]
<\??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys><Symantec Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[smwdm / smwdm][Running/Manual Start]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
<system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[Sparrow / Sparrow][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sparrow.sys><Adaptec, Inc.>
[SPBBCDrv / SPBBCDrv][Stopped/Manual Start]
<\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys><Symantec Corporation>
[symc810 / symc810][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\symc8xx.sys><LSI Logic>
[SYMDNS / SYMDNS][Stopped/Manual Start]
<\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
[SymEvent / SymEvent][Running/Manual Start]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[SYMFW / SYMFW][Stopped/Manual Start]
<\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
[SYMIDS / SYMIDS][Stopped/Manual Start]
<\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
[SYMIDSCO / SYMIDSCO][Stopped/Manual Start]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20070607.003\symidsco.sys><Symantec Corporation>
[SYMNDIS / SYMNDIS][Stopped/Manual Start]
<\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
[SYMREDRV / SYMREDRV][Stopped/Manual Start]
<\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI][Stopped/System Start]
<\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
[sym_hi / sym_hi][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\sym_u3.sys><LSI Logic>
[tmdyd / tmdydk][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\tmdydk.sys><N/A>
[TosIde / TosIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\toside.sys><Microsoft Corporation>
[ultra / ultra][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\ultra.sys><Promise Technology, Inc.>
[ViaIde / ViaIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\viaide.sys><Microsoft Corporation>
[wzoco / wzocob][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\wzocob.sys><N/A>
[xynxm / xynxmy][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\xynxmy.sys><N/A>
[zchpj / zchpjd][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\zchpjd.sys><N/A>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/System Start]
<system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
<system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
浏览器加载项
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} <C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll, Thunder Networking Technologies,LTD>
[启动Web迅雷]
{962EFB8E-2683-42d4-AC74-AAA4C759B9C6} <http://my.xunlei.com, N/A>
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} <C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll, Thunder Networking Technologies,LTD>
[WebThunder Class]
{03507A1A-E0C5-4404-AA26-205385C0892D} <, N/A>
[Web Browser Applet Control]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\System32\shdocvw.dll, Microsoft Corporation>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation

wwww1986 - 2007-6-12 17:17:00

>
[Adobe Acrobat Control for ActiveX]
{CA8A9780-280D-11CF-A24D-444553540000} <C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\pdf.ocx, Adobe Systems Incorporated>
[AUDIO__MID Moniker Class]
{CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[使用Web迅雷下载]
<C:\Program Files\Thunder Network\WebThunder\GetUrl.htm, N/A>
[使用Web迅雷下载全部链接]
<C:\Program Files\Thunder Network\WebThunder\GetAllUrl.htm, N/A>

==================================
正在运行的进程
[PID: 596][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 660][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 684][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 728][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 740][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 2416][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\WINDOWS\system32\AcSignIcon.dll] [Autodesk, 16.0.0.86]
[C:\WINDOWS\system32\zchpjd.dll] [N/A, ]
[C:\WINDOWS\system32\xynxmy.dll] [N/A, ]
[C:\WINDOWS\system32\wzocob.dll] [N/A, ]
[C:\WINDOWS\system32\tmdydk.dll] [N/A, ]
[C:\WINDOWS\system32\saopim.dll] [N/A, ]
[C:\WINDOWS\system32\qrxmoe.dll] [N/A, ]
[C:\WINDOWS\system32\ksmvom.dll] [N/A, ]
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] [Autodesk, 16.0.0.86]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\igfxpph.dll] [Intel Corporation, 3,0,0,1915]
[C:\WINDOWS\System32\hccutils.DLL] [Intel Corporation, 3,0,0,1915]
[C:\WINDOWS\system32\igfxres.dll] [Intel Corporation, 3,0,0,1915]
[C:\Program Files\Microsoft Office\Office10\msohev.dll] [Microsoft Corporation, 10.0.2609]
[C:\PROGRA~1\WinZip\wzshlext.dll] [, ]
[C:\PROGRA~1\WINZIP\WZCAB2.DLL] [Nico Mak Computing, Inc., 2, 0, 0, 0]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] [Symantec Corporation, 10.0.2.2000]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[PID: 2620][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 2696][C:\WINDOWS\SYSTEM32\DWRCST.exe] [DameWare Development, 5, 1, 3, 0]
[C:\WINDOWS\SYSTEM32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 3008][C:\Program Files\Thunder Network\WebThunder\WebThunder.exe] [深圳市迅雷网络技术有限公司, 1, 8, 4, 130]
[C:\Program Files\Thunder Network\WebThunder\RegisterDll.dll] [Thunder Networking Technologies,LTD, 2, 13, 4, 58]
[C:\Program Files\Thunder Network\WebThunder\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\Program Files\Thunder Network\WebThunder\TaskManager.dll] [Thunder Networking Technologies,LTD, 1, 1, 1, 24]
[C:\Program Files\Thunder Network\WebThunder\download_interface.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 98]
[C:\Program Files\Thunder Network\WebThunder\stlport_vc646.dll] [STLport Consulting, Inc., 4.6.2003.1031]
[C:\Program Files\Thunder Network\WebThunder\asyn_dns.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 98]
[C:\Program Files\Thunder Network\WebThunder\Inmedia\iEmbedShell.dll] [　, 1, 0, 0, 19]
[C:\Program Files\Thunder Network\WebThunder\InMedia\iEmbed10.dll] [　, 3, 3, 1, 83]
[C:\Program Files\Thunder Network\WebThunder\CacheServer.dll] [, 1, 0, 0, 1]
[PID: 3052][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 3644][C:\Program Files\Microsoft Office\Office10\WINWORD.EXE] [Microsoft Corporation, 10.0.6818]
[C:\Program Files\Common Files\Microsoft Shared\office10\mso.dll] [Microsoft Corporation, 10.0.6817]
[C:\Program Files\Common Files\Microsoft Shared\office10\riched20.dll] [Microsoft Corporation, 5.40.11.2212]
[C:\WINDOWS\system32\UNISPIM5.IME] [北京紫光华宇软件股份有限公司, 5.0.0.5076]
[C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3SC.DLL] [Microsoft Corporation, 3.0.1707.0]
[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBF322E.DLL] [Hewlett-Packard Company, 4.3.2.192]
[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBF322G.DLL] [Hewlett-Packard Company, 4.3.2.192]
[PID: 2100][D:\王\测试\其它\SOFE\杀毒\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 3708][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\AcSignIcon.dll] [Autodesk, 16.0.0.86]
[C:\Program Files\Microsoft Office\Office10\msohev.dll] [Microsoft Corporation, 10.0.2609]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\Macromed\Common\SwSupport.dll] [Macromedia, Inc., 8.5r321]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]

红夜鬼1 - 2007-6-12 17:57:00

运行SREng2,使用“启动项目”－－注册表－－删除
<zchpjd><%systemroot%\system32\Rundll32.exe %systemroot%\system32\zchpjd.dll,DllUnregisterServer> []
<xynxmy><%systemroot%\system32\Rundll32.exe %systemroot%\system32\xynxmy.dll,DllUnregisterServer> []
<wzocob><%systemroot%\system32\Rundll32.exe %systemroot%\system32\wzocob.dll,DllUnregisterServer> []
<tmdydk><%systemroot%\system32\Rundll32.exe %systemroot%\system32\tmdydk.dll,DllUnregisterServer> []
<saopim><%systemroot%\system32\Rundll32.exe %systemroot%\system32\saopim.dll,DllUnregisterServer> []
<qrxmoe><%systemroot%\system32\Rundll32.exe %systemroot%\system32\qrxmoe.dll,DllUnregisterServer> []
<ksmvom><%systemroot%\system32\Rundll32.exe %systemroot%\system32\ksmvom.dll,DllUnregisterServer> []

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
7A12C566
windows clint1
，选择“删除服务”
点“设置”选择“否”

运行(双击)SRENG2，点“启动项目，服务，点“驱动程序”
勾选“隐藏微软服务”选中病毒服务
ksmvo
nmxhyd
qrxmo
saopi
tmdyd
wzoco
xynxm
zchpj
，选择“删除服务”
点“设置”选择“否”

重启按F８进入安全模式下
显示隐藏文件
删除：
\SystemRoot\System32\DRIVERS\wzocob.sys
\SystemRoot\System32\DRIVERS\xynxmy.sys
SystemRoot\System32\DRIVERS\zchpjd.sys
SystemRoot\System32\DRIVERS\tmdydk.sys
SystemRoot\System32\DRIVERS\saopim.sys
SystemRoot\System32\DRIVERS\qrxmoe.sys
SystemRoot\system32\drivers\nmxhyd.sys
SystemRoot\System32\DRIVERS\ksmvom.sys
c:\windows\system\wc1\wdfmgr.exe
C:\WINDOWS\system32\A8DC84A4.EXE
在安全模式下结束Explorer.EXE进程,再删除
C:\WINDOWS\system32\zchpjd.dll
[C:\WINDOWS\system32\xynxmy.dll
[C:\WINDOWS\system32\wzocob.dll
[C:\WINDOWS\system32\tmdydk.dll
[C:\WINDOWS\system32\saopim.dll
[C:\WINDOWS\system32\qrxmoe.dll
[C:\WINDOWS\system32\ksmvom.dll

普小京工作室 - 2007-6-12 20:48:00

kaka助手扛不住啊！阻止不了！还是病毒站了上风！

wwww1986 - 2007-6-13 9:59:00

多谢红夜鬼1 指导，不过目前有一个问题，当我把Explorer.EXE进程结束后系统就当机，只剩下鼠标和任务管理器，桌面不能显示，见不到我的电脑也没办法删除那些.dll和.sys文件。如果不关闭Explorer.EXE进程，.dll和.sys文件也删不掉，系统提示文件正在使用。郁闷中。。。。

wwww1986 - 2007-6-13 10:03:00

请高手继续指导，我在这谢过了

快乐K毒 - 2007-6-13 15:20:00

++++++++ 这个是我的诊断证明，敬请下药。。。。

[复制到剪贴板]

CODE:

2007-06-12,16:20:18

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
Autorun.inf

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<MSMSGS><; "C:\Program Files\Messenger\msmsgs.exe" /background> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AGRSMMSG><AGRSMMSG.exe> [(Verified)Microsoft Windows Publisher]
<Zone Labs Client><"C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"> [(Verified)Check Point Software Technologies Inc.]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload> [(Verified)Microsoft Corporation]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<TrackPointSrv><; tp4mon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
[1]
<C:\Documents and Settings\xubo\「开始」菜单\程序\启动\1.reg --> [N/A]><N>

==================================
服务
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Manual Start]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Windows lhgd RunThem / lhgd][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\gcby\qmli.dll><N/A>
[OracleMTSRecoveryService / OracleMTSRecoveryService][Stopped/Manual Start]
<C:\oracle\ora92\bin\omtsreco.exe "OracleMTSRecoveryService"><Oracle Corporation>
[OracleOraHome92Agent / OracleOraHome92Agent][Stopped/Manual Start]
<C:\oracle\ora92\bin\agntsrvc.exe><Oracle Corporation>
[OracleOraHome92ClientCache / OracleOraHome92ClientCache][Stopped/Manual Start]
<C:\oracle\ora92\BIN\ONRSD.EXE><N/A>
[OracleOraHome92HTTPServer / OracleOraHome92HTTPServer][Stopped/Manual Start]
<"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice><N/A>
[OracleOraHome92PagingServer / OracleOraHome92PagingServer][Stopped/Manual Start]
<C:\oracle\ora92/bin/pagntsrv.exe><N/A>
[OracleOraHome92SNMPPeerEncapsulator / OracleOraHome92SNMPPeerEncapsulator][Stopped/Manual Start]
<C:\oracle\ora92\BIN\ENCSVC.EXE><N/A>
[OracleOraHome92SNMPPeerMasterAgent / OracleOraHome92SNMPPeerMasterAgent][Stopped/Manual Start]
<C:\oracle\ora92\BIN\AGNTSVC.EXE><N/A>
[OracleOraHome92TNSListener / OracleOraHome92TNSListener][Stopped/Manual Start]
<C:\oracle\ora92\BIN\TNSLSNR ><N/A>
[OracleServiceORA9I / OracleServiceORA9I][Stopped/Manual Start]
<c:\oracle\ora92\bin\ORACLE.EXE ORA9I><Oracle Corporation>
[TrueVector Internet Monitor / vsmon][Running/Auto Start]
<C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service><Zone Labs, LLC>
[WebPrint / WebPrint][Stopped/Disabled]
<c:\windows\system32\webprint.exe><N/A>

==================================
驱动程序
[Agere Systems Soft Modem / AgereSoftModem][Running/Manual Start]
<system32\DRIVERS\AGRSM.sys><Agere Systems>
[ALi Audio Accelerator WDM driver / aliadwdm][Running/Manual Start]
<system32\drivers\ac97ali.sys><Acer Laboratories Inc.>
[AliIde / AliIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
[arp8023 / arp8023][Stopped/Manual Start]
<\SystemRoot\system32\drivers\arp8023.sys><N/A>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Broadcom NetXtreme Fast Ethernet / b57w2k][Running/Manual Start]
<system32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[fmqeqm / fmqeqm][Running/Boot Start]
<\SystemRoot\system32\drivers\fmqeqm.sys><N/A>

==================================
浏览器加载项
[Thunder Browser Helper]
{06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_006.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
{06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_006.dll, Thunder Networking Technologies,LTD>
[ActiveFormX Control]
{18AFF9A5-2934-4827-8466-67167BCB2B3E} <C:\WINDOWS\DOWNLO~1\fileup.ocx, >
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[工程1.UserControl1]
{7672411B-9C43-4848-98F2-9D3FFC442968} <C:\WINDOWS\Downloaded Program Files\code_pdf.ocx, huadi>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_006.dll, Thunder Networking Technologies,LTD>
[CreateGBForm]
{996F9C89-E3D7-11D5-A167-00A0C9984BED} <C:\WINDOWS\DOWNLO~1\CREATE~1.OCX, Founder>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\system\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>

==================================
正在运行的进程
[PID: 592][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 660][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 684][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4115]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1624][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\vdcqfa.dll] [N/A, ]
[C:\WINDOWS\AppPatch\AcLue.dll] [N/A, ]
[C:\WINDOWS\AppPatch\AcLuo.dll] [N/A, ]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_006.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 3]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\UltraEdit\ue32ctmn.dll] [, 1, 0, 0, 1]
[PID: 1288][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1668][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1144][C:\WINDOWS\system32\mstsc.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1548][C:\Program Files\Outlook Express\msimn.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1076][E:\tools\systemtools\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

瑞星卡卡安全论坛