瑞星卡卡安全论坛

首页 » 综合娱乐区 » 活动专区 » 历史活动 » 论坛9周年活动专区 » [Simple Lions]第三关闯关3
mopery - 2010-3-28 16:46:00
从日志中可以看出以下问题项:

启动项:
    <virustrj><C:\WINDOWS\temp\b.bat>  []
    <{45694105-5108-9405-3695-954187462154}><C:\WINDOWS\system32\mpwddapi.dll>  [N/A]
    <{6A041F13-A111-12A3-B0CF-F99818AA68A6}><C:\WINDOWS\system32\zxmscwin.dll>  [N/A]
    <{4C648541-1025-9650-9057-6541258720C4}><C:\WINDOWS\system32\mndhddwd.dll>  [N/A]
    <{4629FF4F-ACDB-5C90-A098-FACB3456A264}><C:\WINDOWS\system32\mpmydapi.dll>  [N/A]
    <{57FD640A-158F-48AC-FD14-1597F14A9775}><C:\WINDOWS\system32\mndsesrv.dll>  [N/A]
    <{8490415F-65F8-B5C5-D8BA-9405FB120548}><C:\WINDOWS\system32\yzzthmsn.dll>  [N/A]
    <{50940F85-F015-14F1-A05F-F69858AC6D05}><C:\WINDOWS\system32\zptlcsys.dll>  [N/A]
    <{4FD45A54-9875-698F-E56E-65102358FDF4}><C:\WINDOWS\system32\apsgdjba.dll>  [N/A]
    <{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}><C:\WINDOWS\system32\oohxdbyt.dll>  [N/A]
    <{2D698451-2015-6358-9871-2015987452D2}><C:\WINDOWS\system32\apzhbtde.dll>  [N/A]
    <{14698742-2059-3025-9058-954023874141}><C:\WINDOWS\system32\jkhxaklo.dll>  [N/A]
    <{35671234-7890-ABCD-CDEF-567801237653}><C:\WINDOWS\system32\yxcschlp.dll>  [N/A]
    <{528DF602-9541-A985-210A-984A698C6F25}><C:\WINDOWS\system32\ptjhehlp.dll>  [N/A]
    <{4A698102-5904-AFD0-20DF-CD1A65829CA4}><C:\WINDOWS\system32\zycbdime.dll>  [N/A]
    <{6C8D1401-A58D-A81C-CD24-A5915C4517C6}><C:\WINDOWS\system32\mnmhfsrv.dll>  [N/A]
    <{22596546-2036-9451-6058-658402589722}><C:\WINDOWS\system32\opshbbty.dll>  [N/A]
    <{81954FAC-1023-154F-895A-1458258AD818}><C:\WINDOWS\system32\ypdjfbmp.dll>  [N/A]
    <{4A069845-2036-6084-9054-6087502480A4}><C:\WINDOWS\system32\ozfydbyt.dll>  [N/A]
    <{1AB1F65A-964F-4AE7-B254-05146A0E602E}><C:\Program Files\Internet Explorer\PLUGINS\WinSys48.Sys>  []
    <{6319A1F1-9410-9654-3201-345FFA349136}><C:\WINDOWS\system32\zywmfime.dll>  [N/A]
    <{9A59145F-315D-BC23-AC1F-145DF81A34A9}><C:\WINDOWS\system32\zyzxiime.dll>  [N/A]
    <{44FAE856-AD58-20CB-A025-CD4895FA6E44}><C:\WINDOWS\system32\pjjxddwd.dll>  [N/A]
    <{17AC9076-C898-B098-D098-A18319080971}><C:\WINDOWS\system32\nhmxajkl.dll>  []
    <{2A095412-A568-B258-C587-D148E148F0A2}><C:\WINDOWS\system32\cdwsbkop.dll>  [N/A]
    <{28EB3777-3E23-4E72-8449-A992D09D24C3}><C:\WINDOWS\system32\zgfdet.dll>  []
    <{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><C:\WINDOWS\system32\hhrdxd.dll>  [N/A]
    <{45AADFAA-DD36-42AB-83AD-0521BBF58C24}><C:\WINDOWS\system32\zdesfx.dll>  []
    <{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}><C:\WINDOWS\system32\wyrsdj.dll>  [N/A]
    <{C0595A7E-2E2F-4B34-A83A-019270A0A464}><C:\WINDOWS\system32\tdffdl.dll>  [N/A]
    <{84143967-B645-4BFF-B873-DA1DC886E9A7}><C:\WINDOWS\system32\cedafb.dll>  [N/A]
    <{8C41B7F7-3168-400D-A702-0E7EFE0BA304}><C:\WINDOWS\system32\sgrefg.dll>  []
    <SCRNSAVE.EXE><C:\WINDOWS\18be.scr>  []

Image File Execution Options 项,劫持安全软件
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
    <IFEO[360rpt.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
    <IFEO[360safe.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
    <IFEO[360safebox.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
    <IFEO[adam.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
    <IFEO[AgentSvr.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
    <IFEO[AppSvc32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ati2evxx.exe]
    <IFEO[ati2evxx.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
    <IFEO[autoruns.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
    <IFEO[avconsol.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
    <IFEO[avgrssvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
    <IFEO[AvMonitor.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
    <IFEO[avp.com]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    <IFEO[CCenter.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
    <IFEO[ccSvcHst.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
    <IFEO[egui.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe]
    <IFEO[esafe.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
    <IFEO[FileDsty.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
    <IFEO[FTCleanerShell.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
    <IFEO[HijackThis.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
    <IFEO[IceSword.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idag.exe]
    <IFEO[idag.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
    <IFEO[Iparmor.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
    <IFEO[isPwdSvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
    <IFEO[kabaload.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kaccore.exe]
    <IFEO[kaccore.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
    <IFEO[KaScrScn.SCR]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
    <IFEO[KASMain.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
    <IFEO[KASTask.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
    <IFEO[KAV32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
    <IFEO[KAVDX.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe]
    <IFEO[KAVPF.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
    <IFEO[KAVPFW.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
    <IFEO[KAVSetup.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
    <IFEO[KAVStart.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe]
    <IFEO[kavsvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe]
    <IFEO[KAVsvcUI.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
    <IFEO[KISLnchr.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
    <IFEO[kissvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
    <IFEO[KMailMon.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
    <IFEO[KMFilter.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
    <IFEO[KPFW32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe]
    <IFEO[kpfwsvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe]
    <IFEO[KPPMain.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
    <IFEO[KRegEx.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com]
    <IFEO[KRepair.com]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
    <IFEO[KsLoader.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp]
    <IFEO[KVCenter.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
    <IFEO[KvDetect.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE]
    <IFEO[KVFW.EXE]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
    <IFEO[KvfwMcl.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
    <IFEO[KVMonXP_1.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
    <IFEO[kvol.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
    <IFEO[kvolself.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
    <IFEO[KvReport.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
    <IFEO[KVScan.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVsrvXP.exe]
    <IFEO[KVsrvXP.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
    <IFEO[KVStub.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
    <IFEO[kvupload.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe]
    <IFEO[KVwsc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]
    <IFEO[kwatch.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
    <IFEO[KWatch9x.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
    <IFEO[KWatchX.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
    <IFEO[MagicSet.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
    <IFEO[mcconsol.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
    <IFEO[mmqczj.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
    <IFEO[mmsk.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe]
    <IFEO[navapsvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe]
    <IFEO[Navapw32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
    <IFEO[nod32krn.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe]
    <IFEO[NPFMntor.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE]
    <IFEO[OllyDBG.EXE]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE]
    <IFEO[OllyICE.EXE]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
    <IFEO[PFW.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
    <IFEO[PFWLiveUpdate.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
    <IFEO[procexp.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
    <IFEO[QHSET.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]


用户系统信息:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
mopery - 2010-3-28 16:48:00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqdoctor.exe]
    <IFEO[qqdoctor.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqkav.exe]
    <IFEO[qqkav.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqsc.exe]
    <IFEO[qqsc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
    <IFEO[Ras.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe]
    <IFEO[rav.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe]
    <IFEO[RAVmon.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe]
    <IFEO[RAVmonD.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe]
    <IFEO[ravstub.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe]
    <IFEO[ravtask.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtimer.exe]
    <IFEO[ravtimer.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtool.exe]
    <IFEO[ravtool.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
    <IFEO[RegClean.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe]
    <IFEO[regtool.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
    <IFEO[rfwmain.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exeFYFireWall.exe]
    <IFEO[rfwproxy.exeFYFireWall.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
    <IFEO[rfwsrv.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]
    <IFEO[rfwstub.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rising.exe]
    <IFEO[rising.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
    <IFEO[Rsaupd.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
    <IFEO[runiep.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe]
    <IFEO[safebank.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxtray.exe]
    <IFEO[safeboxtray.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
    <IFEO[safelive.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
    <IFEO[scan32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
    <IFEO[shcfg32.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
    <IFEO[SmartUp.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
    <IFEO[SREng.EXE]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
    <IFEO[symlcsvc.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
    <IFEO[SysSafe.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
    <IFEO[TrojanDetector.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
    <IFEO[Trojanwall.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
    <IFEO[TrojDie.kxp]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
    <IFEO[UIHost.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
    <IFEO[UmxAgent.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
    <IFEO[UmxAttachment.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
    <IFEO[UmxCfg.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
    <IFEO[UmxFwHlp.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
    <IFEO[UmxPol.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe]
    <IFEO[UpLive.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
    <IFEO[vsstat.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
    <IFEO[webscanx.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe]
    <IFEO[WinDbg.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
    <IFEO[WoptiClean.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Publisher]

驱动服务
[4zj64ds / 4zj64ds9][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\4zj64ds9.sys><>
[Atixeve29218 / Atixeve29218][Stopped/Manual Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.78.tmp><N/A>
[HBKernel Driver / HBKernel][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\HBKernel.sys><N/A>
[zvee57 / zvee57][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\zvee57.sys><N/A>

可疑驱动服务
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[npkycryp / npkycryp][Stopped/Manual Start]
  <\??\D:\Program Files\Tencent\QQ\npkycryp.sys><N/A>

早期QQ存在这俩个键盘保护驱动,但也有可能是病毒,建议将文件上传"在线扫描"监测,依据情况作出处理

[XPROTECTOR / XPROTECTOR][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\Xprotector.sys><N/A>
这个文件可能跟国外的一款加壳软件有关,如果求助者没使用过,请按照对应方法解决

浏览器加载项
[]
  {44FAE856-AD58-20CB-A025-CD4895FA6E44} <C:\WINDOWS\system32\pjjxddwd.dll, N/A>
[]
  {45694105-5108-9405-3695-954187462154} <C:\WINDOWS\system32\mpwddapi.dll, N/A>
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {4A069845-2036-6084-9054-6087502480A4} <C:\WINDOWS\system32\ozfydbyt.dll, N/A>
[]
  {4A698102-5904-AFD0-20DF-CD1A65829CA4} <C:\WINDOWS\system32\zycbdime.dll, N/A>
[]
  {4C648541-1025-9650-9057-6541258720C4} <C:\WINDOWS\system32\mndhddwd.dll, N/A>
[]
  {4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[]
  {50940F85-F015-14F1-A05F-F69858AC6D05} <C:\WINDOWS\system32\zptlcsys.dll, N/A>
[]
  {528DF602-9541-A985-210A-984A698C6F25} <C:\WINDOWS\system32\ptjhehlp.dll, N/A>
[]
  {57FD640A-158F-48AC-FD14-1597F14A9775} <C:\WINDOWS\system32\mndsesrv.dll, N/A>
[]
  {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} <C:\WINDOWS\system32\oohxdbyt.dll, N/A>
[]
  {6319A1F1-9410-9654-3201-345FFA349136} <C:\WINDOWS\system32\zywmfime.dll, N/A>
[]
  {6A041F13-A111-12A3-B0CF-F99818AA68A6} <C:\WINDOWS\system32\zxmscwin.dll, N/A>
[]
  {6C8D1401-A58D-A81C-CD24-A5915C4517C6} <C:\WINDOWS\system32\mnmhfsrv.dll, N/A>
[]
  {81954FAC-1023-154F-895A-1458258AD818} <C:\WINDOWS\system32\ypdjfbmp.dll, N/A>
[]
  {8490415F-65F8-B5C5-D8BA-9405FB120548} <C:\WINDOWS\system32\yzzthmsn.dll, N/A>
[]
  {9A59145F-315D-BC23-AC1F-145DF81A34A9} <C:\WINDOWS\system32\zyzxiime.dll, N/A>
[]
  {14698742-2059-3025-9058-954023874141} <C:\WINDOWS\system32\jkhxaklo.dll, N/A>
[]
  {17AC9076-C898-B098-D098-A18319080971} <C:\WINDOWS\system32\nhmxajkl.dll, N/A>
[]
  {1AB1F65A-964F-4AE7-B254-05146A0E602E} <C:\Program Files\Internet Explorer\PLUGINS\WinSys48.Sys, N/A>
[]
  {22596546-2036-9451-6058-658402589722} <C:\WINDOWS\system32\opshbbty.dll, N/A>
[]
  {2D698451-2015-6358-9871-2015987452D2} <C:\WINDOWS\system32\apzhbtde.dll, N/A>
[]
  {35671234-7890-ABCD-CDEF-567801237653} <C:\WINDOWS\system32\yxcschlp.dll, N/A>
[]
  {44FAE856-AD58-20CB-A025-CD4895FA6E44} <C:\WINDOWS\system32\pjjxddwd.dll, N/A>
[]
  {45694105-5108-9405-3695-954187462154} <C:\WINDOWS\system32\mpwddapi.dll, N/A>
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {4A069845-2036-6084-9054-6087502480A4} <C:\WINDOWS\system32\ozfydbyt.dll, N/A>
[]
  {4A698102-5904-AFD0-20DF-CD1A65829CA4} <C:\WINDOWS\system32\zycbdime.dll, N/A>
[]
  {4C648541-1025-9650-9057-6541258720C4} <C:\WINDOWS\system32\mndhddwd.dll, N/A>
[]
  {4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[]
  {50940F85-F015-14F1-A05F-F69858AC6D05} <C:\WINDOWS\system32\zptlcsys.dll, N/A>
[]
  {528DF602-9541-A985-210A-984A698C6F25} <C:\WINDOWS\system32\ptjhehlp.dll, N/A>
[]
  {57FD640A-158F-48AC-FD14-1597F14A9775} <C:\WINDOWS\system32\mndsesrv.dll, N/A>
[]
  {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} <C:\WINDOWS\system32\oohxdbyt.dll, N/A>
[]
  {6319A1F1-9410-9654-3201-345FFA349136} <C:\WINDOWS\system32\zywmfime.dll, N/A>
[]
  {6A041F13-A111-12A3-B0CF-F99818AA68A6} <C:\WINDOWS\system32\zxmscwin.dll, N/A>
[]
  {6C8D1401-A58D-A81C-CD24-A5915C4517C6} <C:\WINDOWS\system32\mnmhfsrv.dll, N/A>
[]
  {81954FAC-1023-154F-895A-1458258AD818} <C:\WINDOWS\system32\ypdjfbmp.dll, N/A>
[]
  {8490415F-65F8-B5C5-D8BA-9405FB120548} <C:\WINDOWS\system32\yzzthmsn.dll, N/A>
[]
  {9A59145F-315D-BC23-AC1F-145DF81A34A9} <C:\WINDOWS\system32\zyzxiime.dll, N/A>

进程项
[PID: 636 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\mfc40u.dll]  [N/A, ]
lsass.exe 和 mfc40u.dll 被病毒替换
mopery - 2010-3-28 16:50:00
解决方法:
由于多个病毒文件插入系统进程, 需要借助 xdelbox 来处理
xdelbox: http://bbs.ikaka.com/showtopic-8442813.aspx  三楼可以下载到
xdelbox使用方法: http://forum.ikaka.com/topic.asp?board=28&artid=8381032

下载完xdelbox后,断网,打开 xdelbox 添加以下文件路径
C:\WINDOWS\temp\b.bat
C:\WINDOWS\system32\mpwddapi.dll
C:\WINDOWS\system32\zxmscwin.dll
C:\WINDOWS\system32\mndhddwd.dll
C:\WINDOWS\system32\mpmydapi.dll
C:\WINDOWS\system32\mndsesrv.dll
C:\WINDOWS\system32\yzzthmsn.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\apsgdjba.dll
C:\WINDOWS\system32\oohxdbyt.dll
C:\WINDOWS\system32\apzhbtde.dll
C:\WINDOWS\system32\jkhxaklo.dll
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\ptjhehlp.dll
C:\WINDOWS\system32\zycbdime.dll
C:\WINDOWS\system32\mnmhfsrv.dll
C:\WINDOWS\system32\opshbbty.dll
C:\WINDOWS\system32\ypdjfbmp.dll
C:\WINDOWS\system32\ozfydbyt.dll
C:\Program Files\Internet Explorer\PLUGINS\WinSys48.Sys
C:\WINDOWS\system32\zywmfime.dll
C:\WINDOWS\system32\zyzxiime.dll
C:\WINDOWS\system32\pjjxddwd.dll
C:\WINDOWS\system32\nhmxajkl.dll
C:\WINDOWS\system32\cdwsbkop.dll
C:\WINDOWS\system32\zgfdet.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\zdesfx.dll
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\tdffdl.dll
C:\WINDOWS\system32\cedafb.dll
C:\WINDOWS\system32\sgrefg.dll
C:\WINDOWS\18be.scr
C:\WINDOWS\System32\DRIVERS\4zj64ds9.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.78.tmp
C:\WINDOWS\system32\drivers\HBKernel.sys
C:\WINDOWS\system32\drivers\zvee57.sys

添加完毕,选择 立即重启执行删除. 等待系统重新启动

打开 SREng - 启动项目 - 注册表 - 将下列项删除
    <virustrj><C:\WINDOWS\temp\b.bat>  []
    <{45694105-5108-9405-3695-954187462154}><C:\WINDOWS\system32\mpwddapi.dll>  [N/A]
    <{6A041F13-A111-12A3-B0CF-F99818AA68A6}><C:\WINDOWS\system32\zxmscwin.dll>  [N/A]
    <{4C648541-1025-9650-9057-6541258720C4}><C:\WINDOWS\system32\mndhddwd.dll>  [N/A]
    <{4629FF4F-ACDB-5C90-A098-FACB3456A264}><C:\WINDOWS\system32\mpmydapi.dll>  [N/A]
    <{57FD640A-158F-48AC-FD14-1597F14A9775}><C:\WINDOWS\system32\mndsesrv.dll>  [N/A]
    <{8490415F-65F8-B5C5-D8BA-9405FB120548}><C:\WINDOWS\system32\yzzthmsn.dll>  [N/A]
    <{50940F85-F015-14F1-A05F-F69858AC6D05}><C:\WINDOWS\system32\zptlcsys.dll>  [N/A]
    <{4FD45A54-9875-698F-E56E-65102358FDF4}><C:\WINDOWS\system32\apsgdjba.dll>  [N/A]
    <{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}><C:\WINDOWS\system32\oohxdbyt.dll>  [N/A]
    <{2D698451-2015-6358-9871-2015987452D2}><C:\WINDOWS\system32\apzhbtde.dll>  [N/A]
    <{14698742-2059-3025-9058-954023874141}><C:\WINDOWS\system32\jkhxaklo.dll>  [N/A]
    <{35671234-7890-ABCD-CDEF-567801237653}><C:\WINDOWS\system32\yxcschlp.dll>  [N/A]
    <{528DF602-9541-A985-210A-984A698C6F25}><C:\WINDOWS\system32\ptjhehlp.dll>  [N/A]
    <{4A698102-5904-AFD0-20DF-CD1A65829CA4}><C:\WINDOWS\system32\zycbdime.dll>  [N/A]
    <{6C8D1401-A58D-A81C-CD24-A5915C4517C6}><C:\WINDOWS\system32\mnmhfsrv.dll>  [N/A]
    <{22596546-2036-9451-6058-658402589722}><C:\WINDOWS\system32\opshbbty.dll>  [N/A]
    <{81954FAC-1023-154F-895A-1458258AD818}><C:\WINDOWS\system32\ypdjfbmp.dll>  [N/A]
    <{4A069845-2036-6084-9054-6087502480A4}><C:\WINDOWS\system32\ozfydbyt.dll>  [N/A]
    <{1AB1F65A-964F-4AE7-B254-05146A0E602E}><C:\Program Files\Internet Explorer\PLUGINS\WinSys48.Sys>  []
    <{6319A1F1-9410-9654-3201-345FFA349136}><C:\WINDOWS\system32\zywmfime.dll>  [N/A]
    <{9A59145F-315D-BC23-AC1F-145DF81A34A9}><C:\WINDOWS\system32\zyzxiime.dll>  [N/A]
    <{44FAE856-AD58-20CB-A025-CD4895FA6E44}><C:\WINDOWS\system32\pjjxddwd.dll>  [N/A]
    <{17AC9076-C898-B098-D098-A18319080971}><C:\WINDOWS\system32\nhmxajkl.dll>  []
    <{2A095412-A568-B258-C587-D148E148F0A2}><C:\WINDOWS\system32\cdwsbkop.dll>  [N/A]
    <{28EB3777-3E23-4E72-8449-A992D09D24C3}><C:\WINDOWS\system32\zgfdet.dll>  []
    <{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><C:\WINDOWS\system32\hhrdxd.dll>  [N/A]
    <{45AADFAA-DD36-42AB-83AD-0521BBF58C24}><C:\WINDOWS\system32\zdesfx.dll>  []
    <{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}><C:\WINDOWS\system32\wyrsdj.dll>  [N/A]
    <{C0595A7E-2E2F-4B34-A83A-019270A0A464}><C:\WINDOWS\system32\tdffdl.dll>  [N/A]
    <{84143967-B645-4BFF-B873-DA1DC886E9A7}><C:\WINDOWS\system32\cedafb.dll>  [N/A]
    <{8C41B7F7-3168-400D-A702-0E7EFE0BA304}><C:\WINDOWS\system32\sgrefg.dll>  []
    <SCRNSAVE.EXE><C:\WINDOWS\18be.scr>  []

打开 SREng - 启动项目 - 注册表 - 将所有 Image File Execution Options 项删除

打开 SREng - 启动项目 - 驱动服务 - 将下列项删除
[4zj64ds / 4zj64ds9][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\4zj64ds9.sys><>
[Atixeve29218 / Atixeve29218][Stopped/Manual Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.78.tmp><N/A>
[HBKernel Driver / HBKernel][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\HBKernel.sys><N/A>
[zvee57 / zvee57][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\zvee57.sys><N/A>

打开SREng - 系统修复 - 浏览器加载项 - 将下列项删除
[]
  {44FAE856-AD58-20CB-A025-CD4895FA6E44} <C:\WINDOWS\system32\pjjxddwd.dll, N/A>
[]
  {45694105-5108-9405-3695-954187462154} <C:\WINDOWS\system32\mpwddapi.dll, N/A>
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {4A069845-2036-6084-9054-6087502480A4} <C:\WINDOWS\system32\ozfydbyt.dll, N/A>
[]
  {4A698102-5904-AFD0-20DF-CD1A65829CA4} <C:\WINDOWS\system32\zycbdime.dll, N/A>
[]
  {4C648541-1025-9650-9057-6541258720C4} <C:\WINDOWS\system32\mndhddwd.dll, N/A>
[]
  {4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[]
  {50940F85-F015-14F1-A05F-F69858AC6D05} <C:\WINDOWS\system32\zptlcsys.dll, N/A>
[]
  {528DF602-9541-A985-210A-984A698C6F25} <C:\WINDOWS\system32\ptjhehlp.dll, N/A>
[]
  {57FD640A-158F-48AC-FD14-1597F14A9775} <C:\WINDOWS\system32\mndsesrv.dll, N/A>
[]
  {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} <C:\WINDOWS\system32\oohxdbyt.dll, N/A>
[]
  {6319A1F1-9410-9654-3201-345FFA349136} <C:\WINDOWS\system32\zywmfime.dll, N/A>
[]
  {6A041F13-A111-12A3-B0CF-F99818AA68A6} <C:\WINDOWS\system32\zxmscwin.dll, N/A>
[]
  {6C8D1401-A58D-A81C-CD24-A5915C4517C6} <C:\WINDOWS\system32\mnmhfsrv.dll, N/A>
[]
  {81954FAC-1023-154F-895A-1458258AD818} <C:\WINDOWS\system32\ypdjfbmp.dll, N/A>
[]
  {8490415F-65F8-B5C5-D8BA-9405FB120548} <C:\WINDOWS\system32\yzzthmsn.dll, N/A>
[]
  {9A59145F-315D-BC23-AC1F-145DF81A34A9} <C:\WINDOWS\system32\zyzxiime.dll, N/A>
[]
  {14698742-2059-3025-9058-954023874141} <C:\WINDOWS\system32\jkhxaklo.dll, N/A>
[]
  {17AC9076-C898-B098-D098-A18319080971} <C:\WINDOWS\system32\nhmxajkl.dll, N/A>
[]
  {1AB1F65A-964F-4AE7-B254-05146A0E602E} <C:\Program Files\Internet Explorer\PLUGINS\WinSys48.Sys, N/A>
[]
  {22596546-2036-9451-6058-658402589722} <C:\WINDOWS\system32\opshbbty.dll, N/A>
[]
  {2D698451-2015-6358-9871-2015987452D2} <C:\WINDOWS\system32\apzhbtde.dll, N/A>
[]
  {35671234-7890-ABCD-CDEF-567801237653} <C:\WINDOWS\system32\yxcschlp.dll, N/A>
[]
  {44FAE856-AD58-20CB-A025-CD4895FA6E44} <C:\WINDOWS\system32\pjjxddwd.dll, N/A>
[]
  {45694105-5108-9405-3695-954187462154} <C:\WINDOWS\system32\mpwddapi.dll, N/A>
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {4A069845-2036-6084-9054-6087502480A4} <C:\WINDOWS\system32\ozfydbyt.dll, N/A>
[]
  {4A698102-5904-AFD0-20DF-CD1A65829CA4} <C:\WINDOWS\system32\zycbdime.dll, N/A>
[]
  {4C648541-1025-9650-9057-6541258720C4} <C:\WINDOWS\system32\mndhddwd.dll, N/A>
[]
  {4FD45A54-9875-698F-E56E-65102358FDF4} <C:\WINDOWS\system32\apsgdjba.dll, N/A>
[]
  {50940F85-F015-14F1-A05F-F69858AC6D05} <C:\WINDOWS\system32\zptlcsys.dll, N/A>
[]
  {528DF602-9541-A985-210A-984A698C6F25} <C:\WINDOWS\system32\ptjhehlp.dll, N/A>
[]
  {57FD640A-158F-48AC-FD14-1597F14A9775} <C:\WINDOWS\system32\mndsesrv.dll, N/A>
[]
  {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} <C:\WINDOWS\system32\oohxdbyt.dll, N/A>
[]
  {6319A1F1-9410-9654-3201-345FFA349136} <C:\WINDOWS\system32\zywmfime.dll, N/A>
[]
  {6A041F13-A111-12A3-B0CF-F99818AA68A6} <C:\WINDOWS\system32\zxmscwin.dll, N/A>
[]
  {6C8D1401-A58D-A81C-CD24-A5915C4517C6} <C:\WINDOWS\system32\mnmhfsrv.dll, N/A>
[]
  {81954FAC-1023-154F-895A-1458258AD818} <C:\WINDOWS\system32\ypdjfbmp.dll, N/A>
[]
  {8490415F-65F8-B5C5-D8BA-9405FB120548} <C:\WINDOWS\system32\yzzthmsn.dll, N/A>
[]
  {9A59145F-315D-BC23-AC1F-145DF81A34A9} <C:\WINDOWS\system32\zyzxiime.dll, N/A>

处理完上述项目后,请将下列文件重命名, 删除扩展名
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\mfc40u.dll

待重命名完毕后,系统将自动修复这俩个文件
如果没有恢复,请前往路径 C:\WINDOWS\system32\dllcache 复制 lsass.exe 和 mfc40u.dll ,并覆盖到对应路径

再次重启后检查系统是否正常
lqqk7 - 2010-3-30 16:21:00
看出lsass.exe也有问题的很少,赞一个:kaka12:

另外两个加载项值得注意:
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 明勋科技有限公司>

[知识库]
  {06926B30-424E-4f1c-8EE3-543CD96573DC} <http://blank.la/?h, N/A>
辛达星郁 - 2010-4-5 20:33:00
回帖子学习:kaka12:
菜菜万岁 - 2010-4-5 22:50:00
:kaka4: 看看
1
查看完整版本: [Simple Lions]第三关闯关3
© 2000 - 2024 Rising Corp. Ltd.