瑞星卡卡安全论坛

从日志中可以看出以下问题项:

启动项:
    <MPKrnl><rundll32 "C:\WINDOWS\MPKrnl.dll",KrnlMsgProc>  []
    <MPMKrnl><rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc>  []
    <{22A11E32-1FCB-4F54-A511-34253CB09A1A}><C:\WINDOWS\fonts\aBwruKPXHdP.fon>  []
    <{91F5C9DB-ACD1-4812-BAB9-6F5AE433930A}><C:\WINDOWS\fonts\MbsV2QQJe.fon>  []
    <{3816D07B-D6F9-403B-B7D7-EDE52959341B}><C:\WINDOWS\system32\b4QcUJ5wmqh8wJCk.dll>  []
    <{6EB6B154-5D10-4505-A998-E71419B05BE1}><C:\WINDOWS\system32\Hzs3R95W.dll>  []
    <{E11FB24A-F766-4D0F-ADF5-237958FFA262}><C:\WINDOWS\fonts\f13ERxR2Urh.fon>  []
    <{6101B532-3E30-49FB-8594-F9B22338FF4A}><C:\WINDOWS\system32\DcXb7abe.dll>  []
    <{02845FCC-2BF4-4191-888D-18030FAA2074}><C:\WINDOWS\system32\UnsrA8Hec.dll>  []
    <{A0C86020-5935-4B87-B20E-0B656D450264}><C:\WINDOWS\system32\A0C86020.dll>  []
    <{737858A9-9AEA-4838-9B49-54DA731F7F37}><C:\WINDOWS\system32\BMsg6pdMD4ht.dll>  []
    <{76B9BA7A-81D0-4979-8598-8471F2AB5186}><C:\WINDOWS\system32\76B9BA7A.dll>  []
    <{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}><C:\WINDOWS\system32\08223B03.dll>  []
    <{CD95107F-52A5-42A4-9914-18949993E798}><C:\WINDOWS\fonts\tY5UFS434YYd.fon>  []
    <{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}><C:\WINDOWS\system32\dhDhwS7fFW.dll>  []
    <{8708994F-1758-4C2C-9A3F-FA22D6CCCB41}><C:\WINDOWS\fonts\A97CRaCB.fon>  []
    <{704C3595-DB85-40F6-A601-8D6F346907BD}><C:\WINDOWS\system32\704C3595.dll>  []
    <{EA25F4E7-8B67-452A-B9DD-B38C526250D3}><C:\WINDOWS\fonts\Q9UnbAWWNuSv4.fon>  []
    <{C722AD57-35DA-4460-8353-328372F32AB2}><C:\WINDOWS\system32\ufQCU5.dll>  []
    <{91AA45D0-4D9E-4EC4-ABAE-AE30F7FCCD3D}><C:\WINDOWS\system32\JTsfDEXY4s.dll>  []
    <{1EBA4EB0-24EE-4310-8F6C-7F5D6EDC19F4}><C:\WINDOWS\system32\EQdXwe4STmqp.dll>  []
    <{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}><C:\WINDOWS\system32\122B901E.dll>  []
    <{B82E7FC1-A1BC-48ED-A977-53BAD6207AA5}><C:\WINDOWS\system32\GaZ2AKyYG.dll>  []
    <{76CBCF38-0583-44C7-A1AE-D463DFE625EC}><C:\WINDOWS\system32\skcfujQ5EDN.dll>  []
    <{3D490B56-425C-4B8F-889E-0E391AD54DE8}><C:\WINDOWS\system32\wrGwvaDRB6M.dll>  []
    <{0FA40B34-8B9B-44ED-B85C-60A83F2C5D24}><C:\WINDOWS\system32\RV2MbKrHA.dll>  []
    <{93DA1E7D-7C46-4F90-8674-EC90511FCA72}><C:\WINDOWS\system32\CDuAUVkGy9.dll>  []
    <{11B10F7F-FB23-466D-BDC3-9591CF02EC17}><C:\WINDOWS\fonts\uXUsF2RrQy.fon>  []
    <{E4814792-EFA3-4C20-93D0-8B130A59F9A8}><C:\WINDOWS\system32\E4814792.dll>  []
    <{4E5CFE74-700B-4A8B-B0BF-A6B47D896C18}><C:\WINDOWS\system32\GrTZqH5SnRhAt.dll>  []
    <{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}><C:\WINDOWS\system32\A1A6BC2E.dll>  []
    <{1F71CA42-7E7B-4A47-A923-B5F4231617E2}><C:\WINDOWS\fonts\CTCTq658tW.fon>  []
    <{FCA4D3BE-C6C7-4F4D-9CBD-CB2666647ACA}><C:\WINDOWS\system32\EN7hzSreCat8.dll>  []

    <shell><Explorer.exe>  [Microsoft Corporation]
explorer.exe 被病毒替换,过不了认证

    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [N/A]
微软反盗版软件,数字签名丢失,怀疑被替换

Image File Execution Options 项,劫持安全软件
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe]
    <IFEO[arvmon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe]
    <IFEO[AST.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
    <IFEO[AvMonitor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpSvc.exe]
    <IFEO[HelpSvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killhidepid.exe]
    <IFEO[killhidepid.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe]
    <IFEO[KPFWSvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
    <IFEO[KvDetect.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvfw.exe]
    <IFEO[kvfw.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
    <IFEO[KvfwMcl.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
    <IFEO[kvol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
    <IFEO[kvolself.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
    <IFEO[KVSrvXP.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
    <IFEO[kvupload.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
    <IFEO[kvwsc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
    <IFEO[KWatchX.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe]
    <IFEO[loaddll.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
    <IFEO[MagicSet.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
    <IFEO[mcconsol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
    <IFEO[mmqczj.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
    <IFEO[mmsk.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe]
    <IFEO[NAVSetup.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
    <IFEO[nod32krn.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
    <IFEO[nod32kui.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
    <IFEO[PFW.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
    <IFEO[PFWLiveUpdate.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
    <IFEO[QHSET.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
    <IFEO[Ras.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
    <IFEO[Rav.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
    <IFEO[RavMon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
    <IFEO[RavMonD.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStore.exe]
    <IFEO[RavStore.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
    <IFEO[RavStub.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravt08.exe]
    <IFEO[ravt08.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
    <IFEO[RavTask.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
    <IFEO[RegClean.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
    <IFEO[rfwcfg.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
    <IFEO[rfwProxy.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
    <IFEO[rfwsrv.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
    <IFEO[RsAgent.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
    <IFEO[Rsaupd.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
    <IFEO[runiep.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
    <IFEO[safelive.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
    <IFEO[scan32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
    <IFEO[SREng.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe]
    <IFEO[SREngPS.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
    <IFEO[symlcsvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Syscheck2.exe]
    <IFEO[Syscheck2.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
    <IFEO[SysSafe.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
    <IFEO[TrojanDetector.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
    <IFEO[Trojanwall.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
    <IFEO[TrojDie.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.kxp]
    <IFEO[UIHost.kxp]><ntsd -d>  [N/A]

系统服务项(过不了微软数字签名认证,怀疑文件被替换)
[DHCP Client / Dhcp][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\dhcpcsvc.dll><Microsoft Corporation>
[DNS Client / Dnscache][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k NetworkService-->%SystemRoot%\System32\dnsrslvr.dll><Microsoft Corporation>
[Fast User Switching Compatibility / FastUserSwitchingCompatibility][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\shsvcs.dll><Microsoft Corporation>
[Server / lanmanserver][Running/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\srvsvc.dll><Microsoft Corporation>
[Network Connections / Netman][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\netman.dll><Microsoft Corporation>
[Remote Access Connection Manager / RasMan][Running/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\rasmans.dll><Microsoft Corporation>
[Shell Hardware Detection / ShellHWDetection][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\shsvcs.dll><Microsoft Corporation>
[Windows Image Acquisition (WIA) / stisvc][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k imgsvc-->%SystemRoot%\system32\wiaservc.dll><Microsoft Corporation>
[Telephony / TapiSrv][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\tapisrv.dll><Microsoft Corporation>
[Themes / Themes][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\shsvcs.dll><Microsoft Corporation>
[Universal Plug and Play Device Host / upnphost][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k LocalService-->%SystemRoot%\System32\upnphost.dll><Microsoft Corporation>
[WebClient / WebClient][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k LocalService-->%SystemRoot%\System32\webclnt.dll><Microsoft Corporation>

[Print Spooler / Spooler][Running/Auto Start]
  <C:\WINDOWS\system32\spoolsv.exe><Microsoft Corporation>
此文件被病毒替换

进程项:
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
此文件插入主要进程,文件被病毒替换,原此文件为系统组建

    [C:\WINDOWS\fonts\aBwruKPXHdP.fon]  [N/A, ]
    [C:\WINDOWS\fonts\MbsV2QQJe.fon]  [N/A, ]
    [C:\WINDOWS\system32\b4QcUJ5wmqh8wJCk.dll]  [N/A, ]
    [C:\WINDOWS\system32\Hzs3R95W.dll]  [N/A, ]
    [C:\WINDOWS\fonts\f13ERxR2Urh.fon]  [N/A, ]
    [C:\WINDOWS\system32\DcXb7abe.dll]  [N/A, ]
    [C:\WINDOWS\system32\UnsrA8Hec.dll]  [N/A, ]
    [C:\WINDOWS\system32\A0C86020.dll]  [N/A, ]
    [C:\WINDOWS\system32\BMsg6pdMD4ht.dll]  [N/A, ]
    [C:\WINDOWS\system32\76B9BA7A.dll]  [N/A, ]
    [C:\WINDOWS\system32\08223B03.dll]  [N/A, ]
    [C:\WINDOWS\fonts\tY5UFS434YYd.fon]  [N/A, ]
    [C:\WINDOWS\system32\dhDhwS7fFW.dll]  [N/A, ]
    [C:\WINDOWS\fonts\A97CRaCB.fon]  [N/A, ]
    [C:\WINDOWS\system32\704C3595.dll]  [N/A, ]
    [C:\WINDOWS\fonts\Q9UnbAWWNuSv4.fon]  [N/A, ]
    [C:\WINDOWS\system32\ufQCU5.dll]  [N/A, ]
    [C:\WINDOWS\system32\JTsfDEXY4s.dll]  [N/A, ]
    [C:\WINDOWS\system32\EQdXwe4STmqp.dll]  [N/A, ]
    [C:\WINDOWS\system32\122B901E.dll]  [N/A, ]
    [C:\WINDOWS\system32\GaZ2AKyYG.dll]  [N/A, ]
    [C:\WINDOWS\system32\skcfujQ5EDN.dll]  [N/A, ]
    [C:\WINDOWS\system32\wrGwvaDRB6M.dll]  [N/A, ]
    [C:\WINDOWS\system32\RV2MbKrHA.dll]  [N/A, ]
    [C:\WINDOWS\system32\CDuAUVkGy9.dll]  [N/A, ]
    [C:\WINDOWS\fonts\uXUsF2RrQy.fon]  [N/A, ]
    [C:\WINDOWS\system32\E4814792.dll]  [N/A, ]
    [C:\WINDOWS\system32\GrTZqH5SnRhAt.dll]  [N/A, ]
    [C:\WINDOWS\system32\A1A6BC2E.dll]  [N/A, ]
    [C:\WINDOWS\fonts\CTCTq658tW.fon]  [N/A, ]
    [C:\WINDOWS\system32\EN7hzSreCat8.dll]  [N/A, ]

解决方法:

由于多个病毒文件插入系统进程, 需要借助 xdelbox 来处理
xdelbox: http://bbs.ikaka.com/showtopic-8442813.aspx  三楼可以下载到
xdelbox使用方法: http://forum.ikaka.com/topic.asp?board=28&artid=8381032

下载完xdelbox后，断网，打开 xdelbox 添加以下文件路径
C:\WINDOWS\MPKrnl.dll
C:\WINDOWS\fonts\aBwruKPXHdP.fon
C:\WINDOWS\fonts\MbsV2QQJe.fon
C:\WINDOWS\system32\b4QcUJ5wmqh8wJCk.dll
C:\WINDOWS\system32\Hzs3R95W.dll
C:\WINDOWS\fonts\f13ERxR2Urh.fon
C:\WINDOWS\system32\DcXb7abe.dll
C:\WINDOWS\system32\UnsrA8Hec.dll
C:\WINDOWS\system32\A0C86020.dll
C:\WINDOWS\system32\BMsg6pdMD4ht.dll
C:\WINDOWS\system32\76B9BA7A.dll
C:\WINDOWS\system32\08223B03.dll
C:\WINDOWS\fonts\tY5UFS434YYd.fon
C:\WINDOWS\system32\dhDhwS7fFW.dll
C:\WINDOWS\fonts\A97CRaCB.fon
C:\WINDOWS\system32\704C3595.dll
C:\WINDOWS\fonts\Q9UnbAWWNuSv4.fon
C:\WINDOWS\system32\ufQCU5.dll
C:\WINDOWS\system32\JTsfDEXY4s.dll
C:\WINDOWS\system32\EQdXwe4STmqp.dll
C:\WINDOWS\system32\122B901E.dll
C:\WINDOWS\system32\GaZ2AKyYG.dll
C:\WINDOWS\system32\skcfujQ5EDN.dll
C:\WINDOWS\system32\wrGwvaDRB6M.dll
C:\WINDOWS\system32\RV2MbKrHA.dll
C:\WINDOWS\system32\CDuAUVkGy9.dll
C:\WINDOWS\fonts\uXUsF2RrQy.fon
C:\WINDOWS\system32\E4814792.dll
C:\WINDOWS\system32\GrTZqH5SnRhAt.dll
C:\WINDOWS\system32\A1A6BC2E.dll
C:\WINDOWS\fonts\CTCTq658tW.fon
C:\WINDOWS\system32\EN7hzSreCat8.dll

添加完毕后，不要关闭xdelbox窗口，将"C:\Windows\Explorer.exe" "C:\WINDOWS\system32\spoolsv.exe" 和 "C:\WINDOWS\system32\COMRes.dll" 重命名（比如删除后缀名），一般情况下系统会自动恢复正常的文件，如果没有，在C:\WINDOWS\system32\dllcache中，找到 "Explorer.exe" "spoolsv.exe" 和 "COMRes.dll" ，复制这三个文件，粘贴到原来的位置。
之后马上在xdelbox窗口中选择立即重启执行删除. 等待系统重新启动


用户系统信息：Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

打开 SREng - 启动项目 - 注册表 - 将下列项删除
    <MPKrnl><rundll32 "C:\WINDOWS\MPKrnl.dll",KrnlMsgProc>  []
    <MPMKrnl><rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc>  []
    <{22A11E32-1FCB-4F54-A511-34253CB09A1A}><C:\WINDOWS\fonts\aBwruKPXHdP.fon>  []
    <{91F5C9DB-ACD1-4812-BAB9-6F5AE433930A}><C:\WINDOWS\fonts\MbsV2QQJe.fon>  []
    <{3816D07B-D6F9-403B-B7D7-EDE52959341B}><C:\WINDOWS\system32\b4QcUJ5wmqh8wJCk.dll>  []
    <{6EB6B154-5D10-4505-A998-E71419B05BE1}><C:\WINDOWS\system32\Hzs3R95W.dll>  []
    <{E11FB24A-F766-4D0F-ADF5-237958FFA262}><C:\WINDOWS\fonts\f13ERxR2Urh.fon>  []
    <{6101B532-3E30-49FB-8594-F9B22338FF4A}><C:\WINDOWS\system32\DcXb7abe.dll>  []
    <{02845FCC-2BF4-4191-888D-18030FAA2074}><C:\WINDOWS\system32\UnsrA8Hec.dll>  []
    <{A0C86020-5935-4B87-B20E-0B656D450264}><C:\WINDOWS\system32\A0C86020.dll>  []
    <{737858A9-9AEA-4838-9B49-54DA731F7F37}><C:\WINDOWS\system32\BMsg6pdMD4ht.dll>  []
    <{76B9BA7A-81D0-4979-8598-8471F2AB5186}><C:\WINDOWS\system32\76B9BA7A.dll>  []
    <{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}><C:\WINDOWS\system32\08223B03.dll>  []
    <{CD95107F-52A5-42A4-9914-18949993E798}><C:\WINDOWS\fonts\tY5UFS434YYd.fon>  []
    <{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}><C:\WINDOWS\system32\dhDhwS7fFW.dll>  []
    <{8708994F-1758-4C2C-9A3F-FA22D6CCCB41}><C:\WINDOWS\fonts\A97CRaCB.fon>  []
    <{704C3595-DB85-40F6-A601-8D6F346907BD}><C:\WINDOWS\system32\704C3595.dll>  []
    <{EA25F4E7-8B67-452A-B9DD-B38C526250D3}><C:\WINDOWS\fonts\Q9UnbAWWNuSv4.fon>  []
    <{C722AD57-35DA-4460-8353-328372F32AB2}><C:\WINDOWS\system32\ufQCU5.dll>  []
    <{91AA45D0-4D9E-4EC4-ABAE-AE30F7FCCD3D}><C:\WINDOWS\system32\JTsfDEXY4s.dll>  []
    <{1EBA4EB0-24EE-4310-8F6C-7F5D6EDC19F4}><C:\WINDOWS\system32\EQdXwe4STmqp.dll>  []
    <{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}><C:\WINDOWS\system32\122B901E.dll>  []
    <{B82E7FC1-A1BC-48ED-A977-53BAD6207AA5}><C:\WINDOWS\system32\GaZ2AKyYG.dll>  []
    <{76CBCF38-0583-44C7-A1AE-D463DFE625EC}><C:\WINDOWS\system32\skcfujQ5EDN.dll>  []
    <{3D490B56-425C-4B8F-889E-0E391AD54DE8}><C:\WINDOWS\system32\wrGwvaDRB6M.dll>  []
    <{0FA40B34-8B9B-44ED-B85C-60A83F2C5D24}><C:\WINDOWS\system32\RV2MbKrHA.dll>  []
    <{93DA1E7D-7C46-4F90-8674-EC90511FCA72}><C:\WINDOWS\system32\CDuAUVkGy9.dll>  []
    <{11B10F7F-FB23-466D-BDC3-9591CF02EC17}><C:\WINDOWS\fonts\uXUsF2RrQy.fon>  []
    <{E4814792-EFA3-4C20-93D0-8B130A59F9A8}><C:\WINDOWS\system32\E4814792.dll>  []
    <{4E5CFE74-700B-4A8B-B0BF-A6B47D896C18}><C:\WINDOWS\system32\GrTZqH5SnRhAt.dll>  []
    <{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}><C:\WINDOWS\system32\A1A6BC2E.dll>  []
    <{1F71CA42-7E7B-4A47-A923-B5F4231617E2}><C:\WINDOWS\fonts\CTCTq658tW.fon>  []
    <{FCA4D3BE-C6C7-4F4D-9CBD-CB2666647ACA}><C:\WINDOWS\system32\EN7hzSreCat8.dll>  []

打开 SREng - 启动项目 - 注册表 - 将所有 Image File Execution Options 项删除

将 C:\WINDOWS\system32 文件夹下的 "dhcpcsvc.dll" "dnsrslvr.dll" "shsvcs.dll" "srvsvc.dll" "netman.dll" "rasmans.dll" "shsvcs.dll" "wiaservc.dll" "tapisrv.dll" "shsvcs.dll" "upnphost.dll" "webclnt.dll" "WgaLogon.dll" 这些文件重命名，一般情况下系统也会自动从 dllcache 中恢复正常的文件，如果没有则手动到 C:\WINDOWS\system32\dllcache 中，找到相应的文件并复制粘贴到 C:\WINDOWS\system32 文件夹中。

重启电脑以查看效果。

如果以上操作手动处理有问题，建议下载金山急救箱进行处理,安装一个杀毒软件,将杀毒软件升级到最新版本全盘查杀。

我看重做系统还是王道:kaka5:

我刚看也是这么想的, 不过毕竟是写处理方法, 所以这话不能说..

其实日志都是网上挑的，这个确实比较头疼，本来只从里面挑了几个相对比较明显的地方作为考点，能把异常看得这么全的还真不多，挑不出啥问题了:kaka12:

:kaka5: 回帖子，慢慢看

膜拜学习

:kaka12: 回帖好习惯，...看了就知道