Logfile of HijackThis v1.97.2
Scan saved at 21:07:38, on 2005-11-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\WNILOGON.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MwIE\MwIE.exe
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Tencent\qq\TIMPlatform.exe
C:\Program Files\Tencent\qq\QQ.exe
D:\孙\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ????? - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\System32\kakatool.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SysExplr] C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AddrPlus2] RUNDLL32.EXE C:\PROGRA~1\TENCENT\AddrPlus\QAHook.dll,Rundll32
O4 - HKCU\..\Run: [SonudMan] C:\WINDOWS\WNILOGON.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: dbisam.lck
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O11 - Options group: [TBH]  QQ
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll

重新启动到安全模式（进入安全模式的方法:重新启动电脑, 开机自动检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式(Safe Mode)进入Windows。）

先终止下面的进程（关闭所有窗口，同时按下CTRL+ALT+DELETE，在打开的窗口中选中要终止的进程，然后按下“结束任务”或者“结束进程”，最后关闭该窗口。
C:\WINDOWS\WNILOGON.exe

请关闭所有IE界面，重新使用HijackThis扫描一次，选中下面建议修复的项目，让HijackThis修复，修复前请允许HijackThis保留备份。（如果楼主知道是安全的可以不必勾选）
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)

然后打开我的电脑→再点工具→打开文件夹选项→查看→把隐藏受保护的系统文件（推荐）和隐藏已知文件类型的扩展名的勾去掉→再显示所有文件→找到以下文件并删除：(如果有的话)
O4 - HKCU\..\Run: [SonudMan] C:\WINDOWS\WNILOGON.exe


问题仍请用新版HijackThis1.99.1 扫个日志上来

HijackThis下载地址请参考：
【必读】本版说明及常用小软件下载
http://forum.ikaka.com/topic.asp?board=67&artid=5188931

文件删除不了,还是不行呀!!!!!
HijackThis_815汉化版扫描日志 V1.99.1
保存于      21:06:24, 日期 2005-11-17
操作系统：  Windows XP SP1 (WinNT 5.01.2600)
浏览器：    Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\WNILOGON.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\孙\扫描\HijackThis1991zww.exe

O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\System32\kakatool.dll
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - 启动项HKLM\\Run: [SysExplr] C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
O4 - 启动项HKLM\\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - 启动项HKLM\\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [AddrPlus2] RUNDLL32.EXE C:\PROGRA~1\TENCENT\AddrPlus\QAHook.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SonudMan] C:\WINDOWS\WNILOGON.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [TBH]  QQ地址栏搜索插件
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: SDAgent Service (SDAgentService) - 北京兴华基业软件技术有限公司 - C:\Program Files\Common Files\smartde\sde.exe
O23 - NT 服务: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

重新启动到安全模式（进入安全模式的方法:重新启动电脑, 开机自动检测完后, 按[F8]键(可以一直按到启动菜单出来为止), 选择安全模式(Safe Mode)进入Windows。）

开始→控制面板→性能和维护→管理工具→服务→查找SDAgent Service→右击→属性→启动类型→禁止→应用→停止→确定。

先终止下面的进程（关闭所有窗口，同时按下CTRL+ALT+DELETE，在打开的窗口中选中要终止的进程，然后按下“结束任务”或者“结束进程”，最后关闭该窗口。
C:\WINDOWS\WNILOGON.exe

请关闭所有IE界面，重新使用HijackThis扫描一次，选中下面建议修复的项目，让HijackThis修复，修复前请允许HijackThis保留备份。（如果楼主知道是安全的可以不必勾选）
O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)
O4 - HKCU\..\Run: [SonudMan] C:\WINDOWS\WNILOGON.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - NT 服务: SDAgent Service (SDAgentService) - 北京兴华基业软件技术有限公司 - C:\Program Files\Common Files\smartde\sde.exe

然后打开我的电脑→再点工具→打开文件夹选项→查看→把隐藏受保护的系统文件（推荐）和隐藏已知文件类型的扩展名的勾去掉→再显示所有文件→找到以下文件并删除：(如果有的话)
C:\WINDOWS\WNILOGON.exe
删除文件夹C:\Program Files\Common Files\smartde

按照以上步骤完成后问题仍没有解决呀!!!!急!!!!!!!

ijackThis_815汉化版扫描日志 V1.99.1
保存于      23:43:31, 日期 2005-11-17
操作系统：  Windows XP SP1 (WinNT 5.01.2600)
浏览器：    Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\WNILOGON.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
D:\孙\扫描\HijackThis1991zww.exe

O2 - BHO: (no name) - {0C7C23EF-A848-485B-873C-0ED954731014} - (no file)
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\System32\kakatool.dll
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - 启动项HKLM\\Run: [SysExplr] C:\HEROSOFT\Hero3000\SYSEXPLR.EXE
O4 - 启动项HKLM\\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - 启动项HKLM\\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [AddrPlus2] RUNDLL32.EXE C:\PROGRA~1\TENCENT\AddrPlus\QAHook.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SonudMan] C:\WINDOWS\WNILOGON.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [TBH]  QQ地址栏搜索插件
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

【回复“高山流水sun”的帖子】



请楼主使用下面的两个多引擎扫描器扫描下列文件：
C:\WINDOWS\WNILOGON.exe
多引擎扫描之Virustotal：

http://www.virustotal.com/
多引擎扫描之Jotti：

http://virusscan.jotti.org/


请务必将报告贴全。

【回复“高山流水sun”的帖子】



请上报以下这个这个可疑文件：
C:\WINDOWS\WNILOGON.exe

http://up.rising.com.cn/webmail/uploadnew.htm


谢谢配合。

Scanner results 
AntiVir  Found Trojan/PSW.Lmir.A.1.B 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found DLOADER.Trojan (probable variant) 
F-Prot Antivirus  Found unknown virus (probable variant) 
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found probably a variant of Win32/Lewor (probable variant) 
Norman Virus Control  Found Sandbox: W32/Downloader; [ General information ]

* File might be compressed.
* **Locates window "HK [class HK]" on desktop.
* Creating several executable files on hard-drive.
* **Locates window "NULL [class NULL]" on desktop.
* **Locates window "NULL [class TKillqqvir]" on desktop.
* **Locates window "qqav [class TApplication]" on desktop.
* File length: 17734 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\WNILOGON.exe.
* Creates file C:\WINDOWS\SYSTEM32\impai.exe.
* Creates file C:\WINDOWS\SYSTEM32\tmdown.exe.

[ Changes to registry ]
* Creates value "SonudMan"="C:\WINDOWS\WNILOGON.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "default"="C:\WINDOWS\SYSTEM32\impai.exe "%1"" in key "HKCR\txtfile\shell\open\command".
* Modifies value "Start Page"="http://www.610dy.com" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Creates key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel".
* Sets value "HomePage"="1" in key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel".

[ Network services ]
* Looks for an Internet connection.
* Downloads file from http://www.ak147.com/xxx.exe as C:\WINDOWS\SYSTEM32\tmdown.exe.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex KingsoftAntivirusScanProgram7Mutex.
* Creates a mutex SKYNET_PERSONAL_FIREWALL.
* Creates a mutex ASSISTSHELLMUTEX.
* Creates a mutex AntiTrojan3721.
* Attemps to open Explorer.exe http://www.k9595.com/vv/66.htm. 
UNA  Found nothing
VBA32  Found Trojan-PSW.Lmir.31 (probable variant) 

This is a report processed by VirusTotal on 11/17/2005 at 16:58:59 (CET) after scanning the file "WNILOGON.exe" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.17.2005 TR/PSW.Lmir.A.1.B
Avast 4.6.695.0 11.16.2005 no virus found
AVG 718 11.15.2005 no virus found
Avira 6.32.0.6 11.17.2005 TR/PSW.Lmir.A.1.B
BitDefender 7.2 11.17.2005 no virus found
CAT-QuickHeal 8.00 11.17.2005 (Suspicious) - DNAScan
ClamAV devel-20051108 11.17.2005 no virus found
DrWeb 4.33 11.17.2005 DLOADER.Trojan
eTrust-Iris 7.1.194.0 11.16.2005 no virus found
eTrust-Vet 11.9.1.0 11.17.2005 no virus found
Fortinet 2.48.0.0 11.17.2005 suspicious
F-Prot 3.16c 11.15.2005 could be infected with an unknown virus
Ikarus 0.2.59.0 11.17.2005 no virus found
Kaspersky 4.0.2.24 11.17.2005 no virus found
McAfee 4630 11.17.2005 no virus found
NOD32v2 1.1289 11.16.2005 probably a variant of Win32/Lewor 
Norman 5.70.10 11.17.2005 W32/Downloader
Panda 8.02.00 11.17.2005 no virus found
Sophos 3.99.0 11.17.2005 no virus found
Symantec 8.0 11.17.2005 no virus found
TheHacker 5.9.1.036 11.16.2005 no virus found
VBA32 3.10.5 11.16.2005 suspected of Trojan-PSW.Lmir.31



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004,05 :: e-mail info@virustotal.com

【回复“高山流水sun”的帖子】



感谢高山流水sun朋友的配合！
修改注册表：
1、展开至HKCU\Software\Microsoft\Windows\CurrentVersion\Run，删除"SonudMan"="C:\WINDOWS\WNILOGON.exe"；
2、展开至HKCR\txtfile\shell\open\command，将原来键值更改为"default"="C:\WINDOWS\SYSTEM32\notepad.exe "%1""；
3、展开至HKCU\Software\Microsoft\Internet Explorer\Main，删除"Start Page"="http://www.610dy.com"。
删除文件：
C:\WINDOWS\WNILOGON.exe.
C:\WINDOWS\SYSTEM32\impai.exe.
C:\WINDOWS\SYSTEM32\tmdown.exe
使用HijackThis修复：
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
待修复完成，如果问题依旧，请继续跟帖说明情况。
以上建议仅供参考，如果您认识其中的一些设置抑或是您的手动设置，就不必执行。