最近开机有点慢, 开机后反映也有点慢, 关机时出现 "MSRundll.exe" 关不掉.
  用杀软恶意软件扫描提示:" Ruango" "万能搜索变种C" 发现安装, 更新杀软,清除后重起仍提示,这两个东西存在,安全模式下清除失败.
  开机后打开进程觉得有三个奇怪的东西"shualai.exe""4201.EXE""tchigkg.exe" 占的资源到是不多,附图.
  看了 baohe 斑竹的<shualai.exe病毒及手工查杀流程> 有些迷糊...我的软件工具差不多都是装在D盘(系统在C), 那被shualai感染的话,是不是所有的东西都得从新装呢?
SRENG扫份日志如下: 还需要其它软件的扫描么?
[CODE]

2007-04-25,23:23:47

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<SoundMan><; SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<IMSCMIG40W><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log> [Microsoft Corporation]
<KavStart><"D:\KAV2006\KAVStart.exe" -startup> [Kingsoft Corporation]
<RfwMain><"D:\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<shualai><C:\WINDOWS\shualai.exe /i> []
<tchigkg><C:\Program Files\Winamp\tchigkg.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KASTask><D:\KAV2006\KASTask.EXE> [Kingsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
[河南网通宽带用户客户端]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\河南网通宽带用户客户端.lnk --> C:\PROGRA~1\RACER-~1\racer.exe [Putian Runway]><N>
[Microsoft Office]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [Microsoft Corporation]><H>
[腾讯QQ]
<C:\Documents and Settings\HJF\「开始」菜单\程序\启动\腾讯QQ.lnk --> C:\PROGRA~1\Tencent\QQ\QQ.exe [TENCENT]><N>

==================================
服务
[7D05B92E / 7D05B92E][Stopped/Auto Start]
<C:\WINDOWS\system32\7D05B92E.EXE -d><Microsoft Corporation>
[Fast Client / fast][Running/Auto Start]
<C:\WINDOWS\system32\4201.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Kingsoft Antivirus KWatch Service / KWatchSvc][Running/Auto Start]
<D:\KAV2006\KWatch.EXE><Kingsoft Corporation>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
==================================
驱动程序
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
<system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter / AN983][Running/Manual Start]
<system32\DRIVERS\AN983.sys><ADMtek Incorporated.>
[BaseTDI / BaseTDI][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[dump_wmimmc / dump_wmimmc][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\dump_wmimmc.sys><N/A>
[ENUS_NDIS_DRIVER / ENUS_NDIS_DRIVER][Running/Boot Start]
<\SystemRoot\system32\enusndis.sys><N/A>
[HookUrl / HookUrl][Running/Auto Start]
<\??\D:\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[KWatch3 / KWatch3][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[mProcRs / mProcRs][Running/Auto Start]
<\??\d:\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[NetGroup Packet Filter Driver / NPF][Running/Manual Start]
<system32\drivers\npf.sys><Politecnico di Torino>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[NPPTNT2 / NPPTNT2][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\npptNT2.sys><INCA Internet Co., Ltd.>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
<\??\D:\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>

==================================
浏览器加载项
[BitComet Helper]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <D:\BitComet\tools\BitCometBHO_1.1.3.19.dll, BitComet>
[Jpeg Class]
{4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\system32\1420.dll, TODO: <公司名>>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <C:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[易趣购物]
{DE60714F-AC17-427e-861A-FD60CBDF119A} <http://click2.ad4all.net/url2/urlmanage/url.asp?id=1, N/A>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, N/A>
[BitComet Helper]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <D:\BitComet\tools\BitCometBHO_1.1.3.19.dll, BitComet>
[Jpeg Class]
{4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\system32\1420.dll, TODO: <公司名>>
[ExtentIE Class]
{66C2C482-D4EE-42A5-AEF7-0B124F278D47} <C:\WINDOWS\system32\3579.dll, N/A>
[WangWangObj Class]
{6E213FC7-DD5A-4115-B7E6-D4C7838C361E} <D:\淘宝旺旺\WangWangX4.dll, 阿里软件（中国）有限公司>
[&使用BitComet下载]
<res://D:\BitComet\BitComet.exe/AddLink.htm, N/A>
[&使用BitComet下载全部链接]
<res://D:\BitComet\BitComet.exe/AddAllLink.htm, N/A>
[&使用BitComet下载本页视频]
<res://D:\BitComet\BitComet.exe/AddVideo.htm, N/A>
[&使用迅雷下载]
<D:\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<D:\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[Google 搜索(&G)]
<res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html, N/A>
[上传到QQ网络硬盘]
<C:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[导出到 Microsoft Excel(&x)]
<res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
<C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
[金山毒霸反钓鱼...]
<D:\KAV2006\KAF\ShowSet.htm, N/A>

今天用了注册表权限限制，终天有效了！

==================================
正在运行的进程
[PID: 424][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 476][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[PID: 508][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[PID: 552][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[PID: 564][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[PID: 1124][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[C:\WINDOWS\system32\mp3infp.dll] [win32lab.com, 2.50.5.0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\WINDOWS\system32\ffdshow.ax] [, 1, 0, 0, 1]
[C:\Program Files\Ringz Studio\Storm Codec\Codecs\VSFilter.dll] [Gabest, 1, 0, 1, 2]
[C:\Program Files\Ringz Studio\Storm Codec\Codecs\TTL2Dec.dll] [N/A, ]
[C:\Program Files\Ringz Studio\Storm Codec\Codecs\mlcom.ax] [Moonlight Cordless Ltd, 1, 5, 156, 40706]
[C:\Program Files\Ringz Studio\Storm Codec\Codecs\OGGSplt.ax] [Gabest, 1, 0, 0, 0]
[PID: 1348][d:\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[d:\rising\rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[d:\rising\rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\rising\rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[d:\rising\rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[d:\rising\rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\WINDOWS\system32\7D05B92E.DLL] [Microsoft Corporation, ]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 224][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 328][D:\KAV2006\KAVStart.exe] [Kingsoft Corporation, 2007, 2, 1, 257]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KAVIPC2.DLL] [Kingsoft Corporation, 2004, 12, 28, 20]
[D:\KAV2006\SvcTimer.DLL] [Kingsoft Corporation, 2006.12.22.84]
[D:\KAV2006\KAVPassp.dll] [Kingsoft Corporation, 2006, 12, 30, 271]
[D:\KAV2006\PopSprt3.dll] [Kingsoft Corporation, 2007, 1, 16, 45]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 672][C:\WINDOWS\shualai.exe] [N/A, ]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\shualai.dll] [N/A, ]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[PID: 796][C:\Program Files\Winamp\tchigkg.exe] [N/A, ]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[PID: 804][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 968][C:\Program Files\racer-henan-cnc\racer.exe] [Putian Runway, 2, 0, 49, 90]
[C:\Program Files\racer-henan-cnc\rwxre.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\nspr4.dll] [Netscape Communications Corporation, 4.5 Beta]
[C:\Program Files\racer-henan-cnc\xpcom.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\nss3.dll] [Netscape Communications Corporation, 3.9.1]
[C:\Program Files\racer-henan-cnc\softokn3.dll] [Netscape Communications Corporation, 3.9.1]
[C:\Program Files\racer-henan-cnc\gkgfx.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\js3250.dll] [Netscape Communications Corporation, 4.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[C:\Program Files\racer-henan-cnc\components\racer_base_comp.dll] [Putian Runway, 2,0,47,87]
[C:\Program Files\racer-henan-cnc\xpcom_compat.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\racer_base.dll] [Putian Runway, 2,0,47,87]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\racer-henan-cnc\components\pipnss.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\components\gklayout.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\components\jar50.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\components\xpcom_compat_c.dll] [Mozilla Foundation, 1.7.3: 2005040616]
[C:\Program Files\racer-henan-cnc\components\racer_ad_comp.dll] [Putian Runway, 2,0,47,87]
[C:\Program Files\racer-henan-cnc\components\racer_access_dhcpplus.dll] [Putian Runway, 2,0,47,87]
[C:\Program Files\racer-henan-cnc\dhcpplus.dll] [北京润汇科技有限公司, 0, 12, 20, 44]
[C:\Program Files\racer-henan-cnc\components\racer_nss4_comp.dll] [Putian Runway, 2,0,47,87]
[C:\Program Files\racer-henan-cnc\nss4.dll] [北京普天润汇科技有限公司, 1, 0, 0, 3]
[C:\Program Files\racer-henan-cnc\wpcap.dll] [Politecnico di Torino, 3, 0, 0, 18]
[C:\Program Files\racer-henan-cnc\pthreadVC.dll] [N/A, ]
[C:\Program Files\racer-henan-cnc\packet.dll] [Politecnico di Torino, 3, 0, 0, 18]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[PID: 1384][D:\KAV2006\KMailMon.EXE] [Kingsoft Corporation, 2007, 2, 25, 948]
[D:\KAV2006\KAntiSpm.dll] [Kingsoft Corporation, 2007, 2, 25, 129]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]

[D:\KAV2006\KAVIPC2.DLL] [Kingsoft Corporation, 2004, 12, 28, 20]
[D:\KAV2006\KAECall2.DLL] [Kingsoft Corporation, 2004, 12, 28, 7]
[D:\KAV2006\KAEPlat.DLL] [Kingsoft Corp., 2006, 8, 29, 60]
[D:\KAV2006\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2006\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[D:\KAV2006\KAConfig.DLL] [Kingsoft Corporation, 2007, 1, 11, 41]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[PID: 2408][C:\Program Files\racer-henan-cnc\RacerKp.exe] [北京润汇科技有限公司, 1, 0, 0, 1]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[C:\WINDOWS\system32\201a.dll] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[PID: 2904][C:\WINDOWS\system32\MSRundll.exe] [N/A, ]
[C:\WINDOWS\system32\c142.dll] [ , 1, 0, 0, 3]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 3020][D:\Maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 5, 9, 80]
[D:\Maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\BitComet\tools\BitCometBHO_1.1.3.19.dll] [BitComet, 20070319]
[C:\WINDOWS\system32\odbcbcp.dll] [Microsoft Corporation, 2000.085.1117.00 (xpsp_sp2_rtm.040803-2158)]
[D:\Maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
[D:\KAV2006\KAScript.DLL] [Kingsoft Corporation, 2006, 12, 11, 72]
[D:\KAV2006\KAEPlat.DLL] [Kingsoft Corp., 2006, 8, 29, 60]
[D:\KAV2006\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2006\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\KAV2006\Flash.OCX] [Macromedia, Inc., 7,0,19,0]
[PID: 2656][D:\KAV2006\KAV32.EXE] [Kingsoft Corporation, 2007, 4, 3, 123]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2006\KAV32Res.dll] [Kingsoft Corporation, 2007, 3, 26, 108]
[D:\KAV2006\KAEPlat.DLL] [Kingsoft Corp., 2006, 8, 29, 60]
[D:\KAV2006\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2006\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[D:\KAV2006\KAConfig.DLL] [Kingsoft Corporation, 2007, 1, 11, 41]
[D:\KAV2006\KAVIPC2.DLL] [Kingsoft Corporation, 2004, 12, 28, 20]
[D:\KAV2006\KAVPassp.DLL] [Kingsoft Corporation, 2006, 12, 30, 271]
[D:\KAV2006\DBAgent.DLL] [Kingsoft Corporation, 2005, 10, 27, 9]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KAScript.DLL] [Kingsoft Corporation, 2006, 12, 11, 72]
[D:\KAV2006\KWindUp.DLL] [Kingsoft Corp., 2006, 1, 10, 18]
[D:\KAV2006\KAEPrev.dll] [Kingsoft Corporation, 2006, 12, 7, 20]
[D:\KAV2006\KAEMemEx.dll] [, 2006, 10, 17, 16]
[D:\KAV2006\KAEMalDt.dll] [, 2006, 12, 7, 20]
[D:\KAV2006\KAERemov.dll] [, 2006, 12, 7, 20]
[PID: 1104][D:\BitComet\BitComet.exe] [www.BitComet.com, 0.85]
[D:\BitComet\dbghelp.dll] [Microsoft Corporation, 6.3.0011.3 (DbgBuild.040120-1256)]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2006\KAScript.DLL] [Kingsoft Corporation, 2006, 12, 11, 72]
[D:\KAV2006\Flash.OCX] [Macromedia, Inc., 7,0,19,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 2836][C:\DOCUME~1\HJF\LOCALS~1\Temp\Rar$EX04.328\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[D:\KAV2006\KMailOEBand.dll] [Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2006\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[C:\DOCUME~1\HJF\LOCALS~1\Temp\Rar$EX04.328\Plugins\NWMON.SRE] [Smallfrogs Studio, 1, 0, 0, 8]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost
127.0.0.1 popwin.9983.com
61.152.169.246 www.npjxjy.com
61.152.169.246 quxiuu.com
61.152.169.246 www.23b.cn
61.152.169.246 www.baidulink.com
61.152.169.246 www.ookkw.com
61.152.169.246 www.97725.com
61.152.169.246 www.54699.com
61.152.169.246 www.wu7x.cn
61.152.169.246 d.qbbd.com
61.152.169.246 w.qbbd.com
61.152.169.246 web.77276.com
61.152.169.246 www.77276.com
61.152.169.246 www.npjxjy.com
61.152.169.246 www.baidulink.com
61.152.169.246 www.ookkw.com
61.152.169.246 www.wu7x.cn
61.152.169.246 www.wwwlm.net
61.152.169.246 dm1.yiall.com
61.152.169.246 www.my6688.cn
61.152.169.246 www.union123.com
61.152.169.246 www.ktan.cn
61.152.169.246 www.2t2t.cn
61.152.169.246 www.cq530.com
61.152.169.246 www.365tc.com
61.152.169.246 ad.qucha.net
61.152.169.246 www.tan8.cn
61.152.169.246 www.itjj.net
61.152.169.246 www.start188.com
61.152.169.246 www.at58.cn
61.152.169.246 union.yxad.com
61.152.169.246 www.iptan.com
61.152.169.246 www.ip2008.net
61.152.169.246 www.yqif.com
61.152.169.246 www.2t2t.cn
61.152.169.246 www.688ip.com
61.152.169.246 www.17tc.com
61.152.169.246 www1.6tan.com
61.152.169.246 www2.6tan.com
61.152.169.246 www.6tan.com
61.152.169.246 www.zztan.com
61.152.169.246 www.5tanip.com
61.152.169.246 www.16tc.com
61.152.169.246 www.163se.net
61.152.169.246 www.168080.com
61.152.169.246 www.baidu8.org
61.152.169.246 www.qqwei.com
61.152.169.246 qz.magforum.net
61.152.169.246 www.nze21.com
61.152.169.246 www.437799.com
61.152.169.246 www.168080.com
61.152.169.246 new2.jixie123.cn
61.152.169.246 www.18dmm.com
61.152.169.246 www.souxse.cn
61.152.169.246 x.vvcyin.com
61.152.169.246 dm1.yiall.com
61.152.169.246 www.168080.com
61.152.169.246 www.nze21.com
61.152.169.246 www.puma163.com
61.152.169.246 www.138505.com
61.152.169.246 www.hyap98.com
61.152.169.246 x.vvcyin.com
61.152.169.246 www.puma163.com
61.152.169.246 www.51liulan.cn

==================================
API HOOK
入口点错误：LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: D:\KAV2006\KASocket.dll)

==================================
隐藏进程
N/A

==================================


[/CODE]
好长啊。...~!~ 谢谢.辛苦您了

【回复“ADL”的帖子】


???????????????????????

进到安全模式下[安全模式进入方法:重启电脑时按住F8 选择进入安全模式],
运行SREng-在"启动项目->注册表->删以下启动项目
<shualai><C:\WINDOWS\shualai.exe /i> []
<tchigkg><C:\Program Files\Winamp\tchigkg.exe> []


运行SREng-在"启动项目->服务->"Win32服务应用程序"选中"隐藏已认证的微软服务" 然后将下面名称的服务删除（选中有问题的服务后，点“删除服务”，点“设置”按钮即可。  注意弹出的窗口中要点 “NO 否”才是确认删除服务）(不能删除的就禁用:启动类型改为disabled,点中修改启动类型，点设置):
[7D05B92E / 7D05B92E][Stopped/Auto Start]
<C:\WINDOWS\system32\7D05B92E.EXE -d><Microsoft Corporation>
[Fast Client / fast][Running/Auto Start]
<C:\WINDOWS\system32\4201.exe><N/A>

删除以下文件:
C:\WINDOWS\system32\201a.dll
C:\WINDOWS\system32\c142.dll
C:\WINDOWS\system32\7D05B92E.DLL
C:\WINDOWS\system32\4201.exe
C:\WINDOWS\system32\shualai.dll
C:\WINDOWS\shualai.exe
C:\Program Files\Winamp\tchigkg.exe


打开SRE--系统修复--文件关联--修复以下几项错误
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]

SRE--系统修复--hosts文件--重置

安全模式下除C:\WINDOWS\system32\4201.exe不能删除外,其它都已经删除,Unlock删不掉4201,用Pocket KillBox删除后,重起还是出现4201.exe  究竟它是什么东西啊?