
[Help] About the xp.exe file

For the past few days the software I run keeps throwing errors, and several antivirus programs find no virus. Later I noticed a suspicious xp.exe file in the Windows directory. After deleting xp.exe and the tz.dll file in the temp folder in Safe Mode, everything works normally, but after a while they appear again. I don't know how to solve this.
Last edited 2006-05-15 09:53:33

[Reply to 我就是吹风's post]
http://forum.ikaka.com/topic.asp?board=28&artid=6979213
Download System Repair Engineer 2.0.12.350
and export the full log.

Take a look.
I originally used HijackThis; it found an xp.exe entry under O23, which I fixed, but it still came back afterwards.

2006-05-15,09:13:35

System Repair Engineer 2.0.12.350 (2.0 RC 1)
    Windows 2000 Professional Service Pack 4 - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <Internat.exe><internat.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <Synchronization Manager><mobsync.exe /logon>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <KAVPersonal50><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
  <CRKAVPP><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <shell><explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><KB759762.LOG>

==================================
启动文件夹
[快捷方式 快捷方式 rout]
  <C:\Documents and Settings\liulu\「开始」菜单\程序\启动\快捷方式 快捷方式 rout.lnk><N>

==================================
服务
[Alerter / Alerter]
  <%SystemRoot%\System32\svchost.exe -k LocalService><N/A>
[C-DillaCdaC11BA / C-DillaCdaC11BA]
  <C:\WINNT\system32\drivers\CDAC11BA.EXE><N/A>
[Symantec Event Manager / ccEvtMgr]
  <><N/A>
[Symantec Password Validation Service / ccPwdSvc]
  <><N/A>
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Graeon_Server / GreonServer]
  <><N/A>
[Norton AntiVirus 自动防护服务 / navapsvc]
  <><N/A>
[NetDogService / NetDogService]
  <><N/A>
[NetWorker Backup and Recover Server / nsrd]
  <><N/A>
[NetWorker Remote Exec Service / nsrexecd]
  <><N/A>
[OracleAgent80 / OracleAgent80]
  <C:\orant\agentbin\DBSNMP.EXE><oracle>
[OracleClientCache80 / OracleClientCache80]
  <C:\orant\BIN\ONRSD80.EXE><N/A>
[OracleDataGatherer / OracleDataGatherer]
  <C:\orant\bin\vppdc.exe><N/A>
[OracleExtprocAgent / OracleExtprocAgent]
  <C:\orant\BIN\EXTPROCT.EXE extproc><N/A>
[OracleNamesService80 / OracleNamesService80]
  <C:\orant\BIN\NAMES80.EXE><N/A>
[OracleServiceORCL / OracleServiceORCL]
  <c:\orant\bin\oracle80.exe ORCL><Oracle Corporation>
[OracleStartORCL / OracleStartORCL]
  <C:\orant\BIN\strtdb80.exe><N/A>
[OracleTNSListener80 / OracleTNSListener80]
  <C:\orant\BIN\TNSLSNR80.EXE><N/A>
[OracleWebAssistant / OracleWebAssistant]
  <C:\orant\bin\OWASTsvr.exe><Oracle Corporation>
[Storage Management Portmapper / portmap]
  <><N/A>
[ScriptBlocking Service / SBService]
  <><N/A>
[StdService / StdService]
  <C:\WINNT\system32\rundll32.exe C:\WINNT\System32\STDSVER.DLL,Service><N/A>
[windos installer / windos installer]
  <C:\WINNT\xp.exe><N/A>
[Windows Terminator Services / Windows Terminator Services]
  <C:\WINNT\iexplore.exe><N/A>

==================================
浏览器加载项
[ThunderIEHelper Class]
  {0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINNT\system32\xunleibho_v13.dll, Thunder Networking Technologies,LTD>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx, >
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <C:\Program Files\Tencent\qq\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[std software]
  {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} <C:\WINNT\SYSTEM32\stdup.dll, N/A>
[]
  {A9930D97-9CF0-42A0-A10D-4F28836579D5} <D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX, N/A>
[免费精彩视频超流畅在线观看]
  {022C4009-5283-4365-97BF-144054B40E2E} <http://itv.mop.com, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <C:\Program Files\Tencent\qq\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
  {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <C:\Program Files\Tencent\qq\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, Microsoft Corporation>
[Checkers Class]
  {00B71CFB-6864-4346-A978-C0A14556272C} <C:\WINNT\Downloaded Program Files\msgrchkr.dll, Microsoft Corporation>
[VTPlug3 Class]
  {0400AC1C-EEF0-4638-A501-31D5A0DC2002} <C:\WINNT\system32\gxd\VTrans3.dll, >
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINNT\system32\CMBEdit.dll, >
[PowerPlr Control]
  {2354A44B-3CEB-4829-9940-545B03103538} <C:\PROGRA~1\Powerise\REAL2A~1\PowerPlr.ocx, N/A>
[Minesweeper Flags Class]
  {2917297F-F02B-4B9D-81DF-494B6333150B} <C:\WINNT\Downloaded Program Files\minesweeper.dll, Microsoft Corporation>
[WebActivater Control]
  {3D8F74EE-8692-4F8F-B8D2-7522E732519E} <C:\WINNT\system32\WEBACT~1.OCX, QQ>
[CEditCtrl Object]
  {488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINNT\system32\aliedit\AliEdit.dll, www.alipay.com>
[RdxIE Class]
  {56336BCB-3D8A-11D6-A00B-0050DA18DE71} <C:\WINNT\Downloaded Program Files\RdxIE.dll, RealNetworks, Inc.>
[XINTVClientAuthX Control]
  {65A2AF26-BF84-49FA-B0AA-BC57B7B656A5} <C:\WINNT\system32\XINTVC~1\XINTVC~1.OCX, ctc>
[IMCv1 Control]
  {6924091F-CD97-41E1-B1D4-D9079409D413} <C:\PROGRA~1\LtUcx\1003\c0.dll, N/A>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINNT\system32\muweb.dll, Microsoft Corporation>
[AxInputControl Class]
  {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINNT\DOWNLO~1\INPUTC~1.DLL, >
[pcastup Class]
  {87CCFDB0-C4BE-4BC2-A78C-9EAA7CF96667} <C:\WINNT\Downloaded Program Files\vodupdate.dll, >
[AxSubmitControl Class]
  {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINNT\DOWNLO~1\SUBMIT~1.DLL, >
[MessengerStatsClient Class]
  {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} <C:\WINNT\Downloaded Program Files\messengerstatsclient.dll, Microsoft Corporation>
[Update Class]
  {9F1C11AA-197B-4942-BA54-47A8489BB47F} <C:\WINNT\System32\iuctl.dll, Microsoft Corporation>
[Qzone Media Tools]
  {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2} <C:\PROGRA~1\Tencent\qq\VQQPLA~1.OCX, Tencent Technology (Shenzhen) Company Limited>
[MsnMessengerSetupDownloadControl Class]
  {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} <C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx, Microsoft Corporation>
[WebActivater Control]
  {C661F36D-DF85-4EF4-83C7-E107B83D04B1} <C:\WINNT\system32\3DShowVM.ocx, QQ>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[AxUSBKey Class]
  {DA215190-98B2-47DE-AE24-DA95481DFFBA} <C:\WINNT\DOWNLO~1\USBKey.dll, >
[pCastPanel Class]
  {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} <C:\WINNT\Downloaded Program Files\pCastCtl.dll, >
[iChatX Object]
  {FEEC6798-0E56-4037-829E-FD18E5BADE8C} <C:\WINNT\Downloaded Program Files\ichatx.dll, 深圳市东方博雅科技有限公司>
[&使用迅雷下载]
  <C:\Program Files\Thunder Network\Thunder\geturl.htm, N/A>
[上传到QQ网络硬盘]
  <C:\Program Files\Tencent\qq\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
  <C:\Program Files\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
  <C:\Program Files\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <C:\Program Files\Tencent\qq\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 120][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
    [C:\WINNT\TEMP\tz.dll]  <N/A><N/A>
[PID: 208][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6898>
[PID: 236][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.6700>
    [C:\WINNT\system32\dmserver.dll]  <VERITAS Software Corp.><2195.6605.297.3>
[PID: 248][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.6902>
[PID: 420][C:\WINNT\System32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 524][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 648][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\system32\AcSignIcon.dll]  <Autodesk><16.0.0.86>
    [C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll]  <Autodesk><16.0.0.86>
    [C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx]  <><1, 0, 0, 1>
    [D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX]  <N/A><N/A>
    [C:\WINNT\system32\igfxpph.dll]  <Intel Corporation><3.0.0.3943>
    [C:\WINNT\system32\hccutils.DLL]  <Intel Corporation><3.0.0.3943>
    [C:\WINNT\system32\igfxres.dll]  <Intel Corporation><3.0.0.3943>
    [C:\WINNT\system32\igfxsrvc.dll]  <Intel Corporation><3.0.0.3943>
    [C:\WINNT\system32\igfxdev.dll]  <Intel Corporation><3.0.0.3943>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\WINNT\TEMP\tz.dll]  <N/A><N/A>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\scrchpg.dll]  <Kaspersky Lab><5.0.1.18>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\scrch_ag.dll]  <Kaspersky Lab><5.0.388.1>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\FSSync.dll]  <Kaspersky Lab><5.0.388.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\pr_rmt.dll]  <Kaspersky Lab><5.0.388.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ccclient.dll]  <Kaspersky Lab><5.0.388.1>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\klipc.dll]  <Kaspersky Lab><5.0.388.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\KLUtil.dll]  <Kaspersky Lab><5.0.388.1>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\rpt.dll]  <Kaspersky Lab><5.0.388.2>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\CCIFACE.dll]  <Kaspersky Lab><5.0.388.1>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\prloader.dll]  <Kaspersky Lab><5.0.388.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\prkernel.ppl]  <Kaspersky Lab><5.0.388.0>
    [c:\program files\kaspersky lab\kaspersky anti-virus personal pro\prstring.ppl]  <Kaspersky Lab><5.0.388.0>
    [c:\program files\kaspersky lab\kaspersky anti-virus personal pro\pr_srv.ppl]  <Kaspersky Lab><5.0.388.0>
    [c:\program files\kaspersky lab\kaspersky anti-virus personal pro\pr_clnt.ppl]  <Kaspersky Lab><5.0.388.0>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll]  <Kaspersky Lab><5.0.388.1>
[PID: 728][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
[PID: 748][C:\WINNT\system32\conime.exe]  <Microsoft Corporation><5.00.2195.6655>
[PID: 656][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  <Microsoft Corporation><6.00.2800.1106>
    [C:\WINNT\system32\AcSignIcon.dll]  <Autodesk><16.0.0.86>
    [C:\WINNT\system32\xunleibho_v13.dll]  <Thunder Networking Technologies,LTD><4, 6, 0, 48>
    [C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx]  <><1, 0, 0, 1>
    [C:\Program Files\Tencent\qq\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX]  <N/A><N/A>
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\scrchpg.dll]  <Kaspersky Lab><5.0.1.18>
    [C:\WINNT\system32\Macromed\Flash\Flash8.ocx]  <Macromedia, Inc.><8,0,22,0>
    [C:\WINNT\system32\JJN.IME]  <加加在线><3.11.0.0>
    [C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll]  <Autodesk><16.0.0.86>
[PID: 556][C:\Program Files\JJOL\IME\JJSvr.EXE]  <加加在线><3.11.0.1>
[PID: 1020][D:\download\sreng2\SREng.exe]  <Smallfrogs Studio><2.0.12.350>

==================================
文件关联
.TXT  Error. [NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.JS  Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================

[Reply to 我就是吹风's post]

Start--Control Panel--Performance and Maintenance--Administrative Tools--Services
Disable the following services:
[Symantec Event Manager / ccEvtMgr]
<><N/A>

[Symantec Password Validation Service / ccPwdSvc]
<><N/A>

[Graeon_Server / GreonServer]
<><N/A>

[Norton AntiVirus 自动防护服务 / navapsvc]
<><N/A>

[NetDogService / NetDogService]
<><N/A>

[NetWorker Backup and Recover Server / nsrd]
<><N/A>

[NetWorker Remote Exec Service / nsrexecd]
<><N/A>

[Storage Management Portmapper / portmap]
<><N/A>

[ScriptBlocking Service / SBService]
<><N/A>

[StdService / StdService]
<C:\WINNT\system32\rundll32.exe C:\WINNT\System32\STDSVER.DLL,Service><N/A>

[windos installer / windos installer]
<C:\WINNT\xp.exe><N/A>

[Windows Terminator Services / Windows Terminator Services]
<C:\WINNT\iexplore.exe><N/A>

==============

Start--Run
type regedit
OK
In the Registry Editor
expand [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
find and delete the following folders:
ccEvtMgr folder
ccPwdSvc folder
GreonServer folder
navapsvc folder
NetDogService folder
nsrd folder
nsrexecd folder
portmap folder
SBService folder
StdService folder
windos installer folder
Windows Terminator Services folder

=============

http://www.syssafety.com/
Download and install SSM (supports Chinese).

In SSM, add rules
that block the following files from loading:
C:\WINNT\System32\KB759762.LOG
C:\WINNT\TEMP\tz.dll

and set SSM to "load automatically".

After rebooting, delete
C:\WINNT\TEMP\tz.dll
C:\WINNT\System32\KB759762.LOG

Note:
For how to use SSM, see http://forum.ikaka.com/topic.asp?board=28&artid=7990675

==============

Delete
C:\WINNT\xp.exe
C:\WINNT\iexplore.exe
C:\WINNT\SYSTEM32\stdup.dll
C:\WINNT\System32\STDSVER.DLL

If you can find the following files,
delete them as well:
C:\WINNT\xp.dll
C:\WINNT\iexplore.dll
C:\WINNT\xpkey.dll
C:\WINNT\iexplorekey.dll
C:\WINNT\xp_hook.dll
C:\WINNT\iexplore_hook.dll

============

Of these,
C:\WINDOWS\SYSTEM32\stdup.dll is a spyware/adware plugin;
for the specific steps see
http://forum.ikaka.com/topic.asp?board=28&artid=7971417
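The SREng log posted above and the clean-up list in this reply point at the same handful of indicators: a service whose binary sits directly in C:\WINNT instead of System32 (xp.exe, iexplore.exe), a service hosted by rundll32.exe (STDSVER.DLL), a non-empty AppInit_DLLs value (KB759762.LOG), and a DLL loaded from the TEMP directory into csrss.exe and Explorer (tz.dll). The following Python script is an added example, not part of this thread or of SREng: it parses a log in the SREng 2.0 layout and flags those four indicators, so a reader can triage a similar log without working through it by hand. The SAMPLE_LOG excerpt is constructed for the example, and the function names and heuristics are the example's own, not SREng's.

```python
import re

# Constructed excerpt in the SREng 2.0 log layout seen in this thread (not the poster's full log).
SAMPLE_LOG = r"""注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <KAVPersonal50><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><KB759762.LOG>
==================================
服务
[Alerter / Alerter]
  <%SystemRoot%\System32\svchost.exe -k LocalService><N/A>
[StdService / StdService]
  <C:\WINNT\system32\rundll32.exe C:\WINNT\System32\STDSVER.DLL,Service><N/A>
[windos installer / windos installer]
  <C:\WINNT\xp.exe><N/A>
[Windows Terminator Services / Windows Terminator Services]
  <C:\WINNT\iexplore.exe><N/A>
==================================
正在运行的进程
[PID: 120][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
    [C:\WINNT\TEMP\tz.dll]  <N/A><N/A>
[PID: 648][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\TEMP\tz.dll]  <N/A><N/A>
"""

# Section labels as SREng prints them (Chinese UI) -> names used here.
SECTIONS = {"注册表": "registry", "服务": "services", "正在运行的进程": "processes"}

HEADER_RE = re.compile(r"^\[(?P<header>[^\]]*)\]\s*$")                  # [key] or [Display / Name]
VALUE_RE = re.compile(r"^\s+<(?P<name>[^>]*)><(?P<value>[^>]*)>\s*$")  # indented <name><value>
PROCESS_RE = re.compile(r"^\[PID: (?P<pid>\d+)\]\[(?P<image>[^\]]*)\]")
MODULE_RE = re.compile(r"^\s+\[(?P<path>[^\]]*)\]\s+<")                 # indented module line

# Heuristics taken from the thread (hypothetical rule names): a service binary directly in the
# Windows directory, a service hosted by rundll32, a set AppInit_DLLs, a module loaded from TEMP.
WINDOWS_ROOT_BINARY = re.compile(r"^(?:%SystemRoot%|[A-Za-z]:\\WIN(?:NT|DOWS))\\[^\\\s]+\.(?:exe|dll)$", re.I)
TEMP_DIR = re.compile(r"\\TEMP\\", re.I)

def parse_sreng_log(text):
    """Return registry (key, name, value), services (name, command, publisher) and processes (pid, image, modules)."""
    registry, services, processes = [], [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("="):
            continue
        if line in SECTIONS:                       # a new section label
            section, current = SECTIONS[line], None
            continue
        if section in ("registry", "services"):
            m = HEADER_RE.match(line)
            if m:                                   # registry key or service header
                current = m.group("header")
                continue
            m = VALUE_RE.match(line)
            if m and current is not None:
                target = registry if section == "registry" else services
                target.append((current, m.group("name"), m.group("value")))
        elif section == "processes":
            m = PROCESS_RE.match(line)
            if m:                                   # process line opens a new module list
                processes.append((int(m.group("pid")), m.group("image"), []))
                continue
            m = MODULE_RE.match(line)
            if m and processes:
                processes[-1][2].append(m.group("path"))
    return {"registry": registry, "services": services, "processes": processes}

def binary_of(command):
    """First token of a command line, with surrounding double quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def find_suspicious(text):
    """Apply the heuristics above to a log and return a list of findings (dicts)."""
    log = parse_sreng_log(text)
    findings = []
    for key, name, value in log["registry"]:
        if name.lower() == "appinit_dlls" and value.strip():          # any DLL here loads into every GUI process
            findings.append({"rule": "appinit_dlls", "where": key, "detail": value.strip()})
    for service, command, _publisher in log["services"]:
        binary = binary_of(command)
        if WINDOWS_ROOT_BINARY.match(binary):                          # C:\WINNT\xp.exe, not System32
            findings.append({"rule": "service_in_windows_root", "where": service, "detail": binary})
        if "rundll32" in binary.lower():                               # real services rarely run via rundll32
            findings.append({"rule": "service_hosted_by_rundll32", "where": service, "detail": command.strip()})
    for pid, image, modules in log["processes"]:
        for path in modules:
            if TEMP_DIR.search(path):                                  # DLL loaded from a TEMP directory
                findings.append({"rule": "module_from_temp", "where": f"PID {pid} {image}", "detail": path})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['rule']:28} {f['where']:<45} {f['detail']}")
```

Run against the excerpt it reports six findings, all of them entries the reply above tells the poster to disable, block or delete; the Kaspersky Run entry and the Alerter service pass untouched. The heuristics are deliberately narrow (a path directly under the Windows directory, rundll32 as a service host, TEMP as a module source), so they are a triage aid for reading such a log, not a verdict on any file.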

OK, I have followed this method, heh, learned another trick.