Rising Kaka Security Forum, Technical Exchange: Anti-virus / Anti-rogue-software Forum

Experts, please come in: a problem Super Rabbit can't solve: the IE plugin smflash.ocx

Super Rabbit can't remove the IE plugin smflash.ocx!!!

1. Infection process: running this downloader is enough to get infected: http://down.138.org.cn/setup.exe [WARNING] The hijacker and the several trojan samples are offered for download only for experts to study; anyone who downloads them out of curiosity, gets infected and ends up with a crippled computer bears the consequences themselves!!! [WARNING] Besides that, the download also infects the machine with a dozen or so popular malicious web-page hijackers, 7 or 8 trojans, downloaders and various other malware, but all of the others can be removed with Super Rabbit and a licensed copy of Rising; only smflash.ocx can't be removed.

2. Problem: it can't be uninstalled with Super Rabbit; see the screenshot in the attached image. Also, when IE starts it is automatically redirected to www.5xznt.com\list.htm, and Super Rabbit's IE full-repair tool can't fix that either.
Attachment: UploadFile/20068614444125111.jpg

3. System: Windows 2000, IE 6.0

Logfile of HijackThis v1.99.1
Scan saved at 2:15:28 PM, on 8/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Suss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\winnt\ECM4\Remote\CSIRemoteCSvc.exe
C:\WINNT\system32\MicrosoftLive.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.exe
C:\Program Files\Sony Ericsson\GC79 Manager\GC79 Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\zhoum\Desktop\bkp\杀毒软件\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\MicrosoftLive.exe
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINNT\system32\smflash.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] ; Ati2mdxx.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QCWLICON] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [Super Rabbit Desktop Set] C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ap.cpchem.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ap.cpchem.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ap.cpchem.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Configuresoft ECM Remote Client (CSIRemoteC) - Configuresoft Inc. - C:\winnt\ECM4\Remote\CSIRemoteCSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel File Transfer - Intel? Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel? Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
Last edited 2006-08-09 01:21:30

Run HijackThis; when the scan finishes, tick the box in front of the following entry and then choose "Fix":
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\MicrosoftLive.exe
Then delete
C:\WINNT\system32\MicrosoftLive.exe

Viruses really are getting nastier these days; following the method above, I couldn't delete it.

So:

I used the "delete a file on reboot" function in HijackThis's Misc Tools to delete microsoftlive.exe first; after rebooting I re-checked with HijackThis and it had been deleted successfully. The http://down.138.org.cn/setup.exe page no longer pops up.

But the Super Rabbit and HijackThis scans still show the smflash.ocx plugin. Awful......


[Replying to sunsubway1's post]

You must delete all of these at the same time (assuming the system is installed in c:\windows\):
c:\windows\system32\sql32.dll
c:\windows\system32\group.dll
c:\windows\system32\smflash.ocx

The first two are loaded under "System Services".
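As an added example (not code from the thread or from HijackThis), a small Python triage script that applies the two checks the replies above rely on to HijackThis log lines: an F2 Shell= value that starts anything besides Explorer.exe, and an O2 BHO whose file is loaded from the Windows System32 directory rather than a vendor's install directory. The sample lines are constructed copies of entries from the log posted above; the System32 rule is an assumed heuristic for triage, not HijackThis's own logic.

```python
import re

# Constructed sample: entries copied in shape from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\MicrosoftLive.exe
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINNT\system32\smflash.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

# A HijackThis entry line has the form "<section code> - <details>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<rest>.*)$")


def parse_entries(text):
    """Return (section, details) pairs, skipping the header and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("rest")))
    return entries


def triage(text):
    """Flag the two hijack patterns seen in this thread. Returns (kind, path) tuples."""
    findings = []
    for sect, rest in parse_entries(text):
        if sect == "F2" and rest.startswith("REG:system.ini: Shell="):
            # The shell value should be exactly "Explorer.exe"; any extra token is a
            # program Winlogon starts alongside the shell at every logon.
            tokens = rest.split("Shell=", 1)[1].split()
            extra = [t for t in tokens if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-hijack", extra[0]))
        elif sect == "O2" and rest.startswith("BHO:"):
            # Assumed heuristic: a BHO whose file sits directly in System32 rather than
            # under Program Files deserves a look, whatever its display name claims.
            path = rest.rsplit(" - ", 1)[1]
            if "\\system32\\" in path.lower():
                findings.append(("suspicious-bho", path))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind}: {path}")
```

The Shell= check splits on whitespace, so a hijacker path containing spaces would be reported as its first word only; the entry is still flagged.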