Rising Kaka Security Forum, Technical Exchange Area, Anti-virus / Anti-rogue-software forum

Infected with an unknown virus; at every boot an uppercase IEXPLORE.EXE appears in the process list

Today I was careless and turned off Rising's real-time monitor, and got infected with an unknown virus. I cleaned everything else out by hand; what remains is that at every boot an uppercase IEXPLORE.EXE shows up in the process list. Searching found it under WINDOWS's $NtUninstallKB901190$ directory, but every time I delete it and restart the system, it is regenerated at random under a $NtUninstallKBxxxxx$ directory and reappears in the process list. I found nothing in the registry Run keys or in msconfig. What is it being launched by, and how do I find out? Thanks!
Last edited 2006-09-25 12:13:03

Run a HijackThis scan and post the log.

After a reboot it was in the process list again. The result from the Rising Diagnostic tool (瑞星听诊器) is as follows:

[Attachment: screenshot (image/pjpeg), uploaded 2006-9-25 10:38:46, 869 downloads]

Killed it in the process list, and now the scan runs.


System active processes
C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\IAANTMON.EXE

C:\PROGRA~1\CEBAS\IP-CLAMP\IPCLAMP.EXE

C:\WINDOWS\SYSTEM32\NVSVC32.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\SMSS.EXE

C:\WINDOWS\SYSTEM32\CSRSS.EXE

C:\WINDOWS\SYSTEM32\WINLOGON.EXE

    C:\WINDOWS\SYSTEM32\MSACM32.DRV

C:\WINDOWS\SYSTEM32\SERVICES.EXE

C:\WINDOWS\SYSTEM32\LSASS.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\DOCUMENTS AND SETTINGS\JACK1209\桌面\RSDETECT.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\PROGRAM FILES\ACD SYSTEMS\ACDSEE\ACDSEE.EXE

    C:\PROGRAM FILES\ACD SYSTEMS\ACDSEE\LICENSE.DLL
    C:\WINDOWS\SYSTEM32\INTOUCHCOMCLIENT.DLL
    C:\WINDOWS\SYSTEM32\SOAPACTOR.DLL
    C:\WINDOWS\SYSTEM32\XMLPARSER.DLL
    C:\WINDOWS\SYSTEM32\DBSOCK.DLL
    C:\PROGRAM FILES\ACD SYSTEMS\PLUGINS\IDE_ACDSTD.APL

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\EXPLORER.EXE

    C:\WINDOWS\SYSTEM32\WPDSHSERVICEOBJ.DLL
    C:\WINDOWS\SYSTEM32\PORTABLEDEVICETYPES.DLL
    C:\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL
    C:\WINDOWS\SYSTEM32\MSACM32.DRV
    C:\WINDOWS\SYSTEM32\RAVEXT.DLL
    C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACTIVEX\PDFSHELL.DLL
    C:\PROGRAM FILES\WINRAR\RAREXT.DLL
    C:\WINDOWS\SYSTEM32\NVCPL.DLL
    C:\WINDOWS\SYSTEM32\NVRSZHC.DLL
    C:\WINDOWS\SYSTEM32\NVSHELL.DLL
    C:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL

C:\PROGRAM FILES\DAEMON TOOLS\DAEMON.EXE

    C:\PROGRAM FILES\DAEMON TOOLS\DAEMON.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PFCTOC.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PLUGINS\IMAGES\BW5MOUNT.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PLUGINS\IMAGES\CCDMOUNT.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PLUGINS\IMAGES\MDSMOUNT.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PLUGINS\IMAGES\NRGMOUNT.DLL
    C:\PROGRAM FILES\DAEMON TOOLS\PLUGINS\IMAGES\PDIMOUNT.DLL

C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\IAANOTIF.EXE

    C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\ISDI.DLL
    C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\IAAMON_CHS.DLL

C:\PROGRAM FILES\CLOCX\CLOCX.EXE

C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE

    C:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL
    C:\PROGRAM FILES\RISING\RAV\RSAPPMGR.DLL
    C:\PROGRAM FILES\RISING\RAV\CFGDLL.DLL
    C:\PROGRAM FILES\RISING\RAV\RSCOMMX.DLL

C:\WINDOWS\SYSTEM32\CTFMON.EXE

C:\PROGRAM FILES\COMMON FILES\AUTODESK SHARED\SERVICE\ADSKSCSRV.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSRV.EXE

C:\PROGRAM FILES\DCPFLICS\DCPFLICS.EXE

C:\WINDOWS\SYSTEM32\ALG.EXE

C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL
    C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACTIVEX\ACROIEHELPER.DLL
    C:\WINDOWS\SYSTEM32\MSVCR71.DLL
    C:\PROGRA~1\FLASHGET\JCCATCH.DLL
    C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\MSOHEV.DLL
    C:\PROGRAM FILES\RISING\RAV\RAVSCRCH.DLL
    C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FLASH9.OCX
    C:\WINDOWS\SYSTEM32\MSACM32.DRV
    C:\WINDOWS\SYSTEM32\XPSP3RES.DLL


Standard autostart items
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    IMJPMIG8.1 = "C:\WINDOWS\IME\IMJP8_1\IMJPMIG.EXE" /SPOIL /REMADVDEF /MIGRATION32
    PHIME2002ASync = C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTSETP.EXE /IMENAME
    DAEMON Tools = "C:\PROGRAM FILES\DAEMON TOOLS\DAEMON.EXE" -LANG 1033
    IMSCMIG40W = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SETPRELOAD /LOG
    IAAnotif = C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\IAANOTIF.EXE
    ClocX = C:\PROGRAM FILES\CLOCX\CLOCX.EXE
    IMSCMig = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /PRELOAD
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NVSTARTUP
    nwiz = NWIZ.EXE /INSTALL
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NVTASKBARINIT

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\SYSTEM32\CTFMON.EXE


AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_DLLs =


System file associations
.exe ==> exefile = "%1" %*
.com ==> comfile = "%1" %*
.cmd ==> cmdfile = "%1" %*
.bat ==> batfile = "%1" %*
.txt ==> txtfile = %SystemRoot%\system32\NOTEPAD.EXE %1
.scr ==> scrfile = "%1" /S
.reg ==> regfile = regedit.exe "%1"
.doc ==> Word.Document.8 = "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde

Other startup items
WIN.INI

    No entries

SYSTEM.INI

    SHELL = Explorer.exe


Winlogon startup items
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    crypt32chain = CRYPT32.DLL
    cryptnet = CRYPTNET.DLL
    cscdll = CSCDLL.DLL
    ScCertProp = WLNOTIFY.DLL
    Schedule = WLNOTIFY.DLL
    sclgntfy = SCLGNTFY.DLL
    SensLogn = WLNOTIFY.DLL
    termsrv = WLNOTIFY.DLL
    wlballoon = WLNOTIFY.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Userinit = C:\WINDOWS\SYSTEM32\USERINIT.EXE,
    shell = EXPLORER.EXE


IE - BHO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} = C:\PROGRA~1\FlashGet\jccatch.dll
    {46F194EB-B7DB-4B7A-BD42-5FF39FD17664} = NULL
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    {A697BC46-BC93-4833-93F5-1E365011E88A} = NULL
    {AA58ED58-01DD-4d91-8333-CF10577473F7} = c:\program files\google\googletoolbar1.dll


Winsock SPI
MSAFD Tcpip [TCP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [UDP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [RAW/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
RSVP UDP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
RSVP TCP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4E20FE6-A92F-463B-95F9-1912772E25DC}] SEQPACKET 7 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4E20FE6-A92F-463B-95F9-1912772E25DC}] DATAGRAM 7 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{6301CA92-D539-4DE1-A52B-8F5D493DA5CC}] SEQPACKET 6 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{6301CA92-D539-4DE1-A52B-8F5D493DA5CC}] DATAGRAM 6 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE73BB81-5E33-4AFB-A23F-8427C247688E}] SEQPACKET 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE73BB81-5E33-4AFB-A23F-8427C247688E}] DATAGRAM 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4585DFCD-575A-4FF9-A0AE-7757D907AF02}] SEQPACKET 1 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4585DFCD-575A-4FF9-A0AE-7757D907AF02}] DATAGRAM 1 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{098AB1B1-470C-44A4-AB9F-42EE3B11D82D}] SEQPACKET 2 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{098AB1B1-470C-44A4-AB9F-42EE3B11D82D}] DATAGRAM 2 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCB56770-086F-4E9D-82DB-1BE49F9D7284}] SEQPACKET 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCB56770-086F-4E9D-82DB-1BE49F9D7284}] DATAGRAM 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{3B8DFCBE-2D87-4821-A02F-415370597733}] SEQPACKET 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{3B8DFCBE-2D87-4821-A02F-415370597733}] DATAGRAM 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9CE7F3-29A4-448A-B135-8E8691F7FE91}] SEQPACKET 5 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9CE7F3-29A4-448A-B135-8E8691F7FE91}] DATAGRAM 5 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL

System services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Adobe LM Service = "C:\PROGRAM FILES\COMMON FILES\ADOBE SYSTEMS SHARED\SERVICE\ADOBELMSVC.EXE"
    Alerter = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    ALG = C:\WINDOWS\SYSTEM32\ALG.EXE
    AppMgmt = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    AudioSrv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Autodesk Licensing Service = "C:\PROGRAM FILES\COMMON FILES\AUTODESK SHARED\SERVICE\ADSKSCSRV.EXE"
    BITS = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Browser = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    C-DillaSrv = C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSRV.EXE
    CiSvc = C:\WINDOWS\SYSTEM32\CISVC.EXE
    ClipSrv = C:\WINDOWS\SYSTEM32\CLIPSRV.EXE
    COM+ Alerter Service = C:\WINDOWS\SYSTEM32\ALTSVC.EXE
    COMSysApp = C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    CryptSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    DcomLaunch = C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH
    DCPFLICS = C:\PROGRAM FILES\DCPFLICS\DCPFLICS.EXE
    Dhcp = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    DirectZavz = C:\WINDOWS\SYSTEM32\DIRECTX.EXE
    dmadmin = C:\WINDOWS\SYSTEM32\DMADMIN.EXE /COM
    dmserver = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Dnscache = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE
    ERSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Eventlog = C:\WINDOWS\SYSTEM32\SERVICES.EXE
    EventSystem = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    FastUserSwitchingCompatibility = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    helpsvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    HidServ = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    HTTPFilter = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K HTTPFILTER
    IAANTMON = C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\IAANTMON.EXE
    IDriverT = "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\1050\INTEL 32\IDRIVERT.EXE"
    ImapiService = C:\WINDOWS\SYSTEM32\IMAPI.EXE
    IPClampService = C:\PROGRA~1\CEBAS\IP-CLAMP\IPCLAMP.EXE
    lanmanserver = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    lanmanworkstation = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    LmHosts = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    Messenger = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    mnmsrvc = C:\WINDOWS\SYSTEM32\MNMSRVC.EXE
    MSDTC = C:\WINDOWS\SYSTEM32\MSDTC.EXE
    MSIServer = C:\WINDOWS\SYSTEM32\MSIEXEC.EXE /V
    NetDDE = C:\WINDOWS\SYSTEM32\NETDDE.EXE
    NetDDEdsdm = C:\WINDOWS\SYSTEM32\NETDDE.EXE
    Netlogon = C:\WINDOWS\SYSTEM32\LSASS.EXE
    Netman = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Nla = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    NtLmSsp = C:\WINDOWS\SYSTEM32\LSASS.EXE
    NtmsSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    NVSvc = C:\WINDOWS\SYSTEM32\NVSVC32.EXE
    ose = "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE"
    PlugPlay = C:\WINDOWS\SYSTEM32\SERVICES.EXE
    PolicyAgent = C:\WINDOWS\SYSTEM32\LSASS.EXE
    ProtectedStorage = C:\WINDOWS\SYSTEM32\LSASS.EXE
    RasAuto = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    RasMan = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    RDSessMgr = C:\WINDOWS\SYSTEM32\SESSMGR.EXE
    RemoteAccess = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    RemoteRegistry = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    RpcLocator = C:\WINDOWS\SYSTEM32\LOCATOR.EXE
    RpcSs = C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS
    RsCCenter = "C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE"
    RsRavMon = "C:\PROGRAM FILES\RISING\RAV\RAVMOND.EXE"
    RSVP = C:\WINDOWS\SYSTEM32\RSVP.EXE
    SamSs = C:\WINDOWS\SYSTEM32\LSASS.EXE
    SCardSvr = C:\WINDOWS\SYSTEM32\SCARDSVR.EXE
    Schedule = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    seclogon = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    SENS = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    SharedAccess = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    ShellHWDetection = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Spooler = C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    srservice = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    SSDPSRV = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    stisvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC
    SwPrv = C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{CEA04559-0231-4594-AB2C-DCC37F544CBF}
    SysmonLog = C:\WINDOWS\SYSTEM32\SMLOGSVC.EXE
    TapiSrv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    TermService = C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH
    Themes = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    TlntSvr = C:\WINDOWS\SYSTEM32\TLNTSVR.EXE
    TrkWks = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    upnphost = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    UPS = C:\WINDOWS\SYSTEM32\UPS.EXE
    usnsvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K USNSVC
    VSS = C:\WINDOWS\SYSTEM32\VSSVC.EXE
    W32Time = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    WebClient = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
    winmgmt = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    WmdmPmSN = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    Wmi = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    WmiApSrv = C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
    WMPNetworkSvc = C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNETWK.EXE
    wscsvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    wuauserv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    WudfSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K WUDFSERVICEGROUP
    WZCSVC = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
    xmlprov = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS


File system drivers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    FltMgr = C:\WINDOWS\SYSTEM32\DRIVERS\FLTMGR.SYS
    MRxDAV = C:\WINDOWS\SYSTEM32\DRIVERS\MRXDAV.SYS
    MRxSmb = C:\WINDOWS\SYSTEM32\DRIVERS\MRXSMB.SYS
    NetBIOS = C:\WINDOWS\SYSTEM32\DRIVERS\NETBIOS.SYS
    Rdbss = C:\WINDOWS\SYSTEM32\DRIVERS\RDBSS.SYS
    sr = C:\WINDOWS\SYSTEM32\DRIVERS\SR.SYS
    Srv = C:\WINDOWS\SYSTEM32\DRIVERS\SRV.SYS


System drivers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    61883 = C:\WINDOWS\SYSTEM32\DRIVERS\61883.SYS
    ACPI = C:\WINDOWS\SYSTEM32\DRIVERS\ACPI.SYS
    aec = C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS
    AFD = C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
    Arp1394 = C:\WINDOWS\SYSTEM32\DRIVERS\ARP1394.SYS
    ASAPIW2K = C:\WINDOWS\SYSTEM32\DRIVERS\ASAPIW2K.SYS
    AsIO = C:\WINDOWS\SYSTEM32\DRIVERS\ASIO.SYS
    AsyncMac = C:\WINDOWS\SYSTEM32\DRIVERS\ASYNCMAC.SYS
    atapi = C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS
    Atmarpc = C:\WINDOWS\SYSTEM32\DRIVERS\ATMARPC.SYS
    audstub = C:\WINDOWS\SYSTEM32\DRIVERS\AUDSTUB.SYS
    Avc = C:\WINDOWS\SYSTEM32\DRIVERS\AVC.SYS
    BaseTDI = C:\WINDOWS\SYSTEM32\DRIVERS\BASETDI.SYS
    C-Dilla = C:\WINDOWS\SYSTEM32\DRIVERS\CDANT.SYS
    CCDECODE = C:\WINDOWS\SYSTEM32\DRIVERS\CCDECODE.SYS
    Cdrom = C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS
    Disk = C:\WINDOWS\SYSTEM32\DRIVERS\DISK.SYS
    dmboot = C:\WINDOWS\SYSTEM32\DRIVERS\DMBOOT.SYS
    dmio = C:\WINDOWS\SYSTEM32\DRIVERS\DMIO.SYS
    dmload = C:\WINDOWS\SYSTEM32\DRIVERS\DMLOAD.SYS
    DMusic = C:\WINDOWS\SYSTEM32\DRIVERS\DMUSIC.SYS
    drmkaud = C:\WINDOWS\SYSTEM32\DRIVERS\DRMKAUD.SYS
    dtscsi = C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
    ExpScaner = C:\PROGRAM FILES\RISING\RAV\EXPSCAN.SYS
    Fdc = C:\WINDOWS\SYSTEM32\DRIVERS\FDC.SYS
    Flpydisk = C:\WINDOWS\SYSTEM32\DRIVERS\FLPYDISK.SYS
    FsVga = C:\WINDOWS\SYSTEM32\DRIVERS\FSVGA.SYS
    Ftdisk = C:\WINDOWS\SYSTEM32\DRIVERS\FTDISK.SYS
    Gpc = C:\WINDOWS\SYSTEM32\DRIVERS\MSGPC.SYS
    hardlock = C:\WINDOWS\SYSTEM32\DRIVERS\HARDLOCK.SYS
    HdAudAddService = C:\WINDOWS\SYSTEM32\DRIVERS\HDAUDIO.SYS
    HDAudBus = C:\WINDOWS\SYSTEM32\DRIVERS\HDAUDBUS.SYS
    hidusb = C:\WINDOWS\SYSTEM32\DRIVERS\HIDUSB.SYS
    HOOKAPI = C:\PROGRAM FILES\RISING\RAV\HOOKAPI.SYS
    HookCont = C:\PROGRAM FILES\RISING\RAV\HOOKCONT.SYS
    HookReg = C:\PROGRAM FILES\RISING\RAV\HOOKREG.SYS
    HookSys = C:\PROGRAM FILES\RISING\RAV\HOOKSYS.SYS
    HTTP = C:\WINDOWS\SYSTEM32\DRIVERS\HTTP.SYS
    iaStor = C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS
    Imapi = C:\WINDOWS\SYSTEM32\DRIVERS\IMAPI.SYS
    IntcAzAudAddService = C:\WINDOWS\SYSTEM32\DRIVERS\RTKHDAUD.SYS
    IntelIde = C:\WINDOWS\SYSTEM32\DRIVERS\INTELIDE.SYS
    intelppm = C:\WINDOWS\SYSTEM32\DRIVERS\INTELPPM.SYS
    Ip6Fw = C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS
    IpFilterDriver = C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS
    IpInIp = C:\WINDOWS\SYSTEM32\DRIVERS\IPINIP.SYS
    IpNat = C:\WINDOWS\SYSTEM32\DRIVERS\IPNAT.SYS
    IPSec = C:\WINDOWS\SYSTEM32\DRIVERS\IPSEC.SYS
    IRENUM = C:\WINDOWS\SYSTEM32\DRIVERS\IRENUM.SYS
    isapnp = C:\WINDOWS\SYSTEM32\DRIVERS\ISAPNP.SYS
    Kbdclass = C:\WINDOWS\SYSTEM32\DRIVERS\KBDCLASS.SYS
    kbdhid = C:\WINDOWS\SYSTEM32\DRIVERS\KBDHID.SYS
    kmixer = C:\WINDOWS\SYSTEM32\DRIVERS\KMIXER.SYS
    kmsinput = C:\WINDOWS\SYSTEM32\DRIVERS\KMSINPUT.SYS
    MarvinBus = C:\WINDOWS\SYSTEM32\DRIVERS\MARVINBUS.SYS
    MEMSCAN = C:\PROGRAM FILES\RISING\RAV\MEMSCAN.SYS
    Mouclass = C:\WINDOWS\SYSTEM32\DRIVERS\MOUCLASS.SYS
    mouhid = C:\WINDOWS\SYSTEM32\DRIVERS\MOUHID.SYS
    MSDV = C:\WINDOWS\SYSTEM32\DRIVERS\MSDV.SYS
    MSKSSRV = C:\WINDOWS\SYSTEM32\DRIVERS\MSKSSRV.SYS
    MSPCLOCK = C:\WINDOWS\SYSTEM32\DRIVERS\MSPCLOCK.SYS
    MSPQM = C:\WINDOWS\SYSTEM32\DRIVERS\MSPQM.SYS
    mssmbios = C:\WINDOWS\SYSTEM32\DRIVERS\MSSMBIOS.SYS
    MSTEE = C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.SYS
    MTsensor = C:\WINDOWS\SYSTEM32\DRIVERS\ASACPI.SYS
    NABTSFEC = C:\WINDOWS\SYSTEM32\DRIVERS\NABTSFEC.SYS
    NdisIP = C:\WINDOWS\SYSTEM32\DRIVERS\NDISIP.SYS
    NdisTapi = C:\WINDOWS\SYSTEM32\DRIVERS\NDISTAPI.SYS
    Ndisuio = C:\WINDOWS\SYSTEM32\DRIVERS\NDISUIO.SYS
    NdisWan = C:\WINDOWS\SYSTEM32\DRIVERS\NDISWAN.SYS
    NetBT = C:\WINDOWS\SYSTEM32\DRIVERS\NETBT.SYS
    NIC1394 = C:\WINDOWS\SYSTEM32\DRIVERS\NIC1394.SYS
    npkcrypt = C:\PROGRAM FILES\TENCENT\QQ\NPKCRYPT.SYS
    npkcusb = C:\PROGRAM FILES\TENCENT\QQ\NPKCUSB.SYS
    nv = C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS
    nvport = C:\WINDOWS\SYSTEM32\DRIVERS\NVPORT.SYS
    NwlnkFlt = C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKFLT.SYS
    NwlnkFwd = C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKFWD.SYS
    ohci1394 = C:\WINDOWS\SYSTEM32\DRIVERS\OHCI1394.SYS
    Parport = C:\WINDOWS\SYSTEM32\DRIVERS\PARPORT.SYS
    PCI = C:\WINDOWS\SYSTEM32\DRIVERS\PCI.SYS
    PCIIde = C:\WINDOWS\SYSTEM32\DRIVERS\PCIIDE.SYS
    pfc = C:\WINDOWS\SYSTEM32\DRIVERS\PFC.SYS
    PptpMiniport = C:\WINDOWS\SYSTEM32\DRIVERS\RASPPTP.SYS
    PSched = C:\WINDOWS\SYSTEM32\DRIVERS\PSCHED.SYS
    Ptilink = C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS
    PxHelp20 = C:\WINDOWS\SYSTEM32\DRIVERS\PXHELP20.SYS
    RasAcd = C:\WINDOWS\SYSTEM32\DRIVERS\RASACD.SYS
    Rasl2tp = C:\WINDOWS\SYSTEM32\DRIVERS\RASL2TP.SYS
    RasPppoe = C:\WINDOWS\SYSTEM32\DRIVERS\RASPPPOE.SYS
    Raspti = C:\WINDOWS\SYSTEM32\DRIVERS\RASPTI.SYS
    RDPCDD = C:\WINDOWS\SYSTEM32\DRIVERS\RDPCDD.SYS
    rdpdr = C:\WINDOWS\SYSTEM32\DRIVERS\RDPDR.SYS
    redbook = C:\WINDOWS\SYSTEM32\DRIVERS\REDBOOK.SYS
    RivaTuner32 = C:\PROGRAM FILES\RIVATUNER V2.0 RC 16\RIVATUNER32.SYS
    rtl8139 = C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.SYS
    Secdrv = C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS
    serenum = C:\WINDOWS\SYSTEM32\DRIVERS\SERENUM.SYS
    Serial = C:\WINDOWS\SYSTEM32\DRIVERS\SERIAL.SYS
    SLIP = C:\WINDOWS\SYSTEM32\DRIVERS\SLIP.SYS
    splitter = C:\WINDOWS\SYSTEM32\DRIVERS\SPLITTER.SYS
    sptd = C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
    streamip = C:\WINDOWS\SYSTEM32\DRIVERS\STREAMIP.SYS
    swenum = C:\WINDOWS\SYSTEM32\DRIVERS\SWENUM.SYS
    swmidi = C:\WINDOWS\SYSTEM32\DRIVERS\SWMIDI.SYS
    sysaudio = C:\WINDOWS\SYSTEM32\DRIVERS\SYSAUDIO.SYS
    Tcpip = C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS
    TermDD = C:\WINDOWS\SYSTEM32\DRIVERS\TERMDD.SYS
    Update = C:\WINDOWS\SYSTEM32\DRIVERS\UPDATE.SYS
    usbccgp = C:\WINDOWS\SYSTEM32\DRIVERS\USBCCGP.SYS
    usbehci = C:\WINDOWS\SYSTEM32\DRIVERS\USBEHCI.SYS
    usbhub = C:\WINDOWS\SYSTEM32\DRIVERS\USBHUB.SYS
    USBSTOR = C:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS
    usbuhci = C:\WINDOWS\SYSTEM32\DRIVERS\USBUHCI.SYS
    VgaSave = C:\WINDOWS\SYSTEM32\DRIVERS\VGA.SYS
    Wanarp = C:\WINDOWS\SYSTEM32\DRIVERS\WANARP.SYS
    wdmaud = C:\WINDOWS\SYSTEM32\DRIVERS\WDMAUD.SYS
    WSTCODEC = C:\WINDOWS\SYSTEM32\DRIVERS\WSTCODEC.SYS
    WudfPf = C:\WINDOWS\SYSTEM32\DRIVERS\WUDFPF.SYS
    WudfRd = C:\WINDOWS\SYSTEM32\DRIVERS\WUDFRD.SYS
    ZSMC301b = C:\WINDOWS\SYSTEM32\DRIVERS\USBVM31B.SYS
This time the target file was generated under C:\WINDOWS\$NtUninstallKB911927$.
Haha, solved. By checking the modification date of this IEXPLORE.EXE file, I found a directx.exe in WINDOWS\system32 with the same year, month, day and time; deleting it did the trick. So it was that file launching IEXPLORE.EXE every time.
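The timestamp correlation the poster used by hand (the dropped IEXPLORE.EXE and its launcher shared a modification time) as a small script. This is an added example, not code from the thread or from Rising's tool; it generalizes the check to a whole directory tree with a tolerance window, and the directory layout, file names and timestamps it creates are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path


def files_modified_with(suspect, search_root, tolerance_s=60):
    """Return paths under search_root whose mtime lies within tolerance_s
    seconds of the suspect file's mtime (the suspect itself is excluded).
    A match is a lead to compare against a clean baseline, not proof of
    malice: legitimate files written by the same installer also match."""
    ref = os.stat(suspect).st_mtime
    suspect_path = Path(suspect).resolve()
    matches = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            p = Path(dirpath) / name
            try:
                mtime = p.stat().st_mtime
            except OSError:
                continue  # unreadable or vanished file; skip it
            if p.resolve() != suspect_path and abs(mtime - ref) <= tolerance_s:
                matches.append(str(p))
    return sorted(matches)


def build_demo_tree():
    """Construct a throwaway directory imitating the thread's layout
    (constructed sample, not the poster's real system)."""
    root = Path(tempfile.mkdtemp(prefix="ntuninstall_demo_"))
    drop_dir = root / "$NtUninstallKB911927$"
    sys32 = root / "system32"
    drop_dir.mkdir()
    sys32.mkdir()
    dropped = drop_dir / "IEXPLORE.EXE"
    launcher = sys32 / "directx.exe"
    benign = sys32 / "kernel32.dll"
    for f in (dropped, launcher, benign):
        f.write_bytes(b"MZ")  # placeholder bytes, not real executables
    t = datetime(2006, 9, 25, 10, 38).timestamp()  # constructed drop time
    os.utime(dropped, (t, t))
    os.utime(launcher, (t + 5, t + 5))        # written seconds after the drop
    os.utime(benign, (t - 400 * 86400,) * 2)  # an older, unrelated file
    return root, dropped


if __name__ == "__main__":
    demo_root, suspect_file = build_demo_tree()
    for hit in files_modified_with(suspect_file, demo_root):
        print(hit)
```

In the posted log the same launcher is visible as the service entry DirectZavz = C:\WINDOWS\SYSTEM32\DIRECTX.EXE, which is why neither the Run keys nor msconfig showed it; the services section of such a log is the second place to check when a timestamp match turns up an executable in system32.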