C:\WINNT\system32\fp8203loe.dll（已改名）
C:\WINNT\system32\jkklm.dll
C:\WINNT\system32\mllml.dll
这三个删除不掉，用killbox也无法删除，但c:\!submit\jkklm.dll 和 mllml.dll倒是可以删除。现在办公室电脑的问题都是如此——无法删除！
请问该如何处理？谢谢。
安模下再次扫描如下：
——————————————
Logfile of HijackThis v1.99.1
Scan saved at 11:08:30, on 2005-10-31
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Rising\Rav\RavTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
c:\program files\rising\rav\RAVMON.EXE
C:\Program Files\Rising\Rav\RAVTRAY.EXE
C:\Program Files\Rising\Rav\RavService.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

日志继续：
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\jkklm.dll
O2 - BHO: KillObj Class - {66C28884-4E5D-494B-80C9-CAA27528FD6D} - C:\WINNT\Downlo~1\ddtkillw.ocx
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\mllml.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RavTimer] C:\Program Files\Rising\Rav\RavTimer.exe
O4 - HKLM\..\Run: [RavTray] C:\Program Files\Rising\Rav\RavTray.exe
O4 - HKLM\..\Run: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe -system
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 使用彩信超级自写发送到手机 - http://mms.sina.com.cn/mmsnews.html
O8 - Extra context menu item: 使用新浪下载助手下载 - C:\WINNT\Downlo~1\sinadl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 发送图片到手机(&M) - http://sms.sina.com.cn/diy/send.html?from=467
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加QQ网络收藏夹 - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 情景聊天 - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O9 - Extra button: (no name) - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra 'Tools' menuitem: 新浪点点通阅读器 - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra button: 新浪点点通阅读器 - {F0646DC8-58CD-4C64-8F6B-525043914685} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (VGAPlayer Control) - http://www.jxedu.com.cn/gwy/ggglx/01/VGAPlayer.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {D083891E-C11A-11D6-9A01-0010D7094A99} (bfdown Class) - http://www.gameabc.com/Gameintro/inc/bfinst.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O20 - Winlogon Notify: jkklm - C:\WINNT\SYSTEM32\jkklm.dll
O20 - Winlogon Notify: mllml - C:\WINNT\system32\mllml.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fp8203loe.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: RavService - Unknown owner - C:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

Logfile of HijackThis v1.99.1
Scan saved at 16:38:30, on 2005-10-31
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 使用彩信超级自写发送到手机 - http://mms.sina.com.cn/mmsnews.html
O8 - Extra context menu item: 使用新浪下载助手下载 - C:\WINNT\Downlo~1\sinadl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 发送图片到手机(&M) - http://sms.sina.com.cn/diy/send.html?from=467
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加QQ网络收藏夹 - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 情景聊天 - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O9 - Extra button: (no name) - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra 'Tools' menuitem: 新浪点点通阅读器 - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra button: 新浪点点通阅读器 - {F0646DC8-58CD-4C64-8F6B-525043914685} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (VGAPlayer Control) - http://www.jxedu.com.cn/gwy/ggglx/01/VGAPlayer.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {D083891E-C11A-11D6-9A01-0010D7094A99} (bfdown Class) - http://www.gameabc.com/Gameintro/inc/bfinst.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\n86q0ij5e8o.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

http://virusscan.jotti.org/扫描后制订为特若依木马，卡巴斯基能杀。卸载rav，安装卡巴斯基，升级，能查不能杀。进dos，del C:\WINNT\system32\jkklm.dll 和 C:\WINNT\system32\mllml.dll。那个变名dll不能查，找到个可疑的变名dll，备份，del
重启，Hj扫描显示n86q0ij5e8o.dll存在，用vundofix删除C:\WINNT\system32\n86q0ij5e8o.dll，重启，Hj扫描如下：cleanup在学，问题仍然存在：）
————————
Logfile of HijackThis v1.99.1
Scan saved at 16:38:30, on 2005-10-31
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 使用彩信超级自写发送到手机 - http://mms.sina.com.cn/mmsnews.html
O8 - Extra context menu item: 使用新浪下载助手下载 - C:\WINNT\Downlo~1\sinadl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 发送图片到手机(&M) - http://sms.sina.com.cn/diy/send.html?from=467
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加QQ网络收藏夹 - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 情景聊天 - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O9 - Extra button: (no name) - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra 'Tools' menuitem: 新浪点点通阅读器 - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra button: 新浪点点通阅读器 - {F0646DC8-58CD-4C64-8F6B-525043914685} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (VGAPlayer Control) - http://www.jxedu.com.cn/gwy/ggglx/01/VGAPlayer.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {D083891E-C11A-11D6-9A01-0010D7094A99} (bfdown Class) - http://www.gameabc.com/Gameintro/inc/bfinst.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\n86q0ij5e8o.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Dir *.dll（找到这个变名的链接库）

这步太难了，进入dos下就变名了，实在难找。

再慢慢看看有没可疑的，呵呵

另用木马工具扫描出：tro2005-5-31-spyware-hooldll,73728;
c：\winnt\system32\rpcns4.dll怀疑为木马广告，这个已经del。

O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\n86q0ij5e8o.dll
每次开机这个Winlogon Notify 都会改变  请问就上面的log 帮我分析下

请问去属性并反注册这个文件该如何操作：）

修复：
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} ({5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}) - http://218.108.248.143/zvc/plugin/myv3na.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
HijackThis扫描，O20项为n86q0ij5e8o.dll
进入DOS，至c;\winnt\SYSTEM32下，每次进入dos，这个n86q0ij5e8o.dll都变名，这次居然没有，
Dir n86q0ij5e8o.dll
Attrib -r -s -h n86q0ij5e8o.dll；无法应用，提示正在运行；
Regsvr32 /u n86q0ij5e8o.dll，无法反注册，提示正在运行；
Del n86q0ij5e8o.dll，居然成功
重启，进入安全模式，没找到n86q0ij5e8o.dll，运行HijackThis修复020项。重启进入系统～～～晕倒～～～还在！！！又变名！！！（灰溜溜回家去￥＃◎……％）

谢天使之剑，报告如下：
——————————————
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h62olgf3162.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Read        BUILTIN\Power Users
(ID-IO) ALLOW  Read        BUILTIN\Power Users
(ID-NI) ALLOW  Full access BUILTIN\Administrators
(ID-IO) ALLOW  Full access BUILTIN\Administrators
(ID-NI) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AAECDE91-21A9-1DAA-AEDC-7FD436232186}"=""

**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Invalid keyboard code specified

C:\WINNT\SYSTEM32\
  wghext.dll    Wed  2005-10-26  16:36:22  ..S.R        234,272  228.78 K
  nvtman.dll    Mon  2005-10-31  15:57:18  ..S.R        234,033  228.55 K
  tvpi32.dll    Mon  2005-10-31  12:18:28  ..S.R        237,008  231.45 K
  glgiftga.dll  Tue  2005-08-23  17:15:14  A....        32,768    32.00 K
  gljpg.dll      Tue  2005-08-23  17:15:14  A....        94,208    92.00 K
  glpng.dll      Tue  2005-08-23  17:15:14  A....        94,208    92.00 K
  czrsrv.dll    Wed  2005-10-26  14:56:04  ..S.R        234,272  228.78 K
  dhcompos.dll  Thu  2005-10-27  9:02:30  ..S.R        235,569  230.05 K
  drsrslvr.dll  Wed  2005-11-02  9:01:24  .....        235,585  230.06 K
  enn8l1~1.dll  Wed  2005-10-26  16:20:44  ..S.R        234,458  228.96 K
  wvspdmod.dll  Wed  2005-10-26  16:44:02  ..S.R        234,272  228.78 K
  oaethk32.dll  Mon  2005-10-31  11:02:14  ..S.R        235,283  229.77 K
  wvpasf.dll    Mon  2005-10-31  14:28:42  ..S.R        234,033  228.55 K
  atmtd.dll      Tue  2005-10-25  9:40:56  A....        687,592  671.48 K
  nydskcc.dll    Wed  2005-10-26  16:00:06  ..S.R        234,458  228.96 K
  lv4s09~1.dll  Tue  2005-11-01  14:02:50  ..S.R        234,259  228.77 K
  glzip.dll      Tue  2005-08-23  17:15:12  A....        69,632    68.00 K
  glcards.dll    Tue  2005-08-23  17:15:12  A....        807,424  788.50 K
  glmpdll.dll    Tue  2005-08-23  17:15:12  A....        94,208    92.00 K
  glsocks.dll    Tue  2005-08-23  17:15:12  A....        10,240    10.00 K
  glmpeg.dll    Tue  2005-08-23  17:15:14  A....        57,344    56.00 K
  gliedo~1.dll  Tue  2005-08-23  17:15:14  A....        106,496  104.00 K
  glcomp~1.dll  Tue  2005-08-23  17:15:12  A....        57,344    56.00 K
  ywriin~1.dll  Wed  2005-10-26  16:18:44  ..S.R        234,458  228.96 K
  kt66l7~1.dll  Fri  2005-10-28  16:33:32  ..S.R        235,483  229.96 K
  epfpix~1.dll  Mon  2005-10-31  12:38:34  ..S.R        234,033  228.55 K
  h62olg~1.dll  Tue  2005-11-01  11:03:48  ..S.R        235,585  230.06 K

27 items found:  27 files (15 H/S), 0 directories.
  Total of file sizes:  5,868,525 bytes      5.59 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
  guard.tmp      Wed  2005-11-02  9:03:24  ..S.R        235,585  230.06 K

1 item found:  1 file (1 H/S), 0 directories.
  Total of file sizes:  235,585 bytes    230.06 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0D25-160A

Directory of C:\WINNT\System32

2005-11-02  09:03              235,585 guard.tmp
2005-11-01  14:02              234,259 lv4s09h7e.dll
2005-11-01  11:03              235,585 h62olgf3162.dll
2005-10-31  15:57              234,033 nvtman.dll
2005-10-31  14:41              165,624 lmllm.ini
2005-10-31  14:28              234,033 wvpasf.dll
2005-10-31  12:38              234,033 epfpixpsets.dll
2005-10-31  12:18              237,008 TVPI32.DLL
2005-10-31  11:02              162,974 lmllm.bak2
2005-10-31  11:02              235,283 oaethk32.dll
2005-10-28  16:33              235,483 kt66l7js1.dll
2005-10-28  11:56              162,351 lmllm.bak1
2005-10-27  09:02              235,569 dhcompos.dll
2005-10-26  16:44              234,272 wvspdmod.dll
2005-10-26  16:36              234,272 wghext.dll
2005-10-26  16:20              234,458 enn8l15u1.dll
2005-10-26  16:18              234,458 ywriinsert.dll
2005-10-26  16:00              234,458 nydskcc.dll
2005-10-26  14:56              234,272 CZRSRV.DLL
2004-04-13  15:17      <DIR>          dllcache
              19 File(s)      4,248,010 bytes
              1 Dir(s)  6,210,830,336 bytes free
————————————————

coolweb报告如下：
————————
Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Read        BUILTIN\Power Users
(ID-IO) ALLOW  Read        BUILTIN\Power Users
(ID-NI) ALLOW  Full access BUILTIN\Administrators
(ID-IO) ALLOW  Full access BUILTIN\Administrators
(ID-NI) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access CREATOR OWNER
——————

HiJackThis报告如下：
————————————————
Logfile of HijackThis v1.99.1
Scan saved at 12:17:25, on 2005-11-2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SKYNET Personal FireWall] C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: 使用彩信超级自写发送到手机 - http://mms.sina.com.cn/mmsnews.html
O8 - Extra context menu item: 使用新浪下载助手下载 - C:\WINNT\Downlo~1\sinadl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 发送图片到手机(&M) - http://sms.sina.com.cn/diy/send.html?from=467
O8 - Extra context menu item: 收藏此页到ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加QQ网络收藏夹 - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 情景聊天 - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINNT\Downlo~1\DDTONG~1.DLL
O9 - Extra button: (no name) - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra 'Tools' menuitem: 新浪点点通阅读器 - {974AD624-EA50-4831-A6C0-3040F6665396} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O9 - Extra button: 新浪点点通阅读器 - {F0646DC8-58CD-4C64-8F6B-525043914685} - C:\WINNT\Downlo~1\rssband.dll (HKCU)
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\j22q0cf5ef2.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
————————————