Rising Kaka Security Forum, Technical Exchange Area, Anti-virus / Anti-rogue-software Forum: *****[Urgent help] Neither Kaka nor Rising can deal with this, so I have come to ask the experts for help*****

The day before yesterday I was looking at the system processes and noticed two things, sysresrv.exe and giou028.exe, that had appeared for no reason. I then checked the startup items with Windows Optimizer (优化大师) and there were two auto-start entries named "?"; I unchecked them, but after a refresh they were back. They do not show up in the registry.
I killed giou028 with Task Manager, then located the file and deleted it, but after a refresh it regenerated itself.
I tried to stop sysresrv.exe and it could not be stopped. I disabled it with Kaka; after deleting it and rebooting it was back again, and this thing also tried to access the network, which I blocked with my Filseclab (费尔) firewall.
I wanted to go into Safe Mode to try scanning, but it would not boot into it; it printed a few lines of English text and hung there.
I thought updating Rising might help (I had just updated on the 24th), but as soon as I tried it said there was a network fault, and I could not reach the Rising website either, so I opened the HOSTS file and found this inside:

It had blocked them. How could I get on? I cleared the file, saved it and set the HOSTS attribute to read-only, and then I could get on. A while later it stopped working again; I went back and looked, and all those entries were sitting there again, and the HOSTS attribute had been changed back!
What should I do? Experts, please help me.
Last edited 2006-12-06 16:04:56
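As an added illustration (not part of the original thread), a small Python check for the two HOSTS-file patterns the post describes: security-vendor update hosts pinned to 127.0.0.1, and many unrelated sites mapped to one external IP. The vendor suffix list and the sample file are assumptions modelled on the entries quoted above.

```python
import ipaddress
from collections import defaultdict

# Assumption: a short, illustrative list of AV-vendor domains whose loopback
# mapping would block updates (the post shows rising.com.cn and ikaka.com).
PROTECTED_SUFFIXES = ("rising.com.cn", "ikaka.com")

# Constructed sample modelled on the HOSTS entries quoted in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
125.91.14.230 www.hao123.com
125.91.14.230 www.2345.com
125.91.14.230 www.9991.com
127.0.0.1 www.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 tool.ikaka.com
"""

def _is_protected(host):
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skips comments, blank lines and bad IP fields."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first field is not an address
        for host in parts[1:]:                 # one line may list several names
            yield str(ip), host.lower()

def audit_hosts(text, mass_threshold=3):
    """Return findings: vendor hosts pinned to loopback, and any single
    non-loopback IP that collects many hostnames (mass-redirect pattern)."""
    findings, by_ip = [], defaultdict(set)
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            if host != "localhost" and _is_protected(host):
                findings.append(("vendor_blocked", host, ip))
        else:
            by_ip[ip].add(host)
    for ip, hosts in by_ip.items():
        if len(hosts) >= mass_threshold:
            findings.append(("mass_redirect", ip, sorted(hosts)))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```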

[Reply to the post by "空袭警报"] 2006-11-30, 08:33:15

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <XFILTER><"d:\Program Files\Filseclab\xfilter\xfilter.exe" -a>  [费尔安全实验室]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><C:\WINNT\system32\userinit.exe,,"D:\Program Files\HFEE\SVOHOST.EXE" un userinit.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []

==================================
启动文件夹
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[NVIDIA Driver Helper Service / NVSvc]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
  <"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon]
  <"d:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[System Recover Servic / SysreSrv]
  <sysresrv.exe><N/A>

==================================
浏览器加载项
[]
  {A9930D97-9CF0-42A0-A10D-4F28836579D5} <D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX, N/A>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[免费精彩视频超流畅在线观看]
  {022C4009-5283-4365-97BF-144054B40E2E} <http://itv.mop.com, N/A>
[番茄花园]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Shockwave ActiveX Control]
  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINNT\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[KooPlayer Control]
  {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} <C:\WINNT\DOWNLO~1\KOOPLA~1.OCX, viviMedia>
[CCtInf Class]
  {6DBB2904-082D-4DB0-944A-21C22BA121F4} <C:\WINNT\system32\BANKCE~1.DLL, >
[clienttime.client]
  {C5D0DFF5-6D39-4F98-88CD-12E8430A6300} <C:\WINNT\Downloaded Program Files\client.ocx, NTSC>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[上传到QQ网络硬盘]
  <D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用KuGoo3下载(&K)]
  <D:\Program Files\KuGoo3\KuGoo3DownX.htm, N/A>
[使用网际快车下载]
  <D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
  <D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 164][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 160][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6997>
[PID: 212][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.7035>
    [C:\WINNT\system32\dmserver.dll]  <VERITAS Software Corp.><2195.6605.297.3>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 224][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.7011>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 384][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 412][d:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 472][C:\WINNT\system32\spoolsv.exe]  <Microsoft Corporation><5.00.2195.7059>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 504][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 532][C:\WINNT\system32\nvsvc32.exe]  <NVIDIA Corporation><6.13.10.2720>
[PID: 572][C:\WINNT\system32\regsvc.exe]  <Microsoft Corporation><5.00.2195.6701>
[PID: 592][C:\WINNT\system32\MSTask.exe]  <Microsoft Corporation><4.71.2195.6972>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 636][C:\WINNT\system32\stisvc.exe]  <Microsoft Corporation><5.00.2195.6656>
    [C:\WINNT\system32\VM303STI.dll]  <VM><4.2.510.21>
[PID: 708][C:\WINNT\system32\sysresrv.exe]  <N/A><N/A>
[PID: 744][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 820][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
[PID: 1080][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX]  <N/A><N/A>
[PID: 296][D:\Program Files\HFEE\SVOHOST.EXE]  <><3000.0.0.0>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
[PID: 1196][D:\Program Files\Filseclab\xfilter\xfilter.exe]  <费尔安全实验室><3.0>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
    [d:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1204][C:\WINNT\system32\rundll32.exe]  <Microsoft Corporation><5.00.2134.1>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
[PID: 1212][C:\WINNT\system32\giou028.exe]  <Microsoft Corporation><5.00.2134.1>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
[PID: 1112][D:\TEMP\新建文件夹 (5)\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINNT\system32\drivers\w24agio.sys]  <N/A><N/A>
    [C:\WINNT\system32\flntz.dll]  <N/A><N/A>
    [d:\Program Files\Filseclab\xfilter\XFILTER.DLL]  <Filseclab Corporation><3, 0, 0, 3644>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================
OK, thanks, I will go and do that right now and report the results back as soon as I have them. Experts, please keep following this.
So unlucky: even the latest version of Security Guard (安全卫士) did not detect it, and that MY123 removal tool says there is no malware on my system. What am I supposed to do..... 555~~
What am I supposed to do..... 555
I had a look at those two files and they claim to be system files; deleting them will not do any harm, will it?
And it will not let me delete them, saying they are in use... and I cannot get into Safe Mode either~~
I really do suspect those two files: they were created on 2006-11-27, yet their modification time is in 2005, and they carry no version information. But it will not let me delete them, so what can I do? Does anyone know how to delete them?
I used a file shredder to delete C:\WINNT\system32\drivers\w24agio.sys, C:\WINNT\system32\flntz.dll and sysresrv.
Then I checked the startup items with Windows Optimizer again and, damn, the "?" had turned into flntz.dll and giou028. I unchecked them and rebooted: giou028 is gone, but sysresrv is still there.... This virus is really vicious!

Experts, please show yourselves!