Rising Kaka Security Forum - Technical Exchange - Anti-virus / Anti-rogue-software Forum

Damn Street Basketball (街头篮球)! Finally found the reason the API hook was being modified!

A few days ago I checked the API hooks with SREng... found an anomaly... couldn't figure it out at all... asked the moderator on this forum... the moderator wasn't sure either... asked the moderator on Jiangmin's forum... someone there said I had some "free library" virus... sweat... because the hooked API function in my case was called FreeLibrary... at the time I was really happy... and said some nice words to him... went home and looked for the ravmond.exe file he talked about... found there is no such file at all! So I realised he was talking nonsense! Still suffering.... Opened SREng and went through every driver and service I could see one by one... exhausting... searched every unfamiliar one on Baidu and Google... didn't find any driver or service that I didn't know or that looked suspicious... so... couldn't sleep... I kept thinking my system is usually well defended... I even block bad websites in the HOSTS list... how could there be a hook problem?
Then I thought about the game I have installed and uninstalled several times... Street Basketball (街头篮球)... I love it and hate it at the same time... the game is good... ah, so much fun... but the distributor is an idiot... could this be the thing that is infected? So I searched on Kaka... and was shocked to find that my guess was actually true... damn... I read the moderator's post "Unveiling Street Basketball" (揭开街头篮球的面纱) and got a fright. So I rebooted the system... SREng found no modified API... ran the Street Basketball interface (hadn't entered the game, only the login screen). Over... re-scanned... found FreeLibrary was modified again... damn... it must be this one!
The moderator says this drops Huigezi (Gray Pigeon)... but I found nothing with Kaspersky... SREng also didn't find it loading any suspicious drivers or services... apart from the API hook being modified. I saw the moderator say that just deleting it is enough? Is that really so? I also couldn't find that mcxx.tmp file the moderator mentioned... maybe the current version has been updated with better hiding methods!? Moderator, after I delete this wretched game, how do I clean up the possible trojan and backdoor? Is it enough to use SREng's repair function to repair it? Sweat! Below is my SREng scan... hoping moderator baohee will take a look... Is the backdoor in this game really gone just by deleting the program?? How do I clean up the possible trojan and backdoor programs? Many thanks!
Last edited 2007-04-14 18:35:41

[CODE]

2007-04-14,15:12:11

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\windows\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RunShadowTip><C:\WINDOWS\system32\shadow\ShadowTip.exe>  [PowerShadow]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
N/A

==================================
服务
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
  <C:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Disabled]
  <C:\windows\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Disabled]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[Autodesk Licensing Service / Autodesk Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"><Autodesk>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Shadow System Service / ShadowSystemService][Running/Auto Start]
  <C:\WINDOWS\system32\shadow\ShadowService.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
  <C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>
[WMDM PMSP Service / WMDM PMSP Service][Stopped/Disabled]
  <C:\WINDOWS\system32\MsPMSPSv.exe><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
  <C:\windows\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>

==================================
驱动程序
[aic78xx / aic78xx][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  <system32\drivers\ALCXWDM.SYS><N/A>
[AMD Processor Driver / AmdK8][Running/System Start]
  <system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[ATITool Overclocking Utility / ATITool][Running/System Start]
  <system32\DRIVERS\ATITool.sys><>
[ICatch (VI) PC Camera / CA561][Running/Manual Start]
  <System32\Drivers\SPCA561.SYS><SP>
[cdrblock / cdrblock][Running/System Start]
  <system32\DRIVERS\cdrblock.sys><Canopus Co,. Ltd.>
[cdrport / cdrport][Running/System Start]
  <system32\DRIVERS\cdrport.sys><Canopus Co,. Ltd.>
[Creative AC3 Software Decoder / ctac32k][Running/Manual Start]
  <system32\drivers\ctac32k.sys><Creative Technology Ltd>
[Creative Audio Driver (WDM) / ctaud2k][Running/Manual Start]
  <system32\drivers\ctaud2k.sys><Creative Technology Ltd>
[Creative DVD-Audio Device Driver / ctdvda2k][Stopped/Manual Start]
  <system32\drivers\ctdvda2k.sys><Creative Technology Ltd>
[Creative Proxy Driver / ctprxy2k][Running/Manual Start]
  <system32\drivers\ctprxy2k.sys><Creative Technology Ltd>
[Creative SoundFont Management Device Driver / ctsfm2k][Running/Manual Start]
  <system32\drivers\ctsfm2k.sys><Creative Technology Ltd>
[d347bus / d347bus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
  <\SystemRoot\System32\Drivers\d347prt.sys><>
[e2eCap - WDM Video Capture / E2ECAP][Stopped/Auto Start]
  <system32\DRIVERS\e2ecap.sys><e2eSoft>
[E-mu Plug-in Architecture Driver / emupia][Running/Manual Start]
  <system32\drivers\emupia2k.sys><Creative Technology Ltd>
[Gmer / Gmer][Stopped/Manual Start]
  <System32\DRIVERS\gmer.sys><GMER>
[Creative Hardware Abstract Layer Driver / ha10kx2k][Running/Manual Start]
  <system32\drivers\ha10kx2k.sys><Creative Technology Ltd>
[Hamachi Network Interface / hamachi][Stopped/Manual Start]
  <system32\DRIVERS\hamachi.sys><LogMeIn, Inc.>
[Creative P16V HAL Driver / hap16v2k][Running/Manual Start]
  <system32\drivers\hap16v2k.sys><Creative Technology Ltd>
[Creative P17V HAL Driver / hap17v2k][Stopped/Manual Start]
  <system32\drivers\hap17v2k.sys><Creative Technology Ltd>
[IPvE Adapter Driver / IPvE][Stopped/Manual Start]
  <system32\DRIVERS\IPvE.sys><Hongtien>
[MAGIX_ASIO_BoostDriver / MagixASIODrv][Stopped/Manual Start]
  <\??\D:\安装软件\Samplitude_V8_professional\mxasio.sys><MAGIX AG>
[nvata / nvata][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvata.sys><NVIDIA Corporation>
[NVIDIA nForce Networking Controller Driver / NVENETFD][Running/Manual Start]
  <system32\DRIVERS\NVENETFD.sys><NVIDIA Corporation>
[NVIDIA Network Bus Enumerator / nvnetbus][Running/Manual Start]
  <system32\DRIVERS\nvnetbus.sys><NVIDIA Corporation>
[Creative OS Services Driver / ossrv][Running/Manual Start]
  <system32\drivers\ctoss2k.sys><Creative Technology Ltd.>
[PfDetNT / PfDetNT][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\PfModNT.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Running/Auto Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
[StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology>
[StarForce Protection Synchronization Driver (version 3.x) / sfsync03][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfsync03.sys><Protection Technology>
[sptd / sptd][Running/Boot Start]
  <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework Platform Driver / WudfPf][Stopped/Manual Start]
  <system32\DRIVERS\WudfPf.sys><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework Reflector / WudfRd][Stopped/Manual Start]
  <system32\DRIVERS\wudfrd.sys><Microsoft Corporation>
[EagleNT / EagleNT][Stopped/Manual Start]
  <\??\C:\windows\system32\drivers\EagleNT.sys><N/A>

==================================
浏览器加载项
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[&使用迅雷下载]
  <D:\安装软件\Thunder553264_diy\Thunder\Program\geturl.htm, N/A>
[&使用迅雷下载全部链接]
  <D:\安装软件\Thunder553264_diy\Thunder\Program\getallurl.htm, N/A>
[使用 IDM 下载]
  <D:\安装软件\Internet Download Manager\Internet Download Manager\IEExt.htm, N/A>
[使用 IDM 下载所有链接]
  <D:\安装软件\Internet Download Manager\Internet Download Manager\IEGetAll.htm, N/A>
[使用KuGoo3下载(&K)]
  <D:\安装软件\KuGoo_3.233_wj\KuGoo\KuGoo3DownX.htm, N/A>

==================================
正在运行的进程
[PID: 672][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 724][\??\C:\windows\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1948][C:\windows\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.2.54.0]
    [C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll]  [Autodesk, 16.2.54.0]
    [D:\安装软件\Unlocker1.8.5\Unlocker1.8.5\UnlockerCOM.dll]  [N/A, ]
    [D:\安装软件\winrar3.61\rarext.dll]  [N/A, ]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CmdLineExt02.dll]  [N/A, ]
    [C:\WINDOWS\system32\mscoree.dll]  [Microsoft Corporation, 1.1.4322.2032]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Shfusion.dll]  [Microsoft Corporation, 1.1.4322.573]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\windows\system32\asfsipc.dll]  [Microsoft Corporation, 1.1.00.3917]
[PID: 232][C:\windows\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2008][D:\安装软件\GreenBrowser_0906_DIY\GreenBrowser\GreenBrowser.exe]  [MoreQuick, 1, 0, 0, 0]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.2.54.0]
    [C:\windows\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [C:\windows\system32\SOGOUPY.IME]  [Sohu.com Inc., 1, 5, 0, 0]
    [D:\安装软件\SogouInput\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 564][D:\安装软件\sreng2.4.12.806\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\windows\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
API HOOK
入口点错误:FreeLibrary (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0x5F00002D)

==================================
隐藏进程
N/A

==================================
[/CODE]
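As an added example (not part of the original post and not SREng's own code), here is a small Python parser for the SREng 2.4 report format shown above: it pulls out the driver entries and the API HOOK line, then flags what a responder would check first, namely entries with an empty or N/A vendor and any hooked entry point. The embedded excerpt is constructed from lines of this post's log.

```python
import re

# Constructed excerpt in SREng 2.4 report format (lines taken from the log above).
SAMPLE = """\
驱动程序
[ATITool Overclocking Utility / ATITool][Running/System Start]
  <system32\\DRIVERS\\ATITool.sys><>
[sptd / sptd][Running/Boot Start]
  <\\SystemRoot\\System32\\Drivers\\sptd.sys><N/A>
[EagleNT / EagleNT][Stopped/Manual Start]
  <\\??\\C:\\windows\\system32\\drivers\\EagleNT.sys><N/A>
[nvata / nvata][Running/Boot Start]
  <\\SystemRoot\\system32\\DRIVERS\\nvata.sys><NVIDIA Corporation>

==================================
API HOOK
入口点错误:FreeLibrary (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0x5F00002D)
"""

# "[display name / service name][state/start type]" header of one entry
ENTRY_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\[(?P<state>[^\]]*)\]$")
# "  <image path><vendor>" detail line that follows an entry header
PATH_RE = re.compile(r"^\s*<(?P<path>[^>]*)><(?P<vendor>[^>]*)>$")
# "入口点错误:<API> ... Dest Addr: 0x..." line of the API HOOK section
HOOK_RE = re.compile(r"^入口点错误:(?P<api>\w+).*Dest Addr:\s*(?P<addr>0x[0-9A-Fa-f]+)")

def parse_report(text):
    """Return (entries, hooks): entries as dicts, hooks as (api, dest_addr) tuples."""
    entries, hooks, pending = [], [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = {"name": m["name"], "state": m["state"]}
            continue
        m = PATH_RE.match(line)
        if m and pending:
            pending.update(path=m["path"], vendor=m["vendor"].strip())
            entries.append(pending)
            pending = None
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append((m["api"], int(m["addr"], 16)))
    return entries, hooks

def triage(entries, hooks):
    """Flag entries with no usable vendor and every hooked entry point."""
    findings = [("unknown-vendor", e["name"], e["path"])
                for e in entries if e["vendor"] in ("", "N/A")]
    findings += [("api-hook", api, hex(addr)) for api, addr in hooks]
    return findings
```

An unknown vendor is only a starting point for a lookup, not proof of anything; the hook line is the one finding here that directly matches what the post describes.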