卡饭论坛's Archiver

既无风雨也无情 posted on 2008-9-4 13:38

What can save my computer?! (a really nasty virus)

Cause: Last night I had too many programs open and ran short of memory, so I simply shut down Kaspersky and kept on surfing. (One slip, a lifetime of regret.)

What happened: I clicked on some small site and Maxthon (遨游) stopped responding. Instinctively I tried to restore Kaspersky protection, but Kaspersky would not open. In Task Manager I found a suspicious process, explore.exe (it can be ended, and after ending it it never reappeared, but it is present in the startup items). IceSword (冰刃), MSCONFIG and regedit cannot be run.

Result: definitely infected.

Symptoms: Kaspersky won't open (in Safe Mode I found that the Kaspersky service had been turned off, but it cannot be restored). Using Super Rabbit (超级兔子; luckily it still works) to look at the startup items, there is an HBSERVICE entry located at HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (the registry editor won't open, so I can't delete it); what follows it is EXPLORE.EXE, and it can't be disabled.
On boot, a memory read/write error with a string of digits something like XXXOOOOXXOO appears, and then the desktop refreshes once.

Countermeasures (my abilities are limited): the Kaspersky online scanner can't be used, reinstalling Kaspersky gets terminated, the downloaded Kingsoft System Cleaner (金山清理专家) won't run, regedit can't be used in Safe Mode, and I could not find EXPLORE.EXE under WINDOWS\system32 .....

Calling on all the knights and masters of the forum to rescue this humble brother from his misery.

[This post was last edited by 既无风雨也无情 on 2008-9-4 17:13]

既无风雨也无情 posted on 2008-9-4 13:51

Why is everyone just looking and not saying anything?
I really have no other option, so I came here for help. I don't want to reinstall the system and let it get its way!!!!

既无风雨也无情 posted on 2008-9-4 14:06

注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><; "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe">  [Nero AG]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <High Definition Audio 属性页快捷方式><HDAShCut.exe>  [(Verified)Microsoft Windows XP Publisher]
    <HBService><explore.exe>  [N/A]
    <Alcmtr><; ALCMTR.EXE>  [Realtek Semiconductor Corp.]
    <AlcWzrd><; ALCWZRD.EXE>  [RealTek Semicoductor Corp.]
    <iSpeak6><; C:\Program Files\Changetech\iSpeak6.0\iSpeak.exe>  [上海勤和互联网技术软件开发有限公司]
    <NeroFilterCheck><; C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe>  [Nero AG]
    <RTHDCPL><; RTHDCPL.EXE>  [Realtek Semiconductor Corp.]
    <SoundMan><; SOUNDMAN.EXE>  [Realtek Semiconductor Corp.]
    <Storm2Set><; C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv>  [北京暴风网际科技有限公司]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <kcien12><kncer12.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{71A78CD4-E470-4a18-8457-E0E0283DD507}><C:\WINDOWS\system32\lweurqhx.dll>  []
    <{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}><C:\WINDOWS\system32\inetresdxc.dll>  []
    <{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}><C:\WINDOWS\system32\slbiopfs2.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    <inetresdxc.dll><C:\WINDOWS\system32\inetresdxc.dll>  []
    <xolehlpjh.dll><C:\WINDOWS\system32\xolehlpjh.dll>  []
    <lweurqhx.dll><C:\WINDOWS\system32\lweurqhx.dll>  []
    <slbiopfs2.dll><C:\WINDOWS\system32\slbiopfs2.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
    <WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll>  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
    <IFEO[360rpt.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
    <IFEO[360Safe.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
    <IFEO[adam.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
    <IFEO[AgentSvr.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe]
    <IFEO[AntiArp.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
    <IFEO[AppSvc32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
    <IFEO[autoruns.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
    <IFEO[avconsol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
    <IFEO[avgrssvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
    <IFEO[AvMonitor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
    <IFEO[avp.com]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    <IFEO[CCenter.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
    <IFEO[ccSvcHst.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
    <IFEO[conime.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe]
    <IFEO[DrvAnti.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe]
    <IFEO[drwadins.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe]
    <IFEO[drwebscd.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe]
    <IFEO[drwebupw.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
    <IFEO[EGHOST.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
    <IFEO[FileDsty.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe]
    <IFEO[filemon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
    <IFEO[FTCleanerShell.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe]
    <IFEO[FYFireWall.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe]
    <IFEO[GFRing3.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe]
    <IFEO[GFUpd.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe]
    <IFEO[GuardField.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
    <IFEO[HijackThis.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
    <IFEO[IceSword.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
    <IFEO[iparmo.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
    <IFEO[Iparmor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
    <IFEO[isPwdSvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
    <IFEO[kabaload.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
    <IFEO[KaScrScn.SCR]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
    <IFEO[KASMain.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
    <IFEO[KASTask.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
    <IFEO[KAV32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
    <IFEO[KAVDX.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe]
    <IFEO[KAVPF.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
    <IFEO[KAVPFW.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
    <IFEO[KAVSetup.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
    <IFEO[KAVStart.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
    <IFEO[KISLnchr.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
    <IFEO[KMailMon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
    <IFEO[KMFilter.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
    <IFEO[KPFW32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe]
    <IFEO[KPFW32X.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
    <IFEO[KPfwSvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
    <IFEO[KRegEx.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com]
    <IFEO[KRepair.com]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
    <IFEO[KsLoader.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp]
    <IFEO[KVCenter.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
    <IFEO[KvDetect.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
    <IFEO[KvfwMcl.exe]><ntsd -d>  [N/A]

既无风雨也无情 posted on 2008-9-4 14:06

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
    <IFEO[KVMonXP.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
    <IFEO[KVMonXP_1.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
    <IFEO[kvol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
    <IFEO[kvolself.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
    <IFEO[KvReport.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
    <IFEO[KVScan.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
    <IFEO[KVSrvXP.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
    <IFEO[KVStub.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
    <IFEO[kvupload.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
    <IFEO[kvwsc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
    <IFEO[KvXP.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
    <IFEO[KvXP_1.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
    <IFEO[KWatch9x.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
    <IFEO[KWatchX.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
    <IFEO[MagicSet.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
    <IFEO[mcconsol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
    <IFEO[mmqczj.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
    <IFEO[mmsk.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe]
    <IFEO[Navapsvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe]
    <IFEO[Navapw32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
    <IFEO[nod32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
    <IFEO[nod32krn.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
    <IFEO[nod32kui.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe]
    <IFEO[NPFMntor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE]
    <IFEO[OllyDBG.EXE]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE]
    <IFEO[OllyICE.EXE]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
    <IFEO[PFW.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
    <IFEO[PFWLiveUpdate.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
    <IFEO[procexp.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
    <IFEO[QHSET.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
    <IFEO[QQDoctor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
    <IFEO[QQKav.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
    <IFEO[Ras.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe]
    <IFEO[RavCopy.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
    <IFEO[RavMon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
    <IFEO[RavMonD.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
    <IFEO[RavStub.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
    <IFEO[RavTask.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe]
    <IFEO[RavXP.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe]
    <IFEO[RawCopy.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
    <IFEO[RegClean.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    <IFEO[regedit.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe]
    <IFEO[regmon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe]
    <IFEO[RegTool.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
    <IFEO[rfwcfg.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
    <IFEO[rfwmain.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
    <IFEO[rfwProxy.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
    <IFEO[rfwsrv.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]
    <IFEO[rfwstub.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
    <IFEO[RsAgent.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
    <IFEO[Rsaupd.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
    <IFEO[runiep.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
    <IFEO[safelive.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
    <IFEO[scan32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
    <IFEO[shcfg32.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
    <IFEO[SmartUp.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe]
    <IFEO[spiderml.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe]
    <IFEO[spidernt.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe]
    <IFEO[spiderui.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe]
    <IFEO[spml_set.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
    <IFEO[SREng.EXE]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
    <IFEO[symlcsvc.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
    <IFEO[SysSafe.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgar.exe]
    <IFEO[taskmgar.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
    <IFEO[TrojanDetector.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
    <IFEO[Trojanwall.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
    <IFEO[TrojDie.kxp]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
    <IFEO[UIHost.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
    <IFEO[UmxAgent.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
    <IFEO[UmxAttachment.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
    <IFEO[UmxCfg.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
    <IFEO[UmxFwHlp.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
    <IFEO[UmxPol.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe]
    <IFEO[UpLive.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
    <IFEO[vsstat.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
    <IFEO[webscanx.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
    <IFEO[WoptiClean.exe]><ntsd -d>  [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Application Layer Gateway Service / ALG][Stopped/Manual Start]
  <C:\WINDOWS\System32\alg.exe><N/A>
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[卡巴斯基互联网安全套装6.0个人版 / AVP][Stopped/Auto Start]
  <"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NBService / NBService][Stopped/Manual Start]
  <C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[NMIndexingService / NMIndexingService][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"><Nero AG>

既无风雨也无情 posted on 2008-9-4 14:07

正在运行的进程
[PID: 684 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 756 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 784 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4152]
    [C:\WINDOWS\system32\klogon.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]
[PID: 828 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\AppPatch\AcAdProc.dll]  [Microsoft Corporation, 5.1.2600.3008 (xpsp.061004-0027)]
[PID: 840 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1024 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4152]
    [C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2509]
    [C:\WINDOWS\system32\atipdlxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2513]
[PID: 1052 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1152 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1288 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 1428 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1560 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 172 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4152]
    [C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2509]
    [C:\WINDOWS\system32\atipdlxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2513]
    [C:\WINDOWS\system32\ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4152]
[PID: 324 / hacker][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
[PID: 132 / hacker][C:\WINDOWS\explorer.exe]  [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\CDRom.dll]  [Wopti, 1.0.7.126]
    [C:\WINDOWS\system32\WPDShServiceObj.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\WINDOWS\system32\xolehlpjh.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\PortableDeviceTypes.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\PortableDeviceApi.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\l3codeca.acm]  [Fraunhofer Institut Integrierte Schaltungen IIS, 1, 9, 0, 0305]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [C:\WINDOWS\system32\LCodcCMP.dll]  [LEAD Technologies, Inc., 1.0.0.009]
    [C:\Program Files\Common Files\Ahead\Lib\AdvrCntr2.dll]  [Nero AG, 5,22,2, 10400]
    [C:\WINDOWS\system32\asusasv1.dll]  [, ]
    [C:\WINDOWS\system32\asusasv2.dll]  [, ]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll]  [Nero AG, 2, 7, 3, 0]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [H:\常用工具\QQ\qdshm.dll]  [, 1, 0, 101, 20]
    [H:\常用工具\QQ\MFC42.DLL]  [Microsoft Corporation, 6.00.8665.0]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\wpdshext.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\Audiodev.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[PID: 1600 / hacker][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 1536 / hacker][C:\Program Files\Maxthon\Maxthon.exe]  [Maxthon International Ltd., 1, 6, 3, 80]
    [C:\Program Files\Maxthon\maxzlib.dll]  [ , 1, 0, 0, 2]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\odbcbcp.dll]  [Microsoft Corporation, 2000.085.1117.00 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\mscoree.dll]  [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
    [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CorperfmonExt.dll]  [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\Program Files\Maxthon\Services\RealTime\real_time.dll]  [, 1, 0, 0, 1]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\klscav.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prloader.dll]  [Kaspersky Lab, 6.0.2.621]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx]  [Adobe Systems, Inc., 9,0,124,0]
    [C:\Program Files\FlashGet\jccatch.dll]  [[url]www.flashget.com[/url], 1, 8, 1, 1006]
[PID: 3780 / hacker][H:\下载工具\eMule\emule.exe]  [[url]http://www.emule-project.net[/url], 0.48.0.80902 Unicode]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [H:\下载工具\eMule\config\antiLeech.dll]  [[url]http://xtreme-mod.net[/url], 32, 0, 0, 0]
    [H:\下载工具\eMule\lang\zh_CN.dll]  [[url]http://www.emule-project.net[/url], 0.48.0.80902]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]
[PID: 3516 / hacker][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, ]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\WINDOWS\system32\wpdshext.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\PortableDeviceApi.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\WINDOWS\system32\Audiodev.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll]  [Kaspersky Lab, 6.0.2.621]
[PID: 2604 / hacker][C:\DOCUME~1\hacker\LOCALS~1\Temp\Rar$EX00.984\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.12.1018]
[PID: 3176 / hacker][C:\DOCUME~1\hacker\LOCALS~1\Temp\Rar$EX00.984\SREf3010d6d.EXE]  [Smallfrogs Studio, 2.6.12.1018]
    [C:\WINDOWS\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINDOWS\system32\lweurqhx.dll]  [N/A, ]
    [C:\WINDOWS\system32\inetresdxc.dll]  [N/A, ]
    [C:\DOCUME~1\hacker\LOCALS~1\Temp\Rar$EX00.984\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.2.621]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1       localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 1536, C:\PROGRAM FILES\MAXTHON\MAXTHON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3516, C:\PROGRAM FILES\WINRAR\WINRAR.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2604, C:\DOCUME~1\HACKER\LOCALS~1\TEMP\RAR$EX00.984\SRENGLDR.EXE]

==================================
API HOOK
入口点错误:CreateServiceA (危险等级: 高,  被下面模块所HOOK: 0x001354AC)
RVA  错误: LoadLibraryA (危险等级: 高,  被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA  错误: LoadLibraryExA (危险等级: 高,  被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA  错误: LoadLibraryExW (危险等级: 高,  被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA  错误: LoadLibraryW (危险等级: 高,  被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA  错误: GetProcAddress (危险等级: 高,  被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)

==================================
隐藏进程
N/A

==================================

Amazing posted on 2008-9-4 14:09

[url]http://bbs.kafan.cn/thread-236736-1-1.html[/url] post #6
Repair IFEO hijacking

Use it to repair the image hijacking. Kaspersky should be able to open after that; then update Kaspersky to the latest version and run a scan.

I'll go through the log slowly; it looks a bit incomplete [:26:]

既无风雨也无情 posted on 2008-9-4 14:25

Reply to Amazing's post #6

This virus is really powerful. I had a look with SRE; it seems to have blocked a whole lot of things. Just to try, I first deleted the IceSword (冰刃) entry and found that IceSword could run (I was so happy!). Then I found the Kaspersky-related ones and deleted them all.
Kaspersky works now. Absolutely ecstatic!!!!!!![:05:] [:05:] [:05:] [:05:] [:05:]

Now scanning with Kaspersky. So many; I have never had this many viruses before!

I've pasted the whole log....


Kaspersky doesn't seem able to kill a few of the viruses. Rebooted and scanned again, then it asks for another reboot.

I still haven't dared to log into QQ.

Many thanks! The forum introduced me to SRE; first time downloading and using it.!!!

Amazing posted on 2008-9-4 14:26

C:\WINDOWS\system32\asusasv1.dll
C:\WINDOWS\system32\asusasv2.dll
Send these to [url=http://www.virustotal.com/zh-cn/]http://www.virustotal.com/zh-cn/[/url] for a check


First repair IFEO with the tool from post #6, then do the following

[b]1. It is recommended to use XDelBox to delete the following files[/b]: ([url=http://www.dodudou.com/down/index.php]XDelBox 1.7 download[/url]) (if the system is Vista, do not use XDelBox; use another deletion method instead)
Usage: copy the paths of all the files to be deleted, right-click in the pending-deletion list and choose "Import from clipboard without checking paths", then right-click the files to be deleted and choose delete with immediate reboot; the computer reboots into a DOS screen and performs the deletion. Before running XDelBox it is best to unplug all removable storage (USB sticks, MP3 players, phone memory cards, etc.).
explore.exe
kncer12.exe
C:\WINDOWS\system32\lweurqhx.dll
C:\WINDOWS\system32\slbiopfs2.dll
C:\WINDOWS\system32\inetresdxc.dll
C:\WINDOWS\system32\xolehlpjh.dll
C:\DOCUME~1\hacker\LOCALS~1\Temp\_tmp.bat
C:\WINDOWS\system32\drivers\xbyqprxy.sys
C:\WINDOWS\System32\Drivers\msiffei.sys


[b]2. After the deletion reboot, use SREng to repair the following items:[/b]

    Startup items -- Registry: delete the following entries:
<HBService><explore.exe>
<kcien12><kncer12.exe>
<{71A78CD4-E470-4a18-8457-E0E0283DD507}><C:\WINDOWS\system32\lweurqhx.dll>
<{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}><C:\WINDOWS\system32\inetresdxc.dll>
<{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}><C:\WINDOWS\system32\slbiopfs2.dll>  
<inetresdxc.dll><C:\WINDOWS\system32\inetresdxc.dll>  
<xolehlpjh.dll><C:\WINDOWS\system32\xolehlpjh.dll>  
<lweurqhx.dll><C:\WINDOWS\system32\lweurqhx.dll>  
<slbiopfs2.dll><C:\WINDOWS\system32\slbiopfs2.dll>  

   Startup items -- Services -- Drivers: disable the following entries:
[kggee / kggee][Stopped/Manual Start]
  <\??\C:\DOCUME~1\hacker\LOCALS~1\Temp\_tmp.bat><N/A>

[msiffei / msiffei][Stopped/Manual Start]
  <System32\Drivers\msiffei.sys><N/A>

[xbyqprxy / xbyqprxy][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\xbyqprxy.sys><N/A>

[[i] This post was last edited by Amazing on 2008-9-4 15:06 [/i]]

dgww posted on 2008-9-4 14:26

Hello OP, I had a quick look. First try entering Safe Mode (without networking), and then
open the Registry Editor.
Can't open it? First bring up Task Manager, then New Task, Browse, go to c:\windows, find regedit, rename it (say, abc), then run abc and it will open.

The whole virus only uses image hijacking; nothing very sophisticated.

Open the Registry Editor, find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, and delete all the entries under it.

Then right-click the Image File Execution Options key, choose Permissions, and under Security remove the [Full Control] permission from every user and group (including system and administrators).

After that, you can disable all the startup items in msconfig, as well as the non-Microsoft services. Reboot.

Then you can scan with your antivirus.

Also, your process list should contain an explorer.exe process; without it you would not see the desktop.

-----------------------------------------------------------------------------------------------------------------------

Actually, as long as today's viruses are not too nasty, they are all fairly easy to deal with, and the approach is roughly the same.
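The IFEO mechanism described above, as an added audit script for the affected machine (example code added here, not from the thread or from any tool it names; `Get-IfeoHijack`, `Resolve-DebuggerImage` and the list of known debuggers are my own assumptions, and it is meant to run from an elevated PowerShell):

```powershell
# Added example, not from the thread: audit the Image File Execution Options
# (IFEO) key. A subkey named after an executable that carries a "Debugger"
# value makes Windows start that "debugger" instead of the program. When the
# debugger path is dead or is the malware itself, regedit, msconfig, the AV
# and similar tools never start, which is the symptom this thread shows.
# Function names and the known-debugger list below are my own assumptions.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that are plausible on a developer machine (assumption; edit to taste).
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe', 'drwtsn32.exe')

function Resolve-DebuggerImage {
    param([string]$Debugger)
    # The value is a command line; only its first token is the image that runs.
    $image = ($Debugger -split '\s+', 2)[0].Trim('"')
    if ($image -match '\\') { return $image }
    # A bare name is resolved the way process creation would, on the system directories.
    foreach ($dir in @("$env:windir\system32", $env:windir)) {
        $candidate = Join-Path $dir $image
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $image
}

function Get-IfeoHijack {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $IfeoKey,
        [switch]$Remove   # delete hijacking subkeys after review; honours -WhatIf
    )
    foreach ($sub in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['Debugger']) { continue }

        $image  = Resolve-DebuggerImage $props.Debugger
        $exists = Test-Path -LiteralPath $image -PathType Leaf
        $name   = [System.IO.Path]::GetFileName($image).ToLowerInvariant()

        $verdict = if (-not $exists) {
            'HIJACK: debugger missing, launching this program silently fails'
        } elseif ($KnownDebuggers -notcontains $name) {
            'SUSPICIOUS: unknown debugger image, inspect the file'
        } else {
            'REVIEW: known debugger, confirm it was set on purpose'
        }

        [pscustomobject]@{
            Program  = $sub.PSChildName
            Debugger = $props.Debugger
            Image    = $image
            Exists   = $exists
            Verdict  = $verdict
        }

        if ($Remove -and $verdict -notlike 'REVIEW*' -and
            $PSCmdlet.ShouldProcess($sub.PSChildName, 'Remove IFEO subkey')) {
            Remove-Item -Path $sub.PSPath -Recurse -Force
        }
    }
}

# Report only. Add -Remove -WhatIf to preview the cleanup, -Remove to apply it.
Get-IfeoHijack | Format-Table -AutoSize
```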

既无风雨也无情 posted on 2008-9-4 14:38

I'll try everyone's methods first.

I compressed and uploaded the log, but it says the server cannot save it, directory incorrect




驱动程序
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[atitray / atitray][Running/System Start]
  <\??\H:\小工具\ATI Tray Tools\atitray.sys><N/A>
[Broadcom NetXtreme Gigabit Ethernet / b57w2k][Running/Manual Start]
  <system32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[FXDRV / FXDRV][Stopped/Manual Start]
  <\??\H:\小工具\super\Fxdrv.sys><Foxconn>
[HBKernel Driver / HBKernel][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\HBKernel.sys><N/A>
[Microsoft 用于 High Definition Audio 服务的 UAA 功能驱动程序 / HdAudAddService][Stopped/Manual Start]
  <system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
[Microsoft 用于 High Definition Audio 的 UAA 总线驱动程序 / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
  <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[KAVBootC / KAVBootC][Running/Boot Start]
  <\SystemRoot\system32\Drivers\KAVBootC.sys><Kingsoft Corporation>
[KAVSafe / KAVSafe][Running/Auto Start]
  <\??\C:\WINDOWS\system32\Drivers\KAVSafe.sys><Kingsoft Corporation>
[kggee / kggee][Stopped/Manual Start]
  <\??\C:\DOCUME~1\hacker\LOCALS~1\Temp\_tmp.bat><N/A>
[kl1 / kl1][Running/Boot Start]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[msiffei / msiffei][Stopped/Manual Start]
  <System32\Drivers\msiffei.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[TesSafe / TesSafe][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\TesSafe.sys><TENCENT>
[xbyqprxy / xbyqprxy][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\xbyqprxy.sys><N/A>
==================================
浏览器加载项
[FGCatchUrl]
  {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, [url=http://www.flashget.com]www.flashget.com[/url]>
[Web反病毒统计]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, (Signed) Kaspersky Lab>
[番茄花园]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <[url=http://www.tomatolei.com]http://www.tomatolei.com[/url], N/A>
[快车]
  {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
[@xpsp3res.dll,-20001]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[AhnASP Control]
  {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} <C:\PROGRA~1\AhnLab\ASP\COMPON~1\AhnASP\AhnASP.ocx, (Signed) AhnLab, Inc.>
[RavOnline Class]
  {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} <C:\WINDOWS\Downloaded Program Files\RavOLCtl.dll, Beijing Rising Information Technology Co., Ltd.>
[]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <, >
[FGCatchUrl]
  {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, [url=http://www.flashget.com]www.flashget.com[/url]>
[]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <, >
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx, (Signed) Adobe Systems, Inc.>
[]
  {D6E814A0-E0C5-11D4-8D29-0050BA6940E3} <, >
[]
  {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
[FlashGet GetFlash Class]
  {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, [url=http://www.flashget.com]www.flashget.com[/url]>
[FGAutoLive]
  {F90D830D-C175-4bbe-82C7-FF94669A4C42} <C:\Program Files\FlashGet\fgupdate.dll, [url=http://www.flashget.com]www.flashget.com[/url]>
[FGCatchUrl]
  {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <C:\Program Files\FlashGet\jccatch.dll, [url=http://www.flashget.com]www.flashget.com[/url]>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[&使用快车(FlashGet)下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[&使用快车(FlashGet)下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ表情]
  <H:\桌面\新建文件夹 (2)\AddEmotion.htm, N/A>

[[i] This post was last edited by 既无风雨也无情 on 2008-9-4 14:51 [/i]]

Amazing posted on 2008-9-4 15:07

I have re-edited post #8.

Also, I forgot to ask: did you paste all of the services? If so, follow post #8.

If not, paste the services section as well.

既无风雨也无情 posted on 2008-9-4 15:08

Reply to Amazing's post #8

(Already scanned with Kaspersky before trying your methods)
Doesn't work; IFEO prevents regedit from running
Can't proceed to the next step

Reply to post #9.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ Full Control has been disabled
Kaspersky scanning again

2008-9-4 15:08:41 文件 c:\windows\system32\drivers\hbkernel.sys: 检测到 木马程序 'Trojan-GameThief.Win32.OnLineGames.syng'.
Can't delete it; still there after reboot!

After the Kaspersky scan,
services.msc and regedit still cannot be used.

[[i] This post was last edited by 既无风雨也无情 on 2008-9-4 15:14 [/i]]

Amazing posted on 2008-9-4 15:13

Open SREng -- Startup items -- Registry (delete all the IFEO entries)

[[i] This post was last edited by Amazing on 2008-9-4 15:15 [/i]]

既无风雨也无情 posted on 2008-9-4 15:35

Reply to Amazing's post #13

Hi, I did as you said.

About to reboot now..

In SRE, HBService(explore.exe   ) cannot be deleted

After I delete it in the registry it is still there

Amazing posted on 2008-9-4 15:36

Follow the post below; I have rewritten it! If you have already deleted with XDelBox and rebooted, go straight to step 2: delete those values in SREng and disable the drivers.

You say that value cannot be deleted..... you must delete the virus files first, and then use SREng to change the registry values.

Do step 1 first to delete the virus, and then step 2 to delete the entries in the registry.

The earlier IFEO repair was so that Kaspersky could run.

[[i] This post was last edited by Amazing on 2008-9-4 15:44 [/i]]

Amazing posted on 2008-9-4 15:38

C:\WINDOWS\system32\asusasv1.dll
C:\WINDOWS\system32\asusasv2.dll
Send these to [url]http://www.virustotal.com/zh-cn/[/url] for a check

1. It is recommended to use XDelBox to delete the following files: (XDelBox 1.7 download) (if the system is Vista, do not use XDelBox; use another deletion method instead)
Usage: copy the paths of all the files to be deleted, right-click in the pending-deletion list and choose "Import from clipboard without checking paths", then right-click the files to be deleted and choose delete with immediate reboot; the computer reboots into a DOS screen and performs the deletion. Before running XDelBox it is best to unplug all removable storage (USB sticks, MP3 players, phone memory cards, etc.).
explore.exe
kncer12.exe
C:\WINDOWS\system32\lweurqhx.dll
C:\WINDOWS\system32\slbiopfs2.dll
C:\WINDOWS\system32\inetresdxc.dll
C:\WINDOWS\system32\xolehlpjh.dll
C:\DOCUME~1\hacker\LOCALS~1\Temp\_tmp.bat
C:\WINDOWS\system32\drivers\xbyqprxy.sys
C:\WINDOWS\System32\Drivers\msiffei.sys


2. After the deletion reboot, use SREng to repair the following items:

    Startup items -- Registry: delete the following entries:
<HBService><explore.exe>
<kcien12><kncer12.exe>
<{71A78CD4-E470-4a18-8457-E0E0283DD507}><C:\WINDOWS\system32\lweurqhx.dll>
<{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}><C:\WINDOWS\system32\inetresdxc.dll>
<{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}><C:\WINDOWS\system32\slbiopfs2.dll>  
<inetresdxc.dll><C:\WINDOWS\system32\inetresdxc.dll>  
<xolehlpjh.dll><C:\WINDOWS\system32\xolehlpjh.dll>  
<lweurqhx.dll><C:\WINDOWS\system32\lweurqhx.dll>  
<slbiopfs2.dll><C:\WINDOWS\system32\slbiopfs2.dll>  

(delete all the IFEO entries)

   Startup items -- Services -- Drivers: disable the following entries:
[kggee / kggee][Stopped/Manual Start]
  <\??\C:\DOCUME~1\hacker\LOCALS~1\Temp\_tmp.bat><N/A>

[msiffei / msiffei][Stopped/Manual Start]
  <System32\Drivers\msiffei.sys><N/A>

[xbyqprxy / xbyqprxy][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\xbyqprxy.sys><N/A>

既无风雨也无情 posted on 2008-9-4 15:48

Reply to Amazing's post #16

C:\WINDOWS\system32\asusasv1.dll
=====================================================
File asusasv1.dll received on 2008.09.04 09:44:06 (CET)


Result: 0/36 (0%)

Antivirus engine  Version  Last update  Result
AhnLab-V3 2008.9.3.0 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 -
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.03 -
AVG 8.0.0.161 2008.09.03 -
BitDefender 7.2 2008.09.04 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6066 2008.09.03 -
Ewido 4.0 2008.09.03 -
F-Prot 4.4.4.56 2008.09.03 -
F-Secure 8.0.14332.0 2008.09.04 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 -
Ikarus T3.1.1.34.0 2008.09.04 -
K7AntiVirus 7.10.439 2008.09.03 -
Kaspersky 7.0.0.125 2008.09.04 -
McAfee 5376 2008.09.03 -
Microsoft 1.3903 2008.09.04 -
NOD32v2 3413 2008.09.04 -
Norman 5.80.02 2008.09.03 -
Panda 9.0.0.4 2008.09.03 -
PCTools 4.4.2.0 2008.09.03 -
Prevx1 V2 2008.09.04 -
Rising 20.60.30.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.04 -
VBA32 3.12.8.4 2008.09.03 -
ViRobot 2008.9.2.1361 2008.09.03 -
VirusBuster 4.5.11.0 2008.09.03 -
Webwasher-Gateway 6.6.2 2008.09.04 -
Additional information
File size: 71680 bytes
MD5...: c67ef9685a34fc2be3d7cf3c09e998c2
SHA1..: 4f3ec2fb8ecc825ad11a553970f178d4a9766153
SHA256: 11cfa5138a368dd8d4a6e670577a7c67d351e6524709ab1f30b16c4ff5cd7c7c
SHA512: e51afa482dc6a4972c75fa43cee2351133a77327938084e7847ae0faa4007f9501662f4feee797b84b491ee0bbc9b146088ad4a47b6a3d7c02286ca56193b580
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ 4.x (69.2%)
Win32 Executable MS Visual C++ (generic) (19.3%)
Win32 Executable Generic (4.3%)
Win32 Dynamic Link Library (generic) (3.8%)
Win16/32 Executable Delphi generic (1.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7f842c40
timedatestamp.....: 0x38d9bc82 (Thu Mar 23 06:41:06 2000)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa0c0 0xa200 6.67 7d40c8c4f4325c59510341e13e7c7a23
.rdata 0xc000 0x46a 0x600 4.16 45913fc6ef4e61ed796725d6bbcb1576
.data 0xd000 0x39f4 0x3000 2.20 d04177e110008db88226e2880b81bc0a
.idata 0x11000 0x58c 0x600 4.93 621efdc59a94b0b7ce41e02c027931ff
.rsrc 0x12000 0x3000 0x2800 5.82 cb21afa6a048bbb54c7c9d40c869934a
.reloc 0x15000 0xd32 0xe00 6.22 1254e7975d3dc192d5c870118d91bbe2

( 4 imports )
> KERNEL32.dll: CloseHandle, CreateFileA, LocalLock, LocalUnlock, GetVersion, DeviceIoControl, LocalFree, WideCharToMultiByte, TerminateProcess, VirtualFree, HeapCreate, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetCommandLineA, GetProcAddress, GetModuleHandleA, ExitProcess, LocalAlloc, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, HeapDestroy, VirtualAlloc, MultiByteToWideChar, GetModuleFileNameA, GetCPInfo, GetACP, GetOEMCP, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, HeapAlloc, HeapFree
> USER32.dll: MessageBoxA, DialogBoxParamA, CheckRadioButton, IsDlgButtonChecked, EndDialog
> WINMM.dll: DefDriverProc
> ADVAPI32.dll: RegCreateKeyA, RegCloseKey, RegQueryValueExA, RegSetValueExA

( 1 exports )
DriverProc

C:\WINDOWS\system32\asusasv2.dll
=================================================
File asusasv2.dll received on 2008.09.04 09:47:03 (CET)


Result: 0/35 (0%)

Antivirus engine  Version  Last update  Result
AhnLab-V3 2008.9.3.0 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 -
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.03 -
AVG 8.0.0.161 2008.09.03 -
BitDefender 7.2 2008.09.04 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6066 2008.09.03 -
Ewido 4.0 2008.09.03 -
F-Prot 4.4.4.56 2008.09.03 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 -
Ikarus T3.1.1.34.0 2008.09.04 -
K7AntiVirus 7.10.439 2008.09.03 -
Kaspersky 7.0.0.125 2008.09.04 -
McAfee 5376 2008.09.03 -
Microsoft 1.3903 2008.09.04 -
NOD32v2 3413 2008.09.04 -
Norman 5.80.02 2008.09.03 -
Panda 9.0.0.4 2008.09.03 -
PCTools 4.4.2.0 2008.09.03 -
Prevx1 V2 2008.09.04 -
Rising 20.60.30.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.04 -
VBA32 3.12.8.4 2008.09.03 -
ViRobot 2008.9.2.1361 2008.09.03 -
VirusBuster 4.5.11.0 2008.09.03 -
Webwasher-Gateway 6.6.2 2008.09.04 -
Additional information
File size: 92672 bytes
MD5...: 04dd6e0554475cbea04fdcea007eefac
SHA1..: af34ae966618559ede0cdd521a9a4b33f896ffa7
SHA256: c5693d59d348a6f00d6abcfa5cb74acf0902dd843c364fb38e1dd2a4f1d4bbf9
SHA512: ed5c6b1c5ee3848bd0cda517bd5b24e49e1baefea61d4bca44ffc4ca123f75b9edf4d183007167116b74a87ad0ad0b8d80bceff7cd44d3600f678420789325f3
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7f84306f
timedatestamp.....: 0x3b545771 (Tue Jul 17 15:19:13 2001)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xcb6b 0xcc00 6.83 02ab074cc5910b6571360fbdf4a8967b
.rdata 0xe000 0xb5a 0xc00 5.13 abdad96dba9df3e7048133b1bce6d4fd
.data 0xf000 0x257144 0x3e00 2.94 79b85d424a09720017e5ca2fb6e290b2
.rsrc 0x267000 0x2650 0x2800 5.56 bf475f681a0b32c8e614402e8ea1a66d
.reloc 0x26a000 0x276e 0x2800 3.37 73c6e378820a2b1bee7f546904101c18

( 4 imports )
> KERNEL32.dll: LocalFree, WideCharToMultiByte, LocalLock, LocalUnlock, GetVersion, CloseHandle, FindNextFileA, FindFirstFileA, GetPrivateProfileStringA, SetFilePointer, CreateFileA, DeviceIoControl, ReadFile, FindClose, GetCurrentProcess, GetFileType, GetStdHandle, RtlUnwind, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, GetCommandLineA, ExitProcess, TerminateProcess, LocalAlloc, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, SetHandleCount, GetProcAddress, LoadLibraryA, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, HeapAlloc, VirtualAlloc, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP
> USER32.dll: MessageBoxA, wsprintfA, DialogBoxParamA, SendMessageA, GetDlgItem, EndDialog
> WINMM.dll: DefDriverProc
> ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegCreateKeyA, RegSetValueExA

( 1 exports )
DriverProc

Amazing posted on 2008-9-4 15:49

Understood; it looks like those files are safe.

既无风雨也无情 posted on 2008-9-4 16:02

Reply to Amazing's post #18

Done...
Only one problem left unsolved
HBSERVICE cannot be deleted
Even after deleting the virus file and the RUN entry in the registry, it is still there
explorer.exe and regedit still cannot be used
Just this one left!

Everything else is solved

I'll reboot and see!

既无风雨也无情 posted on 2008-9-4 16:10

Reply to Amazing's post #18

Kaspersky reports that under C:\WINDOWS\system32\drivers
HBKernel.sys cannot be deleted (I deleted it once just now)

SRE reports that under C:\WINDOWS\system32\drivers
klif.sys  risk level high, cannot be deleted

The reason given for the failed deletion is always "XX access denied. Make sure it is not write-protected or in use"

[[i] This post was last edited by 既无风雨也无情 on 2008-9-4 16:13 [/i]]
