Rising Kaka Security Forum (瑞星卡卡安全论坛)
feimeng - 2006-5-21 11:49:00
Logfile of Kaka v2.0.0.8 Scan Module v2.0.0.1
Scan saved at 11:44:30, on 2006-05-21
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
Running processes:
[SMSS.EXE]
CommandLine =
[CSRSS.EXE]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[WINLOGON.EXE]
CommandLine = winlogon.exe
[SERVICES.EXE]
CommandLine = C:\WINDOWS\system32\services.exe
[LSASS.EXE]
CommandLine = C:\WINDOWS\system32\lsass.exe
[Ati2evxx.exe]
CommandLine = C:\WINDOWS\system32\Ati2evxx.exe
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k DcomLaunch
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k NetworkService
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService
[SPOOLSV.EXE]
CommandLine = C:\WINDOWS\system32\spoolsv.exe
[EXPLORER.EXE]
CommandLine = C:\WINDOWS\Explorer.EXE
[INETINFO.EXE]
CommandLine = C:\WINDOWS\system32\inetsrv\inetinfo.exe
[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
[mdm.exe]
CommandLine = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
[RUNDLL32.EXE]
CommandLine = C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\IRJIT.DLL,Export 1087
[SR_Watchdog.exe]
CommandLine = "C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"
[wdfmgr.exe]
CommandLine = C:\WINDOWS\system32\wdfmgr.exe
[SR_Service.exe]
CommandLine = "C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"
[alg.exe]
CommandLine = C:\WINDOWS\System32\alg.exe
[Update.exe]
CommandLine = "C:\Program Files\Common Files\UPDAT\Update.exe"
[RUNDLL32.EXE]
CommandLine = "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
[RUNDLL32.EXE]
CommandLine = "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\kc32update.dll,AppMain
[RUNDLL32.EXE]
CommandLine = "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\DOWNLO~1\hbhelper.dll",WaitWindows
[bgoomain.exe]
CommandLine = "C:\PROGRA~1\baigoo\bgoomain.exe"
[CTFMON.EXE]
CommandLine = "C:\WINDOWS\system32\ctfmon.exe"
[MSMSGS.EXE]
CommandLine = "C:\Program Files\Messenger\msmsgs.exe" /background
[wcescomm.exe]
CommandLine = "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
[gcasDtServ.exe]
CommandLine = "C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe"
[RAPIMGR.EXE]
CommandLine = C:\PROGRA~1\MICROS~4\rapimgr.exe -Embedding
[zsearch.exe]
CommandLine = "C:\Program Files\HuaCi\huaci\zSearch.exe" us
[SearchNet.exe]
CommandLine = "C:\Program Files\SearchNet\SearchNet.exe"
[MyIE.exe]
CommandLine = "C:\Program Files\MyIE2\MyIE.exe"
[AdPop.exe]
CommandLine = "C:\Program Files\Yayad\AdPop.Exe"
[IEXPLORE.EXE]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"
[KkScan.exe]
CommandLine = "C:\Program Files\Rising\KakaToolBar\KkScan.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - C:\Program Files\Yayad\AdCore.dll
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (file missing)
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\txa.dll
O2 - BHO: MMSAssist BHO - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\System32\stdup.dll
O2 - BHO: Status Class - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - C:\Program Files\baigoo\BGooBHO.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O2 - BHO: HBObject Class - {AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1} - C:\WINDOWS\DOWNLO~1\hbhelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
feimeng - 2006-5-21 11:53:00
Continued from above
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HNETPOLCY] rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [IESAddr] Null
O4 - HKLM\..\Run: [kc32update] rundll32 C:\WINDOWS\system32\kc32update.dll,AppMain
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RichMedia] C:\WINDOWS\system32\Rundll32.exe "C:\WINDOWS\DOWNLO~1\hbhelper.dll",WaitWindows
O4 - HKLM\..\Run: [bgoomain.exe] C:\PROGRA~1\baigoo\bgoomain.exe
O4 - HKLM\..\Run: [vckjig] RunDll32 "C:\WINDOWS\Downlo~1\vckjig.dll",Run
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\RunOnce: [dwMyTest] LOADHW.EXE
O4 - HKLM\..\RunOnce: [IeStub] C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\txa.exe
O4 - Startup: desktop.ini =
O4 - Startup: 划词搜索.lnk = C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - Startup: 地址栏搜索.lnk = C:\Documents and Settings\wqw.WQW-B3CB0C5AB6F\Local Settings\Temp\txa.exe
O4 - Global Startup: desktop.ini =
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\software\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用搜狗直通车下载 - C:\PROGRA~1\P4P\dl.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\software\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\software\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\software\QQ\SendMMS.htm
O9 - Extra Button: 金银岛 - {06926B30-424E-4f1c-8EE3-543CD96573DC} - D:\Program Files\Netcert\NCOnlineClt.exe
O9 - Extra Button: 金银岛 - {06926B30-424E-4f1c-8EE3-543CD96573DC}? - D:\Program Files\Netcert\NCOnlineClt.exe
O9 - Extra Button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\游戏\浩方对战平台\GameClient.exe
O9 - Extra Button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra Button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\hbmter.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\hbmter.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O18 - Filter : application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter : application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter : application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\ITSS.DLL
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\ITSS.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\System32\stdup.dll
O21 - SSODL: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O23 - Service: Adobe LM Service (Adobe LM Service) - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart (ATI Smart) - - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Microsoft Corporation - C:\WINDOWS\svchost.exe
O23 - Service: Human Interface Device Access (HidServ) - - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Macromedia Licensing Service (Macromedia Licensing Service) - - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
O23 - Service: System Event Logger (MOBILL) - - C:\WINDOWS\system32\rundll32.exe c:\windows\system32\wbem\irjit.dll,export 1087
O23 - Service: MSSQLSERVER (MSSQLSERVER) - - e:\tools\chengxu\MSSQL\binn\sqlservr.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "d:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "D:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: SQLSERVERAGENT (SQLSERVERAGENT) - - e:\tools\chengxu\MSSQL\binn\sqlagent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - "C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - "C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"
O23 - Service: Remote Log (Remote Log) - 北京中搜在线软件有限公司 - C:\WINDOWS\system32\servehost.exe
我无邪 - 2006-5-21 13:50:00
Go to Control Panel > Add/Remove Programs and uninstall these rogue programs: Winstdup, 很棒小秘书 (RichMedia), MMSASS~1 彩信 (MMS), 中搜 (Zhongsou), 划词搜索 (drag-to-search) and 地址栏搜索 (address-bar search).
If they cannot be uninstalled, I suggest you download Super Rabbit (超级兔子).
http://dl.pconline.com.cn/html_2/1/75/id=273&pn=0.html
After installing it, open "超级兔子优化王" (Super Rabbit Magic Set) > "Professional Uninstall" and uninstall all of the junk software it flags, except for 迅雷 (Thunder).
There are a lot of problems here; after uninstalling, please reboot.
Please download System Repair Engineer, use "Smart Scan", press the "Scan" button to run the scan, and when it finishes press the "Save Report" button to save the report log file (SREng.LOG); then copy and paste the contents of the saved log file here.
http://www.kztechs.com/sreng/sreng2.zip
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
If the log does not fit in one post, paste it in several parts; do not modify it.
feimeng - 2006-5-21 17:27:00
Thanks! I used Super Rabbit and it solved quite a few problems, but there is still one, "中搜" (Zhongsou), that just will not delete. Does anyone know the address of the Zhongsou company? Let's just go and burn their office down. People cannot be this shameless! Software cannot be this rogue!
Here is the SRE log:
2006-05-21,17:23:50
System Repair Engineer 2.0.12.350 (2.0 RC 1)
Windows XP Professional Service Pack 2 - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<H/PC Connection Agent><"C:\Program Files\Microsoft ActiveSync\wcescomm.exe">
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Super Rabbit IEPro><D:\Program Files\magicset\SRIECLI.EXE /LOAD>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<run><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IESAddr><Null>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<CdnCtr><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<kc32update><rundll32 C:\WINDOWS\system32\kc32update.dll,AppMain>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<gcasServ><"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vckjig><RunDll32 "C:\WINDOWS\Downlo~1\w4v0.dll",Run>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\Userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<ATICCC><; "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<bgoomain.exe><; >
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<DAEMON Tools><; "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033>
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<H/PC Connection Agent><; "C:\PROGRA~1\MICROS~4\wcescomm.exe">
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><; rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<KvMonXP><; >
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<KvXP><; >
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<MINI_BFYY><; E:\实用工具\Storm Downloader\StormDownloader.exe>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<PigUpdate><; C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX1\DownLoadPig.exe>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<RealTray><; E:\SOFTWARE\real\RealPlay.exe SYSTEMBOOTHIDEPLAYER>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<RichMedia><; C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\HBClient\tbhelper.dll",WaitWindows>
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
<Run><; >
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<SoundMan><; SOUNDMAN.EXE>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<StormCodec_Helper><; "E:\实用工具\Storm Codec\StormSet.exe" /S /opti>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<yassistse><; "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe">
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<YLive.exe><; >
==================================
启动文件夹
[Microsoft Office]
<C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Microsoft Office.lnk><H>
==================================
服务
[Adobe LM Service / Adobe LM Service]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Ati HotKey Poller / Ati HotKey Poller]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart]
<C:\WINDOWS\system32\ati2sgag.exe><>
[Macromedia Licensing Service / Macromedia Licensing Service]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[MSSQLSERVER / MSSQLSERVER]
<><N/A>
[Rising Process Communication Center / RsCCenter]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"D:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SQLSERVERAGENT / SQLSERVERAGENT]
<><N/A>
[Check Point SecuRemote Service / SR_Service]
<"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"><Check Point Software Technologies>
[Check Point SecuRemote WatchDog / SR_WatchDog]
<"C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"><Check Point Software Technologies>
feimeng - 2006-5-21 17:33:00
Continued from above:
==================================
浏览器加载项
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\WINDOWS\system32\dllcache\dhtmled.ocx, Microsoft Corporation>
[Tabular Data Control]
{333C7BC4-460F-11D0-BC04-0080C7055A83} <C:\WINDOWS\system32\tdc.ocx, Microsoft Corporation>
[IE Browser Helper]
{3CE496D1-1746-41CD-9489-3C0B93DF10E2} <C:\WINDOWS\Downlo~1\lchiufx.dll, N/A>
[HHCtrl Object]
{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} <C:\WINDOWS\system32\hhctrl.ocx, Microsoft Corporation>
[HHCtrl Object]
{52A2AAAE-085D-4187-97EA-8C30DB990436} <C:\WINDOWS\system32\hhctrl.ocx, Microsoft Corporation>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[DragSearch BHO]
{62EED7C6-9F02-42F9-B634-98E2899E147B} <C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL, N/A>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Active Desktop Mover]
{72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Catcher Class]
{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} <C:\Program Files\Common Files\justDo\IECatcher.dll, justDo Software>
[SnapFlash Class]
{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} <C:\Program Files\Common Files\justDo\Jd2002.dll, N/A>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[卡卡上网安全助手]
{AFF6E516-CBE5-4F8A-9C2F-38A68013E766} <C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Messenger Object]
{B69003B3-C55E-4B48-836C-BC5946FC3B28} <C:\Program Files\Messenger\msgsc.dll, Microsoft Corporation>
[MacroMediapd]
{B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} <C:\WINDOWS\system32\microapmddt.dll, N/A>
[AUDIO__MP3 Moniker Class]
{CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__WAV Moniker Class]
{CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
{CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
{CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINDOWS\system32\KakaTool.dll, Beijing Rising Technology Co., Ltd.>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[上传到QQ网络硬盘]
<E:\software\QQ\AddToNetDisk.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<E:\software\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<E:\software\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<E:\software\QQ\SendMMS.htm, N/A>
feimeng - 2006-5-21 17:36:00
Continued from above:
==================================
正在运行的进程
[PID: 1492][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1696][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1728][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1776][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1788][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1944][C:\WINDOWS\system32\Ati2evxx.exe] <ATI Technologies Inc.><6.14.10.4114>
[C:\WINDOWS\system32\Ati2edxx.dll] <ATI Technologies, Inc.><6, 14, 10, 2496>
[PID: 1980][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 2040][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 440][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 624][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 956][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1268][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)>
[PID: 1616][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] <Adobe Systems, Inc.><7.0.0.0>
[C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL] <><1, 0, 0, 1>
[C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll] <><1, 0, 0, 1>
[C:\WINDOWS\Downlo~1\w4v0.dll] <Beijing Zhongsou Online Software><2, 0, 0, 6>
[C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\modules\wrapper.dll] <><1, 0, 0, 1>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\WINDOWS\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
[PID: 424][C:\WINDOWS\system32\inetsrv\inetinfo.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 516][C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe] <Microsoft Corporation><7.10.3077>
[PID: 660][C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\OS.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\dtInfo.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\CP_version_info.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPDtRegSvr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpprod50.dll] <Check Point Software Technologies><54,0,000,030>
[C:\Program Files\CheckPoint\SecuRemote\bin\DataStruct.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\addreg.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpbcrypt.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\watchdog.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\dispatcher.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\ReportDT.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\ComUtils.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\Resolve.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\IkeStatus.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\logredir.dll] <Check Point Software Technologies><54,0,000,132>
feimeng - 2006-5-21 17:39:00
Continued from above:
[PID: 688][C:\WINDOWS\system32\rundll32.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\kc32update.dll] <N/A><N/A>
[PID: 1016][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1024][C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe] <Microsoft Corporation><1.00.0615>
[PID: 1056][C:\Program Files\Messenger\msmsgs.exe] <Microsoft Corporation><4.7.3000>
[PID: 1200][C:\Program Files\Microsoft ActiveSync\wcescomm.exe] <Microsoft Corporation><4.1.4841.0>
[C:\Program Files\Microsoft ActiveSync\rapiproxystub.dll] <N/A><N/A>
[PID: 1328][C:\PROGRA~1\MICROS~4\rapimgr.exe] <Microsoft Corporation><4.1.4841.0>
[C:\Program Files\Microsoft ActiveSync\rapiproxystub.dll] <N/A><N/A>
[PID: 1500][C:\WINDOWS\system32\wdfmgr.exe] <Microsoft Corporation><5.2.3790.1230 built by: DNSRV(bld4act)>
[PID: 724][C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\OS.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\dtInfo.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\CP_version_info.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPDtRegSvr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpprod50.dll] <Check Point Software Technologies><54,0,000,030>
[C:\Program Files\CheckPoint\SecuRemote\bin\DataStruct.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\addreg.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpbcrypt.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\ckp_scv.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\FwBinding.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpfwsys.dll] <Check Point Software Technologies><54,0,000,080>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpsys.dll] <Check Point Software Technologies><54,0,000,080>
[C:\Program Files\CheckPoint\SecuRemote\bin\cvars.dll] <Check Point Software Technologies><54,0,000,021>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpopenssl.dll] <Check Point Software Technologies><54,0,000,012>
[C:\Program Files\CheckPoint\SecuRemote\bin\ComUtils.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\Resolve.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\mastersapi.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\fwsmtpobj.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\objlib.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPSrvIS.dll] <Check Point Software Technologies><54,0,000,018>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpcert.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\Encode.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpprng.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpcryptutil.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\ndb.dll] <Check Point Software Technologies><54,0,000,008>
[C:\Program Files\CheckPoint\SecuRemote\bin\AppUtils.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\EventUtils.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\fwadb.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\skey.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\fwsetdb.dll] <Check Point Software Technologies><54,0,000,008>
[c:\program files\checkpoint\securemote\scv\scvmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\scriptrun.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\regmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\processmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\osmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\hwmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\hotfixmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\groupmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\browsermonitor.dll] <Check Point Software Technologies><54,0,000,029>
[c:\program files\checkpoint\securemote\scv\antivirusmonitor.dll] <Check Point Software Technologies><54,0,000,029>
[C:\Program Files\CheckPoint\SecuRemote\bin\watchdog.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\vpn.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\srcert.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\clientProviders.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\entProv.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\p12Prov.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\p11Prov.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\capiProv.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\userc.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\sic.dll] <Check Point Software Technologies><54,0,000,014>
[C:\Program Files\CheckPoint\SecuRemote\bin\cp_policy.dll] <Check Point Software Technologies><54,0,000,012>
[C:\Program Files\CheckPoint\SecuRemote\bin\sicauth.dll] <Check Point Software Technologies><54,0,000,014>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpca.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\ckpssl.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\dtrtm.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpii.dll] <Check Point Software Technologies><54,0,000,080>
[C:\Program Files\CheckPoint\SecuRemote\bin\keydb_usersr.dll] <Check Point Software Technologies><54,0,000,214>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpsic.dll] <Check Point Software Technologies><54,0,000,012>
[C:\Program Files\CheckPoint\SecuRemote\bin\messaging.dll] <Check Point Software Technologies><54,0,000,012>
[C:\Program Files\CheckPoint\SecuRemote\bin\sicobj.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpauth.dll] <Check Point Software Technologies><54,0,000,080>
[C:\Program Files\CheckPoint\SecuRemote\bin\exm_objlib.dll] <Check Point Software Technologies><54,0,000,008>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpP11Modules.dll] <Check Point Software Technologies><54,0,000,015>
[C:\Program Files\CheckPoint\SecuRemote\bin\srcln_usersr.dll] <Check Point Software Technologies><54,0,000,214>
[C:\Program Files\CheckPoint\SecuRemote\bin\vpninfo_usersr.dll] <Check Point Software Technologies><54,0,000,214>
feimeng - 2006-5-21 17:40:00
Continued:
[C:\Program Files\CheckPoint\SecuRemote\bin\cpstatlib.dll] <Check Point Software Technologies><54,0,000,076>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpstatreg.dll] <Check Point Software Technologies><54,0,000,076>
[C:\Program Files\CheckPoint\SecuRemote\bin\cpdag.dll] <Check Point Software Technologies><54,0,000,080>
[C:\Program Files\CheckPoint\SecuRemote\bin\IkeStatus.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\ReportDT.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\tunnel_test_usersr.dll] <Check Point Software Technologies><54,0,000,214>
[C:\Program Files\CheckPoint\SecuRemote\bin\ikessl_usersr.dll] <Check Point Software Technologies><54,0,000,214>
[C:\Program Files\CheckPoint\SecuRemote\bin\CAEnroll_usersr.dll] <Check Point Software Technologies><54,0,000,214>
[C:\Program Files\CheckPoint\SecuRemote\bin\Resolver.dll] <Check Point Software Technologies><54,0,000,027>
[C:\Program Files\CheckPoint\SecuRemote\bin\bind82.dll] <N/A><N/A>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPLogLUUID.dll] <Check Point Software Technologies><54,0,000,024>
[C:\Program Files\CheckPoint\SecuRemote\bin\proxystub.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\dispatcher.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\swinst.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\sitemgr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\simpipc.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\scvmgr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\polmgr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\dtftpclient.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\FileHash_DYN.dll] <Check Point Software Technologies><54,0,000,088>
[C:\Program Files\CheckPoint\SecuRemote\bin\verify.dll] <Check Point Software Technologies><54,0,000,242>
[C:\Program Files\CheckPoint\SecuRemote\bin\polclnt.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\dtmessage.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\logmgr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\hapolsrv.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\connmgr.dll] <Check Point Software Technologies><54,0,000,132>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPLogRepository.dll] <Check Point Software Technologies><54,0,000,024>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPLogKlogUnify.dll] <Check Point Software Technologies><54,0,000,024>
[C:\Program Files\CheckPoint\SecuRemote\bin\CPLogLuuidDatabase.dll] <Check Point Software Technologies><54,0,000,024>
[C:\Program Files\CheckPoint\SecuRemote\bin\cp_bdb.dll] <Check Point Software Technologies><54,0,000,010>
feimeng - 2006-5-21 17:41:00
Continued:
[PID: 896][C:\WINDOWS\System32\alg.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1088][D:\Program Files\magicset\SRIECLI.EXE] <Super Rabbit Soft><7.55>
[C:\WINDOWS\system32\shlobj71.ocx] <Sky Software (http://www.ssware.com)><7, 1, 0, 0>
[PID: 3496][C:\Program Files\MyIE2\MyIE.exe] <MY Soft Technology><0, 9, 26, 30>
[C:\Program Files\MyIE2\Services\RealTime\real_time.dll] <><1, 0, 0, 1>
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] <Macromedia, Inc.><8,0,24,0>
[C:\WINDOWS\system32\msdmo.dll] <N/A><N/A>
[C:\WINDOWS\system32\ffdshow.ax] <N/A><1.0.2.24>
[E:\实用工具\Storm Codec\Codecs\VSFilter.dll] <Gabest><1, 0, 0, 9>
[PID: 2204][C:\Program Files\WinRAR\WinRAR.exe] <N/A><N/A>
[PID: 2540][E:\software\SREng.exe] <Smallfrogs Studio><2.0.12.350>
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
==================================
feimeng - 2006-5-21 17:43:00
That is everything; the whole log is posted now.
Please help me analyze it, thanks!
我无邪 - 2006-5-21 20:02:00
Please also use Super Rabbit (兔子) to delete it. Its Little Secretary (小秘书) tool is excellent.
Run System Repair Engineer, click "Startup Items, Services", tick "Hide Microsoft services", select the virus services MSSQLSERVER, SQLSERVERAGENT, and choose "Delete selected services", then "No" (these two empty shells can be deleted). (Each comma-separated item is one virus service; please delete them one by one.)
Please download Norton Process Manager from http://www.onlinedown.net/soft/43974.htm and terminate all RUNDLL32.EXE processes.
Run System Repair Engineer and use "Startup Items, Registry" to delete the following entries.
(If you cannot identify an entry in the registry view, select it and click "Edit"; that shows the full path. If you do not recognize any of the entries below either, I suggest deleting them.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<kc32update><rundll32 C:\WINDOWS\system32\kc32update.dll,AppMain>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vckjig><RunDll32 "C:\WINDOWS\Downlo~1\w4v0.dll",Run>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><; rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<PigUpdate><; C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX1\DownLoadPig.exe>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<RichMedia><; C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\HBClient\tbhelper.dll",WaitWindows>
Close all browser windows and any unnecessary programs.
Run System Repair Engineer and use "System Repair, Browser Add-ons" to delete the following entries.
[Catcher Class] (these next two items seem to be blog-related; if you do not need them, I suggest deleting them)
{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} <C:\Program Files\Common Files\justDo\IECatcher.dll, justDo Software>
[SnapFlash Class]
{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} <C:\Program Files\Common Files\justDo\Jd2002.dll, N/A>
[MacroMediapd]
{B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} <C:\WINDOWS\system32\microapmddt.dll, N/A>
Delete:
C:\WINDOWS\system32\microapmddt.dll
C:\Program Files\Common Files\justDo
C:\PROGRA~1\HBClient
C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp (delete everything inside it that can be deleted)
C:\WINDOWS\Downlo~1\w4v0.dll
C:\WINDOWS\system32\kc32update.dll
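An added example, not code from this thread or from Rising/SREng: a small Python triage script that applies the reasoning of the reply above to the log text itself. It parses the Run-key entries quoted in the reply and flags the patterns the reply acts on (a DLL hosted by rundll32, a binary living under Temp/RarSFX/Downloaded Program Files, persistence through Policies\Explorer\Run, the same command registered under several keys), and it checks the file-association section against the Windows XP defaults the log reports as OK. The registry lines are copied from the reply; the ctfmon entry and the tampered .EXE association (hook.exe) are constructed for contrast, and the suspect-directory list is my assumption, tuned to the paths in this log.

```python
"""Triage of the SREng-style log posted above: flag autorun entries showing the
patterns the reply acts on, and diff file associations against XP defaults.
Added example for this thread, not code from Rising, SREng or the posters."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Registry entries copied from the reply above (brackets normalised). The last
# ctfmon entry is a constructed benign control, not from the original log.
SAMPLE_RUN_ENTRIES = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<kc32update><rundll32 C:\WINDOWS\system32\kc32update.dll,AppMain>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vckjig><RunDll32 "C:\WINDOWS\Downlo~1\w4v0.dll",Run>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<HNETPOLCY><rundll32.exe C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX3\HNETPO~1.DLL,Start>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<PigUpdate><; C:\DOCUME~1\WQW~1.WQW\LOCALS~1\Temp\RarSFX1\DownLoadPig.exe>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<RichMedia><; C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\HBClient\tbhelper.dll",WaitWindows>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<ctfmon><C:\WINDOWS\system32\ctfmon.exe>
"""

KEY_RE = re.compile(r"^\[?(HKEY_[^\]]+)\]?$")          # [HKEY_...\Run] header
ENTRY_RE = re.compile(r"^<([^>]*)><;?\s*(.*?)>?$")     # <name><command>
# rundll32 <dll>,<export>, with or without .exe, full path or quoted DLL
RUNDLL_RE = re.compile(r'(?:^|\\)rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)
# Directories a persistent autorun binary has no business living in
# (assumption: tuned to the paths in this log; extend for other cases).
SUSPECT_DIR_RE = re.compile(r"\\(temp|rarsfx\d*|downlo~1|downloaded program files)\\", re.I)


@dataclass
class Finding:
    name: str
    key: str
    command: str
    reasons: list = field(default_factory=list)


def parse_run_entries(text):
    """Yield (key, name, command) from '[HKEY...]' headers and '<name><cmd>' lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()


def triage_run_entries(text):
    """Return a Finding for every entry that matches at least one heuristic."""
    entries = list(parse_run_entries(text))
    per_command = Counter(cmd.lower() for _, _, cmd in entries)
    findings = []
    for key, name, cmd in entries:
        reasons = []
        m = RUNDLL_RE.search(cmd)
        if m:
            reasons.append("rundll32 loads %s and calls export %s; verify the DLL's signer"
                           % (m.group(1), m.group(2)))
        if SUSPECT_DIR_RE.search(cmd):
            reasons.append("binary lives in a temp/download directory")
        if "policies\\explorer\\run" in key.lower():
            reasons.append("uses Policies\\Explorer\\Run, rarely used by legitimate software")
        if per_command[cmd.lower()] > 1:
            reasons.append("same command registered under %d keys" % per_command[cmd.lower()])
        if reasons:
            findings.append(Finding(name, key, cmd, reasons))
    return findings


# Shell-open commands the log above reports as OK; these are the stock XP SP2
# values, so anything else for these extensions deserves a look.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*', ".COM": '"%1" %*', ".PIF": '"%1" %*', ".BAT": '"%1" %*',
    ".SCR": '"%1" /S', ".REG": 'regedit.exe "%1"',
    ".VBS": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    ".JS": r'%SystemRoot%\System32\WScript.exe "%1" %*',
}
ASSOC_RE = re.compile(r"^(\.\w+)\s+\S+\s+\[(.*)\]$")
SAMPLE_FILE_ASSOCS = r"""
.EXE OK. ["%1" %*]
.SCR OK. ["%1" /S]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
"""
# Constructed hijack for contrast: a launcher (hook.exe, invented) in front of every .exe.
TAMPERED_FILE_ASSOCS = r"""
.EXE OK. [C:\WINDOWS\system32\hook.exe "%1" %*]
.COM OK. ["%1" %*]
"""


def check_file_assocs(text):
    """Return {ext: command} for associations that differ from the expected default."""
    deviations = {}
    for raw in text.splitlines():
        m = ASSOC_RE.match(raw.strip())
        if not m:
            continue
        ext, cmd = m.group(1).upper(), m.group(2).strip()
        expected = EXPECTED_ASSOC.get(ext)
        if expected is not None and cmd.lower() != expected.lower():
            deviations[ext] = cmd
    return deviations


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print("%s  [%s]\n  %s\n  - %s" % (f.name, f.key, f.command, "\n  - ".join(f.reasons)))
    print("file association deviations:", check_file_assocs(TAMPERED_FILE_ASSOCS))
```

Run on the sample, every entry except the constructed ctfmon control is flagged; HNETPOLCY collects the most reasons (rundll32-hosted DLL, Temp path, three persistence keys including Policies\Explorer\Run), which is the same ordering the reply's deletion list follows. The association check is deliberately exact-match against known defaults rather than a blacklist, since a hijacked .EXE handler can point anywhere.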
© 2000 - 2026 Rising Corp. Ltd.