大脑袋雪人 - 2006-8-22 2:35:00
The symptoms are as follows: whenever I search with baidu or google, a window pops up: www.maiwang.cn
It also pops up this site automatically right after boot. Everything else is normal. Guardio finds nothing. HijackThis shows no O10 items either. An SRE scan didn't show anything very abnormal, and repairing with WinsockXPFix didn't help. The SRE log is below. I'm going crazy...
2006-08-22,02:21:39
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
<MsnMsgr><; ; "C:\Program Files\MSN Messenger\msnmsgr.exe" /background> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<LaunchAp><C:\Program Files\Launch Manager\LaunchAp.exe> []
<PowerKey><"C:\Program Files\Launch Manager\PowerKey.exe"> []
<HotkeyApp><C:\Program Files\Launch Manager\HotkeyApp.exe> [Wistron]
<CtrlVol><C:\Program Files\Launch Manager\CtrlVol.exe> [Wistron]
<Wbutton><"C:\Program Files\Launch Manager\Wbutton.exe"> []
<SynTPLpr><C:\Program Files\Synaptics\SynTP\SynTPLpr.exe> [Synaptics, Inc.]
<SynTPEnh><C:\Program Files\Synaptics\SynTP\SynTPEnh.exe> [Synaptics, Inc.]
<vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe> [Symantec Corporation]
<igfxtray><C:\WINDOWS\system32\igfxtray.exe> [Intel Corporation]
<igfxhkcmd><C:\WINDOWS\system32\hkcmd.exe> [Intel Corporation]
<igfxpers><C:\WINDOWS\system32\igfxpers.exe> [Intel Corporation]
<IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload> [Microsoft Corporation]
<AGRSMMSG><; AGRSMMSG.exe> [Agere Systems]
<BluetoothAuthenticationAgent><; rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent> [Microsoft Corporation]
<PRONoMgr.exe><; C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe> [Intel(R) Corporation]
<ZCfgSvc.exe><; C:\WINDOWS\system32\ZCfgSvc.exe> [Intel Corporation]
<SOUNDMAN><C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE /AUTO> [Avance Logic, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\SYSTEM32\Userinit.exe,> [Microsoft Corporation]
<UIHost><logonui.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
<WinlogonNotify: igfxcui><igfxdev.dll> [Intel Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
<WinlogonNotify: NavLogon><C:\WINDOWS\system32\NavLogon.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
<WinlogonNotify: Sebring><C:\WINDOWS\system32\LgNotify.dll> [Intel Corporation]
==================================
启动文件夹
[TabUserW.exe]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\TabUserW.exe.lnk><N>
[usb phone api]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\usb phone api.lnk><N>
==================================
服务
[DefWatch / DefWatch]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe><Symantec Corporation>
[Intel NCS NetService / NetSvc]
<C:\Program Files\Intel\NCS\Sync\NetSvc.exe><Intel(R) Corporation>
[Symantec AntiVirus Client / Norton AntiVirus Server]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe><Symantec Corporation>
[RegSrvc / RegSrvc]
<C:\WINDOWS\system32\RegSrvc.exe><Intel Corporation>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
[Spectrum24 Event Monitor / S24EventMonitor]
<C:\WINDOWS\system32\S24EvMon.exe><Intel Corporation>
[TabletService / TabletService]
<C:\WINDOWS\system32\Tablet.exe><Wacom Technology, Corp.>
==================================
浏览器加载项
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[金山词霸]
{9A687CA6-D585-4947-9ED9-BE96071F5CD9} <d:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll, 金山软件股份有限公司>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[BitComet工具栏]
{3F1ABCDB-A875-46c1-8345-B72A4567E486} <d:\Program Files\BitComet\BitCometBar\BitCometBar0.6.dll, N/A>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\LegitCheckControl.DLL, Microsoft Corporation>
[CEditCtrl Object]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\AliEdit.dll, www.alipay.com>
[Submit Class]
{A3CD7F74-93C9-4BC4-B892-CCDF1514F714} <C:\WINDOWS\Downloaded Program Files\safein.dll, Beijing eChannels Century Technology Co.,Ltd>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[Edit Class]
{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINDOWS\system32\CMBEdit.dll, >
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\LegitCheckControl.DLL, Microsoft Corporation>
[BitComet工具栏]
{3F1ABCDB-A875-46C1-8345-B72A4567E486} <d:\Program Files\BitComet\BitCometBar\BitCometBar0.6.dll, N/A>
[CEditCtrl Object]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\AliEdit.dll, www.alipay.com>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
<C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
大脑袋雪人 - 2006-8-22 2:36:00
正在运行的进程
[PID: 568][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 636][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 664][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\LgNotify.dll] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\NavLogon.dll] <N/A><N/A>
[PID: 708][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 720][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 872][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 956][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 992][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1036][C:\WINDOWS\system32\S24EvMon.exe] <Intel Corporation ><7, 1, 4, 5>
[PID: 1132][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1348][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)>
[PID: 1408][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1432][C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe] <Symantec Corporation><8.1.0.821>
[PID: 1488][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] <Microsoft Corporation><7.00.9466>
[PID: 1548][C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe] <Symantec Corporation><8.1.0.821>
[C:\WINDOWS\system32\CBA.DLL] <Intel? Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\MsgSys.dll] <Intel? Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\NTS.dll] <Intel? Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\PDS.DLL] <Intel? Corporation><6.12.0.105 E>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL] <Symantec Corp.><4.2.0.7>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060803.048\NAVEX32a.DLL] <Symantec Corporation><20061.2.0.26>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060803.048\NAVENG32.DLL] <Symantec Corporation><20061.2.0.26>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL] <Symantec Corporation><9.1.0.26>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll] <Symantec Corporation><8.1.0.821>
[PID: 1572][C:\WINDOWS\system32\RegSrvc.exe] <Intel Corporation><7, 1, 4, 5>
[PID: 1588][C:\WINDOWS\system32\tcpsvcs.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1628][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1652][C:\WINDOWS\system32\Tablet.exe] <Wacom Technology, Corp.><4.94-3>
[PID: 1704][C:\WINDOWS\system32\wdfmgr.exe] <Microsoft Corporation><5.2.3790.1230 built by: dnsrv(bld4act)>
[PID: 1748][C:\WINDOWS\system32\fxssvc.exe] <Microsoft Corporation><5.2.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 284][C:\WINDOWS\system32\ZCfgSvc.exe] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\PfMgrApi.dll] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\PsRegApi.dll] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\C1XStngs.dll] <><7, 1, 4, 5>
[C:\WINDOWS\system32\WConfig.DLL] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\WiFiAdap.DLL] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\LsaWrapi.dll] <N/A><N/A>
[C:\Program Files\Intel\PROSet\CHS\ZcSvcCHS.dll] <Intel Corporation><7, 1, 4, 0>
[C:\Program Files\Intel\PROSet\CHS\PmApiCHS.dll] <Intel Corporation><7, 1, 4, 0>
[C:\WINDOWS\system32\S24MUDLL.dll] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\D8021Xps.dll] <N/A><N/A>
[C:\Program Files\Intel\PROSet\CHS\C1XStCHS.dll] <><7, 1, 4, 0>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 300][C:\WINDOWS\SYSTEM32\WISPTIS.EXE] <Microsoft Corporation><1.7.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 524][C:\WINDOWS\system32\1XConfig.exe] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\IntelAE5.dll] <Meetinghouse Data Communications><3, 0, 28, 0>
[C:\WINDOWS\system32\PsRegApi.dll] <Intel Corporation><7, 1, 4, 5>
[C:\WINDOWS\system32\D8021Xps.dll] <N/A><N/A>
[PID: 624][C:\WINDOWS\System32\tabbtnu.exe] <Microsoft Corporation><1.0.2201.0>
[PID: 892][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[d:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] <Symantec Corporation><8.1.0.821>
[PID: 1624][C:\WINDOWS\System32\alg.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 2096][C:\Program Files\Launch Manager\LaunchAp.exe] <><1, 0, 0, 3>
[PID: 2112][C:\Program Files\Launch Manager\PowerKey.exe] <><1, 4, 4, 0>
[PID: 2120][C:\Program Files\Launch Manager\HotkeyApp.exe] <Wistron><1, 0, 4, 5>
[C:\Program Files\Launch Manager\KBHOOK.dll] <Wistron Corp.><1, 4, 0, 0>
[PID: 2160][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 2168][C:\Program Files\Launch Manager\CtrlVol.exe] <Wistron><1, 0, 0, 2>
[PID: 2176][C:\Program Files\Launch Manager\Wbutton.exe] <><1, 0, 1, 6>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2200][C:\Program Files\Synaptics\SynTP\SynTPLpr.exe] <Synaptics, Inc.><7.2.0 15Nov02>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2216][C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] <Synaptics, Inc.><7.2.0 15Nov02>
[C:\WINDOWS\system32\SynTPAPI.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2240][C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe] <Symantec Corporation><8.1.0.821>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll] <Symantec Corporation><8.1.0.821>
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><8.1.0.821>
[PID: 2400][C:\WINDOWS\system32\hkcmd.exe] <Intel Corporation><3.0.0.4497>
[C:\WINDOWS\system32\hccutils.DLL] <Intel Corporation><3.0.0.4497>
[C:\WINDOWS\system32\igfxsrvc.dll] <Intel Corporation><3.0.0.4497>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[C:\WINDOWS\system32\igfxres.dll] <Intel Corporation><3.0.0.4497>
[PID: 2412][C:\WINDOWS\system32\igfxpers.exe] <Intel Corporation><3.0.0.4497>
[C:\WINDOWS\system32\igfxsrvc.dll] <Intel Corporation><3.0.0.4497>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2564][C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE] <Avance Logic, Inc.><5.0>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2572][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 2588][C:\WINDOWS\system32\WTablet\TabUserW.exe] <Wacom Technology, Corp.><4.94-3>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 4020][C:\WINDOWS\system32\PYINTAU.EXE] <北京六合源软件技术有限公司><2, 2, 1, 4>
[C:\WINDOWS\system32\PYCODEU.dll] <北京六合源软件技术有限公司><2, 2, 0, 4>
[C:\WINDOWS\system32\PYJJCZU.dll] <北京六合源软件技术有限公司><2, 2, 0, 0>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 4060][C:\Program Files\Maxthon\new\Maxthon.exe] <Maxthon International Ltd.><1, 5, 6, 42>
[C:\Program Files\Maxthon\new\maxzlib.dll] < ><1, 0, 0, 2>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[C:\Program Files\Maxthon\new\Plugin\ViewSource\ViewSrc.dll] <><1, 0, 0, 1>
[C:\Program Files\Maxthon\new\Services\RealTime\real_time.dll] <><1, 0, 0, 1>
[C:\WINDOWS\system32\PYJJU.IME] <北京六合源软件公司&HB-Z><2, 2, 0, 4>
[C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx] <Adobe Systems, Inc.><9,0,16,0>
[PID: 3928][C:\Documents and Settings\Leo\桌面\Guardio\Guardio.exe] <智能实验室><3.09.0560>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 3964][C:\Documents and Settings\Leo\桌面\Guardio\Defendio.exe] <智能实验室><2.08.0501>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 3344][C:\Documents and Settings\Leo\桌面\Guardio\DefendioMonitor.exe] <智能实验室><1.00.0150>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 240][D:\tools\procexp.exe] <Sysinternals><9.25>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
[PID: 252][D:\tools\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\WINDOWS\system32\SynTPFcs.dll] <Synaptics, Inc.><7.2.0 15Nov02>
大脑袋雪人 - 2006-8-22 2:36:00
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
大脑袋雪人 - 2006-8-22 16:43:00
Does nobody know...
大脑袋雪人 - 2006-8-22 16:59:00
Found a clue. After adding File Monitor to the startup group and watching the boot process, I found that what calls IE right at boot is this command:
C:\WINDOWS\system32\svchost -k DcomLaunch
Not sure if that helps.
大脑袋雪人 - 2006-8-22 21:46:00
Found a suspicious file named bootvid32.dll, which looks a lot like adplus behaviour, tacking "32" or the like onto a normal file name. But I can't upload it. I submitted it through Rising's mail system. Analysed it with 杀马 and it said it has registry-modification actions.
smflash - 2006-8-22 22:00:00
Run another HijackThis scan and post the log.
大脑袋雪人 - 2006-8-22 22:06:00
Logfile of HijackThis v1.99.1
Scan saved at 21:57:27, on 2006-8-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\usb phone\voip api\bin\VoipConsoleUI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Maxthon\new\maxthon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PYINTAU.EXE
D:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\eMule\emule.exe
D:\tools\HijackThis.exe
O3 - Toolbar: BitComet工具栏 - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - d:\Program Files\BitComet\BitCometBar\BitCometBar0.6.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [AGRSMMSG] ; AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] ; rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] ; C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] ; C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [SOUNDMAN] C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 快捷方式 到 Filemon.lnk = D:\tools\filemon_7_ch\Filemon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: usb phone api.lnk = C:\Program Files\usb phone\voip api\bin\VoipConsoleUI.exe
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: (no name) - {223bc3fe-345a-ffee-3c9e-fe12345678e1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - d:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA15667-C36A-4D2A-BA35-2FECFAB63102}: NameServer = 202.106.46.151,202.106.0.20
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - d:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
我无邪 - 2006-8-22 22:24:00
I can't see a problem in this log.
Try the approach you have in mind; if it gets solved, please report the method back.
smflash - 2006-8-22 22:27:00
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA15667-C36A-4D2A-BA35-2FECFAB63102}: NameServer = 202.106.46.151,202.106.0.20
O9 - Extra button: (no name) - {223bc3fe-345a-ffee-3c9e-fe12345678e1} - C:\WINDOWS\system32\shdocvw.dll
Try using HijackThis to fix the three items above and see.
大脑袋雪人 - 2006-8-22 22:27:00
I dealt with that file I found. No use. The problem remains.
我无邪 - 2006-8-22 22:37:00
Sorry, I can't spot the problem.
How about rebooting, opening Baidu, then scanning another log and pasting it here.
大脑袋雪人 - 2006-8-22 23:07:00
This is the scan log after opening a Baidu search and getting the popup window.
Logfile of HijackThis v1.99.1
Scan saved at 22:56:28, on 2006-8-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Maxthon\new\maxthon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\tools\HijackThis.exe
C:\WINDOWS\system32\PYINTAU.EXE
C:\WINDOWS\System32\svchost.exe
O3 - Toolbar: BitComet工具栏 - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - d:\Program Files\BitComet\BitCometBar\BitCometBar0.6.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [AGRSMMSG] ; AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] ; rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] ; C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] ; C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [SOUNDMAN] C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 快捷方式 到 Filemon.lnk = D:\tools\filemon_7_ch\Filemon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: usb phone api.lnk = C:\Program Files\usb phone\voip api\bin\VoipConsoleUI.exe
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - d:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA15667-C36A-4D2A-BA35-2FECFAB63102}: NameServer = 202.106.46.151,202.106.0.20
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - d:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
我无邪 - 2006-8-22 23:20:00
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
If you don't recognise these three items either, try fixing them and see whether it has any effect.
Close all browser windows and any unnecessary programs.
Run HijackThis; after the scan finishes, tick the following items, then choose "Fix".
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
After rebooting, delete
C:\WINDOWS\SYSTEM32\tpgwlnot.dll
C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
I suggest scanning a System Repair Engineer log and pasting it here.
大脑袋雪人 - 2006-8-22 23:38:00
Those three items are Tablet PC components; they're fine. The SRE log is in the first post.
我无邪 - 2006-8-22 23:55:00
Thanks for the feedback. I can't see a problem in the log; if the problem persists and you can't find a way either,
I'd suggest you just reinstall the system and be done with it.
smflash - 2006-8-22 23:59:00
If the system has a problem, the simplest approach is a System Restore. Think about other methods after that.
大脑袋雪人 - 2006-8-23 1:04:00
System Restore is turned off.... I don't want to reinstall, because mine is a Tablet PC; without the original external optical drive you can't reinstall the system...
大脑袋雪人 - 2006-8-23 1:44:00
Another clue: after switching to Firefox the problem is gone. So it looks like the problem is in an IE-related module.
大脑袋雪人 - 2006-8-23 2:43:00
After repeated testing, this is what happens: if I search Baidu with IE, IE's current window loses focus, but no new popup window is visible; I guess it's hidden. If I use Maxthon, the new window can be seen. If Maxthon is open and I search with IE, the new window opens inside Maxthon. My default browser is set to Maxthon, and the page that pops up at boot also uses Maxthon. Looks like a hook or USH is being used... but I don't know how to clean it......
smflash - 2006-8-23 8:50:00
Did you clean up those three items as per my post #9? Give it a try, because those three may be a malicious hijacker.
If that doesn't work, consider the following approaches:
1. Scan for viruses with a genuine copy of Rising or Kaspersky; very likely a trojan is at work;
2. Use foreign anti-hijacker software to scan; recommended: superadblocker (search Google to download it; it's a one-month trial, update the signature database before scanning)
3. Use 360 Safeguard's analysis tool to analyse the running programs; its analysis feature is quite powerful. Find the suspicious program by hand.
大脑袋雪人 - 2006-8-23 22:01:00
Finally found the problem! With every method exhausted I had to use the dumb approach: disable every program that runs at startup, then enable them one by one to see which one is the troublemaker. Got it on the very first try: C:\windows\system32\soundman.exe is the culprit.
Because this program is supposedly Realtek's sound card program, but there's no such icon in the system tray, it raised my suspicion. One test and it was caught.
I haven't deleted the file. If any of you experts is interested in studying how this thing evaded countless detection attempts, I'll send it to you.
This thing is really cunning!!! Well worth studying.
我无邪 - 2006-8-23 22:17:00
Yes, the normal one isn't in that directory. Good thinking and hands-on skill, OP.
Send me a copy of that thing too
twtxk@126.com
大脑袋雪人 - 2006-8-23 22:26:00
One more thing: there was another clue to catching this thing. I had filemon loaded in the startup group to monitor all processes after boot, and noticed one oddity with this program: it kept calling shdocvw.dll. Whenever an IE search on a keyword was about to pop up the window, it would call it a few times. That library is related to Explorer opening new windows. For a sound card management program to keep calling that library with nobody touching anything looked very abnormal, which is why it was the first test target. So it turns out filemon really is a good tool; together with procexp it has done great service several times. Maybe as trojans get more advanced, filemon will become everyone's standard tool for catching them.
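As an added illustration of the check the OP ended up doing by hand (a well-known binary name living in the wrong directory), here is a small Python script that is not part of the thread: it parses HijackThis O4 lines and compares each known file name against an assumed baseline directory. The sample lines are modelled on the log above and the baseline of expected locations is constructed for this example, not an authoritative list.

```python
import ntpath
import re

# Constructed sample modelled on the HijackThis log in the thread; the
# SOUNDMAN line is the entry the thread eventually identified as the culprit.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [AGRSMMSG] ; AGRSMMSG.exe
O4 - HKLM\..\Run: [SOUNDMAN] C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# Assumed baseline (illustrative only) of where these well-known autostart
# binaries normally live on a Windows XP machine.
KNOWN_LOCATIONS = {
    "soundman.exe": r"C:\WINDOWS",
    "hkcmd.exe": r"C:\WINDOWS\system32",
    "ctfmon.exe": r"C:\WINDOWS\system32",
    "powerkey.exe": r"C:\Program Files\Launch Manager",
}

# O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First .exe path in the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def parse_o4(line):
    """Parse one HijackThis O4 line into hive, entry name, command and exe path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # HijackThis shows disabled Run entries with a leading ';'.
    disabled = cmd.startswith(";")
    exe = EXE_RE.search(cmd.lstrip("; "))
    return {
        "hive": m.group("hive"),
        "name": m.group("name"),
        "cmd": cmd,
        "path": exe.group("path") if exe else "",
        "disabled": disabled,
    }


def check_entries(lines, known_locations):
    """Flag autostart entries whose file name is well known but whose directory
    differs from the baseline, the pattern the thread's SOUNDMAN.EXE showed."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None or not entry["path"]:
            continue
        directory = ntpath.dirname(entry["path"])
        basename = ntpath.basename(entry["path"]).lower()
        expected = known_locations.get(basename)
        if expected is None or not directory:
            # Unknown name, or a bare file name resolved via PATH: nothing to compare.
            continue
        # Case-insensitive compare; 8.3 short names (PROGRA~1) are not expanded here.
        if directory.lower() != expected.lower():
            findings.append({
                "name": entry["name"],
                "path": entry["path"],
                "expected_dir": expected,
                "disabled": entry["disabled"],
            })
    return findings


if __name__ == "__main__":
    for f in check_entries(SAMPLE_O4_LINES, KNOWN_LOCATIONS):
        print(f"suspicious: [{f['name']}] {f['path']} (expected in {f['expected_dir']})")
```

The same comparison can be run over the SRE "Run" entries once their `<name><path> [vendor]` form is parsed; the vendor field there is a second signal, since the impostor in this thread carried Avance Logic's name but not its location.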
smflash - 2006-8-24 13:56:00
I already pointed out in post #9 that HijackThis suspected shdocvw.dll was a problem. And so it was.
大脑袋雪人 - 2006-8-25 17:14:00
Thanks for your help, friend. But the problem isn't shdocvw.dll, that's a system file. It was a clue, because soundman.exe was calling that library.
The Rising engineer replied as follows:
We have analysed your problem and file in detail; below are the analysis results of the file you uploaded:
1. File name: SOUNDMAN.EXE
Virus name: Trojan.Clicker.VB.wb
We will handle this in the newer version 18.41.41; please upgrade your Rising software to version 18.41.41 at that time and open the Monitoring Center to run a full-disk scan. If we find problems during testing, we may postpone it by one or two versions.