Rising Kaka Security Forum
山颠一寺 - 2006-9-25 18:31:00
[1144] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错.
[1152] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错.
[1796] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错.
[192] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错.
[256] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错.
[916] C:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : 清除过程中出错

EWIDO detects it every single time, but when I carry out the action, whether delete or quarantine, it says an error occurred during deletion (quarantine). What virus is this? Is there a good way to fix it? Thanks!
猪知山 - 2006-9-25 18:40:00
Please go to http://forum.ikaka.com/topic.asp?board=67&artid=5188931
and download HijackThis from post #6.
After downloading, run HijackThis.rar, then run HijackThis.exe.
Click "Scan and save log".
Copy and paste the saved log here. If it does not fit in one post, paste it across several posts; please do not modify it.
山颠一寺 - 2006-9-25 18:44:00
Thanks, expert. The log you asked for is below:
HijackThis_815汉化版扫描日志 V1.99.1
保存于 18:35:11, 日期 2006-9-25
操作系统: Windows 2003 SP1 (WinNT 5.02.3790)
浏览器: Internet Explorer v6.00 SP1 (6.00.3790.1830)
当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winasse.exe
C:\Program Files\SkyNet\FireWall\pfw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\conime.exe
D:\Program Files\TT\TTraveler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.183\HijackThis1991zww.exe
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: FiltrateWebObj Class - {42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O2 - BHO: conimehlp Class - {B10343BD-1DC6-442F-9BA2-D44C708CEE83} - C:\WINDOWS\system32\mskey32.dll
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [SKYNET Personal FireWall] C:\Program Files\SkyNet\FireWall\pfw.exe
O4 - 启动项HKLM\\Run: [Tray] C:\WINDOWS\command\rundll32.exe
O4 - 启动项HKLM\\Run: [Super Rabbit Desktop Set] C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load
O4 - 启动项HKLM\\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - 启动项HKLM\\Run: [zt] C:\WINDOWS\Intel\rundll32.exe
O4 - 启动项HKLM\\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 新浪UC.lnk = D:\Program Files\UC\uc.exe
O8 - IE右键菜单中的新增项目: 使用KuGoo3下载(&K) - D:\Program Files\KuGoo3\KuGoo3DownX.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Excel(&x) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - 浏览器额外的按钮: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AXSafeControls.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?f6152589ea0cb7bfc7d8800586e3d2d5254d12e65ab054d87fc988118434e3466bab068b10797ab0a993c60363f8ac77c782e1c5f05c3f34f44248769fb6c0:8274a50e7f8ecec38a1c82abf58d7533
O16 - DPF: {C661F36D-DF85-4EF4-83C7-E107B83D04B1} (WebActivater Control) - http://dl_dir.qq.com/3dshow/3DShowVM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4E1056E-61B2-49D7-BC33-9EFCB74F0D7F}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4F4DB50-DFD2-429E-8442-DCCA6EE0DD8B}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0504249-64AC-4188-A121-58D2F0FACE44}: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
山颠一寺 - 2006-9-25 18:49:00
Experts, please come and take a look, I'm about to lose it~
山颠一寺 - 2006-9-25 19:03:00
Bump, please come and take a look~~
猪知山 - 2006-9-25 19:12:00
Fix the following:
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: FiltrateWebObj Class - {42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O9 - 浏览器额外的按钮: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
For the O16 entries, fix any URL you are not sure is safe.
Fix O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
End the following processes:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
C:\WINDOWS\command\rundll32.exe
then find the corresponding files and delete them.
I have never seen C:\WINDOWS\system32\winasse.exe before.
If you don't know what it is either, I suggest killing it.
deadmanzj - 2006-9-25 19:18:00
One more: delete C:\WINDOWS\rundl132.exe
(there are signs of Viking (威金))
山颠一寺 - 2006-9-25 19:28:00
Why are there two of this process? Is one of them a problem?
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
And what are these two?
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\conime.exe
I did what you said. Next, is it enough to just run EWIDO again?
山颠一寺 - 2006-9-25 22:04:00
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Every time I stop this process, it starts running again by itself after a while. Is something wrong?~

Experts, please advise~
Also, the 1.exe process: I ended it the way 猪大侠 said and then found and deleted the file, but after a while it comes back. What should I do?
不想一个人玩 - 2006-9-25 22:16:00
O4 - 启动项HKLM\\Run: [xy] C:\WINDOWS\Download\svhost32.exe
Does everyone think this one is fine?
猪知山 - 2006-9-25 22:16:00
In Safe Mode, turn off System Restore.
Run the latest antivirus over it and that's it.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
It would be strange if this did NOT appear when you open a web page.
猪知山 - 2006-9-25 22:19:00
O4 - 启动项HKLM\\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - 启动项HKLM\\Run: [zt] C:\WINDOWS\Intel\rundll32.exe
O4 - 启动项HKLM\\Run: [xy] C:\WINDOWS\Download\svhost32.exe
Kill all three of these.
End the processes, then find and delete the corresponding items.
Start > Run > MSCONFIG and remove the corresponding startup items.
mopery - 2006-9-25 22:20:00
Fix:
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: FiltrateWebObj Class - {42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - 启动项HKLM\\Run: [Tray] C:\WINDOWS\command\rundll32.exe
O4 - 启动项HKLM\\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - 启动项HKLM\\Run: [zt] C:\WINDOWS\Intel\rundll32.exe
O4 - 启动项HKLM\\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O9 - 浏览器额外的按钮: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
Delete:
C:\WINDOWS\rundl132.exe
C:\WINDOWS\command\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\Download\svhost32.exe
After fixing, scan with your antivirus in Safe Mode.
Download System Repair Engineer from http://mopery.hits.io/sreng2.zip
1 Unzip sreng2.zip
2 Run SREng.exe
3 Smart Scan => Scan => Save Report
4 Copy the complete report from the log and paste it here, without modification
山颠一寺 - 2006-9-25 22:20:00

I saw two of them in the process list and assumed one was a virus~ this virus has had me on edge for two days!!

Forgive my silly question, 猪大虾~~~
petty - 2006-9-25 22:23:00
Be sure to clear the IE cache before scanning for viruses.
不想一个人玩 - 2006-9-25 22:26:00
Quote (山颠一寺's post):
C:\Program Files\Internet Explorer\IEXPLORE.EXE Every time I stop this process, it starts running again by itself after a while. Is something wrong?~ Experts, please advise~ Also, the 1.exe process: I ended it the way 猪大侠 said and then found and deleted the file, but after a while it comes back. What should I do? ………………
Do what post #12 says. Also, run the Registry Editor, find every key and value related to 1.exe and delete them all.
Then try cleaning the computer with Super Rabbit, mainly the temporary folders.
山颠一寺 - 2006-9-25 22:38:00
"Do what post #12 says. Also, run the Registry Editor, find every key and value related to 1.exe and delete them all."
How do I find those?

I know I'm a noob!
山颠一寺 - 2006-9-25 23:14:00
Can someone tell me?
山颠一寺 - 2006-9-25 23:19:00
The log the expert in post #12 asked for is below:
2006-09-25,23:08:44
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows Server 2003 Standard Edition Service Pack 1 (Build 3790)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><C:\WINDOWS\rundl132.exe> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<SKYNET Personal FireWall><C:\Program Files\SkyNet\FireWall\pfw.exe> [天网]
<Tray><C:\WINDOWS\command\rundll32.exe> []
<Super Rabbit Desktop Set><C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load> [Super Rabbit Software]
<ms><C:\Program Files\Microsoft\svhost32.exe> []
<zt><C:\WINDOWS\Intel\rundll32.exe> []
<xy><C:\WINDOWS\Download\svhost32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<CheckFaultKernel><C:\WINDOWS\system32\mswdm.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><%SystemRoot%\system32\logonui.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{6E44887F-5214-41F2-AB46-4728735C4CC6}><C:\Program Files\Internet Explorer\PLUGINS\systemy.sys> []
<{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys> []
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<IMEKRMIG6.1><; ; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE> [Microsoft Corporation]
<IMJPMIG8.1><; ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<NTdhcp><; > []
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<StormCodec_Helper><; "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<Super Rabbit SRRestore><; C:\PROGRA~1\SUPERR~1\IEPro\SRRest.exe /autosave> [Super Rabbit Soft]
==================================
山颠一寺 - 2006-9-25 23:19:00
启动文件夹
[新浪UC]
<C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\新浪UC.lnk><N>
==================================
服务
==================================
浏览器加载项
[conimehlp Class]
{B10343BD-1DC6-442F-9BA2-D44C708CEE83} <C:\WINDOWS\system32\mskey32.dll, Microsoft>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <, N/A>
[SearchToolbar]
{08BEC6AA-49FC-4379-3587-4B21E286C19E} <, N/A>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[XML DOM Document]
{2933BF90-7B36-11D2-B20E-00C04F983E60} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[超级兔子上网精灵]
{43869BB3-22FD-4F15-9B46-238106BA2F4E} <C:\Program Files\Super Rabbit\MagicSet\haokanbar.dll, Xiang Feng Technology>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[Wipe]
{AF279B30-86EB-11D1-81BF-0000F87557DB} <C:\WINDOWS\system32\dxtmsft.dll, Microsoft Corporation>
[conimehlp Class]
{B10343BD-1DC6-442F-9BA2-D44C708CEE83} <C:\WINDOWS\system32\mskey32.dll, Microsoft>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE6]
{BF3FF9A2-AC03-40A1-BA0F-F31076325AA7} <C:\WINDOWS\system32\dllcache\dhtmled.ocx, Microsoft Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[XML HTTP Request]
{ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[IEMoni Class]
{F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} <, N/A>
[XML DOM Document]
{F6D90F11-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[XML HTTP]
{F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[上传到QQ网络硬盘]
<90F16-9C73-11D3-B32E-00C04F990BB4}, N/A>
[使用KuGoo3下载(&K)]
<D:\Program Files\KuGoo3\KuGoo3DownX.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[导出到 Microsoft Excel(&x)]
<res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
<, N/A>
[添加到QQ表情]
<, N/A>
[用QQ彩信发送该图片]
<, N/A>
山颠一寺 - 2006-9-25 23:20:00
正在运行的进程
[PID: 380][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 484][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 848][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 916][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Dat] <N/A><N/A>
[PID: 936][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1152][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Dat] <N/A><N/A>
[PID: 1264][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1304][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1336][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1604][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1664][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1700][C:\WINDOWS\System32\dmadmin.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 268][C:\WINDOWS\system32\wbem\wmiprvse.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1796][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.3790.1830 (srv03_sp1_rtm.050324-1447)>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\WINDOWS\system32\mskey32.dll] <Microsoft><1, 0, 0, 1>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Dat] <N/A><N/A>
[D:\WinRAR\rarext.dll] <N/A><N/A>
[C:\Program Files\Common Files\Adobe\Shell\PSICON.DLL] <Adobe Systems, Incorporated><7.0>
[PID: 256][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Dat] <N/A><N/A>
[PID: 1168][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1516][C:\Program Files\SkyNet\FireWall\PFW.exe] <天网><2.7.3.1000>
[C:\Program Files\SkyNet\FireWall\SKYMISC.DLL] <N/A><N/A>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[PID: 160][D:\Program Files\TT\TTraveler.exe] <腾讯公司><3.1.0.256>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[D:\Program Files\TT\PersonalDesktop.dll] <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 4>
[C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx] <Adobe Systems, Inc.><9,0,16,0>
[PID: 1636][C:\WINDOWS\system32\NOTEPAD.EXE] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[PID: 1964][D:\WinRAR\WinRAR.exe] <N/A><N/A>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
[PID: 2252][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.324\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\Program Files\Internet Explorer\PLUGINS\systemy.sys] <N/A><N/A>
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] <N/A><N/A>
山颠一寺 - 2006-9-25 23:20:00
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI Error. [notepad.exe %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
山颠一寺 - 2006-9-25 23:20:00
I'm off to do the scan you described; back right after the break~
山颠一寺 - 2006-9-26 0:12:00
Bump~
westbeck - 2006-9-26 0:44:00
OP, you did not do what the previous experts said. And why don't you have antivirus software installed?? The machine is almost a virus nest.
Please do the following:
Go to www.27814939.ys168.com, click "我的软件" (My Software) and download KillBox.exe.
Run System Repair Engineer and use "System Repair, File Associations" to repair all file associations.
Run System Repair Engineer and use "Startup Items, Registry" to delete the following entries:
<load><C:\WINDOWS\rundl132.exe>
<Tray><C:\WINDOWS\command\rundll32.exe>
<ms><C:\Program Files\Microsoft\svhost32.exe> []
<zt><C:\WINDOWS\Intel\rundll32.exe> []
<xy><C:\WINDOWS\Download\svhost32.exe>
<CheckFaultKernel><C:\WINDOWS\system32\mswdm.exe>
<{6E44887F-5214-41F2-AB46-4728735C4CC6}><C:\Program Files\Internet Explorer\PLUGINS\systemy.sys> []
<{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys> []
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat>
<NTdhcp><; >
Run System Repair Engineer and use "System Repair, Browser Add-ons" to delete the following entry:
[conimehlp Class]
{B10343BD-1DC6-442F-9BA2-D44C708CEE83} <C:\WINDOWS\system32\mskey32.dll, Microsoft>
Double-click KillBox.exe and delete, one at a time:
C:\WINDOWS\rundl132.exe
C:\WINDOWS\command\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\system32\mswdm.exe
C:\Program Files\Internet Explorer\PLUGINS\systemy.sys
C:\Program Files\Internet Explorer\IEXPLORE.Sys
C:\Program Files\Internet Explorer\IEXPLORE.Dat
C:\WINDOWS\system32\mskey32.dll
(When deleting, tick "End Explorer.EXE before deleting".)
Note: if a .dll file cannot be deleted, tick "Unregister" and delete again.
If it still cannot be deleted, tick delete-on-reboot or replace-on-reboot and try again.
山颠一寺 - 2006-9-26 14:57:00
Do the above steps need to be done in Safe Mode?
山颠一寺 - 2006-9-26 15:07:00
Quote:
Please do the following: Go to www.27814939.ys168.com, click "我的软件" (My Software) and download KillBox.exe. Run System Repair Engineer and use "System Repair, File Associations" to repair all file associations.
………………
What is System Repair Engineer? Is it something I type into Run, or is it a program? And "System Repair, File Associations", where do I find that??

I know I'm a noob~~
山颠一寺 - 2006-9-26 15:38:00
I did what the experts said. Below is my new log. Would the experts please take another look: is it back to normal now?
2006-09-26,15:29:01
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows Server 2003 Standard Edition Service Pack 1 (Build 3790)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TkBellExe><; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<SKYNET Personal FireWall><; C:\Program Files\SkyNet\FireWall\pfw.exe> [天网]
<Super Rabbit Desktop Set><; C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load> [Super Rabbit Software]
<IMEKRMIG6.1><; ; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE> [Microsoft Corporation]
<IMJPMIG8.1><; ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<StormCodec_Helper><; "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<Super Rabbit SRRestore><; C:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave> [Super Rabbit Soft]
<ShutdownEventCheck><; %systemroot%\system32\dumprep 0 -s> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<KernelCheck><; C:\WINDOWS\system32\winasse.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><%SystemRoot%\system32\logonui.exe> [Microsoft Corporation]
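A quick way to answer the question "is it back to normal?" is to diff the registry section of the earlier report against this one, rather than eyeballing both. The Python below is an added example written for this thread; it is not SREng's own code and was not posted by any participant. Its two inputs are constructed excerpts of the two reports posted above, and the parsing rules are assumptions based only on the layout visible in them.

```python
"""Compare the registry autostart section of two SREng reports.

Added example for this thread: not SREng's own code and not posted by any
participant. It reads the layout seen in the reports above (an assumption):
    [HKEY_...\Some\Key]                 one registry key
    <valuename><command> [vendor]       one autostart value under that key
The vendor in [...] is whatever the file's own version resource claims, so an
empty vendor is a reason to look closer, and a "Microsoft Corporation" string
is not by itself proof that the file is genuine.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<cmd>[^>]*)> \[(?P<vendor>[^\]]*)\]$")

# Constructed samples: excerpts of the two reports posted in this thread.
BEFORE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><C:\WINDOWS\rundl132.exe> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SKYNET Personal FireWall><C:\Program Files\SkyNet\FireWall\pfw.exe> [天网]
<Tray><C:\WINDOWS\command\rundll32.exe> []
<ms><C:\Program Files\Microsoft\svhost32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<CheckFaultKernel><C:\WINDOWS\system32\mswdm.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat> []
"""

AFTER = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SKYNET Personal FireWall><; C:\Program Files\SkyNet\FireWall\pfw.exe> [天网]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<KernelCheck><; C:\WINDOWS\system32\winasse.exe> [Microsoft Corporation]
"""


def parse_registry_section(text):
    """Map (registry key, value name) -> (command text, vendor string)."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries[(key, vm.group("name"))] = (vm.group("cmd").strip(), vm.group("vendor"))
    return entries


def diff_reports(before, after):
    """Return (removed, added, changed) as lists of 'KEY\\valuename' labels."""
    b, a = parse_registry_section(before), parse_registry_section(after)
    removed, added, changed = [], [], []
    for ident in sorted(set(b) | set(a)):
        label = ident[0] + "\\" + ident[1]
        bcmd = b.get(ident, ("", ""))[0]
        acmd = a.get(ident, ("", ""))[0]
        if bcmd and not acmd:
            removed.append(label)          # value emptied or gone entirely
        elif acmd and not bcmd:
            added.append(label)            # new autostart since the first report
        elif ident in b and ident in a and b[ident] != a[ident]:
            changed.append(label)          # same value, different text (e.g. the "; " prefix)
    return removed, added, changed


def unvouched_entries(report):
    """Autostart values that point at something but carry no vendor string."""
    return sorted(key + "\\" + name
                  for (key, name), (cmd, vendor) in parse_registry_section(report).items()
                  if cmd and not vendor)


if __name__ == "__main__":
    removed, added, changed = diff_reports(BEFORE, AFTER)
    for title, items in (("removed", removed), ("added", added), ("changed", changed)):
        print(title + ":")
        for item in items:
            print("   ", item)
    print("no vendor string (before):", len(unvouched_entries(BEFORE)))
    print("no vendor string (after): ", len(unvouched_entries(AFTER)))
```

On these excerpts the diff reports the five entries the responders asked to remove as gone, and surfaces one addition: a KernelCheck value under Policies\Explorer\Run pointing at winasse.exe, the file nobody in the thread recognised. Its vendor string reads "Microsoft Corporation", but that text is set by whoever built the file, so the entry still needs to be checked on its own merits.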
山颠一寺 - 2006-9-26 15:39:00
==================================
启动文件夹
[新浪UC]
<C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\新浪UC.lnk><N>
==================================
服务
==================================
浏览器加载项
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <, N/A>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[XML DOM Document]
{2933BF90-7B36-11D2-B20E-00C04F983E60} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[超级兔子上网精灵]
{43869BB3-22FD-4F15-9B46-238106BA2F4E} <C:\Program Files\Super Rabbit\MagicSet\haokanbar.dll, Xiang Feng Technology>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[Wipe]
{AF279B30-86EB-11D1-81BF-0000F87557DB} <C:\WINDOWS\system32\dxtmsft.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE6]
{BF3FF9A2-AC03-40A1-BA0F-F31076325AA7} <C:\WINDOWS\system32\dllcache\dhtmled.ocx, Microsoft Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[XML HTTP Request]
{ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[IEMoni Class]
{F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} <, N/A>
[XML DOM Document]
{F6D90F11-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[XML HTTP]
{F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[上传到QQ网络硬盘]
<90F16-9C73-11D3-B32E-00C04F990BB4}, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[导出到 Microsoft Excel(&x)]
<res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
<, N/A>
[添加到QQ表情]
<, N/A>
[用QQ彩信发送该图片]
<, N/A>
==================================
山颠一寺 - 2006-9-26 15:39:00
正在运行的进程
[PID: 380][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 484][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 848][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 916][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 936][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1156][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1264][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1304][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1336][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1600][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1648][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1680][C:\WINDOWS\System32\dmadmin.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 328][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.3790.1830 (srv03_sp1_rtm.050324-1447)>
[D:\WinRAR\rarext.dll] <N/A><N/A>
[PID: 1032][C:\WINDOWS\system32\wbem\wmiprvse.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 604][C:\Program Files\SkyNet\FireWall\PFW.exe] <天网><2.7.3.1000>
[C:\Program Files\SkyNet\FireWall\SKYMISC.DLL] <N/A><N/A>
[PID: 1176][D:\Program Files\TT\TTraveler.exe] <腾讯公司><3.1.0.256>
[D:\Program Files\TT\PersonalDesktop.dll] <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 4>
[C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx] <Adobe Systems, Inc.><9,0,16,0>
[PID: 1524][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.2.3790.1830 (srv03_sp1_rtm.050324-1447)>
[PID: 1240][D:\WinRAR\WinRAR.exe] <N/A><N/A>
[PID: 1988][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.874\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>