4706634 - 2006-10-9 23:08:00
2006-10-09,22:56:09
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600)
- Not in Administrators Group - Restricted Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background> [Microsoft Corporation]
<ctfmon.exe><C:\WINDOWS\System32\CTFMON.EXE> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
<vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe> [Symantec Corporation]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<IMEKRMIG6.1><C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE> [(Verified)Microsoft Corporation]
<MSPY2002><C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC> [(Verified)N/A]
<PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<CSCLogonInfo><C:\WINDOWS\UsrLogon.exe> [N/A]
<CSCAdvantage><"C:\Program Files\Help Desk\CSCAdv.exe" /s> [N/A]
<PigUpdate><D:\Profiles\q16287\LOCALS~1\Temp\~ex11.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
<WinlogonNotify: NavLogon><C:\WINDOWS\System32\NavLogon.dll> [N/A]
==================================
Startup Folders
N/A
==================================
Services
[ASP.NET State Service / aspnet_state]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[BlackICE / BlackICE]
<"C:\Program Files\ISS\DesktopProtection\blackd.exe"><Internet Security Systems, Inc.>
[SMS Agent Host / CcmExec]
<C:\WINDOWS\System32\CCM\CcmExec.exe><N/A>
[DefWatch / DefWatch]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe><Symantec Corporation>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Symantec AntiVirus Client / Norton AntiVirus Server]
<C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe><Symantec Corporation>
[RapApp / RapApp]
<"C:\Program Files\ISS\DesktopProtection\RapApp.exe"><Internet Security Systems, Inc.>
==================================
Drivers
[abp480n5 / abp480n5]
<\SystemRoot\System32\DRIVERS\ABP480N5.SYS><Microsoft Corporation>
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc]
<system32\drivers\ac97intc.sys><Intel Corporation>
[adpu160m / adpu160m]
<\SystemRoot\System32\DRIVERS\adpu160m.sys><Microsoft Corporation>
[aeaudio / aeaudio]
<system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[Aha154x / Aha154x]
<\SystemRoot\System32\DRIVERS\aha154x.sys><Microsoft Corporation>
[aic78u2 / aic78u2]
<\SystemRoot\System32\DRIVERS\aic78u2.sys><Microsoft Corporation>
[aic78xx / aic78xx]
<\SystemRoot\System32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[AliIde / AliIde]
<\SystemRoot\System32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
[AMD AGP Bus Filter Driver / amdagp]
<\SystemRoot\System32\DRIVERS\amdagp.sys><Advanced Micro Devices, Inc.>
[asc / asc]
<\SystemRoot\System32\DRIVERS\asc.sys><Advanced System Products, Inc.>
[asc3350p / asc3350p]
<\SystemRoot\System32\DRIVERS\asc3350p.sys><Microsoft Corporation>
[asc3550 / asc3550]
<\SystemRoot\System32\DRIVERS\asc3550.sys><Advanced System Products, Inc.>
[black / black]
<System32\drivers\BlackDrv.sys><Internet Security Systems, Inc.>
[cd20xrnt / cd20xrnt]
<\SystemRoot\System32\DRIVERS\cd20xrnt.sys><Microsoft Corporation>
[CmdIde / CmdIde]
<\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[dac2w2k / dac2w2k]
<\SystemRoot\System32\DRIVERS\dac2w2k.sys><Mylex Corporation>
[dpti2o / dpti2o]
<\SystemRoot\System32\DRIVERS\dpti2o.sys><Microsoft Corporation>
[3Com 3C90X-BC Family PCI EtherLink Adapter / EL90XBC]
<System32\DRIVERS\el90xbc5.sys><3Com Corporation>
[i81x / i81x]
<System32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0]
<System32\DRIVERS\wADV01nt.sys><Intel Corporation>
[iAimFP1 / iAimFP1]
<System32\DRIVERS\wADV02NT.sys><Intel Corporation>
[iAimFP2 / iAimFP2]
<System32\DRIVERS\wADV05NT.sys><Intel Corporation>
[iAimFP3 / iAimFP3]
<System32\DRIVERS\wSiINTxx.sys><Intel Corporation>
[iAimFP4 / iAimFP4]
<System32\DRIVERS\wVchNTxx.sys><Intel Corporation>
[iAimTV0 / iAimTV0]
<System32\DRIVERS\wATV01nt.sys><Intel Corporation>
[iAimTV1 / iAimTV1]
<System32\DRIVERS\wATV02NT.sys><Intel Corporation>
[iAimTV2 / iAimTV2]
<System32\DRIVERS\wATV03nt.sys><Intel Corporation>
[iAimTV3 / iAimTV3]
<System32\DRIVERS\wATV04nt.sys><Intel Corporation>
[iAimTV4 / iAimTV4]
<System32\DRIVERS\wCh7xxNT.sys><Intel Corporation>
[ini910u / ini910u]
<\SystemRoot\System32\DRIVERS\ini910u.sys><Microsoft Corporation>
[mraid35x / mraid35x]
<\SystemRoot\System32\DRIVERS\mraid35x.sys><American Megatrends Inc.>
[NAVAP / NAVAP]
<\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys><Symantec Corporation>
[NAVAPEL / NAVAPEL]
<\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS><Symantec Corporation>
[NAVENG / NAVENG]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061008.008\NAVENG.sys><Symantec Corporation>
[NAVEX15 / NAVEX15]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061008.008\NAVEX15.sys><Symantec Corporation>
[SMS Process Event Driver / prepdrvr]
<\??\C:\WINDOWS\System32\CCM\prepdrv.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[ql1080 / ql1080]
<\SystemRoot\System32\DRIVERS\ql1080.sys><QLogic Corporation>
4706634 - 2006-10-9 23:09:00
[Ql10wnt / Ql10wnt]
<\SystemRoot\System32\DRIVERS\ql10wnt.sys><Microsoft Corporation>
[ql12160 / ql12160]
<\SystemRoot\System32\DRIVERS\ql12160.sys><QLogic Corporation>
[ql1280 / ql1280]
<\SystemRoot\System32\DRIVERS\ql1280.sys><QLogic Corporation>
[RapFile / RapFile]
<\??\C:\WINDOWS\System32\drivers\RapFile.sys><Internet Security Systems, Inc.>
[RapNet / RapNet]
<\??\C:\WINDOWS\System32\drivers\RapNet.sys><Internet Security Systems, Inc.>
[Secdrv / Secdrv]
<System32\DRIVERS\secdrv.sys><N/A>
[SIS AGP Bus Filter / sisagp]
<\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[smwdm / smwdm]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>
[Sparrow / Sparrow]
<\SystemRoot\System32\DRIVERS\sparrow.sys><Adaptec, Inc.>
[symc810 / symc810]
<\SystemRoot\System32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx]
<\SystemRoot\System32\DRIVERS\symc8xx.sys><LSI Logic>
[SymEvent / SymEvent]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[Symmpi / Symmpi]
<\SystemRoot\System32\DRIVERS\symmpi.sys><LSI Logic>
[sym_hi / sym_hi]
<\SystemRoot\System32\DRIVERS\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3]
<\SystemRoot\System32\DRIVERS\sym_u3.sys><LSI Logic>
[TosIde / TosIde]
<\SystemRoot\System32\DRIVERS\toside.sys><Microsoft Corporation>
[ultra / ultra]
<\SystemRoot\System32\DRIVERS\ultra.sys><Promise Technology, Inc.>
==================================
Browser Add-ons
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[MyIEHelper Class]
{16B770A0-0E87-4278-B748-2460D64A8386} <D:\Profiles\All Users\Application Data\Microsoft\UserData\IEHelper_5078.dll, Microsoft Corporation>
[&Research]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, Microsoft Corporation>
[&Radio]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, N/A>
[Oracle JInitiator 1.1.8.18]
{5e2a3510-4371-11d6-b64c-00c04faedb18} <C:\Program Files\Oracle\JInitiator 1.1.8.19\bin\beans.ocx, Oracle Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\System32\wuweb.dll, Microsoft Corporation>
[Java Plug-in 1.3.1_03]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll, JavaSoft / Sun Microsystems, Inc.>
[Java Plug-in 1.3.1_02]
{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} <C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\npjava131_02.dll, JavaSoft / Sun Microsystems, Inc.>
[Java Plug-in 1.3.1_03]
{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} <C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll, JavaSoft / Sun Microsystems, Inc.>
==================================
Running Processes
[PID: 1556][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\PROGRA~1\WINZIP\WZSHLSTB.DLL] [WinZip Computing, Inc., 4.1 (32-bit)]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] [Symantec Corporation, 8.1.1.323]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.0.2003051500]
[C:\WINDOWS\System32\Macromed\Flash\Flash.ocx] [Macromedia, Inc., 6,0,84,0]
[C:\WINDOWS\System32\Macromed\Common\SwSupport.dll] [Macromedia, Inc., 8.5r321]
[PID: 208][C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe] [Symantec Corporation, 8.1.1.323]
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll] [Symantec Corporation, 8.1.1.323]
[C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] [Symantec Corporation, 8.1.1.323]
[C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll] [Symantec Corporation, 8.1.1.323]
[PID: 564][C:\Program Files\Messenger\msmsgs.exe] [Microsoft Corporation, 4.6.0079]
[PID: 2028][C:\WINDOWS\System32\conime.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 392][C:\WINDOWS\System32\CTFMON.EXE] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1632][D:\Profiles\qch7154\Desktop\f\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[PID: 1468][C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE] [Kingsoft Co, Ltd., 9, 0, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\AccountActivate.dll] [N/A, N/A]
[C:\Program Files\Kingsoft\PowerWord 2006\DicMngr.dll] [Kingsoft, 2, 0, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\doshow.dll] [N/A, N/A]
[C:\Program Files\Kingsoft\PowerWord 2006\ITextOut.dll] [Kingsoft, 1, 1, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\KPic10.dll] [N/A, N/A]
[C:\Program Files\Kingsoft\PowerWord 2006\ijl11.dll] [Intel Corporation, 1.1.2]
[C:\Program Files\Kingsoft\PowerWord 2006\NormGrab.DLL] [Kingsoft Co, Ltd., 6, 0, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\toTTSEngine50.dll] [Kingsoft Corporation, 1, 0, 0, 1]
[C:\Program Files\Kingsoft\PowerWord 2006\xfile.dll] [N/A, N/A]
[C:\Program Files\Kingsoft\PowerWord 2006\DBCore10.dll] [Kingsoft Corp., 1, 0, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\XdictGrb.dll] [Kingsoft Co, Ltd., 9, 0, 0, 0]
[C:\Program Files\Kingsoft\PowerWord 2006\KAVPassport.DLL] [Kingsoft Corporation, 2005, 4, 7, 25]
==================================
4706634 - 2006-10-9 23:10:00
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
4706634 - 2006-10-9 23:12:00
Can this be fixed without admin privileges?
孤单西半球 - 2006-10-10 1:41:00
What's the big deal? At worst, just uninstall and reinstall.
4706634 - 2006-10-10 1:44:00
If you are only here to post filler, stay out.
snliuxun - 2006-10-10 8:55:00
Delete the following startup items:
<CSCLogonInfo><C:\WINDOWS\UsrLogon.exe> [N/A]
<CSCAdvantage><"C:\Program Files\Help Desk\CSCAdv.exe" /s> [N/A]
<PigUpdate><D:\Profiles\q16287\LOCALS~1\Temp\~ex11.exe> [N/A]
Delete this browser add-on:
[MyIEHelper Class]
{16B770A0-0E87-4278-B748-2460D64A8386} <D:\Profiles\All Users\Application Data\Microsoft\UserData\IEHelper_5078.dll, Microsoft Corporation>
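Boot into Safe Mode and first delete c:\windows\system32\shdocvw2.dll
Then open the registry, search for shdocvw2.dll, and delete every key and value that is found.
Then, from Start > Run, launch regedt32, not regedit.
Then search in it for the file name of your IEHelper****.dll
Delete every key and value that is found. If any cannot be deleted, right-click that key, add your own user with ownership, then delete it.
Then go to the directory that contains IEHelper***.dll.
In right-click > Properties, change it to not read-only; you also need to modify the permissions on the Security tab before it can be deleted.
Once it has been deleted successfully, you are done.
The registry entries may include the following: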
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B770A0-0E87-4278-B748-2460D64A8386}]
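A triage sketch for the startup entries in the log above, added here as an example; it is not part of the original thread or of SREng. It parses the `<name><command> [publisher]` lines and lists entries that have no publisher information or that launch from a Temp directory. Both rules and all function names are assumptions chosen for illustration, and a hit is a candidate for manual review, not a verdict.

```python
import re

# Excerpt of the "Boot Items / Registry" section of the log above (SREng text format).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe> [Symantec Corporation]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<CSCLogonInfo><C:\WINDOWS\UsrLogon.exe> [N/A]
<PigUpdate><D:\Profiles\q16287\LOCALS~1\Temp\~ex11.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # registry key header line
ENTRY_RE = re.compile(r"^<([^>]*)><(.*)> \[(.*)\]$")  # <name><command> [publisher]
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)     # ...\Temp\... or ...\Tmp\...


def parse_boot_items(text):
    """Yield (registry_key, name, command, publisher) for each entry line."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        header = KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and key:
            yield key, entry.group(1), entry.group(2), entry.group(3)


def triage(text):
    """Return entries worth a manual look, with the reasons (assumed rules)."""
    findings = []
    for key, name, command, publisher in parse_boot_items(text):
        if not command:  # empty value such as <AppInit_DLLs><>
            continue
        reasons = []
        if publisher == "N/A":
            reasons.append("no publisher information")
        if TEMP_RE.search(command):
            reasons.append("launches from a Temp directory")
        if reasons:
            findings.append({"key": key, "name": name,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']}: {f['command']} -> {', '.join(f['reasons'])}")
```

Entries from legitimate software can also lack publisher information (the log shows `NavLogon.dll` with `[N/A]`), so each hit still needs to be checked against what is actually installed on the machine.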