小猪东东 - 2006-11-22 13:12:00
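I have Kaspersky installed, and it suddenly popped up saying I'm infected with Trojan-PSW.Win32.WOW.mx, but it can't be removed. What should I do?
Attachment: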
69663020061122130402.JPG
红夜鬼1 - 2006-11-22 13:14:00
sb.dll
Delete it in Safe Mode; if that doesn't work, use IceSword to delete it, then search the registry and delete the entries.
http://free.ys168.com/?j7700074
小猪东东 - 2006-11-22 13:27:00
Delete it in Safe Mode,
In Safe Mode I can't find this file anymore. Is it enough to delete the corresponding sb.dll entries from the registry?
红夜鬼1 - 2006-11-22 13:31:00
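Is your antivirus still reporting it?
If it isn't fixed, please download SREng2 (latest version), use "Smart Scan", and press the "Scan" button to run the scan.
When the scan finishes, press the "Save Report" button to save the report log file (SREng.LOG), then copy and paste the contents of the saved report
log here. If the log can't be pasted in one go, paste it in several parts. Please don't modify it.
Download link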
http://www.kztechs.com/sreng/sreng2.zip
小猪东东 - 2006-11-22 14:21:00
It keeps reporting it nonstop
2006-11-22,14:12:07
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<NiceMs><C:\Program Files\Internet Explorer\PLUGINS\temp.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [Microsoft Corporation]
<KAVPersonal50><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize> [Kaspersky Lab]
<NeroFilterCheck><C:\WINDOWS\system32\NeroCheck.exe> [Ahead Software Gmbh]
<xy><C:\WINDOWS\Download\svhost32.exe> []
<rzt><C:\WINDOWS\Intel\rundll32.exe> []
<wl><C:\WINDOWS\Download\svhost32.exe> []
<r><C:\WINDOWS\down\rundll32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\System32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><"\Program Files\Logonui\Royale.exe"> []
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\TIME.SCR> []
==================================
启动文件夹
服务
[Autodesk Licensing Service / Autodesk Licensing Service]
<"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"><Autodesk, Inc.>
[kavsvc / kavsvc]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"><Kaspersky Lab>
[NVIDIA Driver Helper Service / NVSvc]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
==================================
浏览器加载项
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[Adobe PDF]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[SetupAct Class]
{3A289F34-B61E-4E9B-BD55-738EC858BB53} <C:\WINDOWS\System32\kingsoft\SetupActiveX\SetupActiveX.dll, kingsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[使用网际快车下载]
<C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<C:\Program Files\FlashGet\jc_all.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
==================================
小猪东东 - 2006-11-22 14:21:00
正在运行的进程
[PID: 384][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 440][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 464][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 508][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 520][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 680][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 728][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 804][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 820][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1032][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.0 (XPClient.010817-1148)>
[C:\WINDOWS\System32\adimon.dll] <Autodesk, Inc.><3,0,14,176>
[C:\WINDOWS\system32\heidi3.dll] <Autodesk, Inc.><3,0,14,176>
[C:\WINDOWS\System32\AdobePDF.dll] <Adobe Systems Incorporated.><6.0.000>
[C:\Program Files\Adobe\Acrobat 6.0\Distillr\AdistRes.CHS] <N/A><N/A>
[C:\WINDOWS\system32\E_SL2602.DLL] <SEIKO EPSON CORPORATION><1, 3, 0, 0>
[PID: 1344][C:\WINDOWS\System32\nvsvc32.exe] <NVIDIA Corporation><6.13.10.3140>
[PID: 1388][C:\WINDOWS\System32\wdfmgr.exe] <Microsoft Corporation><5.2.3790.1230 built by: dnsrv(bld4act)>
[PID: 1588][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
[C:\WINDOWS\System32\AcSignIcon.dll] <Autodesk><16.1.63.0>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.1.63.0>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\Program Files\Internet Explorer\PLUGINS\sb.dll] <N/A><N/A>
[C:\WINDOWS\System32\mp3infp.dll] <win32lab.com><2.44.3.0>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll] <Kaspersky Lab><5.0.388.1>
[C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll] <Adobe Systems Inc.><1.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.chs] <Adobe Systems Inc.><1.0.0.2003051500>
[C:\Program Files\Common Files\Adobe\Shell\PSICON.DLL] <Adobe Systems, Incorporated><7.0>
[C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll] <Autodesk><16.1.63.0>
[PID: 1896][C:\WINDOWS\Download\svhost32.exe] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[PID: 1904][C:\WINDOWS\Intel\rundll32.exe] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[PID: 1912][C:\WINDOWS\Download\svhost32.exe] <N/A><N/A>
[PID: 1928][C:\WINDOWS\down\rundll32.exe] <N/A><N/A>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[PID: 1952][C:\WINDOWS\System32\ctfmon.exe] <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[PID: 1824][C:\Program Files\MwIE\MwIE.exe] <><3, 8, 0, 0>
[C:\WINDOWS\System32\AcSignIcon.dll] <Autodesk><16.1.63.0>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\scrchpg.dll] <Kaspersky Lab><5.0.1.18>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\scrch_ag.dll] <Kaspersky Lab><5.0.388.1>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\FSSync.dll] <Kaspersky Lab><5.0.388.0>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\pr_rmt.dll] <Kaspersky Lab><5.0.388.0>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\ccclient.dll] <Kaspersky Lab><5.0.388.1>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\klipc.dll] <Kaspersky Lab><5.0.388.0>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\KLUtil.dll] <Kaspersky Lab><5.0.388.1>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\rpt.dll] <Kaspersky Lab><5.0.388.2>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\CCIFACE.dll] <Kaspersky Lab><5.0.388.1>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\prloader.dll] <Kaspersky Lab><5.0.388.0>
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\prkernel.ppl] <Kaspersky Lab><5.0.388.0>
[c:\program files\kaspersky lab\kaspersky anti-virus personal\prstring.ppl] <Kaspersky Lab><5.0.388.0>
[c:\program files\kaspersky lab\kaspersky anti-virus personal\pr_srv.ppl] <Kaspersky Lab><5.0.388.0>
[c:\program files\kaspersky lab\kaspersky anti-virus personal\pr_clnt.ppl] <Kaspersky Lab><5.0.388.0>
[c:\program files\kaspersky lab\kaspersky anti-virus personal\tempfile.ppl] <Kaspersky Lab><5.0.388.0>
[C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx] <Adobe Systems, Inc.><9,0,28,0>
[C:\WINDOWS\System32\cspyii.ime] <中文之星><1, 0, 0, 1>
[PID: 360][C:\WINDOWS\notepad.exe] <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
[PID: 1580][G:\工具\新建文件夹\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\WINDOWS\rxdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\ztdll.dll] <N/A><N/A>
[C:\WINDOWS\System32\wldll.dll] <N/A><N/A>
==================================
文件关联
.TXT Error. [notepad.exe %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG Error. [regedit.exe %1]
.BAT OK. ["%1" %*]
.SCR Error. [AutoCADScript]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI Error. [notepad.exe %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
小猪东东 - 2006-11-22 14:27:00
Also, searching the registry doesn't find sb.dll either
红夜鬼1 - 2006-11-22 14:31:00
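Run (double-click) SRENG2, click "Startup Items", then "Services", then "Win32 Service Applications"
Check "Hide Microsoft Services" and select the virus service
Remote Packet Capture Protocol v.0
, then choose "Delete Service"
Click "Settings" and choose "No"
Run SREng2, use "Startup Items" -- Registry -- delete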
C:\Program Files\Internet Explorer\PLUGINS\temp.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\down\rundll32.exe
Reboot and press F8 to enter Safe Mode
Show hidden files
Delete:
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\WinPcap\rpcapd.ini
C:\Program Files\Internet Explorer\PLUGINS\temp.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\down\rundll32.exe
C:\WINDOWS\System32\wldll.dll
C:\WINDOWS\rxdll.dll
C:\WINDOWS\System32\ztdll.dll
C:\Program Files\Internet Explorer\PLUGINS\sb.dll
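Added example, not part of the original thread: a small Python parser for the registry autorun lines of the SREng log posted above, flagging the kind of entries the reply singles out (no publisher, a system binary name outside System32, or a near-miss of one). The `SYSTEM_NAMES` list and the 0.85 similarity threshold are illustrative assumptions; the output is a list of leads to verify, not verdicts.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed sample: registry autorun lines taken from the SREng log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<NiceMs><C:\Program Files\Internet Explorer\PLUGINS\temp.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<KAVPersonal50><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize> [Kaspersky Lab]
<xy><C:\WINDOWS\Download\svhost32.exe> []
<rzt><C:\WINDOWS\Intel\rundll32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\System32\userinit.exe,> [Microsoft Corporation]
"""

# Assumption: a short illustrative list of binaries that belong in System32.
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
ENTRY = re.compile(r"^<([^>]*)><(.*)> \[(.*)\]$")      # <name><command> [publisher]
IMAGE = re.compile(r'"?(.*?\.(?:exe|dll|scr))', re.I)  # image path without quote/args

def triage(log_text):
    """Return (value name, image path, reasons) tuples, most reasons first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        img = IMAGE.match(m.group(2)) if m else None
        if not img:                      # key header, empty value or no image path
            continue
        name, publisher, path = m.group(1), m.group(3), img.group(1)
        base = ntpath.basename(path).lower()
        reasons = []
        if not publisher:
            reasons.append("no publisher in version info")
        if base in SYSTEM_NAMES and ntpath.dirname(path).lower() != SYSTEM32:
            reasons.append("system binary name outside System32")
        for real in SYSTEM_NAMES - {base}:
            if SequenceMatcher(None, base, real).ratio() >= 0.85:
                reasons.append("name resembles " + real)
        if reasons:
            findings.append((name, path, reasons))
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name:8} {path}  <- {'; '.join(reasons)}")
```

An empty publisher field alone is a weak signal, since legitimate programs ship without version information too, so entries with a single reason sort last.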
一直在用 - 2006-11-22 14:42:00
Rising can detect and remove it normally.
小猪东东 - 2006-11-22 15:10:00
Haha, the virus is gone now. Many thanks to "红夜鬼1".