Erika - 2006-12-2 22:27:00
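My computer is infected with the trojan Rootkit.Win32.Vanti.em
I deleted it with the antivirus, but it shows up again after a reboot
Trojan program Rootkit.Win32.Vanti.em File: C:\WINDOWS\TEMP\aoob.sys
I can't delete it no matter what I try; asking the experts for help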
Erika - 2006-12-3 18:24:00
Could any expert please help
UFO不幸外人 - 2006-12-3 18:25:00
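If anyone is infected with a trojan or a simple worm, please run the Rising Stethoscope (瑞星听诊器) diagnostic and send the report to 1987noodle0158@sina.com. Rising Stethoscope can be downloaded from the main Rising site; it is not very large, but it is very handy.
I am a university student who often helps people remove viruses by hand, with 5 years of experience. Please trust me; I will do my best to solve it.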
UFO不幸外人 - 2006-12-3 18:25:00
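For this virus, without knowing its characteristics I can't explain the removal method in detail
But using IceSword (冰刃) should solve the problem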
水树雨下 - 2006-12-3 18:50:00
In Safe Mode, clean out all the files in this folder: C:\WINDOWS\TEMP
UFO不幸外人 - 2006-12-3 18:54:00
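| Quote: |
[Post by 水树雨下] In Safe Mode, clean out all the files in this folder: C:\WINDOWS\TEMP ……………… |
That probably won't work, because a .sys is a system program; if it is loaded as a driver
it will also be loaded as a kernel program in Safe Mode, and likewise can't be deleted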
Erika - 2006-12-3 19:09:00
2006-12-03,18:51:40
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600)
- Administrative User - Completed Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Corporation]
<ravshell><C:\Progra~1\Eset\rund1132.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<PHIMETIPSYNC><C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync> [(Verified)Microsoft Corp.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<RTHDCPL><RTHDCPL.EXE> [(Verified)Realtek Semiconductor Corp.]
<Alcmtr><ALCMTR.EXE> [(Verified)Realtek Semiconductor Corp.]
<CJIMETIPSYNC><C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync> [(Verified)Microsoft Corp.]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"> [Kaspersky Lab]
<Systems32><C:\WINDOWS\TEMP\svchost1.exe> [N/A]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [Anti-Malware Development a.s.]
<nwiz><nwiz.exe /install> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\System32\klogon.dll> [Kaspersky Lab]
==================================
Startup Folders
N/A
==================================
Services
[ASP.NET State Service / aspnet_state]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard]
<C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[Kaspersky Internet Security 6.0 / AVP]
<"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r><Kaspersky Lab>
[Diskeeper / Diskeeper]
<C:\Program Files\Executive Software\Diskeeper\DkService.exe><Executive Software International, Inc.>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
==================================
Drivers
[a347bus / a347bus]
<\SystemRoot\System32\DRIVERS\a347bus.sys><>
[a347scsi / a347scsi]
<\SystemRoot\System32\Drivers\a347scsi.sys><>
[標準 IDE/ESDI 硬碟控制器 / atapi]
<\SystemRoot\System32\DRIVERS\atapi.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[dtscsi / dtscsi]
<\SystemRoot\System32\Drivers\dtscsi.sys><DT Soft Ltd.>
[Hamachi Network Interface / hamachi]
<System32\DRIVERS\hamachi.sys><Applied Networking Inc.>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus]
<System32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[kl1 / kl1]
<\SystemRoot\System32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif]
<\??\C:\WINDOWS\System32\drivers\klif.sys><Kaspersky Lab>
[npkcrypt / npkcrypt]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><N/A>
[nv / nv]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[StarForce Protection Environment Driver v6 / prodrv06]
<\SystemRoot\System32\drivers\prodrv06.sys><Protection Technology>
[StarForce Protection Helper Driver v2 / prohlp02]
<\SystemRoot\System32\drivers\prohlp02.sys><Protection Technology>
[StarForce Protection Synchronization Driver v1 / prosync1]
<\SystemRoot\System32\drivers\prosync1.sys><Protection Technology>
[直接平行連接埠連結驅動程式 / Ptilink]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp]
<System32\DRIVERS\Rtenicxp.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
<System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Environment Driver (version 1.x) / sfdrv01]
<\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology (StarForce)>
[StarForce Protection Helper Driver / sfhlp01]
<\SystemRoot\System32\drivers\sfhlp01.sys><Protection Technology>
[StarForce Protection Helper Driver (version 2.x) / sfhlp02]
<\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology (StarForce)>
[StarForce Protection Synchronization Driver (version 2.x) / sfsync02]
<\SystemRoot\System32\drivers\sfsync02.sys><Protection Technology>
[StarForce Protection Synchronization Driver (version 4.x) / sfsync04]
<\SystemRoot\System32\drivers\sfsync04.sys><Protection Technology (StarForce)>
[sptd / sptd]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[TSP / TSP]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
==================================
Browser Add-ons
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[IeCatch5 Class]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\PROGRA~1\FlashGet\jccatch.dll, FlashGet>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Web Anti-Virus]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, Kaspersky Lab>
[參考資料(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <C:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FlashGet\flashget.exe, FlashGet.com>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <C:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[D.S.Lite]
{F8475519-8412-4D40-A46E-692D9D04DF7F} <C:\Downloads\DSLite2\DSLite.exe, watermonster.org>
[收音機(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\System32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[上傳到QQ網路硬碟]
<C:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[下載編碼內容(&D.S.Lite)]
<C:\Downloads\DSLite2\dl_text.html, N/A>
[下載編碼檔案內容(&D.S.Lite)]
<C:\Downloads\DSLite2\dl_url.html, N/A>
[使用 FlashGet 下載]
<C:\Program Files\FlashGet\jc_link.htm, N/A>
[全部使用 FlashGet 下載]
<C:\Program Files\FlashGet\jc_all.htm, N/A>
[加入到卡巴斯基]
<C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm, N/A>
[匯出至 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[新增到QQ自定義面板]
<C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[新增到QQ表情]
<C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[添加到QQ自定義面板]
<C:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<C:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ MMS傳送該圖片]
<C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
[用QQ彩信發送該圖片]
<C:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
Erika - 2006-12-3 19:10:00
==================================
Running Processes
[PID: 760][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 808][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 832][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\System32\klogon.dll] [Kaspersky Lab, 6.0.1.411]
[PID: 880][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 892][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1076][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1176][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.1.411]
[PID: 1280][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1404][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\system32\E_SL2346.DLL] [SEIKO EPSON CORPORATION, 2, 15, 0, 0]
[PID: 1804][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1221 (xpsp2.030511-1403)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll] [Kaspersky Lab, 1.0.6.411]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[C:\Program Files\Tencent\QQ\qdshm.dll] [, 1, 0, 1, 2]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll] [Anti-Malware Development a.s., 7, 5, 0, 49]
[C:\Program Files\7-Zip\7-zip.dll] [N/A, N/A]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [Anti-Malware Development a.s., 7, 5, 0, 47]
[C:\PROGRA~1\FlashGet\jccatch.dll] [FlashGet, 1, 1, 5, 0]
[C:\WINDOWS\System32\nvwddi.dll] [NVIDIA Corporation, 6.14.10.8466]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.0.2003051500]
[PID: 2024][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 416][C:\WINDOWS\RTHDCPL.EXE] [Realtek Semiconductor Corp., 2.0.5.9]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[PID: 456][C:\WINDOWS\System32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.8466]
[C:\WINDOWS\System32\NVRSZHT.DLL] [NVIDIA Corporation, 6.14.10.8466]
[PID: 472][C:\WINDOWS\TEMP\svchost1.exe] [N/A, N/A]
[C:\WINDOWS\TEMP\e9ut9.dll] [N/A, N/A]
[PID: 480][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [Anti-Malware Development a.s., 7, 5, 0, 50]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [Anti-Malware Development a.s., 4, 2, 0, 15]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[PID: 548][C:\WINDOWS\System32\rundll32.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[C:\WINDOWS\System32\nvwddi.dll] [NVIDIA Corporation, 6.14.10.8466]
[C:\WINDOWS\System32\nvshell.dll] [N/A, N/A]
[PID: 776][C:\Program Files\Executive Software\Diskeeper\DkService.exe] [Executive Software International, Inc., 8.0.459.0]
[C:\Program Files\Executive Software\Diskeeper\DkLib.dll] [Executive Software International, Inc., 8.0.459.0]
[C:\Program Files\Executive Software\Diskeeper\DkRes.dll] [Executive Software International, Inc., 8.0.459.0]
[PID: 856][C:\WINDOWS\System32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.8466]
[PID: 2412][C:\Program Files\Maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 5, 8, 120]
[C:\Program Files\Maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll] [Kaspersky Lab, 1.0.6.411]
[C:\Program Files\Maxthon\Plugin\ViewSource\ViewSrc.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\System32\nvwddi.dll] [NVIDIA Corporation, 6.14.10.8466]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Program Files\Maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\klscav.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prremote.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prloader.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\params.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\nfio.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\fsdrvplgn.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\basegui.ppl] [Kaspersky Lab, 6.0.1.411]
[c:\program files\kaspersky lab\kaspersky internet security 6.0\winreg.ppl] [Kaspersky Lab, 6.0.1.411]
[C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\WINDOWS\System32\Macromed\Common\SwSupport.dll] [Adobe Systems, Inc., 10.1.4r20]
[PID: 2172][C:\PROGRA~1\COMMON~1\MICROS~1\IME\SHARED2.0\IMEPADSV.EXE] [Microsoft Corporation, 9.0.5510.0]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[PID: 2212][C:\Documents and Settings\Administrator\桌面\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[C:\WINDOWS\System32\nview.dll] [N/A, N/A]
[C:\WINDOWS\System32\NVWRSZHT.DLL] [NVIDIA Corporation, 6.14.10.11033]
[C:\WINDOWS\System32\nvwddi.dll] [NVIDIA Corporation, 6.14.10.8466]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.1.411]
[C:\Documents and Settings\Administrator\桌面\SREng\Plugins\SRECXTMG.SRE] [Smallfrogs Studio, 1, 5, 0, 55]
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
mopery - 2006-12-3 19:13:00
The simplest method..
Use IceSword to snip this file..
UFO不幸外人 - 2006-12-3 19:18:00
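Thank you for your support
First, the ones you deleted with the software were all viruses, but that was not everything. Please follow the method below for further removal
1. Use IceSword to end the C:\WINDOWS\TEMP\SVCHOST1.EXE process; once this process no longer starts, carry out the following operations, all of them using the file and registry tools built into IceSword.
2. Enter the registry, find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value Systems32 = C:\WINDOWS\TEMP\SVCHOST1.EXE
3. Find HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value ravshell = C:\PROGRA~1\ESET\RUND1132.EXE
4. Restart the computer C:\WINDOWS\TEMP\SVCHOST1.EXE
5. Delete the file C:\WINDOWS\TEMP\SVCHOST1.EXE (if you like, you can send a copy to my mailbox)
6. Check whether there is a file winio.sys on drive D
Check whether it is still present among the processes and whether it serves any purpose. If it is present and of no use, do the following: in the first panel of IceSword find Services, change the winio service to Manual, and stop the service
I saw the email you sent me, but I can't reply; I don't know why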
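
Added example, not part of any post in this thread: a small triage script for the autorun section of an SREng report like the one posted above. It flags entries that are not marked (Verified) and either run from a TEMP directory or carry a file name that closely imitates a Windows system binary; the KNOWN list and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Autorun lines copied from the SREng report posted in the thread.
SAMPLE = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Corporation]
<ravshell><C:\Progra~1\Eset\rund1132.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<Systems32><C:\WINDOWS\TEMP\svchost1.exe> [N/A]
<nwiz><nwiz.exe /install> [N/A]
"""

# Assumption: a short list of system binaries that malware names tend to imitate.
KNOWN = ("svchost.exe", "rundll32.exe", "explorer.exe",
         "winlogon.exe", "services.exe", "lsass.exe")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")           # registry key header
ENTRY_RE = re.compile(r"^<([^>]*)><(.*)> \[(.*)\]$")  # <name><command> [publisher]
EXE_RE = re.compile(r'([^\\/"<>]+\.exe)', re.I)       # first .exe file name in a command

def lookalike(exe):
    """Return the system binary that exe imitates, or None (exact names are fine)."""
    if exe in KNOWN:
        return None
    for known in KNOWN:
        if SequenceMatcher(None, exe, known).ratio() >= 0.8:
            return known
    return None

def triage(report):
    """Return (key, name, command, reasons) for each suspicious autorun entry."""
    findings, key = [], None
    for line in report.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        name, cmd, publisher = m.groups()
        if publisher.startswith("(Verified)"):
            continue  # entry is marked (Verified) in the report
        reasons = []
        if "\\temp\\" in cmd.lower():
            reasons.append("temp-path")
        exe = EXE_RE.search(cmd)
        twin = lookalike(exe.group(1).lower()) if exe else None
        if twin:
            reasons.append("lookalike:" + twin)
        if reasons:
            findings.append((key, name, cmd, reasons))
    return findings

if __name__ == "__main__":
    for key, name, cmd, reasons in triage(SAMPLE):
        print(f"{key}\n  {name} -> {cmd}  [{', '.join(reasons)}]")
```

On the lines taken from the report it reports exactly the two Run values named in the removal steps, `ravshell` and `Systems32`.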