Rising Kaka Security Forum

菜鸟※学习 - 2006-12-6 10:22:00
My computer is infected with a Trojan variant. Rising tries to delete the virus file directly but cannot, because it is a DLL file. It can only disinfect it, but after disinfecting, clicking that file again still shows it as a virus; it never gets cleaned completely! I downloaded a tool that can forcibly delete DLL files, and it could not delete it either! I am really frustrated! I hope you will all share your advice. This newbie is waiting here!
菜鸟※学习 - 2006-12-7 9:56:00
Is there no expert who can help me? Is my question too naive???
6981313 - 2006-12-7 9:58:00
Go to http://free5.ys168.com/?jxsbb
and download sreng2.zip (0.4 MB), a system scanning tool. Unzip it, open it, run it, perform a scan, save the log and paste the log contents here. Do not alter anything; if it does not fit in one post, split it across several! Close all manually opened programs and windows before scanning!
菜鸟※学习 - 2006-12-7 10:25:00
Thank you! I will do it right away.
菜鸟※学习 - 2006-12-7 11:25:00
2006-12-07,11:11:31

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <kis><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe">  [Kaspersky Lab]
    <!ewido><"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll>  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
    <WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll>  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [N/A]
菜鸟※学习 - 2006-12-7 11:26:00
启动文件夹
N/A

==================================
服务
[卡巴斯基互联网安全套装 6.0 / AVP]
  <"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r><Kaspersky Lab>
[ewido anti-spyware 4.0 guard / ewido anti-spyware 4.0 guard]
  <C:\Program Files\ewido anti-spyware 4.0\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Computer Storage / NHLscA]
  <C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\TCPZP.DLL,Export 1087><N/A>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[agdffjdi / agdffjdi]
  <\SystemRoot\system32\drivers\agdffjdi.sys><N/A>
[Rising TDI Base Driver / BaseTDI]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[biecfgcc / biecfgcc]
  <\SystemRoot\system32\drivers\biecfgcc.sys><中国互联网络信息中心(CNNIC)>
[ewido anti-spyware 4.0 driver / ewido anti-spyware 4.0 driver]
  <\??\C:\Program Files\ewido anti-spyware 4.0\guard.sys><N/A>
[hnaomuh / hnaomuhj]
  <\SystemRoot\System32\DRIVERS\hnaomuhj.sys><N/A>
[HookUrl / HookUrl]
  <\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[kl1 / kl1]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif]
  <\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[mProcRs / mProcRs]
  <\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[msqmx / msqmx]
  <\SystemRoot\system32\drivers\msqmx.sys><Microsoft Corporation>
[mzcy / mzcyp]
  <\SystemRoot\System32\DRIVERS\mzcyp.sys><N/A>
[npkcrypt / npkcrypt]
  <\??\E:\新建文件夹\npkcrypt.sys><INCA Internet Co., Ltd.>
[npkycryp / npkycryp]
  <\??\F:\新建文件夹\npkycryp.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv]
  <\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
  <system32\DRIVERS\secdrv.sys><N/A>
[Si3112 / Si3112]
  <C:\WINDOWS\SYSTEM32\DRIVERS\Si3112.SYS><Silicon Image, Inc.>
[TSP / TSP]
  <\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[wzssijg / wzssijgh]
  <\SystemRoot\System32\DRIVERS\wzssijgh.sys><N/A>
菜鸟※学习 - 2006-12-7 11:27:00
浏览器加载项
[Web反病毒保护]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, Kaspersky Lab>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\Msjava.dll, Microsoft Corporation>
[XBTB05774 Class]
  {129DD540-E5E4-4601-825A-43ED660159E0} <, N/A>
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\Mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Tabular Data Control]
  {333C7BC4-460F-11D0-BC04-0080C7055A83} <C:\WINDOWS\system32\tdc.ocx, Microsoft Corporation>
[Microsoft Office Control]
  {4453D895-F2A1-4A38-A285-1EF9BD3F6D5D} <C:\PROGRA~1\MICROS~1\OFFICE11\AUTHZAX.DLL, Microsoft Corporation>
[CEditCtrl Object]
  {488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\AliEdit.dll, www.alipay.com>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Active Desktop Mover]
  {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[Microsoft Web 浏览器]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Microsoft Scriptlet Component]
  {AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\Mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[上传到QQ网络硬盘]
  <E:\新建文件夹\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
  <E:\新建文件夹\AddPanel.htm, N/A>
[添加到QQ表情]
  <E:\新建文件夹\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <E:\新建文件夹\SendMMS.htm, N/A>
[用比特精灵下载(&B)]
  <C:\Program Files\BitSpirit_iparmor\bsurl.htm, N/A
菜鸟※学习 - 2006-12-7 11:28:00
正在运行的进程
[PID: 548][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 612][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 636][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\klogon.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 680][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 692][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 848][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 892][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 960][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 1040][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1104][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1176][c:\program files\rising\rfw\rfwsrv.exe]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 33]
    [c:\program files\rising\rfw\RfwRule.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 13]
    [c:\program files\rising\rfw\rfwlog.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 6]
    [c:\program files\rising\rfw\Rfwdrv.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 21]
    [c:\program files\rising\rfw\MonDrv.dll]  [rs, 1, 0, 0, 4]
    [c:\program files\rising\rfw\ProcLib.dll]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 9]
[PID: 1508][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\vprproc.dll]  [Windows (R) 2000 DDK provider, 5.00.2195.1620]
[PID: 804][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2896][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\rqxch.dll]  [N/A, N/A]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
    [F:\rarext.dll]  [N/A, N/A]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\ewido anti-spyware 4.0\context.dll]  [Anti-Malware Development a.s., 4, 0, 0, 172]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 2932][c:\program files\rising\rfw\RfwMain.exe]  [Beijing Rising Technology Co., Ltd., 4, 0, 0, 52]
    [c:\program files\rising\rfw\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 23]
    [c:\program files\rising\rfw\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [c:\program files\rising\rfw\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[PID: 3772][C:\Program Files\ewido anti-spyware 4.0\ewido.exe]  [Anti-Malware Development a.s., 4, 0, 0, 172]
    [C:\Program Files\ewido anti-spyware 4.0\engine.dll]  [Anti-Malware Development a.s., 4, 0, 0, 172]
[PID: 3304][C:\Documents and Settings\Administrator\桌面\MT木马捆绑克星\mview21.exe]  [UULAND, 2.10.0.0]
    [C:\Documents and Settings\Administrator\桌面\MT木马捆绑克星\meng.dll]  [UULAND LABS, 2, 10, 0, 1]
[PID: 2128][C:\Documents and Settings\Administrator\桌面\SREng\SREng.exe]  [Smallfrogs Studio, 2.2.6.605]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
菜鸟※学习 - 2006-12-7 11:34:00
Please take a look for me! I heard from others that Kaspersky is good, so I uninstalled Rising. But after I installed Kaspersky, it could not detect the virus at all. Using MT木马捆绑克星 I found many problems. My copy of Rising is a legitimate licensed one. I do not know what to do now; please point me in the right direction.
6981313 - 2006-12-7 11:52:00
The log has not been fully posted, has it?
6981313 - 2006-12-7 12:04:00
Open SREng - Startup Items - Services - Win32 Service Applications, tick "Hide verified Microsoft items", then find and delete:
<C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\TCPZP.DLL,Export 1087><N/A>
Open SREng - Startup Items - Services - Drivers, tick "Hide verified Microsoft items", then find and delete:
\SystemRoot\system32\drivers\agdffjdi.sys><N/A>
<\SystemRoot\System32\DRIVERS\hnaomuhj.sys><N/A>
<\SystemRoot\System32\DRIVERS\mzcyp.sys><N/A>
<\SystemRoot\System32\DRIVERS\wzssijgh.sys><N/A>
In Safe Mode, show hidden files and folders and delete:
[C:\WINDOWS\system32\rqxch.dll] [N/A, N/A]
\SystemRoot\system32\drivers\agdffjdi.sys><N/A>
<\SystemRoot\System32\DRIVERS\hnaomuhj.sys><N/A>
<\SystemRoot\System32\DRIVERS\mzcyp.sys><N/A>
<\SystemRoot\System32\DRIVERS\wzssijgh.sys><N/A>
C:\WINDOWS\SYSTEM32\WBEM\TCPZP.DLL
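The triage done by eye above (hide the verified Microsoft items, then look at what is left: a service started through RUNDLL32 with an export ordinal, kernel drivers with no publisher, a module in Explorer.EXE with no version information) can be scripted. The following is an added example, not code from this thread or from SREng. It parses lines in the report format pasted above and produces a review list with reasons. The sample report embedded in it is constructed from a subset of the lines in the thread; the regular expressions and the rule names are the example's own assumptions about the format. It is a review list, not a verdict: secdrv.sys, a copy-protection driver that ships without publisher metadata, lands in the list too, which is exactly why the analyst's knowledge is still needed.

```python
"""Triage helper for SREng-style startup reports (added example, not SREng code)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on lines from the thread's SREng report.
SAMPLE_REPORT = r"""
[Human Interface Device Access / HidServ]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Computer Storage / NHLscA]
  <C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\TCPZP.DLL,Export 1087><N/A>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[agdffjdi / agdffjdi]
  <\SystemRoot\system32\drivers\agdffjdi.sys><N/A>
[hnaomuh / hnaomuhj]
  <\SystemRoot\System32\DRIVERS\hnaomuhj.sys><N/A>
[kl1 / kl1]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[Secdrv / Secdrv]
  <system32\DRIVERS\secdrv.sys><N/A>
[PID: 2896][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\rqxch.dll]  [N/A, N/A]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll]  [Kaspersky Lab, 6.0.0.299]
"""

# Line shapes assumed from the pasted report: "[display / name]" followed by
# "  <command><publisher>" for services and drivers; "[PID: n][image]  [info]"
# followed by indented "[module]  [company, version]" lines for processes.
HEADER_RE = re.compile(r"^\[(?P<display>.*?) / (?P<name>.*?)\]$")
ENTRY_RE = re.compile(r"^\s*<(?P<cmd>.*)><(?P<publisher>.*)>$")
PROCESS_RE = re.compile(r"^\[PID: (?P<pid>\d+)\]\[(?P<image>.+?)\]\s+\[(?P<info>.*)\]$")
MODULE_RE = re.compile(r"^\s+\[(?P<path>.+?)\]\s+\[(?P<info>.*)\]$")
RUNDLL_ORDINAL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?),\s*Export\s+\d+", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "service", "driver" or "module"
    name: str
    path: str
    publisher: str
    reasons: list = field(default_factory=list)


def classify_entry(display: str, name: str, cmd: str, publisher: str) -> Finding:
    """Apply the review rules to one service or driver entry."""
    is_driver = cmd.lower().endswith(".sys")
    finding = Finding("driver" if is_driver else "service", name, cmd, publisher)
    if publisher.startswith("(Verified)"):
        return finding  # mirrors SREng's "hide verified Microsoft items" option
    m = RUNDLL_ORDINAL_RE.search(cmd)
    if m:
        finding.reasons.append(
            f"service loads {m.group('dll')} through rundll32 by export ordinal")
    if is_driver and publisher == "N/A":
        finding.reasons.append("kernel driver with no publisher information")
    if display != name and display.islower() and name.lower().startswith(display):
        # Pattern seen in this report's unknown drivers: display name is the
        # service name with its last character dropped.
        finding.reasons.append("display name is a truncated copy of the service name")
    return finding


def classify_module(path: str, info: str) -> Finding:
    """A DLL loaded into a process without any company or version metadata."""
    finding = Finding("module", path.rsplit("\\", 1)[-1], path, info)
    if info.strip() == "N/A, N/A":
        finding.reasons.append("loaded module carries no company or version information")
    return finding


def parse_report(text: str) -> list:
    findings = []
    pending = None  # (display, name) of the header awaiting its <cmd><publisher> line
    for line in text.splitlines():
        if not line.strip():
            continue
        if PROCESS_RE.match(line):
            pending = None
            continue
        if (m := HEADER_RE.match(line)):
            pending = (m.group("display"), m.group("name"))
            continue
        if pending and (m := ENTRY_RE.match(line)):
            findings.append(classify_entry(*pending, m.group("cmd"), m.group("publisher")))
            pending = None
            continue
        if (m := MODULE_RE.match(line)):
            findings.append(classify_module(m.group("path"), m.group("info")))
    return findings


def review_list(text: str) -> dict:
    """Return {name: [reasons]} for every entry that tripped at least one rule."""
    return {f.name: f.reasons for f in parse_report(text) if f.reasons}


if __name__ == "__main__":
    for name, reasons in review_list(SAMPLE_REPORT).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the review list contains NHLscA (rundll32 by ordinal), agdffjdi, hnaomuhj and Secdrv (drivers without publisher), and rqxch.dll (module with no metadata), while HidServ, RfwService, kl1 and shellex.dll pass. Every entry on the list still needs a human to check the file's hash and origin before anything is removed.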
菜鸟※学习 - 2006-12-7 12:19:00
I did post all of it! Sorry to bother you again: how do I open SREng - Startup Items - Services - Win32 Service Applications? Thank you.
菜鸟※学习 - 2006-12-7 12:22:00
Oh! I get it! It is opened inside sreng2, right? Thank you!
菜鸟※学习 - 2006-12-7 13:19:00
WINDOWS\system32\rqxch.dll cannot be deleted in Safe Mode! rqxch.dll is the virus; Rising can detect it but cannot delete it either. \SystemRoot\system32\drivers\agdffjdi.sys><N/A>
<\SystemRoot\System32\DRIVERS\hnaomuhj.sys><N/A>
<\SystemRoot\System32\DRIVERS\mzcyp.sys><N/A>
<\SystemRoot\System32\DRIVERS\wzssijgh.sys><N/A>
C:\WINDOWS\SYSTEM32\WBEM\TCPZP.DLL
I cannot find these?
红夜鬼1 - 2006-12-7 13:23:00
My Computer -> Folder Options -> View: untick "Hide protected operating system files", tick "Show all files", and untick "Hide extensions for known file types".
Then look again.
菜鸟※学习 - 2006-12-7 13:31:00
OK!
菜鸟※学习 - 2006-12-7 14:39:00
WINDOWS\system32\rqxch.dll cannot be deleted in Safe Mode!
I cannot find the SystemRoot folder?

There is no TCPZP.DLL file in the WINDOWS\SYSTEM32\WBEM folder! I have made all hidden files visible, including protected system files, but I still cannot find it. Please help! Thank you!
菜鸟※学习 - 2006-12-7 16:19:00
While deleting files I accidentally deleted the registry information for my network card. I can still get online now, but Device Manager shows: "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)"
Direct Parallel! Can you tell me how to restore or repair this problem? I downloaded a new driver, but after installing it, it is still the same! My network card is an 8139.
6981313 - 2006-12-7 16:31:00
SystemRoot means the system drive; yours is C:
Download another one from the Internet; search on Baidu.