这个spoolsv.exe怎么这么难弄呀！达人请出手帮帮我。 bbs.ikaka.com

caocaocao - 2007-2-1 10:14:00

大家知道正常情况下这个东西位于c:\windows\system32目录下，跟打印服务有关。问题是本人没有安装打印机，也没有开启打印功能，而且我的这个程序已经从上面的目录里和从DLLCACHE中全部删除了。可是我的电脑总是在毫无察觉的情况下开启这个进程，而且程序位于c:\windows目录下，隐藏属性，可以删除，可是不久又会自动爆出来，一旦开启，就会不停的向网络不固定的ip地址发出连接要求。程序大小为258kb,属性显示是微软公司发布的。可是偶觉得不可信。请哪位达人指点一二。

高歌猛进 - 2007-2-1 10:22:00

服务中禁用

caocaocao - 2007-2-1 10:35:00

没有用的，我把相关的注册表项目也全部清除了，禁用了打印服务，可是还是莫明其妙的自动出现这个东西。

baohe - 2007-2-1 10:39:00

【回复“caocaocao”的帖子】
扫个SREng日志贴上来

caocaocao - 2007-2-1 13:21:00

[CODE]

2007-02-01,12:57:06

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\windows\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<KvXP><; "D:\KV2006\KvXP.kxp" /ScanBoot /ScanSys> [Jiangmin Co.Ltd]
<bgswitch><; C:\WINDOWS\system32\bgswitch.exe> [N/A]
<dianlei><; "D:\Program Files\Dianlei\dianlei.exe" -Tray> [N/A]
<KVFW><; "C:\Program Files\KVFW\kvfw.exe" -silent> [Beijing Jiangmin.]
<PcSync><; > [N/A]
<xvcclip><; > [N/A]
<eMuleAutoStart><D:\Program Files\eMule\emule.exe -AutoStart> [http://www.emule-project.net]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ATICCC><; "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay> [N/A]
<DAEMON Tools><; "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033> [(Verified)DT Soft Ltd.]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<KvMonXP><; "D:\KV2006\KVMonXP.kxp" /auto> [Jiangmin Co.Ltd]
<NeroFilterCheck><; C:\WINDOWS\system32\NeroCheck.exe> [Ahead Software Gmbh]
<PCSuiteTrayApplication><; C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup> [Nokia]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<SoundMan><; SOUNDMAN.EXE> [(Verified)Realtek Semiconductor Corp.]
<SunJavaUpdateSched><; C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RegMon32]
<WinlogonNotify: RegMon32><cryptchr.dll> [Microsoft Corporation]

caocaocao - 2007-2-1 13:23:00

==================================
启动文件夹
N/A

==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Disabled]
<C:\windows\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Disabled]
<C:\WINDOWS\system32\ati2sgag.exe><>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Disabled]
<"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[KVSrvXP / KVSrvXP][Stopped/Disabled]
<D:\KV2006\KVSrvXP.exe /Service><Jiangmin Co. Ltd>
[KVWSC / KVWSC][Stopped/Disabled]
<"D:\KV2006\kvwsc.exe"><Jiangmin Co.Ltd>
[LightScribeService Direct Disc Labeling Service / LightScribeService][Stopped/Disabled]
<"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[MPSVC Service / MPSVCService][Stopped/Auto Start]
<D:\weidian\Micropoint\MPSVC.exe><Micropoint Corporation>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd][Stopped/Disabled]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><CACE Technologies>
[ServiceLayer / ServiceLayer][Stopped/Disabled]
<"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"><Nokia.>
[Shadow System Service / ShadowSystemService][Stopped/Disabled]
<C:\WINDOWS\system32\shadow\ShadowService.exe><N/A>
[InternetExplorer / SocksCap][Stopped/Disabled]
<><N/A>
[Print Spooler / Spooler][Stopped/Disabled]
<><N/A>
[Windows Media Player / Windows Media Player][Stopped/Disabled]
<C:\windows\system32\com\player><N/A>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\windows\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Bluetooth Audio Service / BlueletAudio][Stopped/Manual Start]
<system32\DRIVERS\blueletaudio.sys><IVT Corporation>
[Bluetooth PAN Network Adapter / BT][Stopped/Manual Start]
<system32\DRIVERS\btnetdrv.sys><IVT Corporation>
[Bluetooth USB For Bluetooth Service / Btcsrusb][Stopped/Manual Start]
<System32\Drivers\btcusb.sys><IVT Corporation>
[Bluetooth HID Enumerator / BTHidEnum][Stopped/Manual Start]
<system32\DRIVERS\vbtenum.sys><N/A>
[Bluetooth HID Manager Service / BTHidMgr][Running/Boot Start]
<\SystemRoot\System32\Drivers\BTHidMgr.sys><IVT Corporation>
[Bluetooth Network Filter / BTNetFilter][Stopped/Manual Start]
<\??\C:\windows\system32\drivers\BTNetFilter.sys><N/A>
[Yamaha DS1 Audio Driver (WDM) / ds1][Running/Manual Start]
<system32\drivers\ds1wdm.sys><Yamaha Corp.>
[GMSIPCI / GMSIPCI][Stopped/Manual Start]
<\??\H:\INSTALL\GMSIPCI.SYS><N/A>
[Network Fire Hydrant / HdFw_slot][Running/Auto Start]
<\??\C:\Program Files\KVFW\hdfw.sys><北京江民新科技术有限公司>
[KRegEx / KRegEx][Running/System Start]
<\??\D:\KV2006\KRegEx.sys><Jiangmin Co. Ltd.>
[KSysCall Service / KSysCall][Running/System Start]
<\??\D:\KV2006\KSysCall.sys><Jiangmin Co. Ltd.>
[KVDriver for NT (KVDP) / KVDP][Stopped/Manual Start]
<\??\D:\KV2006\KVDP_1.sys><Jiangmin Co., Ltd.>
[KVDP_1 / KVDP_1][Stopped/Manual Start]
<\??\D:\KV2006\KVDP_1.sys><Jiangmin Co., Ltd.>
[KvMemon / KvMemon][Stopped/Manual Start]
<\??\D:\KV2006\KvMemon.sys><Jiangmin Co. Ltd.>
[KVREDIR / KVREDIR][Running/System Start]
<\??\D:\KV2006\KVREDIR.sys><Jiangmin Co. Ltd>
[mp110001 / mp110001][Running/Auto Start]
<system32\drivers\mp110001.sys><MicroPoint Corporation>
[mp110002 / mp110002][Running/Auto Start]
<system32\drivers\mp110002.sys><Micropoint Corporation>
[mp110003 / mp110003][Running/Boot Start]
<\SystemRoot\system32\drivers\mp110003.sys><Micropoint Corporation>
[mp110004 / mp110004][Running/Auto Start]
<system32\drivers\mp110004.sys><Micropoint Corporation>
[mp110005 / mp110005][Running/Manual Start]
<system32\drivers\mp110005.sys><Micropoint Corporation>
[mp110006 / mp110006][Running/System Start]
<system32\drivers\mp110006.sys><Micropoint Corporation>
[mp110007 / mp110007][Running/System Start]
<system32\drivers\mp110007.sys><Micropoint Corporation>
[mp110008 / mp110008][Running/Auto Start]
<system32\drivers\mp110008.sys><Micropoint Corporation>
[mp110009 / mp110009][Running/System Start]
<system32\drivers\mp110009.sys><Micropoint Corporation>
[mp110010 / mp110010][Running/Boot Start]
<\SystemRoot\system32\drivers\mp110010.sys><Micropoint Corporation>
[mp110011 / mp110011][Running/System Start]
<system32\drivers\mp110011.sys><Micropoint Corporation>
[mp110012 / mp110012][Stopped/Manual Start]
<system32\drivers\mp110012.sys><Micropoint Corporation>
[mp110013 / mp110013][Running/Boot Start]
<\SystemRoot\system32\drivers\mp110013.sys><Micropoint Corporation>
[Nokia USB Generic / Nokia USB Generic][Stopped/Manual Start]
<system32\drivers\nmwcdc.sys><Nokia>
[Nokia USB Modem / Nokia USB Modem][Stopped/Manual Start]
<system32\drivers\nmwcdcm.sys><Nokia>
[Nokia USB Phone Parent / Nokia USB Phone Parent][Stopped/Manual Start]
<system32\drivers\nmwcd.sys><Nokia>
[NetGroup Packet Filter Driver / NPF][Stopped/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
[NTACCESS / NTACCESS][Stopped/Manual Start]
<\??\H:\NTACCESS.sys><N/A>
[PProtect / PProtect][Running/System Start]
<\??\D:\KV2006\PProtect.sys><Jiangmin Co. Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
<system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SetupNTGLM7X / SetupNTGLM7X][Stopped/Manual Start]
<\??\H:\NTGLM7X.sys><N/A>
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[TCP/IP Protocol Driver / Tcpip][Running/System Start]
<system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[Virtual Serial port driver / VComm][Stopped/Manual Start]
<system32\DRIVERS\VComm.sys><IVT Corporation>
[Bluetooth VComm Manager Service / VcommMgr][Stopped/Manual Start]
<System32\Drivers\VcommMgr.sys><IVT Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

caocaocao - 2007-2-1 13:24:00

==================================
浏览器加载项
[启动迅雷5]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <d:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[网中漫步]
{6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://bbs.hz0752.net, N/A>
[启动Web迅雷]
{962EFB8E-2683-42d4-AC74-AAA4C759B9C6} <http://my.xunlei.com, N/A>
[快车]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\flashget.exe, FlashGet.com>
[江民杀毒工具栏]
{B5A34A93-D538-43A7-8371-864CB6148D12} <D:\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[快车(FlashGet)]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\Program Files\FlashGet\fgiebar.dll, Amaze Soft>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, N/A>
[CEditCtrl Object]
{488A4255-3236-44B3-8F27-FA1AECAA8844} <, N/A>
[Java Plug-in 1.4.2_06]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll, JavaSoft / Sun Microsystems, Inc.>
[Java Plug-in 1.4.2_06]
{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} <C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll, JavaSoft / Sun Microsystems, Inc.>
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} <C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_016.dll, Thunder Networking Technologies,LTD>
[&Google]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, N/A>
[BitComet Helper]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <, N/A>
[FiltrateWebObj Class]
{42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} <D:\KV2006\KVBHO.dll, Jiangmin Co.Ltd>
[BHOHelper Class]
{67A90DD6-128D-43AB-B97C-565D2DD42A28} <, N/A>
[WangWangObj Class]
{6E213FC7-DD5A-4115-B7E6-D4C7838C361E} <D:\Program Files\淘宝网\淘宝旺旺\WangWangX4.dll, 阿里软件（中国）有限公司>
[Active Desktop Mover]
{72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[BrowseHelper Class]
{80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} <D:\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[Google Toolbar Helper]
{AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, N/A>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[江民杀毒工具栏]
{B5A34A93-D538-43A7-8371-864CB6148D12} <D:\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[快车(FlashGet)]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\Program Files\FlashGet\fgiebar.dll, Amaze Soft>
[ADXAutoLive]
{E5212437-921F-44a3-8865-11C0B9BA4AF2} <C:\Program Files\real\autolive.dll, Microsoft Corporation>
[gFlash Class]
{F156768E-81EF-470C-9057-481BA8380DBA} <, N/A>
[&使用BitComet下载]
<res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
[&使用BitComet下载全部链接]
<res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
[&使用BitComet下载本页视频]
<res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm, N/A>
[&使用快车(FlashGet)下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[&使用快车(FlashGet)下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[&使用迅雷下载]
<d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[使用Web迅雷下载]
<C:\Program Files\Thunder Network\WebThunder\GetUrl.htm, N/A>
[使用Web迅雷下载全部链接]
<C:\Program Files\Thunder Network\WebThunder\GetAllUrl.htm, N/A>

==================================
正在运行的进程
[PID: 448][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 504][\??\C:\windows\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 528][\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[C:\windows\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4128]
[PID: 572][C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 584][C:\windows\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 744][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 952][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1056][C:\windows\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1136][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1224][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1872][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[C:\PROGRA~1\Nokia\NOKIAP~1\Lang\ConnectionManager_chi-sc.nlr] [Nokia, 6, 82, 52, 0]
[d:\Program Files\K-Lite Codec Pack\filters\vsfilter.dll] [Gabest, 1, 0, 0, 9]
[d:\Program Files\Thunder Network\Thunder\Components\VPShell\RealMediaSplitter.ax] [Gabest, 1, 0, 1, 0]
[d:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax] [N/A, 1.0.2.2012]
[d:\Program Files\K-Lite Codec Pack\filters\xvid.ax] [N/A, N/A]
[C:\Program Files\Common Files\Ahead\DSFilter\NeVideo.ax] [Nero AG, 3,2,0,18]
[C:\Program Files\Common Files\Ahead\Lib\AdvrCntr.dll] [Ahead Software AG, 1,2,12, 2310]
[d:\Program Files\K-Lite Codec Pack\filters\divxdec.ax] [DivXNetworks, Inc., 5.2.1.1335]
[PID: 1040][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1672][C:\windows\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 2348][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 2444][D:\KV2006\UIHost.exe] [Jiangmin Co. Ltd, 9.2.0.50822]
[D:\KV2006\UpdateX.dll] [JiangMin Co.Ltd., 9, 0, 5, 831]
[D:\KV2006\ComUI.dll] [Jiangmin Ltd., 9. 0. 0.509]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[D:\KV2006\ComUIPS.dll] [Jiangmin Ltd., 9. 5. 5. 20]
[D:\KV2006\GUIExt.dll] [Jiangmin Co.Ltd, 9, 0, 5, 927]
[D:\KV2006\lang\GUIExt0804.lng] [JiangMin Ltd., 7, 1, 0, 200]
[PID: 2752][D:\Program Files\eMule\emule.exe] [http://www.emule-project.net, 0.47.2 Unicode]
[D:\Program Files\eMule\lang\zh_CN.dll] [http://www.emule-project.net, 0.47.2]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[PID: 960][D:\Program Files\Video Converter\VideoConverter.exe] [MZ, 1, 0, 0, 1]
[D:\Program Files\Video Converter\MediaInfo.dll] [http://mediainfo.sourceforge.net, 0.7.2.1]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[C:\windows\system32\msdmo.dll] [N/A, N/A]
[d:\Program Files\K-Lite Codec Pack\filters\vsfilter.dll] [Gabest, 1, 0, 0, 9]
[d:\Program Files\Thunder Network\Thunder\Components\VPShell\RealMediaSplitter.ax] [Gabest, 1, 0, 1, 0]
[d:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax] [N/A, 1.0.2.2012]
[d:\Program Files\K-Lite Codec Pack\filters\ac3filter.ax] [, 1.01a]
[C:\Program Files\Common Files\Ahead\DSFilter\NeVideo.ax] [Nero AG, 3,2,0,18]
[C:\Program Files\Common Files\Ahead\Lib\AdvrCntr.dll] [Ahead Software AG, 1,2,12, 2310]
[PID: 2344][C:\windows\system32\cmd.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3168][C:\windows\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3904][C:\windows\spoolsv.exe] [Microsoft Corporation., 0.0.0.1]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1280][D:\Program Files\Video Converter\mencoder.exe] [, Sherpya-MinGW-20060312-4.1.0]
[D:\Program Files\Video Converter\codecs\drv43260.dll] [RealNetworks, Inc., 6.0.7.2389]
[C:\windows\system32\PNCRT.dll] [Real Networks, Inc, 6.0.0.0]
[PID: 3992][C:\PROGRA~1\Zipghost\Zipghost.exe] [Guohua Software, 3.7.0.510]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]
[PID: 1964][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZG0012\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[D:\weidian\Micropoint\mp110031.dll] [Micropoint Corporation, 1.2.10032]

caocaocao - 2007-2-1 13:25:00

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\windows\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 bbs.mmsk.cn
127.0.0.1 www.mmsk.cn
127.0.0.1 soudong.com
127.0.0.1 www.soudong.com

==================================
API HOOK
N/A

==================================

[/CODE]

caocaocao - 2007-2-1 13:29:00

偶再贴个图片，可以看到问件属性和生成的时间。

附件: 719231200721132013.bmp

caocaocao - 2007-2-1 13:42:00

再发个昨天用**监控的记录

附件: 719231200721133312.bmp

baohe - 2007-2-1 14:17:00

【回复“caocaocao”的帖子】
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<PcSync><; > [N/A]
<xvcclip><; > [N/A]
这是什么？

[Print Spooler / Spooler][Stopped/Disabled]
<><N/A>
[Windows Media Player / Windows Media Player][Stopped/Disabled]
<C:\windows\system32\com\player><N/A>
删除这两个驱动。重启后，删除C:\windows\system32\com\player。

[GMSIPCI / GMSIPCI][Stopped/Manual Start]
<\??\H:\INSTALL\GMSIPCI.SYS><N/A>
[NTACCESS / NTACCESS][Stopped/Manual Start]
<\??\H:\NTACCESS.sys><N/A>
[SetupNTGLM7X / SetupNTGLM7X][Stopped/Manual Start]
<\??\H:\NTGLM7X.sys><N/A>
不认识的驱动

[NetGroup Packet Filter Driver / NPF][Stopped/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
删除这个驱动。重启后，删除C:\windows\system32\drivers\npf.sys。

另：请将那个C:\WINDOWS\SPOOLSV.EXE打包，加密（解压密码用：123），发到：baohelin@yahoo.com.cn

caocaocao - 2007-2-1 19:09:00

PcSync这个东西是安装NOKIApcsuite时安装的文件
xvcclip这个我也不知道
GMSIPCI / GMSIPCI][Stopped/Manual Start]
<\??\H:\INSTALL\GMSIPCI.SYS><N/A>
[NTACCESS / NTACCESS][Stopped/Manual Start]
<\??\H:\NTACCESS.sys><N/A>
[SetupNTGLM7X / SetupNTGLM7X][Stopped/Manual Start]
<\??\H:\NTGLM7X.sys><N/A>
不认识的驱动
这一段是安装某个驱动时（H:是光驱号）留下的东西，木马克星也老是报告这个东西，但是没办法找到删除。用的是随机的正版，应该不是病毒之类的东西。（因为安装的多了，一时想不起是那个硬件或者数码产品的驱动，不好意思）
C:\windows\system32\com\player没有找到

caocaocao - 2007-2-3 11:15:00

报告版主：偶把那个npf.sys干掉后，这两天都没看见这个讨厌的spoolsv.exe出来了，可是在这之前偶忘了保存样本，唉！自我鄙视中......
PS:一旦发现再次中毒，我立即给您发送病毒样本。
谢谢您的指点！！！

caocaocao - 2007-2-3 15:38:00

哈哈哈哈！！！！！！功夫不负苦心人，偶终于还是等到这个家伙了！今上午再次出现这个该死的东西。顺带报告一下，这个东西虽然向一些不固定的网址发出信息，但是没有明显地占用系统资源，跟网络上各位朋友常见地动不动就要98％占用CPU资源完全不一样哟

ADL - 2007-2-3 15:41:00

http://www.microsoft.com/china/technet/security/bulletin/MS05-043.mspx

Microsoft 安全公告 MS05-043
Print Spooler 服务中的漏洞可能允许远程执行代码 (896423)

发布日期： 2005 年 8 月 9 日
版本： 1.0

摘要
本文的目标读者：使用 Microsoft Windows 的客户

漏洞的影响：远程执行代码

最高严重等级：严重

建议：客户应立即应用此更新。

安全更新替代：无

注意事项：无

测试过的软件和安全更新下载位置：

受影响的软件：

? Microsoft Windows 2000 Service Pack 4 – 下载此更新

? Microsoft Windows XP Service Pack 1 和 Microsoft Windows XP Service Pack 2 – 下载此更新

? Microsoft Windows Server 2003 – 下载此更新

? Microsoft Windows Server 2003（用于基于 Itanium 的系统） – 下载此更新

不受影响的软件：

? Microsoft Windows XP Professional x64 Edition

? Microsoft Windows Server 2003 Service Pack 1

? Microsoft Windows Server 2003 with SP1（用于基于 Itanium 的系统）

? Microsoft Windows Server 2003 x64 Edition

? Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE) 和 Microsoft Windows Millennium Edition (ME)

caocaocao - 2007-2-4 17:13:00

谢谢ADL兄的指点，不过我的机器没有这个漏洞，重新打上这个补丁不到半小时还是出现这个东西了。

爬围墙上青天 - 2007-2-4 17:16:00

用超级兔子删```

caocaocao - 2007-2-4 17:17:00

青天老哥，兔子连他的踪影都发现不了，遑论删除了。^=^

caocaocao - 2007-2-5 9:55:00

呓！难道这个问题就这样沉底了吗？偶不相信！偶不相信！！！！

spacely - 2007-2-5 22:13:00

【回复“caocaocao”的帖子】
我单位局域网上的一个机器也中了！呜呜！尝试了N种方法，还是没办法。在注册表的好几个位置都找到了spoolsv.exe键值，删除后问题依旧，指向是c:\windows\spoolsv.exe，这一点和网上热论的c:\windows\system32\spoolsv.exe可是两码事，高人在哪啊？？

caocaocao - 2007-2-6 20:34:00

baohe老大，您有没有从源码中看出点啥子名堂哟！难道只有重装系统了不成？？

caocaocao - 2007-2-9 9:02:00

偶耐心等待中。。。。。。

IGaara - 2007-2-9 10:23:00

呵呵说句LZ不喜欢的话，
不是我的电脑我才懒得看RSING分析的东西，呵呵。
你不是本地中毒吗？
教你一个超级简单的方法，就是把spoolsv.exe提取出来
在虚拟机里面运行，并且监控。
不就OK了？
郁闷求人不如求己
唉~！
咱不是N淫，脱壳的不懂，反汇编的不懂，分析的更不懂。
呵呵。

caocaocao - 2007-2-12 19:22:00

看来偶是没戏了，重新装系统吧！！！

瑞星卡卡安全论坛