版主baohe的贴 bbs.ikaka.com

kazefei - 2007-2-26 13:43:00

看了版主baohe的贴
才知道电脑是中了病毒
进程里有DRIVER.EXE跟WUAUCLL.EXE
还有一个RUNDLLFROMWIN2,怪怪的不知道是什么

启动后桌面不显示,就说有ERROR,正在创建日志什么的
任务管理器中用新任务可以打开文件
另外老弹出来什么**电影的网站
超级烦人

照BAOHE的做了一遍
CMD.COM跟SVCHOST.COM这两个文件没找到
所以没删成
结果是老样子
桌面还是不出来

怎么办啊?
哪位帮忙看看.....?

姑苏残月 - 2007-2-26 13:48:00

去下载SRENG,扫描日志发上来吧.SRENG的下载地址和使用说明置顶中有

魔域乖乖 - 2007-2-26 13:48:00

扫个日志好点,爱莫能助

魔域乖乖 - 2007-2-26 13:50:00

http://www.kztechs.com/sreng/.zip 下载System Repair Engineer
1 解压缩sreng2.zip
2 运行SREng.exe
3 智能扫描=》扫描=》保存报告
4 把日志中的报告完整拷贝贴上来，不要修改
注意:在扫描的时候别运行其他程序
如果sreng不能运行，就把拓展名改成com、scr
嘻嘻

kazefei - 2007-2-26 13:52:00

谢谢两位
也许除了WUAUCLL.EXE
还有其他病毒
那我扫一个日志上来吧

kazefei - 2007-2-26 15:18:00

在新任务中输入EXPLORER.EXE
桌面出来了
不过还是有很多莫名其妙的进程
日志哪位帮忙分析下?
[CODE]

2007-02-26,14:33:17

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File

Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Corporation]
<9bebulc0stir><C:\WINNT\rundl13a.exe> [N/A]
<wc0ldm><C:\WINNT\Servera.exe> [N/A]
<svc><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\sysonling.exe> [Microsoft Corporation]
<jiy46ift><C:\WINNT\iexpl0re.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Corporation]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<JobHisInit><C:\Program Files\RMClient\JobHisInit.exe> [N/A]
<MplSetUp><C:\Program Files\RMClient\MplSetUp.exe> [RICOH CO.,LTD.]
<mppds><C:\WINNT\mppds.exe> [N/A]
<msccrt><C:\WINNT\msccrt.exe> [N/A]
<wsttrs><C:\WINNT\wsttrs.exe> [N/A]
<cmdbcs><C:\WINNT\cmdbcs.exe> [N/A]
<wWinlogin><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\wkernel33.exe> [N/A]
<System><C:\Program Files\Common Files\System\Updaterun.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINNT\system32\ctfnom.exe> [N/A]
<main><rundll32.exe "C:\program files\internet explorer\use17.dll" mymain> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> [N/A]
<{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys> [N/A]
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat> [N/A]
<{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}><C:\Program Files\Internet Explorer\IEXPLORE.win> [N/A]
<{4DEC9B29-F08F-4cbc-B179-592B9283FAC9}><c:\program files\rising\rav\puifefkj.dll> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINNT\System32\scrnsave.scr> [(Verified)Microsoft Corporation]

==================================
Startup Folders
[Office ｽﾀｰﾄｱｯﾌﾟ]
<C:\Documents and Settings\All Users\スタートメニュー\プログラム\スタートアップ\Office ｽﾀｰﾄｱｯﾌﾟ.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA.EXE [N/A]><N>
[Microsoft Office ｼｮｰﾄｶｯﾄﾊﾞｰ]
<C:\Documents and Settings\All Users\スタートメニュー\プログラム\スタートアップ\Microsoft Office ｼｮｰﾄｶｯﾄﾊﾞｰ.lnk --> C:\PROGRA~1\MICROS~2\Office\MSOFFICE.EXE [Microsoft Corporation]><N>
[Microsoft Find Fast]
<C:\Documents and Settings\All Users\スタートメニュー\プログラム\スタートアップ\Microsoft Find Fast.lnk --> C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE [Microsoft Corporation]><N>
[SmartNetMonitor for Client]
<C:\Documents and Settings\All Users\スタートメニュー\プログラム\スタートアップ\SmartNetMonitor for Client.lnk --> C:\PROGRA~1\RMClient\PMClient.exe [RICOH COMPANY,LTD.]><N>
[YamasaClock]
<C:\Documents and Settings\xishuai1\スタートメニュー\プログラム\スタートアップ\YamasaClock.lnk --> D:\デスク~1\Clock.exe [N/A]><N>

==================================
Services
[20A3C0A7 / 20A3C0A7][Stopped/Auto Start]
<C:\WINNT\system32\20A3C0A7.EXE -service><Microsoft Corporation>
[8D3C2EE6 / 8D3C2EE6][Stopped/Auto Start]
<C:\WINNT\system32\8D3C2EE6.EXE -service><Microsoft Corporation>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[System Event Logger / MouTALS][Running/Auto Start]
<C:\WINNT\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINNT\SYSTEM32\WBEM\YMYVC.DLL,Export 1087><Microsoft Corporation>
[Remote Procedure Call System(RPCS) / RpcS][Running/Auto Start]
<C:\WINNT\system32\RpcS.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSA) / RpcSA][Running/Auto Start]
<C:\WINNT\system32\Rpcsa.exe><Microsoft Corporation>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Clipboard / Trial][Running/Auto Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\bmcez.dll><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINNT\System32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>

kazefei - 2007-2-26 15:19:00

==================================
Drivers
[BaseTDI / BaseTDI][Running/Auto Start]
<\??\C:\WINNT\System32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Cdsys / Cdsys][Stopped/Manual Start]
<\??\C:\WINNT\System32\cdcd.sys><N/A>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[論理ディスクマネージャドライバ / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[i81x / i81x][Running/Manual Start]
<System32\DRIVERS\i81xnt5.sys><Intel Corporation>
[KWatch3 / KWatch3][Running/System Start]
<\??\C:\WINNT\System32\drivers\KWatch3.SYS><Kingsoft Corporation>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星?件有限公司>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<System32\DRIVERS\npf.sys><CACE Technologies>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[rrsx / rrsxv][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\rrsxv.sys><N/A>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\System32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver / rtl8029][Stopped/Manual Start]
<System32\DRIVERS\RTL8029.SYS><REALTEK Semiconductor Corp.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>

==================================
Browser Add-ons
[IdnHelperObj Class]
{118CE65F-5D86-4AEA-A9BD-94F92B89119F} <C:\WINNT\DOWNLO~1\CnsMinIdn.dll, JWord Inc.>
[ｿｨｿｨﾉﾏﾍｲﾈｫﾖ摠ﾖ]
{AFF6E516-CBE5-4F8A-9C2F-38A68013E766} <C:\WINNT\System32\kakatool.dll, N/A>
[JWord (日本語キーワード)]
{5D73EE86-05F1-49ed-B850-E423120EC338} <http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton, N/A>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[ラジオ(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, Microsoft Corporation>
[ｿｨｿｨﾉﾏﾍｲﾈｫﾖ摠ﾖ]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\System32\kakatool.dll, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[JWordでウェブ検索(&J)]
<res://C:\WINNT\DOWNLO~1\CnsMin.dll/203, N/A>

==================================
Running Processes
[PID: 140][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 172][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 168][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6714]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[c:\program files\rising\rav\puifefkj.dll] [, 1, 0, 0, 11]
[PID: 220][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.6700]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 232][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.6695]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 392][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 380][C:\Program Files\Rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 480][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.6659]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[C:\WINNT\system32\HPBMMON.DLL] [Hewlett-Packard, 10.00.15]
[C:\WINNT\system32\hpdomon.dll] [Hewlett-Packard, 03.42.00]
[C:\WINNT\system32\HPBHealr.dll] [N/A, N/A]
[C:\WINNT\system32\RPNV2MON.DLL] [RICOH, 1, 0, 1, 17]
[C:\WINNT\system32\rpnv2EN.dll] [RICOH COMPANY, LTD., 1,0,0,10]
[C:\WINNT\system32\spool\PRTPROCS\W32X86\IMFPrint.DLL] [Zenographics, Inc., 5, 54, 330, 0]
[C:\WINNT\system32\Imf32.dll] [Zenographics, Inc., 5, 60, 1204, 0]
[C:\WINNT\system32\ZTAG32.dll] [Zenographics, Inc., 5, 60, 1210, 0]
[C:\WINNT\system32\ZSPOOL.dll] [Zenographics, Inc., 5, 51, 709, 0]
[PID: 548][C:\WINNT\System32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[c:\winnt\system32\bmcez.dll] [Microsoft Corporation, 5.1.2600.0]
[PID: 568][C:\WINNT\system32\hidserv.exe] [Microsoft Corporation, 5.00.2195.6655]
[C:\WINNT\system32\20A3C0A7.DLL] [Microsoft Corporation, 5.2.3790.1830]
[PID: 724][C:\WINNT\SYSTEM32\RUNDLLFROMWIN2000.EXE] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\SYSTEM32\WBEM\YMYVC.DLL] [Microsoft Corporation, 5, 1, 2600, 2709]
[PID: 784][C:\Program Files\Rising\Rav\RavStub.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 740][C:\WINNT\system32\regsvc.exe] [Microsoft Corporation, 5.00.2195.6701]
[PID: 988][C:\WINNT\system32\RpcS.exe] [Microsoft Corporation, 5.2.3790.1830]
[PID: 1008][C:\WINNT\system32\MSTask.exe] [Microsoft Corporation, 4.71.2195.6704]
[PID: 1028][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\DOWNLO~1\CnsMinIdn.dll] [JWord Inc., 2, 0, 3, 2]
[PID: 1404][C:\WINNT\system32\imejpmgr.exe] [Microsoft Corporation, 7.0.1.4326]
[PID: 1336][C:\WINNT\system32\taskmgr.exe] [Microsoft Corporation, 5.00.2195.6620]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk] [N/A, N/A]
[C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] [N/A, N/A]
[PID: 512][C:\WINNT\System32\WBEM\WinMgmt.exe] [Microsoft Corporation, 1.50.1085.0100]
[PID: 1304][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 1044][D:\My Documents\111\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1 localhost
127.0.0.1 test.nicemm.cn
127.0.0.1 new3.etsoft.com.cn
127.0.0.1 www.djdj110.com
127.0.0.1 www.gaodumm.com
127.0.0.1 www.88cc8.com
127.0.0.1 wg770.com
127.0.0.1 www.y988.com
127.0.0.1 ads.9168a.com
127.0.0.1 www.flashsky.com

==================================
API HOOK
N/A

==================================

[/CODE]

鸟儿天上飞 - 2007-2-26 15:28:00

我去..
重新安装C盘...重装好以后不要动其他的盘..装瑞星升级到最新版本全盘扫描

kazefei - 2007-2-26 15:31:00

你去干嘛?
帮忙分析?

kazefei - 2007-2-26 15:34:00

说明白点行吗?
都是些什么病毒啊?
无可救药了?

寻找北方的哥儿 - 2007-2-26 15:55:00

<mppds><C:\WINNT\mppds.exe> [N/A]
<msccrt><C:\WINNT\msccrt.exe> [N/A]
<wsttrs><C:\WINNT\wsttrs.exe> [N/A]
<cmdbcs><C:\WINNT\cmdbcs.exe> [N/A]
<wWinlogin><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\wkernel33.exe> [N/A]
<System><C:\Program Files\Common Files\System\Updaterun.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINNT\system32\ctfnom.exe> [N/A]
<main><rundll32.exe "C:\program files\internet explorer\use17.dll" mymain> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
<{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> [N/A]
<{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys> [N/A]
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat> [N/A]
<{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}><C:\Program Files\Internet Explorer\IEXPLORE.win> [N/A]
<{4DEC9B29-F08F-4cbc-B179-592B9283FAC9}><c:\program files\rising\rav\puifefkj.dll> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]

有大半是毒.........说起来麻烦

深渊t34 - 2007-2-26 16:03:00

建议格了吧...
好乱...

jmbt - 2007-2-26 16:12:00

<9bebulc0stir><C:\WINNT\rundl13a.exe> [N/A]
<wc0ldm><C:\WINNT\Servera.exe> [N/A]
<svc><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\sysonling.exe> [Microsoft Corporation]
<jiy46ift><C:\WINNT\iexpl0re.exe> [N/A]

同意楼上

猪知山 - 2007-2-26 16:28:00

运行 SRENG 启动注册表
删除
9bebulc0stir><C:\WINNT\rundl13a.exe> [N/A]
<wc0ldm><C:\WINNT\Servera.exe> [N/A]
<svc><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\sysonling.exe> [Microsoft Corporation]
<jiy46ift><C:\WINNT\iexpl0re.exe> [N/A]
<JobHisInit><C:\Program Files\RMClient\JobHisInit.exe> [N/A]
<mppds><C:\WINNT\mppds.exe> [N/A]
<msccrt><C:\WINNT\msccrt.exe> [N/A]
<wsttrs><C:\WINNT\wsttrs.exe> [N/A]
<cmdbcs><C:\WINNT\cmdbcs.exe> [N/A]
<wWinlogin><C:\DOCUME~1\xishuai1\LOCALS~1\Temp\wkernel33.exe> [N/A]
<System><C:\Program Files\Common Files\System\Updaterun.exe> [N/A]
main><rundll32.exe "C:\program files\internet explorer\use17.dll" mymain> [N/A]
<{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> [N/A]
<{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:\Program Files\Internet Explorer\IEXPLORE.Sys> [N/A]
<{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:\Program Files\Internet Explorer\IEXPLORE.Dat> [N/A]
<{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}><C:\Program Files\Internet Explorer\IEXPLORE.win> [N/A]
<{4DEC9B29-F08F-4cbc-B179-592B9283FAC9}><c:\program files\rising\rav\puifefkj.dll> [N/A]

至于自启动项
都是日文，LZ自己看吧。。。。
建议都删除。。。。

猪知山 - 2007-2-26 16:34:00

运行SRENG 启动服务
隐藏已认证的微软服务
选中20A3C0A7 / 20A3C0A7，8D3C2EE6 / 8D3C2EE6
设置点否删除重启后删除
C:\WINNT\system32\20A3C0A7.EXE
C:\WINNT\system32\8D3C2EE6.EXE

运行SRENG 启动服务驱动服务
隐藏已认证的微软服务
选中Cdsys / Cdsys，rrsx / rrsxv
设置点否删除
重启后删除
C:\WINNT\System32\cdcd.sys
SystemRoot\System32\DRIVERS\rrsxv.sys
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk] [N/A, N/A]
[C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[C:\Program Files\Internet Explorer\IEXPLORE.Sys] [N/A, N/A]

kazefei - 2007-2-26 16:42:00

谢谢了!!
这就照办去....

姑苏残月 - 2007-2-26 17:16:00

<jiy46ift><C:\WINNT\iexpl0re.exe> [N/A]
又是这个东西,不知道你中了多久了,看你系统病毒实在太多，建议重装吧,这样比较安全,重新安装完了记得立刻安装并升级杀毒软件,然后杀毒

好学的忆忆 - 2007-2-26 18:56:00

好复杂..不如重装下还比较快

bravoliuliu - 2007-2-26 19:01:00

学习一下~~~~~~~~~

kazefei - 2007-2-26 21:42:00

请教各位
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
下的各个键值全都删了有问题吗?

因为IE的START PAGE给改成了恶意网页
据说是WINDOWS启动组中加载了恶意程序
我又不知道是哪个.....
一古脑全删了行吗?

misaboa - 2007-2-26 21:53:00

当电脑成马窝后，别考虑杀毒了，格了C盘重装把
几十分钟后又是一条好汉
建议重要文件不要放C盘

kazefei - 2007-2-27 9:07:00

那就重装吧
上面的问题能回答下吗?

spiritfire - 2007-2-27 9:27:00

引用:

【kazefei的贴子】那就重装吧
上面的问题能回答下吗?
………………

当然不能全删，正常的为何要删？

kazefei - 2007-2-27 9:49:00

引用:

【姑苏残月的贴子】<jiy46ift><C:\WINNT\iexpl0re.exe> [N/A]
又是这个东西,不知道你中了多久了,看你系统病毒实在太多，建议重装吧,这样比较安全,重新安装完了记得立刻安装并升级杀毒软件,然后杀毒
………………

这是个什么东西?以前没见过......
是什么毒?

pigboy - 2007-2-27 10:00:00

楼主发帖的名字真行

瑞星卡卡安全论坛