各位大虾,请帮帮忙!! bbs.ikaka.com

那個那個誰 - 2007-3-27 2:44:00

进程里面有个名为RUNDLL2000.EXE的程序,结束不掉!!另外开机后会提示中毒,在system32文件夹内!下面是我重启后的智能扫描,一版发不完,分了两版,请各位帮忙分析下!!小的在此谢过了!!!!
2007-03-27,02:17:16

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Corporation]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<SoundMan><SOUNDMAN.EXE> [Realtek Semiconductor Corp.]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [(Verified)Intel Corporation]
<HotKeysCmds><C:\WINNT\system32\hkcmd.exe> [(Verified)Intel Corporation]
<ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"> [(Verified)Symantec Corporation]
<vptray><C:\PROGRA~1\SYMANT~1\VPTray.exe> [(Verified)Symantec Corporation]
<QQNetbar><F:\QQNetBar\QQNetBar.exe> [腾讯科技（深圳）有限公司]
<mppds><C:\WINNT\mppds.exe> [N/A]
<cmdbcs><C:\WINNT\cmdbcs.exe> [N/A]
<msccrt><C:\WINNT\msccrt.exe> [N/A]
<upxdnd><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.exe> [N/A]
<wgs3><C:\WINNT\wgs3.exe> [N/A]
<wms3><C:\WINNT\wms3.exe> [N/A]
<System><C:\Program Files\Common Files\System\Updaterun.exe> [N/A]
<CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe> [N/A]
<winform><C:\WINNT\winform.exe> [N/A]
<SunJavaUpdateSched><"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"> [(Verified)Sun Microsystems, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}><C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
<WinlogonNotify: NavLogon><C:\WINNT\system32\NavLogon.dll> [(Verified)Symantec Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Messanger Accelerator / Accelerator Tools]
<C:\WINNT\system32\mis.exe><N/A>
[Symantec Event Manager / ccEvtMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"><Symantec Corporation>
[Symantec Password Validation / ccPwdSvc]
<"C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[Print Manager / DATEING]
<C:\WINNT\SYSTEM32\RUNDLL2000.EXE C:\WINNT\SYSTEM32\WBEM\OILPE.DLL,Export 1087><Microsoft Corporation>
[Symantec AntiVirus Definition Watcher / DefWatch]
<"C:\Program Files\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Application Accelerator / License]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\nfibz.dll><Microsoft Corporation>
[P4P Service / P4P Service]
<C:\Program Files\Common Files\Sogou PXP\p2psvr.exe><Sohu.com Inc.>
[SavRoam / SavRoam]
<"C:\Program Files\Symantec AntiVirus\SavRoam.exe"><symantec>
[Symantec Network Drivers Service / SNDSrvc]
<"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus]
<"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>

==================================
驱动程序
[acpidisk / acpidisk]
<\??\C:\WINNT\system32\drivers\acpidisk.sys><N/A>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[BdGuard / BdGuard]
<\SystemRoot\system32\drivers\BDGuard.SYS><N/A>
[Cdr4_2K / Cdr4_2K]
<C:\WINNT\SYSTEM32\DRIVERS\Cdr4_2K.SYS><Roxio>
[Cdralw2k / Cdralw2k]
<C:\WINNT\SYSTEM32\DRIVERS\Cdralw2k.SYS><Roxio>
[dmboot / dmboot]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[i81x / i81x]
<System32\DRIVERS\i81xnt5.sys><Intel Corporation>
[ialm / ialm]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[NAVENG / NAVENG]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070321.018\naveng.sys><Symantec Corporation>
[NAVEX15 / NAVEX15]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070321.018\navex15.sys><Symantec Corporation>
[Netgroup Packet Filter / NPF]
<system32\DRIVERS\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt]
<\??\F:\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
[Direct Parallel Link Driver / Ptilink]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
<System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SAVRT / SAVRT]
<\??\C:\Program Files\Symantec AntiVirus\savrt.sys><Symantec Corporation>
[SAVRTPEL / SAVRTPEL]
<\??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys><Symantec Corporation>
[SymEvent / SymEvent]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[SYMREDRV / SYMREDRV]
<\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI]
<\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>

那個那個誰 - 2007-3-27 2:44:00

==================================
浏览器加载项
[CAdLogic Object]
{11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush0.dll, N/A>
[CdnForIE Class]
{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[实用搜索]
{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2} <C:\Program Files\superutilbar\superutilbar.dll, www.shiyongsousuo.com>
[SSVHelper Class]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
[BandIE Class]
{77FEF28E-EB96-44FF-B511-3185DEA48697} <C:\PROGRA~1\baidu\bar\baidubar.dll, Baidu.com, Inc.>
[Java Plug-in 1.5.0_11]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
[CdnForIE Class]
{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, Microsoft Corporation>
[百度超级搜霸]
{B580CF65-E151-49C3-B73F-70B13FCA8E86} <C:\PROGRA~1\baidu\bar\baidubar.dll, Baidu.com, Inc.>
[实用搜索工具条2.0]
{03465FF5-00AE-411a-9C34-960ED566EC03} <C:\Program Files\superutilbar\superutilbar.dll, www.shiyongsousuo.com>
[MMCPlayer Class]
{05C1004E-2596-48E5-8E26-39362985EEB9} <C:\WINNT\Downloaded Program Files\MMCShell.dll, Sohu.com Inc.>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINNT\system32\wuweb.dll, Microsoft Corporation>
[Java Plug-in 1.5.0_11]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_11]
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_11]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[Rising Web Scan Object]
{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINNT\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[上传到QQ网络硬盘]
<F:\qq\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<F:\qq\AddPanel.htm, N/A>
[添加到QQ表情]
<F:\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<F:\qq\SendMMS.htm, N/A>
[访问通用网址]
<C:\Program Files\CNNIC\Cdn\cnnic.htm, N/A>

==================================
正在运行的进程
[PID: 152][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 180][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 200][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6997]
[C:\WINNT\system32\winlib .dll] [N/A, N/A]
[C:\WINNT\system32\NavLogon.dll] [Symantec Corporation, 9.0.1.1000]
[PID: 228][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.7035]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[PID: 240][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.7011]
[PID: 404][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 432][C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe] [Symantec Corporation, 2.2.1.004]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 2.2.1.004]
[PID: 460][C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe] [Symantec Corporation, 2.2.1.004]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 2.2.1.004]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCSETEVT.DLL] [Symantec Corporation, 2.2.1.004]
[PID: 556][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.7013]
[PID: 584][C:\WINNT\system32\mis.exe] [N/A, N/A]
[PID: 612][C:\WINNT\SYSTEM32\RUNDLL2000.EXE] [Microsoft Corporation, 5.00.2134.1]
[PID: 664][C:\Program Files\Symantec AntiVirus\DefWatch.exe] [Symantec Corporation, 9.0.1.1000]
[PID: 684][C:\WINNT\System32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 728][C:\Program Files\Common Files\Sogou PXP\p2psvr.exe] [Sohu.com Inc., 2, 0, 0, 31]
[C:\Program Files\Sogou PXP\vodsvr.dll] [Sohu.com Inc., 2, 4, 0, 5]
[C:\Program Files\Sogou PXP\pxpnet.dll] [Sohu.com Inc., 1, 0, 0, 9]
[C:\Program Files\Sogou PXP\p2pclient.dll] [Sohu.com Inc., 2, 9, 1, 6]
[PID: 756][C:\WINNT\system32\regsvc.exe] [Microsoft Corporation, 5.00.2195.6701]
[PID: 764][C:\Program Files\Symantec AntiVirus\SavRoam.exe] [symantec, 1.5.0.0]
[C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll] [Symantec Corporation, 9.0.1.1000]
[C:\WINNT\system32\CBA.DLL] [Intel? Corporation, 6.12.0.126 E]
[C:\WINNT\system32\MsgSys.dll] [Intel? Corporation, 6.12.0.126 E]
[C:\WINNT\system32\NTS.dll] [Intel? Corporation, 6.12.0.126 E]
[C:\WINNT\system32\PDS.DLL] [Intel? Corporation, 6.12.0.126 E]
[PID: 776][C:\WINNT\system32\MSTask.exe] [Microsoft Corporation, 4.71.2195.6972]
[PID: 836][C:\WINNT\System32\WBEM\WinMgmt.exe] [Microsoft Corporation, 1.50.1085.0100]
[PID: 860][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 1152][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.dll] [N/A, N/A]
[C:\WINNT\system32\winform.dll] [N/A, N/A]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3943]
[C:\Program Files\CNNIC\Cdn\cdnforie.dll] [CNNIC, 2, 0, 0, 0]
[C:\Program Files\superutilbar\superutilbar.dll] [www.shiyongsousuo.com, 2, 1, 8, 24]
[C:\PROGRA~1\baidu\bar\baidubar.dll] [Baidu.com, Inc., 2, 0, 2, 135]
[PID: 1288][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.0.1622]
[PID: 1296][C:\WINNT\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.0.34]
[PID: 1348][C:\WINNT\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3943]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3943]
[PID: 1356][C:\Program Files\Common Files\Symantec Shared\ccApp.exe] [Symantec Corporation, 2.2.1.004]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 2.2.1.004]
[C:\Program Files\Symantec\LiveUpdate\ProductRegCom.DLL] [Symantec Corporation, 2.0.39.0]
[C:\Program Files\Symantec\LiveUpdate\LuComServerPS.DLL] [Symantec Corporation, 2.0.39.0]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL] [Symantec Corporation, 2.2.1.004]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL] [Symantec Corporation, 2.2.1.004]
[C:\WINNT\system32\SYMREDIR.dll] [Symantec Corporation, 5.3.5.3]
[C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll] [Symantec Corporation, 2.2.1.004]
[C:\Program Files\Symantec AntiVirus\SavEmail.dll] [Symantec Corporation, 9.0.1.1000]
[C:\Program Files\Common Files\Symantec Shared\ccProSub.dll] [Symantec Corporation, 2.2.1.004]
[PID: 1392][C:\PROGRA~1\SYMANT~1\VPTray.exe] [Symantec Corporation, 9.0.1.1000]
[C:\Program Files\Symantec AntiVirus\SAVRT32.DLL] [Symantec Corporation, 9.3.0.28]
[C:\Program Files\Symantec AntiVirus\Cliproxy.dll] [Symantec Corporation, 9.0.1.1000]
[C:\PROGRA~1\SYMANT~1\NAVNTUTL.DLL] [Symantec Corporation, 9.0.1.1000]
[C:\Program Files\Symantec AntiVirus\Cliscan.dll] [Symantec Corporation, 9.0.1.1000]
[PID: 1472][C:\WINNT\wgs3.exe] [N/A, N/A]
[PID: 1476][C:\WINNT\wms3.exe] [N/A, N/A]
[PID: 1508][C:\Program Files\Common Files\System\Updaterun.exe] [N/A, N/A]
[PID: 1456][C:\Program Files\CNNIC\Cdn\cdnup.exe] [, 2, 4, 0, 3]
[C:\Program Files\CNNIC\Cdn\cdnforie.dll] [CNNIC, 2, 0, 0, 0]
[PID: 1540][C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe] [Sun Microsystems, Inc., 5.0.110.3]
[PID: 1564][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 1320][C:\Documents and Settings\Administrator\桌面\新建文件夹\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[C:\Program Files\CNNIC\Cdn\cdnforie.dll] [CNNIC, 2, 0, 0, 0]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================

newcenturymoon - 2007-3-27 8:06:00

首先下载软件http://download.pchome.net/utility/antivirus/trojan/20621.html
费尔木马强力助手
然后重启计算机进入
安全模式下(开机后不断按F8键然后出来一个高级菜单选择第一项安全模式进入系统)
打开费尔木马强力助手在文件名处输入如下文字

C:\WINNT\system32\winlib .dll
然后选中清除并抑制文件再次生成开始
打开sreng （就是你扫日志的软件）
启动项目注册表删除如下项目 (如果有哪项你认识或者确认不是病毒请不要删除)
<mppds><C:\WINNT\mppds.exe> [N/A]
<cmdbcs><C:\WINNT\cmdbcs.exe> [N/A]
<msccrt><C:\WINNT\msccrt.exe> [N/A]
<upxdnd><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.exe> [N/A]
<wgs3><C:\WINNT\wgs3.exe> [N/A]
<wms3><C:\WINNT\wms3.exe> [N/A]
<System><C:\Program Files\Common Files\System\Updaterun.exe> [N/A]
<winform><C:\WINNT\winform.exe> [N/A]
<{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}><C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys> [N/A]

“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”，
选中以下项目，点“删除服务”，再点“设置”，在弹出的框中点“否”：
Messanger Accelerator / Accelerator Tools
Print Manager / DATEING

双击我的电脑－工具－文件夹选项－查看－显示所有文件和文件夹，把“隐藏受保护的系统文件”的勾去掉。
然后删除C:\WINNT\system32\mis.exe
C:\WINNT\system32\winform.dll
C:\WINNT\system32\mis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp下面所有文件
C:\WINNT\system32\winlib .dll
C:\WINNT\mppds.exe
C:\WINNT\cmdbcs.exe
C:\WINNT\msccrt.exe
C:\WINNT\wgs3.exe
C:\WINNT\wms3.exe
C:\Program Files\Common Files\System\Updaterun.exe
C:\WINNT\winform.exe
C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys

瑞星卡卡安全论坛