Rising Kaka Security Forum

[Help] SREng and HijackThis logs
su2qi - 2008-3-22 11:13:00
日志文件 Trend Micro HijackThis v 2.0.2
日志保存时间: 10:43:23,2008-3-22
操作系统: Windows 2003 SP2 (WinNT 5.02.3790)
IE版本: Internet Explorer v6.00 SP2 (6.00.3790.3959)
启动模式: 正常

正在运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\KAV2007\KWatch.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\KAV2007\KPfwSvc.EXE
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
d:\KAV2007\KAVStart.exe
d:\Program Files\360safe\safemon\360tray.exe
C:\WINDOWS\system32\ctfmon.exe
d:\KAV2007\KPFW32.EXE
d:\KAV2007\KMailMon.EXE
C:\WINDOWS\system32\DrvMon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Autorun.exe
C:\WINDOWS\explorer.exe
D:\su2qi_fj\杀毒\hijackthis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsaF.tmp\hijackthis.exe

R3 - URLSearchHook: BDSrchHook Class - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - C:\WINDOWS\DOWNLO~1\BDSrHook.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - d:\program files\thunder network\thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: KAVAntiFishing - {55302805-482E-470E-8A57-6795A1487F90} - d:\KAV2007\KAVAFish.DLL
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - d:\program files\thunder network\thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: MyBHO_0.1 - {989D2FEB-5411-4565-8988-1DD2C5263377} - C:\WINDOWS\system32\SysInfo.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - d:\Program Files\360safe\safemon\safemon.dll
O2 - BHO: BDHlprObj Class - {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} - C:\WINDOWS\DOWNLO~1\BDHelper.dll(文件不存在)
O4 - HKLM\..\Run: [KavStart] "d:\KAV2007\KAVStart.exe" -startup
O4 - HKLM\..\Run: [360Safetray] d:\Program Files\360safe\safemon\360tray.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KavPFW] "d:\KAV2007\KPFW32.EXE"
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - 扩展右键菜单项: &使用暴风下载器下载 - E:\Program Files\Storm Downloader\geturl.htm
O8 - 扩展右键菜单项: 使用迅雷下载 - d:\program files\thunder network\thunder\Program\geturl.htm
O8 - 扩展右键菜单项: 使用迅雷下载全部链接 - d:\program files\thunder network\thunder\Program\getallurl.htm
O8 - 扩展右键菜单项: 发送到 Bluetooth 设备(&B)... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - 扩展右键菜单项: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - 扩展右键菜单项: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - 扩展右键菜单项: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - 扩展右键菜单项: 金山毒霸反钓鱼... - d:\KAV2007\KAF\ShowSet.htm
O9 - 额外的按钮: (未命名) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - 额外的“工具”菜单项目: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - 额外的按钮: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe(文件不存在)
O9 - 额外的“工具”菜单项目: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe(文件不存在)
O9 - 额外的按钮: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - 额外的按钮: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - 额外的“工具”菜单项目: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O15 - ESC Trusted Zone: http://g1a25.mail.126.com
O15 - ESC Trusted Zone: http://g1a26.mail.126.com
O15 - ESC Trusted Zone: http://g1a51.mail.126.com

su2qi - 2008-3-22 11:15:00
I have already deleted a lot of O1 entries;
there are also a lot of O15 entries. Is there any need to post them? I hear they are trusted sites.
O16 - DPF: {098A3F72-3110-4004-B954-2F9DC44934B4} (AddSHCARoot Control) - https://etrade.efunds.com.cn/etrading/AddSHCARootCert.cab
O16 - DPF: {0EB487C8-E9AC-43A6-8C4C-083999B0622F} (InfosecCertInstall Class) - https://mybank.icbc.com.cn/icbc/perbank/certInStall.dll
O16 - DPF: {62B938C4-4190-4F37-8CF0-A92B0A91CC77} (InfoSecNetSign Class) - https://mybank.icbc.com.cn/icbc/NetSign.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175742550171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187789994453
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {C35D7AE1-0865-4A30-BF07-29FA29324155} (CSetLET Class) - https://mybank.icbc.com.cn/icbc/perbank/GDSetLET.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lyy
O17 - HKLM\Software\..\Telephony: DomainName = lyy
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lyy
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O23 - NT 服务:  Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - NT 服务:  Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - NT 服务:  ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - NT 服务:  InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - NT 服务:  Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - d:\KAV2007\KPfwSvc.EXE
O23 - NT 服务:  Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - d:\KAV2007\KWatch.EXE
O23 - NT 服务:  OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - NT 服务:  OracleServicePSIDP - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - NT 服务:  Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - NT 服务:  Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
文件结束 - 41620 字节
su2qi - 2008-3-22 11:21:00
The first scan showed a lot of O18 entries. I fixed some O1 and O15 entries, then scanned again with SREng, and only this one O18 entry is left.
su2qi - 2008-3-22 11:21:00
[CODE]

2008-03-22,10:51:09

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows Server 2003 "R2" Standard Edition Service Pack 2 (Build 3790) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <KavPFW><; "C:\KAV2007\KPFW32.EXE" -startup>  [N/A]
    <DrvMon.exe><; C:\WINDOWS\system32\DrvMon.exe>  [Alcor Micro, Corp.]
    <MsnMsgr><; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background>  [(Verified)Microsoft Corporation]
    <pyjj><; C:\Program Files\jj4\jjsvr4.exe>  [加加开发组]
    <updateMgr><; C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <KavStart><; "C:\KAV2007\KAVStart.exe" -startup>  [N/A]
    <360Safetray><d:\Program Files\360safe\safemon\360tray.exe /start>  [奇虎网]
    <ATICCC><; "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe">  []
    <BIE><; Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32>  [N/A]
    <BLOG><; rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog>  []
    <cmdbcs><; C:\WINDOWS\cmdbcs.exe>  [N/A]
    <DAEMON Tools-1033><; "C:\Program Files\D-Tools\daemon.exe"  -lang 1033>  [DAEMON'S HOME]
    <DbgHlp32><; C:\WINDOWS\DbgHlp32.exe>  [N/A]
    <IMEKRMIG6.1><; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE>  [(Verified)Microsoft Windows Component Publisher]
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Component Publisher]
    <IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [N/A]
    <iTunesHelper><; "C:\Program Files\iTunes\iTunesHelper.exe">  [(Verified)Apple Inc.]
    <Kvsc3><; C:\WINDOWS\Kvsc3.exE>  [N/A]
    <Microsoft Pinyin IME Migration><; C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL>  [(Verified)Microsoft Corporation]
    <MINI_BFYY><; E:\Program Files\Storm Downloader\StormDownloader.exe>  [深圳市三代科技开发有限公司]
    <msccrt><; C:\WINDOWS\msccrt.exe>  [N/A]
    <NAVMon32><; C:\WINDOWS\NAVMon32.exE>  [N/A]
    <NuTCSetupEnviron><; C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe>  []
    <PCSuiteTrayApplication><; E:\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup>  [N/A]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Component Publisher]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Component Publisher]
    <PWRMGRTR><; rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor>  [Lenovo Group Limited]
    <QuickTime Task><; "E:\Program Files\Storm Codec\QTTask.exe" -atboottime>  [Apple Inc.]
    <SHAProc><; C:\WINDOWS\SHAProc.exe>  [N/A]
    <SoundMAX><; "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray>  [Analog Devices, Inc.]
    <SoundMAXPnP><; C:\Program Files\Analog Devices\Core\smax4pnp.exe>  [Analog Devices, Inc.]
    <StormCodec_Helper><; "E:\Program Files\Storm Codec\StormSet.exe" /S /opti>  []
    <SynTPEnh><; C:\Program Files\Synaptics\SynTP\SynTPEnh.exe>  [Synaptics, Inc.]
    <SynTPLpr><; C:\Program Files\Synaptics\SynTP\SynTPLpr.exe>  [Synaptics, Inc.]
    <UserFaultCheck><; %systemroot%\system32\dumprep 0 -u>  [N/A]
    <WebThunder><; C:\Program Files\Thunder Network\WebThunder\WebThunder.exe>  [N/A]
    <WinampAgent><; D:\Program Files\Winamp\winampa.exe>  [N/A]
    <WINSvr32><; C:\WINDOWS\WINSvr32.exE>  [N/A]
    <WSockDrv32><; C:\WINDOWS\mklwlh.exe>  []
su2qi - 2008-3-22 11:21:00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\UserInit.exe,>  [(Verified)Microsoft Windows Component Publisher]
    <GinaDLL><vrlogon.dll>  [UPEK Inc.]
    <UIHost><%SystemRoot%\system32\logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
    <WinlogonNotify: psfus><C:\WINDOWS\system32\psqlpwd.dll>  [UPEK Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Atheros Configuration Service / acs][Stopped/Disabled]
  <C:\WINDOWS\system32\acs.exe><Atheros>
[Cognos Access Manager Server (cer4) / amserver_cer4][Stopped/Disabled]
  <"d:\Program Files\Cognos\cer4\bin\amserver.exe"><N/A>
[Apple Mobile Device / Apple Mobile Device][Stopped/Disabled]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple, Inc.>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Disabled]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Bonjour 服务 / Bonjour Service][Stopped/Disabled]
  <"C:\Program Files\Bonjour\mDNSResponder.exe"><Apple Inc.>
[Bluetooth Service / btwdins][Running/Auto Start]
  <C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe><Broadcom Corporation.>
[Cognos PowerPlay Enterprise Server (cer4) / Cognos PowerPlay Enterprise Server (cer4)][Stopped/Disabled]
  <"d:\Program Files\Cognos\cer4\bin\ppserver.exe"><N/A>
[Cognos Upfront Administration Service (cer4) / Cognos UpfrontAdministration (cer4)][Stopped/Disabled]
  <"D:\Program Files\Cognos\cer4\bin\UpfrontAdministration.exe"><N/A>
[Cognos Upfront Data Store (cer4) / Cognos UpfrontDataStore (cer4)][Stopped/Disabled]
  <"D:\Program Files\Cognos\cer4\bin\upfdbsrv.exe"><N/A>
[Cognos Upfront Dispatcher (cer4) / Cognos UpfrontDispatcher (cer4)][Stopped/Disabled]
  <"D:\Program Files\Cognos\cer4\bin\UpfDispatcherService.exe"><N/A>
[Intel(R) PROSet/Wireless Event Log / EvtEng][Running/Auto Start]
  <C:\Program Files\Intel\Wireless\Bin\EvtEng.exe><Intel Corporation>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[ThinkPad PM Service / IBMPMSVC][Running/Auto Start]
  <C:\WINDOWS\system32\ibmpmsvc.exe><Lenovo>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPod 服务 / iPod Service][Stopped/Disabled]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Inc.>
[Kingsoft Personal Firewall Service / KPfwSvc][Running/Auto Start]
  <"d:\KAV2007\KPfwSvc.EXE"><Kingsoft Corporation>
[Kingsoft Antivirus KWatch Service / KWatchSvc][Running/Auto Start]
  <d:\KAV2007\KWatch.EXE><Kingsoft Corporation>
[Microsoft Search / MSSEARCH][Running/Auto Start]
  <"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"><Microsoft Corporation>
[MSSQLSERVER / MSSQLSERVER][Stopped/Disabled]
  <C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe><Microsoft Corporation>
[MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Disabled]
  <C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
[NuTCRACKERService / NuTCRACKERService][Stopped/Disabled]
  <C:\WINDOWS\system32\nutsrv4.exe><DataFocus, Inc.>
[OracleMTSRecoveryService / OracleMTSRecoveryService][Stopped/Disabled]
  <D:\oracle\ora92\bin\omtsreco.exe "OracleMTSRecoveryService"><Oracle Corporation>
[OracleOraHome92Agent / OracleOraHome92Agent][Stopped/Disabled]
  <D:\oracle\ora92\bin\agntsrvc.exe><Oracle Corporation>
[OracleOraHome92ClientCache / OracleOraHome92ClientCache][Stopped/Disabled]
  <D:\oracle\ora92\BIN\ONRSD.EXE><N/A>
[OracleOraHome92HTTPServer / OracleOraHome92HTTPServer][Stopped/Disabled]
  <"D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice><N/A>
[OracleOraHome92PagingServer / OracleOraHome92PagingServer][Stopped/Disabled]
  <D:\oracle\ora92/bin/pagntsrv.exe><N/A>
[OracleOraHome92SNMPPeerEncapsulator / OracleOraHome92SNMPPeerEncapsulator][Stopped/Disabled]
  <D:\oracle\ora92\BIN\ENCSVC.EXE><N/A
su2qi - 2008-3-22 11:22:00

==================================
驱动程序
[ADI UAA Function Driver for High Definition Audio Service / ADIHdAudAddService][Running/Manual Start]
  <system32\drivers\ADIHdAud.sys><Analog Devices, Inc.>
[AEAudio Service / AEAudioService][Running/Manual Start]
  <system32\drivers\AEAudio.sys><Andrea Electronics Corporation>
[AEGIS Protocol (IEEE 802.1x) v3.6.0.0 / AegisP][Running/Auto Start]
  <system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[蓝牙总线枚举器 / BTKRNL][Running/Manual Start]
  <system32\DRIVERS\btkrnl.sys><Broadcom Corporation.>
[d347bus / d347bus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
  <\SystemRoot\System32\Drivers\d347prt.sys><>
[dohs / dohs][Stopped/Auto Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7B.tmp><N/A>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
  <system32\DRIVERS\e1e5132.sys><Intel Corporation>
[GEARAspiWDM / GEARAspiWDM][Running/Manual Start]
  <System32\Drivers\GEARAspiWDM.sys><GEAR Software Inc.>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HSFHWAZL / HSFHWAZL][Running/Manual Start]
  <system32\DRIVERS\HSFHWAZL.sys><Conexant Systems, Inc.>
[HSF_DPV / HSF_DPV][Running/Manual Start]
  <system32\DRIVERS\HSF_DPV.sys><Conexant Systems, Inc.>
[Intel AHCI Controller / iastor][Running/Boot Start]
  <\SystemRoot\System32\Drivers\iaStor.sys><Intel Corporation>
[IBMPMDRV / IBMPMDRV][Running/Manual Start]
  <system32\DRIVERS\ibmpmdrv.sys><Lenovo.>
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\usbhcid.sys><N/A>
[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]
  <system32\DRIVERS\ipinip.sys><N/A>
[KAVBootC / KAVBootC][Running/Boot Start]
  <\SystemRoot\system32\Drivers\KAVBootC.sys><Kingsoft Corporation>
[KNetWch / KNetWch][Running/System Start]
  <\??\d:\KAV2007\KNetWch.SYS><Kingsoft Corporation>
[KWatch3 / KWatch3][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[mdmxsdk / mdmxsdk][Running/Auto Start]
  <system32\DRIVERS\mdmxsdk.sys><Conexant>
[mhfp / mhfp][Stopped/Auto Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp8F.tmp><N/A>
[用于 Windows XP 32 Bit 版的英特尔(R) PRO/无线 3945ABG 适配器驱动程序 / NETw3x32][Stopped/Manual Start]
  <system32\DRIVERS\NETw3x32.sys><Intel? Corporation>
[Nokia USB Phone Parent / nmwcd][Stopped/Manual Start]
  <system32\drivers\nmwcd.sys><Nokia>
[Nokia USB Generic / nmwcdc][Stopped/Manual Start]
  <system32\drivers\nmwcdc.sys><Nokia>
[Nokia USB Port / nmwcdcj][Stopped/Manual Start]
  <system32\drivers\nmwcdcj.sys><Nokia>
[Nokia USB Modem / nmwcdcm][Stopped/Manual Start]
  <system32\drivers\nmwcdcm.sys><Nokia>
[NSC Infrared Device Driver / NSCIRDA][Running/Manual Start]
  <system32\DRIVERS\nscirda.sys><National Semiconductor Corporation>
[Lenovo Parties Service Access Device Driver / psadd][Stopped/Manual Start]
  <system32\DRIVERS\psadd.sys><Lenovo (United States) Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[WLAN 传输 / s24trans][Running/Auto Start]
  <system32\DRIVERS\s24trans.sys><Intel Corporation>
[Sc Manager / Sc Manager][Stopped/Manual Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\usbcams3.sys><N/A>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SMI Helper Driver (smihlp) / smihlp][Running/Auto Start]
  <\??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys><UPEK Inc.>
[Synaptics TouchPad Driver / SynTP][Running/Manual Start]
  <system32\DRIVERS\SynTP.sys><Synaptics, Inc.>
[TC USB Kernel Driver / TcUsb][Running/Manual Start]
  <System32\Drivers\tcusb.sys><UPEK Inc.>
[TPPWRIF / TPPWRIF][Running/System Start]
  <System32\drivers\Tppwrif.sys><N/A>
[TSMAPIP / TSMAPIP][Running/System Start]
  <System32\drivers\TSMAPIP.SYS><N/A>
[Conexant Setup API / UIUSys][Stopped/Manual Start]
  <system32\DRIVERS\UIUSYS.SYS><N/A>
[Apple Mobile USB Driver / USBAAPL][Stopped/Manual Start]
  <System32\Drivers\usbaapl.sys><Apple, Inc.>
[winachsf / winachsf][Running/Manual Start]
  <system32\DRIVERS\HSF_CNXT.sys><Conexant Systems, Inc.>
[WL / WL][Stopped/Manual Start]
  <\??\C:\WINDOWS\TEMP\tmp20.tmp><N/A>
[wsimd Service / WSIMD][Stopped/Manual Start]
  <system32\DRIVERS\wsimd.sys><Atheros Communications, Inc.>
su2qi - 2008-3-22 11:22:00

==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <d:\program files\thunder network\thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[CBrowseStakeout Class]
  {55302805-482E-470E-8A57-6795A1487F90} <d:\KAV2007\KAVAFish.DLL, Kingsoft Corporation>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <d:\program files\thunder network\thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[]
  {989D2FEB-5411-4565-8988-1DD2C5263377} <C:\WINDOWS\system32\SysInfo.dll, Microsoft Corporation>
[SafeMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <d:\Program Files\360safe\safemon\safemon.dll, 奇虎网>
[BDHlprObj Class]
  {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} <C:\WINDOWS\DOWNLO~1\BDHelper.dll, N/A>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation>
[启动迅雷5]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <d:\Program Files\Thunder Network\Thunder\Thunder.exe, N/A>
[信息检索(&R)]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL, Microsoft Corporation>
[@btrez.dll,-4015]
  {CCA281CA-C863-46ef-9331-5C8D4460577F} <, N/A>
[AddSHCARoot Control]
  {098A3F72-3110-4004-B954-2F9DC44934B4} <C:\WINDOWS\DOWNLO~1\ADDCAR~1.OCX, SHECA>
[InfosecCertInstall Class]
  {0EB487C8-E9AC-43A6-8C4C-083999B0622F} <C:\WINDOWS\Downloaded Program Files\certInStall.dll, >
[InfoSecNetSign Class]
  {62B938C4-4190-4F37-8CF0-A92B0A91CC77} <C:\WINDOWS\DOWNLO~1\NetSign.dll, Infosec Technologies Co., Ltd.>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, Microsoft Corporation>
[Java Plug-in 1.4.2]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll, JavaSoft / Sun Microsystems, Inc.>
[AxSubmitControl Class]
  {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[CSetLET Class]
  {C35D7AE1-0865-4A30-BF07-29FA29324155} <C:\WINDOWS\DOWNLO~1\GDSetLET.dll, >
[Java Plug-in 1.4.2]
  {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} <C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll, JavaSoft / Sun Microsystems, Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <d:\program files\thunder network\thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation>
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <d:\program files\thunder network\thunder\ComDlls\ThunderAgent_Now.dll, N/A>
[CBrowseStakeout Class]
  {55302805-482E-470E-8A57-6795A1487F90} <d:\KAV2007\KAVAFish.DLL, Kingsoft Corporation>
[XMP Class]
  {6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
[XDRM]
  {693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AxInputControl Class]
  {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINDOWS\DOWNLO~1\INPUTC~1.DLL, >
[MediaComm Class]
  {7670648D-461B-42AF-BDFE-46D26AF5EFF2} <d:\Program Files\Thunder Network\Thunder\Components\InMedia\MediaAddin14.dll, N/A>
[360SafeLive]
  {87515F61-A66C-4319-A0E0-D416CB8059E3} <d:\Program Files\360safe\live.dll, 360safe.com>
[Microsoft Web 浏览器]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <d:\program files\thunder network\thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[AxSubmitControl Class]
  {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SUBMIT~1.DLL, >
[]
  {989D2FEB-5411-4565-8988-1DD2C5263377} <C:\WINDOWS\system32\SysInfo.dll, Microsoft Corporation>
[RMGetLicense Class]
  {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, Microsoft Corporation>
[SafeMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <d:\Program Files\360safe\safemon\safemon.dll, 奇虎网>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[BDHlprObj Class]
  {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} <C:\WINDOWS\DOWNLO~1\BDHelper.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[Thunder DapPlayer]
  {EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <d:\Program Files\Thunder Network\Thunder\Components\DownAndPlay\DapPlayer3.0.35.59.dll, N/A>
[XPPlayer Class]
  {F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\pplayer.dll_1_work, Thunder>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[&使用暴风下载器下载]
  <E:\Program Files\Storm Downloader\geturl.htm, N/A>
[使用迅雷下载]
  <d:\program files\thunder network\thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <d:\program files\thunder network\thunder\Program\getallurl.htm, N/A>
[发送到 Bluetooth 设备(&B)...]
  <C:\Program Files\ThinkPad\Bluetooth Softwa
su2qi - 2008-3-22 11:22:00
正在运行的进程
[PID: 376 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 424 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 452 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\vrlogon.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4142]
    [C:\WINDOWS\system32\psqlpwd.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\homefus2.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\infra.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\homepass.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\bio.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\ps2css.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\crypto.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\remote.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\pscssint.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\SysInfo.dll]  [Microsoft Corporation, 1.0.0.0]
[PID: 500 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 512 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [C:\WINDOWS\system32\psqlpwd.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\homefus2.dll]  [UPEK Inc., 5.6.0.3297]
    [C:\Program Files\ThinkVantage Fingerprint Software\infra.dll]  [UPEK Inc., 5.6.0.3297]
[PID: 700 / SYSTEM][C:\WINDOWS\system32\ibmpmsvc.exe]  [Lenovo, 1.41]
[PID: 732 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 808 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 852 / SYSTEM][C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe]  [Broadcom Corporation., 5.1.0.2100]
[PID: 908 / SYSTEM][C:\Program Files\Intel\Wireless\Bin\EvtEng.exe]  [Intel Corporation, 10.5.1.22]
    [C:\Program Files\Intel\Wireless\Bin\PfMgrApi.dll]  [Intel Corporation, 10, 5, 1, 1  ]
    [C:\Program Files\Intel\Wireless\Bin\TraceAPI.DLL]  [Intel Corporation, 10.5.1.6]
    [C:\Program Files\Intel\Wireless\Bin\PsRegApi.dll]  [Intel Corporation, 10.5.1.6]
    [C:\Program Files\Intel\Wireless\Bin\DbEngine.dll]  [Intel Corporation, 10, 5, 1, 17]
    [C:\Program Files\Intel\Wireless\Bin\LIBEAY32.dll]  [The OpenSSL Project, http://www.openssl.org/, 0.9.8]
    [C:\Program Files\Intel\Wireless\Bin\IntStngs.dll]  [, 10.5.1.0  ]
    [C:\Program Files\Intel\Wireless\Bin\MurocApi.dll]  [Intel Corporation, 10.5.1.5]
    [C:\Program Files\Intel\Wireless\Bin\S24MUDLL.dll]  [Intel Corporation, 10.5.1.2]
[PID: 952 / SYSTEM][C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe]  [Intel Corporation , 10, 5, 1, 8]
    [C:\Program Files\Intel\Wireless\Bin\TraceAPI.DLL]  [Intel Corporation, 10.5.1.6]
    [C:\Program Files\Intel\Wireless\Bin\PsRegApi.dll]  [Intel Corporation, 10.5.1.6]
    [C:\Program Files\Intel\Wireless\Bin\LIBEAY32.dll]  [The OpenSSL Project, http://www.openssl.org/, 0.9.8]
    [C:\Program Files\Intel\Wireless\Bin\IntStngs.dll]  [, 10.5.1.0  ]
    [C:\Program Files\Intel\Wireless\Bin\IWMSPROV.DLL]  [N/A, ]
[PID: 1008 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1044 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1076 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1144 / SYSTEM][d:\KAV2007\KWatch.EXE]  [Kingsoft Corporation, 2005, 9, 27, 51]
    [d:\KAV2007\KAVIPC2.DLL]  [Kingsoft Corporation, 2004, 12, 28, 20]
    [d:\KAV2007\KAEPlat.DLL]  [Kingsoft Corp., 2006, 5, 30, 59]
    [d:\KAV2007\KAEMem.DAT]  [Kingsoft, 2006, 5, 17, 14]
    [d:\KAV2007\KAEUnpack.DAT]  [Kingsoft Corp., 2006, 7, 27, 59]
[PID: 1256 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\bthcrp.dll]  [Broadcom Corporation., 5.1.0.2100]
    [C:\WINDOWS\system32\WidcommSdk.dll]  [Broadcom Corporation., 5.1.0.2100]
    [C:\WINDOWS\system32\wbtapi.dll]  [Broadcom Corporation., 5.1.0.2100]
    [C:\WINDOWS\system32\spool\PRTPROCS\W32X86\mdippr.dll]  [Microsoft Corporation, 11.3.2175.0]
    [C:\WINDOWS\system32\spool\PRTPROCS\W32X86\vprproc.dll]  [Windows (R) 2000 DDK provider, 5.00.2195.1620]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,4,12]
[PID: 1292 / NETWORK SERVICE][C:\WINDOWS\system32\msdtc.exe]  [Microsoft Corporation, 2001.12.4720.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1652 / SYSTEM][C:\WINDOWS\system32\inetsrv\inetinfo.exe]  [Microsoft Corporation, 6.0.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,4,12]
[PID: 1724 / SYSTEM][d:\KAV2007\KPfwSvc.EXE]  [Kingsoft Corporation, 2005, 9, 5, 28]
[PID: 1832 / SYSTEM][D:\oracle\ora92\BIN\TNSLSNR.exe]  [N/A, ]
    [D:\oracle\ora92\BIN\oransgr9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\BIN\oran9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\BIN\oranl9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\BIN\oranldap9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\BIN\orannzsb
su2qi - 2008-3-22 11:23:00
[PID: 1856 / SYSTEM][d:\oracle\ora92\bin\ORACLE.EXE]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oraclient9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oracore9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranls9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oraunls9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oravsn9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oracommon9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\orageneric9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oraxml9.dll]  [Oracle Corporation, ]
    [d:\oracle\ora92\bin\oraxsd9.dll]  [Oracle Corporation, ]
    [d:\oracle\ora92\bin\orannzsbb9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oran9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranl9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranldap9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oraldapclnt9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orancrypt9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\ORATRACE9.dll]  [N/A, ]
    [d:\oracle\ora92\bin\oranro9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranhost9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranoname9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orancds9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orantns9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oranms.dll]  [Oracle Corporation, 9.2.0.0.0]
    [d:\oracle\ora92\bin\oranmsp.dll]  [Oracle Corporation, 9.2.0.0.0]
    [d:\oracle\ora92\bin\orapls9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oraslax9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orasnls9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orawtc9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\orasql9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\oraodm9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\oraplp9.dll]  [Oracle Corporation, 9.2.0.1.0 Production ]
    [d:\oracle\ora92\bin\orajox9.dll]  [N/A, ]
    [d:\oracle\ora92\bin\oransgr9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [d:\oracle\ora92\bin\orawwg9.dll]  [Oracle Corporation, 8.1.7.0.0]
    [d:\oracle\ora92\bin\ocijdbc9.dll]  [N/A, ]
    [D:\oracle\ora92\BIN\ORAIMR9.Dll]  [Oracle Corporation, 9.2.0.1.0]
    [D:\oracle\ora92\bin\oranbeq9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\bin\orannts9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [D:\oracle\ora92\bin\orantcp9.dll]  [Oracle Corporation, 9.2.0.1.0 Production]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,4,12]
[PID: 1892 / SYSTEM][C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe]  [Intel Corporation, 10.5.1.6 ]
[PID: 1908 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 2032 / SYSTEM][C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe]  [Microsoft Corporation, 9.107.5512.0]
    [C:\Program Files\Common Files\System\MSSearch\Bin\mssws.dll]  [Microsoft Corporation, 9.107.5512.0]
    [C:\PROGRA~1\COMMON~1\System\MSSearch\Bin\mssrch.dll]  [Microsoft Corporation, 9.107.5512.0]
    [C:\Program Files\Common Files\System\MSSearch\Bin\tquery.dll]  [Microsoft Corporation, 9.107.5512.0]
    [C:\PROGRA~1\COMMON~1\System\MSSearch\Bin\propdefs.dll]  [Microsoft Corporation, 9.107.5512.0]
    [C:\PROGRA~1\COMMON~1\System\MSSearch\Bin\srchidx.dll]  [Microsoft Corporation, 9.107.5512.0]
[PID: 576 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1352 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1488 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1504 / NETWORK SERVICE][C:\WINDOWS\system32\wbem\wmiprvse.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 972 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 2296 / SYSTEM][C:\WINDOWS\system32\wbem\wmiprvse.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 2724 / Administrator][d:\KAV2007\KAVStart.exe]  [Kingsoft Corporation, 2006, 9, 7, 210]
    [C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MFC71CHS.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [d:\KAV2007\KAVIPC2.DLL]  [Kingsoft Corporation, 2004, 12, 28, 20]
    [d:\KAV2007\SvcTimer.DLL]  [Kingsoft Corporation, 2006.7.24.80]
    [d:\Program Files\360safe\safemon\safemon.dll]  [奇虎网, 4, 0, 3, 1003]
    [d:\KAV2007\KAVPassp.dll]  [Kingsoft Corporation, 2006, 9, 7, 270]
    [d:\KAV2007\PopSprt3.dll]  [Kingsoft Corporation, 2006, 8, 7, 38]
    [d:\KAV2007\KASocket.dll]  [Kingsoft Corporation, 2005, 2, 22, 233]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,4,12]
[PID: 2736 / Administrator][d:\Program Files\360safe\safemon\360tray.exe]  [奇虎网, 4, 0, 3, 1005]
    [d:\Program Files\360safe\safemon\safemon.dll]  [奇虎网, 4, 0, 3, 1003]
    [d:\Program Files\360safe\safemon\SafeKrnl.dll]  [奇虎网, 4, 0, 3, 1001]
    [d:\Program Files\360safe\AntiAdwa.dll]  [36
su2qi - 2008-3-22 11:23:00

==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. [Compiled Help Module]
.HLP  Error. [winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[C:\]
[autorun]
open=RunDll32.exe .\SysInfo2.Dll,MyFun
shell\1=打开(&O)
shell\1\Command=RunDll32.exe .\SysInfo2.Dll,MyFun
shellexecute=RunDll32.exe .\SysInfo2.Dll,MyFun
[D:\]
[autorun]
open=RunDll32.exe .\SysInfo2.Dll,MyFun
shell\1=打开(&O)
shell\1\Command=RunDll32.exe .\SysInfo2.Dll,MyFun
shellexecute=RunDll32.exe .\SysInfo2.Dll,MyFun
[E:\]
[autorun]
open=RunDll32.exe .\SysInfo2.Dll,MyFun
shell\1=打开(&O)
shell\1\Command=RunDll32.exe .\SysInfo2.Dll,MyFun
shellexecute=RunDll32.exe .\SysInfo2.Dll,MyFun

==================================
HOSTS 文件
127.0.0.1      localhost
127.0.0.1  yu.8s7.net
127.0.0.1  1.jopanqc.com
127.0.0.1  2.joppnqq.com
127.0.0.1  wg.47255.com
127.0.0.1  1.joppnqq.com
127.0.0.1  xxx.m111.biz
127.0.0.1  1.jopenqc.com
127.0.0.1  1.jopenkk.com
127.0.0.1  xxx.vh7.biz
127.0.0.1  xxx.j41m.com
127.0.0.1  3.joppnqq.com
127.0.0.1  d.93se.com
127.0.0.1  www.868wg.com
127.0.0.1  xxx.mmma.biz
127.0.0.1  ilove.com
127.0.0.1  tp.shpzhan.cn
127.0.0.1  www.tomwg.com
127.0.0.1  www.cike007.cn
127.0.0.1  www.22aaa.com
127.0.0.1  xx.exiao01.com
127.0.0.1  www.exiao01.com
127.0.0.1  www.exiao01.com
127.0.0.1  new.749571.com
127.0.0.1  xtx.kv8.info
127.0.0.1  cao.kv8.info
127.0.0.1  1.jopmmqq.com
127.0.0.1  171817.171817.com
127.0.0.1  d2.llsging.com
127.0.0.1  down.malasc.cn
127.0.0.1  llboss.com
127.0.0.1  nx.51ylb.cn
127.0.0.1  my.531jx.cn
127.0.0.1  qqq.dzydhx.com
127.0.0.1  qqq.hao1658.com
127.0.0.1  www.333292.com
127.0.0.1  down.18dd.net
127.0.0.1  up.22x44.com

==================================
进程特权扫描
特殊特权被允许: SeDebugPrivilege [PID = 2736, D:\PROGRAM FILES\360SAFE\SAFEMON\360TRAY.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2780, D:\KAV2007\KPFW32.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2816, D:\KAV2007\KMAILMON.EXE]

==================================
API HOOK
入口点错误:LoadLibraryExW (危险等级: 高,  被下面模块所HOOK: d:\KAV2007\KASocket.dll)

==================================
隐藏进程
N/A

==================================


[/CODE]
su2qi - 2008-3-22 11:26:00
When scanning with SREng it warned that the registry value GinaDLL had been changed to an abnormal value and that I should check for viruses; it also said the file system had errors……
I've never used SREng before; please help me analyze this.
Some more detail on the symptoms: a while ago the machine was heavily infected; after cleaning it with Kaspersky it still feels a bit slow, and sometimes the screen refreshes on its own.
超级游戏迷 - 2008-3-22 17:24:00
1. Unplug the network cable, and also copy the whole folder containing the log-scanning tool to the desktop. Then download xdelbox 1.6 (I have it on my netdisk; see my signature for the address), extract it to the desktop (I suggest creating an empty folder first), run it, and use that tool to delete the following files:
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\msccrt.exe
C:\WINDOWS\NAVMon32.exE
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\WINSvr32.exE
C:\WINDOWS\mklwlh.exe
C:\WINDOWS\DOWNLOAD PROGRAM FILES\BDHelper.dll
C:\Document and settings\administrator\local settings\Temp\tmp7B.tmp
C:\Document and settings\administrator\local settings\Temp\usbhcid.sys
C:\Document and settings\administrator\local settings\Temp\tmp8F.tmp
C:\Document and settings\administrator\local settings\Temp\usbcams3.sys
C:\WINDOWS\TEMP\tmp20.tmp
C:\WINDOWS\system32\SysInfo.dll
C:\WINDOWS\system32\SysInfo2.dll
c:\SysInfo2.Dll
d:\SysInfo2.Dll
e:\SysInfo2.Dll
c:\autorun.inf
d:\autorun.inf
e:\autorun.inf

2. Start -- Run -- type regedit -- Enter to open the Registry Editor, then do the following:
(1) Delete the following registry values:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BIE><; Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32> [N/A]
<cmdbcs><; C:\WINDOWS\cmdbcs.exe> [N/A]
<DbgHlp32><; C:\WINDOWS\DbgHlp32.exe> [N/A]
<Kvsc3><; C:\WINDOWS\Kvsc3.exE> [N/A]
<msccrt><; C:\WINDOWS\msccrt.exe> [N/A]
<NAVMon32><; C:\WINDOWS\NAVMon32.exE> [N/A]
<SHAProc><; C:\WINDOWS\SHAProc.exe> [N/A]
<WINSvr32><; C:\WINDOWS\WINSvr32.exE> [N/A]
<WSockDrv32><; C:\WINDOWS\mklwlh.exe> []
(2) Rename the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ to MountPoints, then close the Registry Editor.

3. Run SRENGPS.EXE, the SREng scan-log executable on the desktop, and use the SREng scan tool to delete the following items:
(1) Drivers
[dohs / dohs]
[iCafe Manager / iCafe Manager]
[mhfp / mhfp]
[Sc Manager / Sc Manager]
[WL / WL]
(2) Browser add-ons
[]
{989D2FEB-5411-4565-8988-1DD2C5263377}
[BDHlprObj Class]
{CA92B524-BC8A-4610-BD2C-6BD3E28155D0}
[BDHlprObj Class]
{CA92B524-BC8A-4610-BD2C-6BD3E28155D0}

4. After rebooting, enter Safe Mode and run a full-disk scan with your antivirus.

As for SREng's warning that UIHost was changed, you can edit the value data of [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]<UIHost> from <%SystemRoot%\system32\logonui.exe> to <logonui.exe>, or just leave it. This is mainly because you installed some "XP变脸王" program.

Note: (1) Throughout the whole process, do not directly access any drive in any way; do everything from the desktop.
(2) For how to use the relevant software, read the software's help files yourself.


PS: there's also the fingerprint recognition system……
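The autorun.inf entries and file associations in the SREng log above are exactly what a responder checks before working through a removal list like the one in this post: the same RunDll32 loader appears on every drive root, and SREng marks several handlers as non-default. The following Python script is an added example, not part of this thread or of SREng; it parses a constructed, shortened excerpt modeled on the log's 文件关联, Autorun.inf and HOSTS 文件 sections and flags the entries worth reviewing. The section titles it keys on, the launcher list and the severity labels are assumptions of this example.

```python
"""Triage helper for SREng-style log sections (added example, not an SREng tool)."""
import re
from collections import OrderedDict

# Constructed sample: a shortened excerpt modeled on the sections of the
# SREng log posted in this thread. Raw string so backslashes stay literal.
SAMPLE_LOG = r"""
==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]

==================================
Autorun.inf
[C:\]
[autorun]
open=RunDll32.exe .\SysInfo2.Dll,MyFun
shell\1=打开(&O)
shell\1\Command=RunDll32.exe .\SysInfo2.Dll,MyFun
shellexecute=RunDll32.exe .\SysInfo2.Dll,MyFun
[D:\]
[autorun]
open=RunDll32.exe .\SysInfo2.Dll,MyFun
shellexecute=RunDll32.exe .\SysInfo2.Dll,MyFun

==================================
HOSTS 文件
127.0.0.1      localhost
127.0.0.1  yu.8s7.net
"""

# Assumed launcher names whose presence in an autorun action is a red flag.
LAUNCHERS = ("rundll32", "cmd.exe", "wscript", "cscript", "regsvr32", "mshta")
EXEC_EXTS = {".EXE", ".COM", ".BAT", ".PIF"}
EXPECTED_EXEC_HANDLER = '"%1" %*'


def split_sections(text):
    """Return {section title: [non-blank body lines]}; a '====' line precedes each title."""
    sections, title, expecting_title = OrderedDict(), None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("====="):
            title, expecting_title = None, True
        elif expecting_title and line.strip():
            title, expecting_title = line.strip(), False
            sections[title] = []
        elif title is not None and line.strip():
            sections[title].append(line)
    return sections


def parse_autorun(lines):
    """Parse '[C:\\]' headers and key=value lines into {drive: {key.lower(): value}}."""
    drives, current = OrderedDict(), None
    for line in lines:
        m = re.match(r"^\[([A-Za-z]:)\\?\]$", line.strip())
        if m:
            current = m.group(1).upper()
            drives[current] = {}
        elif current is not None and line.strip().lower() != "[autorun]" and "=" in line:
            key, _, value = line.partition("=")
            drives[current][key.strip().lower()] = value.strip()
    return drives


def assess_autorun(drives):
    """Flag every drive-root autorun.inf, and rate actions that invoke a launcher
    or a relative path (.\\...) as high, which is the pattern in the posted log."""
    findings = []
    for drive, values in drives.items():
        findings.append((drive, "review", "autorun.inf present on drive root"))
        for key, value in values.items():
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                low = value.lower()
                if any(l in low for l in LAUNCHERS) or ".\\" in value:
                    findings.append((drive, "high", f"{key}={value}"))
    return findings


def parse_file_assoc(lines):
    """Parse '.EXE  OK. ["%1" %*]' lines into (ext, status, handler) tuples."""
    rows = []
    for line in lines:
        m = re.match(r"^(\.[A-Za-z0-9]+)\s+(OK|Error)\.\s+\[(.*)\]$", line.strip())
        if m:
            rows.append((m.group(1).upper(), m.group(2), m.group(3)))
    return rows


def assess_file_assoc(rows):
    """A changed handler for executable types is high; other SREng 'Error' rows are for review."""
    findings = []
    for ext, status, handler in rows:
        if ext in EXEC_EXTS and handler != EXPECTED_EXEC_HANDLER:
            findings.append((ext, "high", f"executable handler changed: {handler}"))
        elif status == "Error":
            findings.append((ext, "review", f"SREng flagged non-default handler: {handler}"))
    return findings


def assess_hosts(lines):
    """Names other than localhost mapped to 127.0.0.1: usually a deliberate
    sinkhole list written by a security tool, so reported as informational."""
    names = [p[1] for p in (l.split() for l in lines)
             if len(p) >= 2 and p[0] == "127.0.0.1" and p[1].lower() != "localhost"]
    if not names:
        return []
    return [("HOSTS", "info", f"{len(names)} non-localhost name(s) -> 127.0.0.1: {', '.join(names[:5])}")]


def triage(text):
    """Run all checks over a log text; returns a list of (where, level, detail)."""
    s = split_sections(text)
    return (assess_autorun(parse_autorun(s.get("Autorun.inf", [])))
            + assess_file_assoc(parse_file_assoc(s.get("文件关联", [])))
            + assess_hosts(s.get("HOSTS 文件", [])))


if __name__ == "__main__":
    for where, level, detail in triage(SAMPLE_LOG):
        print(f"[{level:6}] {where}: {detail}")
```

Run against the full log from this thread, the script would report the identical RunDll32 action on C:, D: and E: as high, which matches step 1 of the post (removing SysInfo2.Dll and autorun.inf from every drive root), while the .TXT and .INI rows and the HOSTS block list only come back as items to review rather than as infections.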
su2qi - 2008-3-22 20:31:00
Quote:
[超级游戏迷's post] 1. Unplug the network cable, and also copy the whole folder containing the log-scanning tool
………………


Thanks, bro :) It's a colleague's T60,
su2qi - 2008-3-22 21:42:00
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\msccrt.exe
C:\WINDOWS\NAVMon32.exE
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\WINSvr32.exE
Those files aren't there? I've already turned on "show all files".
su2qi - 2008-3-22 21:50:00
Also, the antivirus can't find the path; I suspect it's some kind of "机器狗" (Robot Dog) infection? We can't get online at work, so I have no idea what's going around these days.
sako - 2008-3-23 1:55:00
Is it xdelbox that you can't find????
If not,
冰刃 (IceSword) 1.22 link: http://www.onlinedown.net/soft/53325.htm

Find it and force-delete it.
孑弋 - 2008-3-23 10:20:00
Quote:
[sako's post] Is it xdelbox that you can't find????
If not,
冰刃 (IceSword) 1.22 link: http://www.onlinedown.net/soft/53325.htm

Find it and force-delete it.
………………



Attachment: 10263222008323100815.txt