Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

[Help] Help with Backdoor.Formador, I've completely given up hope.

I have gone to great lengths over this virus but still have no solution. I hope some expert can help; I would be extremely grateful.
I'm on a WIN2000 system.

The virus file name is Ydqztyef.d1l
It belongs to the pcclient family; it is a PE-type virus that lives under the WINDOWS directory.

Below are the methods I have used against this virus over the past half year (all failed).

One day, a manual scan with Rising reported:
c:\winnt\system32 contained ydqztyef.d1l. Delete this file after reboot.
c:\winnt\system32\drivers contained ydqztydf.sys. Removed successfully.

Great, that was easy. Rebooted right away..
After the reboot the system was wrecked.
The basic symptoms: not a single file showed in the system folder; system search was completely broken; in Control Panel every icon had moved to the left where the properties pane should be, with the right side blank; copy and paste failed everywhere in the system; just before entering WINDOWS a "detecting network" prompt appeared for about 5 minutes; after those 5 minutes the desktop was completely blank and only displayed normally after roughly another 5 minutes. I won't go into more detail; the whole system was like a WINDOWS that had never finished forming..
No choice; reinstalled from scratch...

Not long after the reboot I thought: if Rising can't do it, let me try Norton..
Once everything was set up, Norton showed:
ydqztydf.sys quarantined successfully.
Ydyztydf.d1l clean failed, quarantine failed
Rebooted right away. Everything was fine, it just couldn't be killed. My first reaction: this garbage Rising really is garbage, it sees a virus and deletes it outright instead of repairing it? Pah, Norton is better, it doesn't delete the file. But deep down I knew this wasn't "better": the system only stayed normal because Norton hadn't touched the file..

Then I heard this is a trojan program. I installed 7 or 8 trojan removers; not one of them could find it.

I was utterly desperate. I decided to fight it to the end..
Entered Safe Mode and deleted ydqztydf.d1l directly. Success. After the reboot the symptoms were exactly the same as after Rising's removal. I thought to myself: does Rising really delete a detected virus outright without checking whether it's a system file? Embarrassing.. So I concluded that this ydqztydf.dll is a system file, but when I restored a fresh system the file wasn't there. That made me think it is integrated with the system, so there is no way it can ever be deleted??? Deleting it means my system is finished??

I still didn't believe it. Kept fighting.

Installed IceSword, found the file, deleted it; it was copied back immediately. Useless.
Installed Process Explorer, and only then did I understand that it is attached under IE, and IE is attached under svchost.exe. Because ydqztydf.d1l is attached together with the system, it can't be deleted. I tried using Process Explorer to kill svchost.exe, and something strange happened again: every file under Winnt became invisible, so ydqztydf.d1l still couldn't be deleted. Then I thought of a clever trick: open system32 first, then kill that svchost.exe. Now I could delete ydqztydf.d1l, right? Sure enough, I deleted it. But disaster struck again: it went right back to the state I described above, the same as when Rising deleted the file outright..

Thought again. Remembered that ydqztydf.sys is also under system32\drivers, and figured the virus might be loaded together with a driver. Went straight to Control Panel > Computer Management, opened Device Manager and showed hidden devices. Good grief. Under Non-Plug and Play Drivers there was a ydqztydf driver with a ! mark. Damn, uninstalled it immediately, and at the same time opened regedit and deleted everything related to ydqztydf. Rebooted again; system wrecked again. Luckily I had a GHOST image; restored again. Before long Ydqztydf.d1l was back in production..

Who can save me? What on earth should I do? This file can't be deleted. In Safe Mode, or with svchost.exe killed, it can be deleted, but then the system is wrecked. If anyone knows, please contact me.

QQ: 34332640
Email: neteasy_h@163.com
Last edited 2006-02-27 20:16:35

Injected into a system process?

http://forum.ikaka.com/topic.asp?board=28&artid=6979213
Download System Repair Engineer 2.0.12.350
Export the log

The log is too big; I can't upload it.

2006-02-24,15:49:27

System Repair Engineer 2.0.12.350 (2.0 RC 1)
    Windows 2000 Professional Service Pack 4 - administrator user - full functionality

The following were selected:
    All startup items (including registry, startup folder, services, etc.)
    Browser add-ons
    Running processes (including process module information)
    File associations


Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <Internat.exe><internat.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <Synchronization Manager><mobsync.exe /logon>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <NvCplDaemon><RUNDLL32.EXE NvQTwk,NvCplDaemon initialize>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <vptray><D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <SoundMan><SOUNDMAN.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <NeroFilterCheck><C:\WINNT\system32\NeroCheck.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <RfwMain><"d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <Windows木马防火墙><D:\Program Files\ftc\Trojanwall.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <the2avpromon><D:\Documents and Settings\Administrator\桌面\杀木马的工具\the2avpromon.exe /load>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  <TkBellnet><TkBellnet.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><>

==================================
Startup folder
[Adobe Gamma]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\Adobe Gamma.lnk><N>

==================================
Services
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Autodesk Licensing Service / Autodesk Licensing Service]
  <"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"><N/A>
[DefWatch / DefWatch]
  <"D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Symantec AntiVirus Client / Norton AntiVirus Server]
  <"D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
[Rising Personal Firewall Service / RfwService]
  <d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>

==================================
Browser add-ons
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <d:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[CdnForIE Class]
  {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[BandIE Class]
  {77FEF28E-EB96-44FF-B511-3185DEA48697} <C:\PROGRA~1\baidu\bar\baidubar.dll, Baidu.com, Inc.>
[IeCatch2 Class]
  {A5366673-E8CA-11D3-9CD9-0090271D075B} <D:\PROGRA~1\FLASHGET\jccatch.dll, Amaze Soft>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[WMHlprObj Class]
  {F5824EFB-728A-4726-A5A5-85A68B20EDC3} <C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll, CNNIC>
[CdnForIE Class]
  {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <d:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[FlashGet]
  {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[QQIEFloatBarCfgCmd Class]
  {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <d:\Program Files\Tencent\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[FlashGet Bar]
  {E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[百度超级搜霸]
  {B580CF65-E151-49C3-B73F-70B13FCA8E86} <C:\PROGRA~1\baidu\bar\baidubar.dll, Baidu.com, Inc.>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[AxInputControl Class]
  {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINNT\DOWNLO~1\INPUTC~1.DLL, >
[WCSMain Control]
  {D25CCF2F-05BA-4E6F-8B4C-B1BC88128824} <C:\WINNT\DOWNLO~1\WCSCLI~1.OCX, Whaty Info&Tech, LTD >
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[KATScan Control]
  {DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81} <C:\WINNT\system32\kingsoft\KATScan\KATScan.OCX, Kingsoft>
[CPasswordEditCtrl Object]
  {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINNT\system32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
[&Google Search]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html, N/A>
[&Translate English Word]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html, N/A>
[Backward Links]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html, N/A>
[Cached Snapshot of Page]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html, N/A>
[Similar Pages]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html, N/A>
[Translate Page into English]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html, N/A>
[上传到QQ网络硬盘]
  <D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用网际快车下载]
  <D:\PROGRA~1\FLASHGET\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <D:\PROGRA~1\FLASHGET\jc_all.htm, N/A>
[添加到QQ自定义面板]
  <D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
[百度-搜索MP3]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUMP3.HTM, N/A>
[百度-搜索图片]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUIMG.HTM, N/A>
[百度-搜索新闻]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUNEWS.HTM, N/A>
[百度-搜索歌词]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDULYRIC.HTM, N/A>
[百度-搜索网页]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUSEARCH.HTM, N/A>
[百度-搜索贴吧]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUPOST.HTM, N/A>
[百度-词典搜索]
  <res://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDU_DIC.HTM, N/A>

==================================
Running processes
[PID: 148][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 192][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 212][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6997>
    [C:\WINNT\system32\NavLogon.dll]  <N/A><N/A>
[PID: 240][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.7035>
    [C:\WINNT\system32\dmserver.dll]  <VERITAS Software Corp.><2195.6605.297.3>
[PID: 252][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.7011>
[PID: 420][d:\program files\rising\rfw\rfwsrv.exe]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 30>
    [d:\program files\rising\rfw\RfwRule.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 12>
    [d:\program files\rising\rfw\rfwlog.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 6>
    [d:\program files\rising\rfw\Rfwdrv.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 21>
    [d:\program files\rising\rfw\MonDrv.dll]  <rs><1, 0, 0, 4>
    [d:\program files\rising\rfw\ProcLib.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 9>
[PID: 488][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
    [c:\winnt\system32\ydqztyef.d1l]  <N/A><N/A>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
[PID: 504][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\WINNT\system32\Ydqztyef.d1l]  <N/A><N/A>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1]  <N/A><N/A>
[PID: 572][C:\WINNT\system32\spoolsv.exe]  <Microsoft Corporation><5.00.2195.7059>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
[PID: 600][C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe]  <N/A><2.51.000>
[PID: 628][D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe]  <Symantec Corporation><8.00.00.9374>
[PID: 644][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 672][D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe]  <Symantec Corporation><8.00.00.9374>
    [C:\WINNT\system32\CBA.DLL]  <Intel® Corporation><6.12.0.71 E>
    [C:\WINNT\system32\MsgSys.dll]  <Intel® Corporation><6.12.0.71 E>
    [C:\WINNT\system32\NTS.dll]  <Intel® Corporation><6.12.0.71 E>
    [C:\WINNT\system32\PDS.DLL]  <Intel® Corporation><6.12.0.71 E>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVLU.dll]  <Symantec Corporation><8.00.00.9374>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVNTUTL.DLL]  <Symantec/Peter Norton Group><1, 0, 0, 1>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\i2ldvp3.dll]  <Symantec Corporation><8.00.00.9374>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPI32.DLL]  <Symantec Corp.><4.1.0.15>
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060222.006\NAVEX32a.DLL]  <Symantec Corporation><20051.3.1.11>
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060222.006\NAVENG32.DLL]  <Symantec Corporation><20051.3.1.11>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL]  <Symantec Corporation><9.0.0.14>
    [C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Scandlgs.dll]  <Symantec Corporation><8.00.00.9374>
    [C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPCtls.ocx]  <Symantec Corporation><8.00.00.9374>
[PID: 680][C:\WINNT\system32\regsvc.exe]  <Microsoft Corporation><5.00.2195.6701>
[PID: 800][C:\WINNT\system32\MSTask.exe]  <Microsoft Corporation><4.71.2195.6972>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
[PID: 852][C:\WINNT\system32\stisvc.exe]  <Microsoft Corporation><5.00.2195.6656>
[PID: 904][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 912][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 1024][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\PROGRA~1\baidu\bar\baidubar.dll]  <Baidu.com, Inc.><2, 0, 2, 62>
    [D:\PROGRA~1\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
    [D:\Program Files\Tencent\QQ\qdshm.dll]  <><1, 0, 1, 2>
    [D:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll]  <Symantec Corporation><8.00.00.9374>
[PID: 1144][d:\program files\rising\rfw\RfwMain.exe]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 47>
    [d:\program files\rising\rfw\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 23>
    [d:\program files\rising\rfw\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [d:\program files\rising\rfw\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
[PID: 1256][D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe]  <Symantec Corporation><8.00.00.9374>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll]  <Symantec Corporation><8.00.00.9374>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVNTUTL.DLL]  <Symantec/Peter Norton Group><1, 0, 0, 1>
    [D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll]  <Symantec Corporation><8.00.00.9374>
[PID: 1264][C:\Program Files\CNNIC\Cdn\cdnup.exe]  <><2, 3, 0, 3>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\cdntdns.dll]  <CNNIC><2, 2, 0, 3>
[PID: 1292][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  <RealNetworks, Inc.><0.1.0.3292>
[PID: 1296][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
[PID: 1540][C:\WINNT\system32\conime.exe]  <Microsoft Corporation><5.00.2195.6655>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
[PID: 1652][C:\WINNT\system32\wuauclt.exe]  <Microsoft Corporation><5.8.0.2469 built by: lab01_n(wmbla)>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
[PID: 284][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [C:\PROGRA~1\baidu\bar\baidubar.dll]  <Baidu.com, Inc.><2, 0, 2, 62>
    [d:\Program Files\Tencent\QQ\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [D:\PROGRA~1\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
    [c:\program files\google\googletoolbar1.dll]  <Google Inc.><3, 0, 125, 1>
    [C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll]  <CNNIC><1, 1, 0, 0>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
    [C:\WINNT\system32\kingsoft\KATScan\KATScan.OCX]  <Kingsoft><2005, 1, 28, 3>
    [C:\WINNT\system32\Macromed\Flash\Flash8.ocx]  <Macromedia, Inc.><8,0,22,0>
[PID: 1532][D:\Program Files\Tencent\QQ\QQ.exe]  <TENCENT><14, 27, 0, 082>
    [D:\Program Files\Tencent\QQ\QQBaseClassInDll.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\QQHelperDll.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\BasicCtrlDll.dll]  <Tencent><0, 3, 3, 6>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [D:\Program Files\Tencent\QQ\QQAPI.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\TIMProxy.dll]  <tencent><0, 3, 2, 4>
    [D:\Program Files\Tencent\QQ\LoginCtrl.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\npkcntc.dll]  <INCA Internet Co., Ltd.><2005, 9, 1, 1>
    [D:\Program Files\Tencent\QQ\npkpdb.dll]  <INCA Internet Co., Ltd.><2003, 10, 1, 1>
    [D:\Program Files\Tencent\QQ\QQRes.dll]  <tencent><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\QQMainFrame.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\CQQApplication.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\NewSkin.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\HostingMgr.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\MailSummary.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
    [D:\Program Files\Tencent\QQ\QQSpace.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\msdmo.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\QQSysMsgMng.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\QQConfigPlugin.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\UserDefinedHead.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\QRingMng.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\PhoneAPI.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\DialerAllinOne.dll]  <tencent><1, 4, 0, 0>
    [D:\Program Files\Tencent\QQ\QQAvatar.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\FlashAvatarDll.dll]  <><1, 4, 0, 1>
    [D:\Program Files\Tencent\QQ\LongConnection.dll]  <tencent><0, 3, 3, 8>
    [D:\Program Files\Tencent\QQ\QQPet.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\BQQApplication.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\QQPlugin.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\QQAllInOne.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\CameraDll.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\SCCore.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\QQCustomFace.dll]  <N/A><N/A>
    [C:\WINNT\system32\Macromed\Flash\Flash8.ocx]  <Macromedia, Inc.><8,0,22,0>
    [D:\Program Files\Tencent\QQ\ImageOle.dll]  <TODO: <Company name>><1.0.0.1>
    [D:\Program Files\Tencent\QQ\QQSceneMng.dll]  <N/A><N/A>
    [D:\Program Files\Tencent\QQ\GroupConnection.dll]  <Tencent><0, 3, 3, 5>
    [D:\Program Files\Tencent\QQ\CommercesMng.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\PersonalDesktop.dll]  <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 2>
    [D:\Program Files\Tencent\QQ\QQGroupMng.dll]  <><1, 0, 0, 1>
    [D:\Program Files\Tencent\QQ\QQAddr.dll]  <深圳市腾讯计算机系统有限公司><4, 0, 200, 32>
    [D:\Program Files\Tencent\QQ\OEMApplication.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\OiWbx.ime]  <OutInn><4.00.950>
    [D:\Program Files\Tencent\QQ\QQZip.dll]  <tencent><0, 3, 2, 4>
    [D:\Program Files\Tencent\QQ\QQPhoneHelper.dll]  <腾讯科技(深圳)有限公司><1, 1, 4, 60>
    [D:\Program Files\Tencent\QQ\QQMagicFace.dll]  <><1, 0, 0, 1>
[PID: 1016][D:\Program Files\Tencent\QQ\TIMPlatform.exe]  <tencent><0, 3, 1, 8>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [D:\Program Files\Tencent\QQ\TIMProxy.dll]  <tencent><0, 3, 2, 4>
[PID: 1396][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [C:\PROGRA~1\baidu\bar\baidubar.dll]  <Baidu.com, Inc.><2, 0, 2, 62>
    [d:\Program Files\Tencent\QQ\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [D:\PROGRA~1\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
    [c:\program files\google\googletoolbar1.dll]  <Google Inc.><3, 0, 125, 1>
    [C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll]  <CNNIC><1, 1, 0, 0>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
    [C:\WINNT\system32\Macromed\Flash\Flash8.ocx]  <Macromedia, Inc.><8,0,22,0>
    [C:\WINNT\system32\OiWbx.ime]  <OutInn><4.00.950>
[PID: 2012][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.exe]  <Smallfrogs Studio><2.0.12.350>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 0>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 2>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>

==================================
File associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock providers

See whether this helps: http://forum.ikaka.com/topic.asp?board=28&artid=7538008

Two trojans:
c:\winnt\system32\ydqztyef.d1l
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1

Of these,
c:\winnt\system32\ydqztyef.d1l is injected into the following two processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1 is injected into
C:\Program Files\Internet Explorer\iexplore.exe

Do the following:
Download and install SSM

In SSM, add a rule
that forbids the following two files from loading
c:\winnt\system32\ydqztyef.d1l
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1
and set SSM to "load automatically"

After rebooting, delete:
c:\winnt\system32\ydqztyef.d1l
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1

http://forum.ikaka.com/topic.asp?board=28&artid=6979213
Download IceSword v1.12
Find and delete the corresponding .sys file (be very careful not to delete the wrong one)
-------------
Note:
SSM is System Safety Monitor
Official download: http://www.syssafety.com/
Supports Chinese

If you don't know how to use it, search for moderator baohe's posts about SSM

[Reply to 柳叶飘心's post]
What you have is a PCShare variant.
One characteristic of this trojan: besides injecting into the IE process, that d1l file also injects into one svchost process. Which svchost was injected? You can check with IceSword.
Once you have identified the process the d1l was injected into (see the attached picture), tick "Forbid process/thread creation" in IceSword's "Settings" panel and click "OK".
Then end IE and the svchost process that the d1l was injected into, and while you're at it delete that d1l and the sys file with IceSword. Done.

Attachment: screenshot (image/pjpeg, uploaded 2006-2-24 16:19:31, 512 downloads)
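As an added example (my own code, not from this thread and not part of SREng, SSM or IceSword), the following Python script does mechanically what the two replies above do by eye: it parses a module listing in the format of SREng's "Running processes" section, flags modules whose extension imitates .dll with a digit 1 (d1l, dl1), modules loaded from a Temp directory, and system32 modules that carry no version resource, and then reports which processes (which svchost, which iexplore) have each file mapped, in the order the replies recommend: stop the hosts, then delete the file. The sample input is a constructed excerpt of the log posted earlier in the thread; the heuristics, their severities and the function names are my own assumptions, not rules from any tool.

```python
import re

# Constructed excerpt, modelled on the SREng "Running processes" section posted in this thread
# (same line format; only a handful of processes kept).
SAMPLE_LOG = r"""
[PID: 212][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6997>
    [C:\WINNT\system32\NavLogon.dll]  <N/A><N/A>
[PID: 488][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
    [c:\winnt\system32\ydqztyef.d1l]  <N/A><N/A>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
[PID: 504][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\WINNT\system32\Ydqztyef.d1l]  <N/A><N/A>
    [C:\WINNT\system32\cdnns.dll]  <CNNIC><2, 0, 0, 0>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ydqztyef.dl1]  <N/A><N/A>
[PID: 644][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 1024][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [D:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
"""

# SREng lines: a process line is "[PID: n][exe]  <company><version>"; a module line has the
# same shape but is indented and has no PID field.
PROC_RE = re.compile(r"^\[PID:\s*(\d+)\]\[(.+?)\]\s+<(.*?)><(.*?)>\s*$")
MOD_RE = re.compile(r"^\s+\[(.+?)\]\s+<(.*?)><(.*?)>\s*$")


def parse_processes(text):
    """Return [(pid, exe_path, [(module_path, company, version), ...]), ...]."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(2), []))
            continue
        m = MOD_RE.match(line)
        if m and procs:
            procs[-1][2].append((m.group(1), m.group(2), m.group(3)))
    return procs


def module_reasons(path, company, version):
    """Heuristics (my own, not SREng's) for one loaded module: a list of (severity, reason)."""
    low = path.lower()
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    reasons = []
    # "d1l" / "dl1": the digit 1 stands in for the letter l, so the name passes for .dll at a
    # glance and never matches a rule written for *.dll.
    if ext != "dll" and ext.replace("1", "l") == "dll":
        reasons.append(("high", "extension '%s' imitates .dll with a digit 1" % ext))
    if "\\temp\\" in low:
        reasons.append(("high", "loaded from a Temp directory"))
    # A system32 module with no version resource is unusual but not proof: legitimate
    # third-party files (NavLogon.dll in this log) trip it too, so it is only flagged for review.
    if company == "N/A" and version == "N/A" and "\\system32\\" in low:
        reasons.append(("low", "no version resource although it sits in system32"))
    return reasons


def analyze(text):
    """Map each suspicious module (lower-cased path, so 'ydqztyef.d1l' and 'Ydqztyef.d1l'
    collapse into one entry) to its reasons and to the (pid, exe name) pairs hosting it."""
    findings = {}
    for pid, exe, mods in parse_processes(text):
        for path, company, version in mods:
            reasons = module_reasons(path, company, version)
            if not reasons:
                continue
            entry = findings.setdefault(path.lower(), {"reasons": set(), "hosts": set()})
            entry["reasons"].update(reasons)
            entry["hosts"].add((pid, exe.rsplit("\\", 1)[-1].lower()))
    return findings


def plan_removal(findings):
    """The order the replies in this thread use: first stop every process that has the file
    mapped (a mapped image cannot be deleted), then delete the file. Only high-severity hits
    are acted on; low-severity ones are left for manual review."""
    targets = {p for p, e in findings.items() if any(sev == "high" for sev, _ in e["reasons"])}
    pids = {pid for p in targets for pid, _ in findings[p]["hosts"]}
    return {"terminate": sorted(pids), "delete": sorted(targets)}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for path in sorted(found):
        hosts = ", ".join("%s (PID %d)" % (exe, pid) for pid, exe in sorted(found[path]["hosts"]))
        print(path)
        print("    hosted by:", hosts)
        for sev, why in sorted(found[path]["reasons"]):
            print("    [%s] %s" % (sev, why))
    print("plan:", plan_removal(found))
```

On the excerpt this reports ydqztyef.d1l mapped into svchost.exe (PID 488) and iexplore.exe (PID 504) and Ydqztyef.dl1 mapped into iexplore.exe, which is exactly why deleting the file from Explorer keeps failing: an image mapped into a running process cannot be deleted, so either the hosts are stopped first or the load is blocked before it happens, as the SSM rule does. One caveat: SREng and this script only see what user mode reports. The thread also names a ydqztydf.sys driver, and a kernel driver can hide files and modules from user-mode listings, which is why the replies point to IceSword for the final check and the deletion itself.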




Then scan away the junk as well:

Attachment: screenshot (image/pjpeg, uploaded 2006-2-24 16:24:13, 519 downloads)


