好,==,扫描好了就贴上来.

18:10:00删除csrss.exe,新出来的csrss.exe的创建时间是18:14:15

附,我的系统里杂乱的软件安装得很少,后台进程也一般控制在22个以下.应该是比较"清纯"的哦  *(^_^)*  .是不是会对查找病毒干扰会少点?

重贴的日志

2006-09-06,19:59:07

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ShStatEXE><"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE>  [Network Associates, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [Microsoft Corporation]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
    <WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll>  [System Safety Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <Advanced Tools Check><; ; ; ; ; ; C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE>  []
    <ccApp><; ; ; ; ; ; "C:\Program Files\Common Files\Symantec Shared\ccApp.exe">  []
    <ccRegVfy><; ; ; ; ; ; "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe">  []
    <gcasServ><; ; ; ; ; ; "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe">  []
    <IMJPMIG8.1><; ; ; ; ; ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [Microsoft Corporation]
    <McAfeeUpdaterUI><; ; ; ; ; ; "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey>  []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <msnmsgr><; ; ; "C:\Program Files\MSN Messenger\msnmsgr.exe" /background>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <MSPY2002><; ; ; ; ; ; C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC>  []
    <NeroFilterCheck><; ; ; ; ; ; C:\WINDOWS\system32\NeroCheck.exe>  [Ahead Software Gmbh]
    <Network Associates Error Reporting Service><; ; ; ; ; ; "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe">  []
    <PHIME2002A><; ; ; ; ; ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [Microsoft Corporation]
    <PHIME2002ASync><; ; ; ; ; ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [Microsoft Corporation]
    <RealTray><; ; ; ; ; ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER>  []
    <SSC_UserPrompt><; ; ; ; ; ; C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe>  []
    <SysExplr><; ; ; ; ; ; C:\HEROSOFT\Hero3000\SYSEXPLR.EXE>  []
    <TkBellExe><; ; ; ; ; ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  []

==================================
启动文件夹
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[McAfee Framework 服务 / McAfeeFramework]
  <C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart><Network Associates, Inc.>
[Network Associates McShield / McShield]
  <"C:\Program Files\Network Associates\VirusScan\Mcshield.exe"><Network Associates, Inc.>
[Network Associates Task Manager / McTaskManager]
  <"C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"><Network Associates, Inc.>
[SoundMAX Agent Service / SoundMAX Agent Service (default)]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
[Update Service For Windows / winupdate]
  <C:\WINDOWS\winupdate.exe><N/A>

==================================
浏览器加载项
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <D:\Tencent2006\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Windows Live Sign-in Helper]
  {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Sun Java2]
  {C61A70F3-505E-4B90-916F-627A8706B4BC} <c:\WINDOWS\system32\COMBoHEvent.dll, N/A>
[金山词霸]
  {9A687CA6-D585-4947-9ED9-BE96071F5CD9} <C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll, 金山软件股份有限公司>
[QQIEFloatBarCfgCmd Class]
  {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <D:\Tencent2006\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINDOWS\System32\CMBEdit.dll, >
[safeInput Class]
  {ECCBA953-80E5-11D3-9285-0080ADB811C5} <C:\WINDOWS\Downloaded Program Files\safein.dll, Beijing eChannels Century Technology Co.,Ltd>
[上传到QQ网络硬盘]
  <D:\Tencent\qq\AddToNetDisk.htm, N/A>
[导出到 Microsoft Excel(&x)]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
  <D:\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Tencent\qq\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 448][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 504][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 528][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\system32\SSMWinlogonEx.dll]  <System Safety Limited><2.0.8.582>
[PID: 572][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 584][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 744][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 792][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 844][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 864][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1248][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Network Associates\VirusScan\shext.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\ShExtRes.dll]  <Network Associates, Inc.><8.0.0.912>
[PID: 1400][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1436][C:\Program Files\Network Associates\VirusScan\Mcshield.exe]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\Res04\McShield.DLL]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\FTL.Dll]  <Network Associates, Inc.><8.0.0.133>
    [C:\Program Files\Network Associates\VirusScan\naiann.dll]  <Network Associates, Inc.><8.0.0.306>
    [C:\Program Files\Network Associates\VirusScan\mytilus.dll]  <Network Associates, Inc.><8.0.0.306>
    [C:\Program Files\Network Associates\Common Framework\GenEvtInf.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\VirusScan\NaEventU.DLL]  <Network Associates, Inc.><8.0.0.342>
    [C:\Program Files\Network Associates\VirusScan\Res04\naEvtRes.dll]  <Network Associates, Inc.><8.0.0.342>
    [C:\Program Files\Network Associates\VirusScan\VSIDSvr.dll]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Common Files\Network Associates\Engine\MCSCAN32.DLL]  <McAfee, Inc.><4.4.00>
    [C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\VirusScan\EntSrv.Dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1460][C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  <Network Associates, Inc.><8.0.0.989>
    [C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\naicondl.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\VsTskMgr.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\MIDUtil.Dll]  <Network Associates, Inc.><8.0.0.145>
[PID: 1560][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe]  <Analog Devices, Inc.><3, 2, 6, 0>
[PID: 300][C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  <Network Associates, Inc.><8.0.0.989>
    [C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\shstat.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\Product.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\McShield.dll]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\RES04\Shutilrc.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\Graphics.dll]  <Network Associates, Inc.><8.0.0.912>
[PID: 692][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 1508][D:\悲愤\优选工具\新18种工具\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>

==================================
文件关联
.TXT  Error. [NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  Error. [超级解霸3000]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================

【回复“fzzfzz”的帖子】
果然有鬼！

注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe> []——查杀参考：http://forum.ikaka.com/topic.asp?board=28&artid=8154055

服务
[Update Service For Windows / winupdate]
<C:\WINDOWS\winupdate.exe><N/A>——查杀参考：http://forum.ikaka.com/topic.asp?board=28&artid=7713905

以上的日志是重新贴过的.

洗看原来的那个日志时,发现有许多是在msconfig中被关掉的启动项.看了一下msconfig,发现不知道什么时候全选了启动项.
改回来后,重新扫描后,把正确的日志贴上来了.

正不好意思

引用:

【baohe的贴子】【回复“fzzfzz”的帖子】 果然有鬼！ 注册表 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] <CheckFaultKernel><C:\WINDOWS\System32\mswdm.exe> []——查杀参考：http://forum.ikaka.com/topic.asp?board=28&artid=8154055 服务 [Update Service For Windows / winupdate] <C:\WINDOWS\winupdate.exe><N/A>——查杀参考：http://forum.ikaka.com/topic.asp?board=28&artid=7713905 ………………

用SSM阻止了mswmd.exe, 要想删这个文件，可是很奇怪，到c:\windows\system32中怎么也找不（已经打开了文件夹显示隐藏文件的选项），用系统的搜索也没有找到，最后，用搜索软件Ava Find找，找到并删除，并在回收站里看到有它。

真是很奇怪！

在注册表里发现：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
名称 CheckFaultKernel  键值：C:\WINDOWS\System32\mswdm.exe
需要删，对吗？

对于：
服务
[Update Service For Windows / winupdate]
<C:\WINDOWS\winupdate.exe><N/A>
这个服务在HijackThis 的报告里也可以看到：file missing . 到C:\WINDOWS里也没有找到这个文件。
记得好像是手工删过这个文件的。
应该清理注册表里的相关项，在SSM里终止这个进程?

【回复“fzzfzz”的帖子】
既然你已经熟悉SSM，就把C:\WINDOWS\winupdate.exe和C:\WINDOWS\System32\mswdm.exe都禁了。它们的注册表项——统统删除。这没什么可犹豫的。

很遗憾地向baohe 斑竹报告,做了上面的各项后,发现inetsrv 里的情况依旧,删了csrss.exe 还会恢复.

晕死了!