Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogue-software board


Sincere request for help: Trojan.dropper (bind_40055.exe), with the removal process for 10-odd other infections met along the way


Symptoms: no matter which site I visit, after a while Symantec ver. 10 pops up saying the machine is infected with the Trojan.dropper trojan, and a file bind_40055.exe is created in temp and in Temporary Internet Files (as shown in the picture). Symantec then reports it as cleaned. I have booted into safe mode several times and deleted every folder containing bind_40055.exe, but after rebooting, on several occasions the same alert came up before I had even gone online, and as soon as I go online it appears again; several times the machine froze with a blue screen. It is really annoying. The SREng report is attached at the end. Below is my hard slog of virus removal over the last two days, during which I removed no fewer than ten viruses or pieces of malware; the lessons may be useful to others, but for this one I cannot find the cause, and new malicious plug-ins keep getting installed, which may be related. Also, after going online now, the process list shows IEXPLORE.EXE in capitals (it used to be lower case); the count and the user are normal, and a search shows it is in the normal Internet Explorer directory, but it still feels odd. This is a bit long, but what I ran into is fairly typical; I hope an expert will analyse it carefully and advise.

Cause: the company's anti-virus software was upgraded from Symantec ver. 8 to ver. 10, but the company doing the installation was perhaps not up to the job and did not first remove the virus from the server, so as soon as the computer connected to the company LAN it was attacked.

1. At first I was not at the company, so I had not yet upgraded. After connecting to the network, Symantec ver. 8 reported the infosteal trojan but could not delete the virus program. I spent a whole morning analysing with SRE2 and finally found the culprits, mywow.dll and mywl.dll; I rebooted into safe mode and removed them.
2. After lunch, thinking I could work in peace, I went online to look something up and was immediately hit by a Downloader trojan and a QQ trojan (I have never used QQ), but Symantec ver. 8 detected and removed them.
3. Then I connected to the company system and Symantec ver. 8 immediately reported the W32.looked.p worm, and while removing it deleted the company system's .exe file on my machine. The maintenance company the firm had hired happened to be on site, so I connected to the company server and upgraded Symantec to ver. 10, but the server was actually riddled with the virus and Symantec itself had long since been infected. After the upgrade, my machine found many .exe files infected with W32.Looked.P that could not be cleaned; Symantec could only remove them by deleting the files, but because it was itself infected the scan stopped halfway. Over the next two days the anti-virus company reinstalled everything and every computer was isolated and scanned until they were basically clean.
4. Just as I thought I could breathe again, I tried going online: first the CNNIC malware installed itself, and after I finally managed to uninstall it, Baidu Super Search forced its way in. These were relatively simple and I dealt with them one by one.
5. After a little more browsing, Symantec popped up with the Trojan.dropper infection, as described at the start. Meanwhile I checked many websites, analysed the processes carefully, and used HiJack and SREng2 as well, and found: 1) IEHelper_5048.dll (it just could not be deleted; in the end I followed Rising's recommendation and used permission control to finally delete it, and removed the related entries in regedit, but for some reason SREng still shows it)
2) <DTService><rundll32.exe C:\WINDOWS\system32\soundmix.dll,Load>, a rogue process; deleted manually
3) <C:\WINDOWS\SYSTEM32\RUNDLL.EXE C:\WINDOWS\SYSTEM32\WBEM\AZDUKE38.DLL,Export 1087>, a rogue process; deleted manually
4) <C:\WINDOWS\system32\clipsvr.exe and powermrng.exe, rogue processes (whatever search you use, it jumps to Yahoo search); deleted manually
5) While writing this, I went online to look for a solution and got hit by a forced HENBANG install, so it will appear in SREng, but I don't think that is bind_40055.
6) SREng also shows some suspicious items, such as
[OMEY / OMEY]
  <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OMEY.exe><N/A>, but a search did not find it

It seems that since this infection the machine has become especially prone to all kinds of malicious plug-ins and trojans; I don't know why. Mine is a genuine XP Home edition with basically all the updates installed, and before this the occasional malicious plug-in would be blocked by Microsoft Defender and Symantec, yet somehow after the upgrade the protection got worse. That is basically what the last two days have been; the removal was hard work, but I learned a lot.

Attachment: SREng report (application/octet-stream), uploaded 2006-10-20 10:51:02, 450 downloads
Last edited 2006-10-21 19:47:27


2006-10-19,21:13:26

System Repair Engineer 2.2.6.605

Windows XP Home Edition Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <swg><C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe>  [(Verified)Google Inc.]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Corporation]
    <IgfxTray><C:\WINDOWS\system32\igfxtray.exe>  [(Verified)Intel Corporation]
    <HotKeysCmds><C:\WINDOWS\system32\hkcmd.exe>  [(Verified)Intel Corporation]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
    <Windows Defender><"C:\Program Files\Windows Defender\MSASCui.exe" -hide>  [(Verified)Microsoft Corporation]
    <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Corporation]
    <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Corporation]
    <KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [N/A]
    <ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe">  [(Verified)Symantec Corporation]
    <vptray><C:\PROGRA~1\SYMANT~2\VPTray.exe>  [(Verified)Symantec Corporation]
    <MSConfig><C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto>  [(Verified)Microsoft Corporation]
    <RichMedia><C:\WINDOWS\system32\Rundll32.exe  "C:\PROGRA~1\pcast\hbcast.dll",WaitWindows>  [Shanghai Henbang Technology Co., Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <DTService><rundll32.exe C:\WINDOWS\system32\soundmix.dll,Load>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}><C:\PROGRA~1\WIFD1F~1\MpShHook.dll>  [(Verified)Microsoft Corporation]
    <{56F9679E-7826-4C84-81F3-532071A8BCC5}><C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll>  [Microsoft Corporation]

==================================
启动文件夹
[FTP Utility]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\FTP Utility.lnk --> C:\PROGRA~1\KONICA~1\FTPUTI~1\KMFtp.exe [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.]><N>

==================================
服务
[Application Management / AppMgmt]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[NT Data Provider / BUZOR]
  <C:\WINDOWS\SYSTEM32\RUNDLL.EXE C:\WINDOWS\SYSTEM32\WBEM\AZDUKE38.DLL,Export 1087><Microsoft Corporation>
[Symantec Event Manager / ccEvtMgr]
  <"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr]
  <"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[ClipBook / ClipBook]
  <C:\WINDOWS\system32\clipsvr.exe><N/A>
[Symantec AntiVirus Definition Watcher / DefWatch]
  <"C:\Program Files\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[EPSON Printer Status Agent2 / EPSONStatusAgent2]
  <C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe><SEIKO EPSON CORPORATION>
[SVCHOST.EXE / Event Log]
  <><N/A>
[Human Interface Device Access / HidServ]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT]
  <"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Windows Gateway / Indtry]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\ovioxt90.dll><Microsoft Corporation>
[Microsoft Digital Identity Service / InfoCard Service]
  <><N/A>
[Indigo Tcp Port Sharing Service / itcppss]
  <><N/A>
[LiveUpdate / LiveUpdate]
  <"C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"><Symantec Corporation>
[Machine Debug Manager / MDM]
  <><N/A>
[Intel NCS NetService / NetSvc]
  <C:\Program Files\Intel\NCS\Sync\NetSvc.exe><Intel(R) Corporation>
[OMEY / OMEY]
  <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OMEY.exe><N/A>
[RegSrvc / RegSrvc]
  <C:\WINDOWS\System32\RegSrvc.exe><Intel Corporation>
[Spectrum24 Event Monitor / S24EventMonitor]
  <C:\WINDOWS\System32\S24EvMon.exe><Intel Corporation>
[SavRoam / SavRoam]
  <"C:\Program Files\Symantec AntiVirus\SavRoam.exe"><symantec>
[Symantec Network Drivers Service / SNDSrvc]
  <"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[Symantec SPBBCSvc / SPBBCSvc]
  <"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus]
  <"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
==================================
浏览器加载项
[]
  {16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5048.dll, N/A>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[isObject Class]
  {BE0B5843-553A-48C2-9A42-258A1D791AFC} <C:\PROGRA~1\pcast\hbcast.dll, Shanghai Henbang Technology Co., Ltd>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\System32\msjava.dll, N/A>
[]
  {16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5048.dll, N/A>
[&Google]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Windows Desktop Search Combo Control]
  {4E430174-1673-4FF3-BF28-A3B37F6573E7} <C:\Program Files\Windows Desktop Search\wdsShell.dll, Microsoft Corporation>
[Google Toolbar Helper]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8a.ocx, Macromedia, Inc.>
[&Windows Live Search]
  <res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm, N/A>
[Open in new background tab]
  <res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2bcb1bd3e1154a12ac2c4faec1cfd712, N/A>
[Open in new foreground tab]
  <res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2bcb1bd3e1154a12ac2c4faec1cfd712, N/A>
[使用网际快车下载]
  <, N/A>
[使用网际快车下载全部链接]
  <, N/A>
[导出到 Microsoft Excel(&x)]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
正在运行的进程
[PID: 976][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1316][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1628][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2004][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2016][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 956][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1272][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1452][C:\Program Files\Windows Defender\MsMpEng.exe]  [Microsoft Corporation, 1.1.1347.0]
[PID: 1812][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 236][C:\WINDOWS\System32\S24EvMon.exe]  [Intel Corporation , 4, 1, 0, 3]
[PID: 476][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 832][C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.7.3]
[PID: 868][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\soundmix.dll]  [, 1, 4, 0, 0]
    [C:\WINDOWS\system32\ext\dtdl.dll]  [N/A, N/A]
    [C:\WINDOWS\system32\ext\dtsm.dll]  [N/A, N/A]
    [C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, N/A]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll]  [Nokia, 6, 70, 24, 4]
    [C:\Program Files\Nokia\Nokia PC Suite 6\PCSCM.dll]  [Nokia, 6, 70, 58, 3]
    [C:\WINDOWS\system32\ConnAPI.DLL]  [Nokia., 6, 70, 39, 5]
    [C:\Program Files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-sc.nlr]  [Nokia, 6, 70, 7, 1]
    [C:\Program Files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr]  [Nokia, 6, 70, 7, 0]
[PID: 1604][C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\SPBBC\SPBBCEVT.DLL]  [Symantec Corporation, 2.2.0.5]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\CCSETEVT.DLL]  [Symantec Corporation, 104.0.7.3]
[PID: 356][C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe]  [Symantec Corporation, 2.2.0.5]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll]  [Symantec Corporation, 2.2.0.5]
    [C:\Program Files\Common Files\Symantec Shared\SPBBC\bbRGen.dll]  [Symantec Corporation, 2.2.0.5]
[PID: 460][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\System32\AdobePDF.dll]  [Adobe Systems Incorporated., 6.0.000]
    [C:\Program Files\Adobe\Acrobat 6.0\Distillr\adistres.dll]  [Adobe Systems Incorporated., 6.0.0.2003051500]
    [C:\WINDOWS\system32\E_SL2311.DLL]  [SEIKO EPSON CORPORATION, 2, 11, 0, 0]
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\FSPPMFP.DLL]  [N/A, 1, 0, 0, 0]
[PID: 936][C:\Program Files\Symantec AntiVirus\DefWatch.exe]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
[PID: 1116][C:\WINDOWS\System32\RegSrvc.exe]  [Intel Corporation, 4, 1, 0, 0]
[PID: 816][C:\Program Files\Symantec AntiVirus\SavRoam.exe]  [symantec, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\WINDOWS\system32\CBA.DLL]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\MsgSys.dll]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\NTS.dll]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\PDS.DLL]  [LANDesk Software Ltd., 6.12.0.142 E]
    [c:\program files\common files\symantec shared\ssc\ScsComms.dll]  [Symantec Corporation, 10.1.0.394]
[PID: 780][C:\WINDOWS\System32\tcpsvcs.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 824][C:\WINDOWS\System32\snmp.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 844][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 884][C:\Program Files\Symantec AntiVirus\Rtvscan.exe]  [Symantec Corporation, 10.1.0.394]
    [C:\WINDOWS\system32\CBA.DLL]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\MsgSys.dll]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\NTS.dll]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\WINDOWS\system32\PDS.DLL]  [LANDesk Software Ltd., 6.12.0.142 E]
    [C:\Program Files\Symantec AntiVirus\NAVLU.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Symantec AntiVirus\NAVNTUTL.DLL]  [Symantec Corporation, 10.1.0.394]
    [c:\program files\common files\symantec shared\ssc\ScsComms.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\I2ldvp3.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccDec.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\decsdk.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2ID.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2Zip.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2SS.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2GZIP.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2CAB.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2LHA.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2ARJ.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2TNEF.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2LZ.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2AMG.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2RAR.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2TAR.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2RTF.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\Decomposers\Dec2Text.dll]  [Symantec Corporation, 3.02.14.08]
    [C:\Program Files\Common Files\Symantec Shared\ccScan.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ecmldr32.DLL]  [Symantec Corporation, 51.3.0.11]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061018.039\ccEraser.dll]  [Symantec Corporation, 106.3.0.29]
    [C:\Program Files\Symantec AntiVirus\DefUtDCD.dll]  [Symantec Corporation, 3.1.13a.0]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061018.039\ecmsvr32.dll]  [Symantec Corporation, 61.3.0.18]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061018.039\NAVEX32a.DLL]  [Symantec Corporation, 20061.3.0.12]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061018.039\NAVENG32.DLL]  [Symantec Corporation, 20061.3.0.12]
    [C:\Program Files\Symantec AntiVirus\SAVRT32.DLL]  [Symantec Corporation, 9.7.1.4]
    [C:\Program Files\Symantec AntiVirus\IMail.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\NotesExt.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\vpmsece4.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\SymProtectStorage.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll]  [Symantec Corporation, 2.2.0.5]
    [C:\Program Files\Common Files\Symantec Shared\SSC\scandlgs.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\Cliscan.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\SSC\LDVPCtls.ocx]  [Symantec Corporation, 10.1.0.394]
[PID: 304][C:\WINDOWS\System32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: DNSRV(bld4act)]
[PID: 1864][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2652][C:\WINDOWS\system32\hkcmd.exe]  [Intel Corporation, 3.0.0.3889]
    [C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.3889]
    [C:\WINDOWS\system32\igfxdev.dll]  [Intel Corporation, 3.0.0.3889]
    [C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.3889]
    [C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.3889]
    [C:\WINDOWS\system32\igfxhk.dll]  [Intel Corporation, 3.0.0.3889]
[PID: 2912][C:\Program Files\Windows Defender\MSASCui.exe]  [Microsoft Corporation, 1.1.1347.0]
[PID: 3364][C:\Program Files\Common Files\Symantec Shared\ccApp.exe]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL]  [Symantec Corporation, 104.0.7.3]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL]  [Symantec Corporation, 104.0.7.3]
    [C:\PROGRA~1\COMMON~1\SYMANT~1\rcEmlPxy.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\WINDOWS\system32\SYMREDIR.DLL]  [Symantec Corporation, 6.0.2.211]
    [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccProSub.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Symantec AntiVirus\SavEmail.dll]  [Symantec Corporation, 10.1.0.394]
[PID: 3664][C:\PROGRA~1\SYMANT~2\VPTray.exe]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Symantec AntiVirus\SAVRT32.DLL]  [Symantec Corporation, 9.7.1.4]
    [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccProSub.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccAlert.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.7.3]
    [C:\Program Files\Symantec AntiVirus\Cliproxy.dll]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\NAVNTUTL.DLL]  [Symantec Corporation, 10.1.0.394]
    [C:\Program Files\Symantec AntiVirus\Cliscan.dll]  [Symantec Corporation, 10.1.0.394]
[PID: 1140][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2636][C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe]  [Google Inc., 1, 0, 720, 4156]
    [C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\res_zh-CN.dll]  [Google Inc., 1, 0, 720, 4156]
    [C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\swg.dll]  [Google Inc., 1, 0, 720, 4156]
[PID: 3860][C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., 1, 0, 0, 0]
    [C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtpCM.dll]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., 1, 0, 0, 0]
    [C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtpEV.dll]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., 1, 0, 0, 0]
    [C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtpVR.dll]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., 1, 0, 0, 0]
    [C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtpSN.dll]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., 1, 0, 0, 0]
    [C:\Program Files\KONICA MINOLTA\FTP Utility\KMFTPReg.dll]  [KONICA MINOLTA BUSINESS TECHNOLOGIES, INC, 1, 0, 0, 0]
[PID: 340][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [c:\program files\google\googletoolbar1.dll]  [Google Inc., 4, 0, 1019, 9238]
    [C:\WINDOWS\system32\Macromed\Flash\Flash8a.ocx]  [Macromedia, Inc., 8,0,24,0]
    [C:\WINDOWS\system32\Macromed\Common\SwSupport.dll]  [Macromedia, Inc., 10.0.1r4]
[PID: 1744][c:\windows\pmsgr.exe]  [Microsoft Corporation, 5.2.3790.1830]
[PID: 3272][C:\DOCUME~1\xy\LOCALS~1\Temp\Rar$EX03.166\SREng\SREng.exe] 

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
Asking for advice.
Hmm, some of the items the original poster listed himself can be seen in the log, still not cleaned up. You ask for help and also attach your removal process, yet the log still isn't clean; I don't understand what you are getting at...
Thank you, moderator!
1. That is exactly the problem: for items like the following, I have in fact already deleted the related files in safe mode and removed the related information from the registry, but for some reason SREng still shows them. Could you tell me whether I failed to remove them completely?
1)<DTService><rundll32.exe C:\WINDOWS\system32\soundmix.dll,Load> []
2)<C:\WINDOWS\SYSTEM32\RUNDLL.EXE C:\WINDOWS\SYSTEM32\WBEM\AZDUKE38.DLL,Export 1087><Microsoft Corporation>
3)<C:\WINDOWS\system32\clipsvr.exe><N/A>
4){16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5048.dll, N/A>

2. An entry like <RichMedia><C:\WINDOWS\system32\Rundll32.exe "C:\PROGRA~1\pcast\hbcast.dll",WaitWindows> [Shanghai Henbang Technology Co., Ltd] was installed without my noticing while I was online asking for help. Before the infection there were never forced installs like this, so I feel the system has become especially vulnerable to attack this time; I wonder whether it is related to this Trojan.dropper.

Thanks again, moderator. Could you guide me on what to do next? Should I send you a new SREng log?
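The moderator's objection is that the entries the poster says were deleted (soundmix.dll, AZDUKE38.DLL, clipsvr.exe, IEHelper_5048.dll) are still listed in the SREng report, so the cleanup is not finished. As an added example that is not from the thread or from SREng itself, the Python script below parses the report's three record shapes (autostart entries, services, browser add-ons) and lists every entry matching the patterns discussed above: missing publisher, DLL loaded through rundll, and code running from a Temp or user-profile directory. The regexes and heuristics are my own assumptions about the format; the sample is an excerpt copied from the report in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Record shapes seen in SREng reports (regexes written for this example):
HEADER_RE = re.compile(r"^\[(?P<label>[^\]]*)\]$")  # [Display / Short] or [HKEY_...]
AUTOSTART_RE = re.compile(r"^\s*<(?P<name>[^>]*)><(?P<cmd>[^>]*)>\s*\[(?P<pub>[^\]]*)\]")
SERVICE_RE = re.compile(r"^\s*<(?P<cmd>[^>]*)><(?P<pub>[^>]*)>\s*$")
ADDON_RE = re.compile(r"^\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*<(?P<path>[^,>]*),\s*(?P<pub>[^>]*)>")

@dataclass
class Finding:
    kind: str      # "autostart", "service" or "addon"
    label: str     # entry name, service header or add-on display name
    command: str
    reasons: List[str] = field(default_factory=list)

def suspicious_reasons(command: str, publisher: str) -> List[str]:
    """Heuristics drawn from the thread; hits are leads for manual review, not verdicts."""
    cmd, pub, reasons = command.lower(), publisher.strip(), []
    if cmd and (not pub or pub.upper() == "N/A"):
        reasons.append("no publisher information")
    if re.search(r"\brundll(32)?\.exe\b", cmd):
        reasons.append("loads a DLL through rundll")
    if "\\temp\\" in cmd:
        reasons.append("runs from a Temp directory")
    if "\\documents and settings\\" in cmd or "\\docume~1\\" in cmd:
        reasons.append("runs from a user profile or data directory")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Walk the report line by line and return every entry with at least one reason."""
    findings, header = [], ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := HEADER_RE.match(line)):
            header = m.group("label").strip()   # applies to the lines that follow
            continue
        if (m := AUTOSTART_RE.match(line)):
            kind, label, cmd, pub = "autostart", m.group("name"), m.group("cmd"), m.group("pub")
        elif (m := ADDON_RE.match(line)):
            kind, label, cmd, pub = "addon", header, m.group("path"), m.group("pub")
        elif (m := SERVICE_RE.match(line)):
            kind, label, cmd, pub = "service", header, m.group("cmd"), m.group("pub")
        else:
            continue
        reasons = suspicious_reasons(cmd, pub)
        if kind == "addon" and not label:
            reasons.append("add-on has no display name")
        if reasons:
            findings.append(Finding(kind, label, cmd, reasons))
    return findings

# Constructed excerpt, copied from the report posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <vptray><C:\PROGRA~1\SYMANT~2\VPTray.exe>  [(Verified)Symantec Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <DTService><rundll32.exe C:\WINDOWS\system32\soundmix.dll,Load>  []
[NT Data Provider / BUZOR]
  <C:\WINDOWS\SYSTEM32\RUNDLL.EXE C:\WINDOWS\SYSTEM32\WBEM\AZDUKE38.DLL,Export 1087><Microsoft Corporation>
[ClipBook / ClipBook]
  <C:\WINDOWS\system32\clipsvr.exe><N/A>
[OMEY / OMEY]
  <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OMEY.exe><N/A>
[]
  {16B770A0-0E87-4278-B748-2460D64A8386} <C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5048.dll, N/A>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.label or '(no name)'}: {f.command}")
        print("    " + "; ".join(f.reasons))
```

Running it on a fresh report after each cleanup pass gives a quick check that an entry has really gone from the autostart locations, rather than just from disk.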
