
[Help] Web pages hijacked (log attached)

Logfile of HijackThis v1.99.1
Scan saved at 14:40:36, on 2007-1-3
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061231.dll start
O1 - Hosts: 202.109.114.142 survey88.allyes.com
O1 - Hosts: 202.109.114.142 adtaobao.allyes.com
O1 - Hosts: 202.109.114.142 code.qihoo.com
O1 - Hosts: 202.109.114.142 union.mop.com
O1 - Hosts: 202.109.114.142 js.kkunion.com
O1 - Hosts: 202.109.114.142 v.kkunion.com
O1 - Hosts: 202.109.114.142 v.21cn.com
O1 - Hosts: 202.109.114.142 iplusms.allyes.com
O1 - Hosts: 202.109.114.142 mms.t2t2.com
O1 - Hosts: 202.109.114.142 ivr.dobig.net
O1 - Hosts: 202.109.114.142 www.u8u.com
O1 - Hosts: 202.109.114.142 u.u8u.com
O1 - Hosts: 202.109.114.142 img.zhangxiu.com
O1 - Hosts: 202.109.114.142 tl.linktone.com
O1 - Hosts: 202.109.114.142 channel.e78.com
O1 - Hosts: 202.109.114.142 u.7town.com
O1 - Hosts: 202.109.114.142 union.95ol.com.cn
O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
O1 - Hosts: 202.109.114.142 tl.a8.com
O1 - Hosts: 202.109.114.142 ad01.a8.com
O1 - Hosts: 202.109.114.142 u2.caiku.com
O1 - Hosts: 202.109.114.142 mms.caiku.com
O1 - Hosts: 202.109.114.142 code1.caiku.com
O1 - Hosts: 202.109.114.142 pub.lele.com
O1 - Hosts: 202.109.114.142 u.lele.com
O1 - Hosts: 202.109.114.142 7town.com
O1 - Hosts: 202.109.114.142 tvsend.7town.com
O1 - Hosts: 202.109.114.142 ivrsend.7town.com
O1 - Hosts: 202.109.114.142 tlt.7town.com
O1 - Hosts: 202.109.114.142 gsend.7town.com
O1 - Hosts: 202.109.114.142 smssend.7town.com
O1 - Hosts: 202.109.114.142 mmssend.moyu.com
O1 - Hosts: 202.109.114.142 91ivr.com
O1 - Hosts: 202.109.114.142 myad.91ivr.com
O1 - Hosts: 202.109.114.142 u.91ivr.com
O1 - Hosts: 202.109.114.142 union.91ivr.com
O1 - Hosts: 202.109.114.142 cm.p4p.cn.yahoo.com
O1 - Hosts: 202.109.114.142 un.265.com
O1 - Hosts: 202.109.114.142 union.qq.com
O1 - Hosts: 202.109.114.142 view.aliunion.cn.yahoo.com
O1 - Hosts: 202.109.114.142 union.narrowad.com
O1 - Hosts: 202.109.114.142 ln.heima8.com
O1 - Hosts: 202.109.114.142 www.fboat.cn
O1 - Hosts: 202.109.114.142 cpro.baidu.com
O1 - Hosts: 202.109.114.142 unstat.baidu.com
O1 - Hosts: 202.109.114.142 y.cnxad.com
O1 - Hosts: 202.109.114.142 www.ewowo.com
O1 - Hosts: 202.109.114.142 template.union.163.com
O1 - Hosts: 202.109.114.142 new.is686.com
O1 - Hosts: 202.109.114.142 creative.unionsys.bolaa.com
O1 - Hosts: 202.109.114.142 www.qyule.com
O1 - Hosts: 202.109.114.142 99e.cc
O1 - Hosts: 202.109.114.142 www.91ivr.com
O1 - Hosts: 202.109.114.142 mg.ukaka.com
O1 - Hosts: 202.109.114.142 kooxoo2.ad4all.net
O1 - Hosts: 202.109.114.142 www.8fff.com
O1 - Hosts: 202.109.114.142 union.pomoho.com
O1 - Hosts: 202.109.114.142 202.107.233.211
O1 - Hosts: 202.109.114.142 www.end123.com
O1 - Hosts: 202.109.114.142 w1.7clink.com
O1 - Hosts: 202.109.114.142 w2.7clink.com
O1 - Hosts: 202.109.114.142 union01.com
O1 - Hosts: 202.109.114.142 click.8le8le.com
O1 - Hosts: 202.109.114.142 stbanner.allyes.com
O1 - Hosts: 202.109.114.142 mms1.moyu.com
O1 - Hosts: 202.109.114.142 u.moyu.com
O1 - Hosts: 202.109.114.142 mmsu.moyu.com
O1 - Hosts: 202.109.114.142 show.moyu.com
O1 - Hosts: 202.109.114.142 ivrsend.moyu.com
O1 - Hosts: 202.109.114.142 ivru.moyu.com
O1 - Hosts: 202.109.114.142 ivr1.moyu.com
O1 - Hosts: 203.191.146.205 corep.dmcast.com
O1 - Hosts: 203.191.146.205 m081.dmcast.com
O1 - Hosts: 203.191.146.205 dcww.dmcast.com
O1 - Hosts: 203.191.146.205 renren.dmcast.com
O1 - Hosts: 203.191.146.205 files.henbang.net
O1 - Hosts: 203.191.146.205 bannerbox.cn
O1 - Hosts: 203.191.146.205 www.bannerbox.cn
O1 - Hosts: 203.191.146.205 action.coopen.cn
O1 - Hosts: 203.191.146.205 u4.sky99.cn
O1 - Hosts: 203.191.146.205 u1.sky99.cn
O1 - Hosts: 203.191.146.205 u2.sky99.cn
O1 - Hosts: 203.191.146.205 u3.sky99.cn
O1 - Hosts: 203.191.146.205 sky99.cn
O1 - Hosts: 203.191.146.205 u.sky99.cn
O1 - Hosts: 203.191.146.205 u.ete.cn
O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
O1 - Hosts: 203.191.146.205 www.365tan.com
O1 - Hosts: 203.191.146.205 www.winopen.cn
O1 - Hosts: 203.191.146.205 www.tanip.com
O1 - Hosts: 203.191.146.205 alexaanywhere.com
O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
O1 - Hosts: 203.191.146.205 pop.9v.cn
O1 - Hosts: 203.191.146.205 xuni.myad.cn
O1 - Hosts: 203.191.146.205 iebar.t2t2.com
O1 - Hosts: 203.191.146.205 error.newcell.cn
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v13.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\WINDOWS\System32\IESHEL~1.DLL (file missing)
O2 - BHO: xhly - {2D369182-BBD0-4843-BE25-48ADEDAD321B} - C:\PROGRA~1\COMMON~1\dquh\huyl.dll
O2 - BHO: QKYAVLWNQFJ - {55DE9BE9-EE2A-46C8-A2AB-520A1242F4BB} - C:\WINDOWS\system32\SCUIE.DLL
O2 - BHO: MCBMQ - {7D7D00B6-7C00-4890-A66A-8CD4B71D6DDC} - C:\WINDOWS\system32\TDBEPOTORN.DLL
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {D3341007-C77C-4F1C-B2A5-D94D5BE55F7E} - C:\WINDOWS\system32\qrnnztomsyvtwld.dll
O2 - BHO: IEHlprObj Class - {DE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\POPNTS.DLL
O2 - BHO: XBTP03742 - {E9640745-EBE0-435a-AEF2-D9C5D77E29F0} - (no file)
O2 - BHO: cnwin Class - {EC497BD8-460F-44F0-B2A4-8C2B2198035B} - C:\WINDOWS\System32\cnwin.dll (file missing)
O2 - BHO: (no name) - {F770522B-198D-4134-9D74-D30F41B3BA44} - C:\WINDOWS\system32\uewcpydewgncl.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll (file missing)
O3 - Toolbar: 安全卫士 - {8F621983-8C5B-4BD6-A5AA-E0BD80D7812A} - C:\Program Files\安全卫士\360safe.dll (file missing)
O3 - Toolbar: 实用搜索工具条2.0 - {03465FF5-00AE-411a-9C34-960ED566EC03} - C:\Program Files\superutilbar\superutilbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SysExplr] C:\Herosoft\HeroV8\SYSEXPLR.EXE
O4 - HKLM\..\Run: [C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe] C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe
O4 - HKLM\..\Run: [osuiti4r] rundll32.exe C:\WINDOWS\12r3kl0mb5.dll _start@16
O4 - HKLM\..\Run: [Desktop] "C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\NTService32.dll",Run
O4 - HKLM\..\Run: [TempCom] C:\WINDOWS\FONTS\E677F.com
O4 - HKLM\..\Run: [sdafdsafds] C:\WINDOWS\temp\sd151.exe
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [RavTask] "E:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [{898887D4-0AF0-2052-1104-030505200056}] "C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe" te-110-12-0000113
O4 - HKLM\..\Run: [A] C:\WINDOWS\System32\rundll32.exe mq.ocx s
O4 - HKLM\..\Run: [tpxhst32.exe] C:\WINDOWS\System32\tpxhst32.exe
O4 - HKLM\..\RunOnce: [splai] %systemroot%\system32\Rundll32.exe %systemroot%\system32\splai.dll,DllUnregisterServer
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winsamps] C:\WINDOWS\winamps.exe
O4 - HKCU\..\Run: [myZt3] C:\DOCUME~1\ABC\LOCALS~1\Temp\zt3\SVCHQST.EXE
O4 - HKCU\..\Run: [myWl2] C:\DOCUME~1\ABC\LOCALS~1\Temp\Wl2\lexplore.exe
O4 - HKCU\..\Run: [ravshell] C:\WINDOWS\rund1132.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用迅雷下载 - F:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - F:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 安全卫士 - {8F621983-8C5B-4BD6-A5AA-E0BD80D7812A} - C:\Program Files\安全卫士\360safe.dll (file missing)
O9 - Extra 'Tools' menuitem: 安全卫士 - {8F621983-8C5B-4BD6-A5AA-E0BD80D7812A} - C:\Program Files\安全卫士\360safe.dll (file missing)
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ScCardLogn - C:\WINDOWS\ScNotify.dll (file missing)
O23 - Service: C920434C - Unknown owner - C:\WINDOWS\System32\C920434C.EXE (file missing)
O23 - Service: CMServerToXPM (CMServerToXP) - Unknown owner - C:\Windows\system32\EDEXLZEEEIMO.EXE
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000049 (file missing)
O23 - Service: Remote Procedure Call System(11RPCS) (RpcS11) - Unknown owner - C:\WINDOWS\System32\Rpcs11.exe (file missing)
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - E:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - E:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: sqlserver - Unknown owner - C:\WINDOWS\System32\sqlserver.exe
O23 - Service: Windows NT Service32 - Unknown owner - C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\NTService32.dll",Start (file missing)

Last edited 2007-01-03 17:50:03.687000000

[CODE]

2007-01-03,14:41:26

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 1 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <winsamps><C:\WINDOWS\winamps.exe>  [N/A]
    <myZt3><C:\DOCUME~1\ABC\LOCALS~1\Temp\zt3\SVCHQST.EXE>  [N/A]
    <myWl2><C:\DOCUME~1\ABC\LOCALS~1\Temp\Wl2\lexplore.exe>  [N/A]
    <ravshell><C:\WINDOWS\rund1132.exe>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <{898887D4-0AF0-2052-1104-030505200056}><"C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe" te-110-12-0000113>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Corporation]
    <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Corporation]
    <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Corporation]
    <IgfxTray><C:\WINDOWS\System32\igfxtray.exe>  [(Verified)Intel Corporation]
    <HotKeysCmds><C:\WINDOWS\System32\hkcmd.exe>  [(Verified)Intel Corporation]
    <SysExplr><C:\Herosoft\HeroV8\SYSEXPLR.EXE>  [N/A]
    <C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe><C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe>  [N/A]
    <osuiti4r><rundll32.exe C:\WINDOWS\12r3kl0mb5.dll _start@16>  [N/A]
    <Desktop><"C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\NTService32.dll",Run>  []
    <TempCom><C:\WINDOWS\FONTS\E677F.com>  [N/A]
    <sdafdsafds><C:\WINDOWS\temp\sd151.exe>  [N/A]
    <runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe>  [N/A]
    <RavTask><"E:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <{898887D4-0AF0-2052-1104-030505200056}><"C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe" te-110-12-0000113>  [N/A]
    <A><C:\WINDOWS\System32\rundll32.exe mq.ocx s>  [N/A]
    <tpxhst32.exe><C:\WINDOWS\System32\tpxhst32.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <splai><%systemroot%\system32\Rundll32.exe %systemroot%\system32\splai.dll,DllUnregisterServer>  [N/A]
    <KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <main><rundll32.exe "C:\program files\internet explorer\use10.dll" mymain>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061231.dll start>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Corporation]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{159D159D-9D15-59D1-26AE-7BF37BF37BF3}><C:\WINDOWS\System32\BXXTT.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Corporation]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Corporation]
    <WebCheck><%SystemRoot%\System32\webcheck.dll>  [(Verified)Microsoft Corporation]
    <SysTray><C:\WINDOWS\System32\stobject.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCardLogn]
    <WinlogonNotify: ScCardLogn><C:\WINDOWS\ScNotify.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\System32\browseui.dll>  [(Verified)Microsoft Corporation]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\System32\browseui.dll>  [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[73755CB0 / 73755CB0][Stopped/Auto Start]
  <C:\WINDOWS\System32\73755CB0.EXE -service><Microsoft Corporation>
[87CADFDC / 87CADFDC][Stopped/Auto Start]
  <C:\WINDOWS\System32\87CADFDC.EXE -service><Microsoft Corporation>
[Application Management / AppMgmt][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[C920434C / C920434C][Stopped/Auto Start]
  <C:\WINDOWS\System32\C920434C.EXE -service><N/A>
[CMServerToXPM / CMServerToXP][Stopped/Auto Start]
  <C:\Windows\system32\EDEXLZEEEIMO.EXE><N/A>
[COM+ Messages / COM+ Messages][Stopped/Auto Start]
  <"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000049><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[RestoreService / RestoreService][Stopped/Auto Start]
  <C:\WINDOWS\System32\Svchost.exe -k RestoreService-->C:\WINDOWS\System32\drivers\restore.dll><N/A>
[Remote Procedure Call System(11RPCS) / RpcS11][Stopped/Auto Start]
  <C:\WINDOWS\System32\Rpcs11.exe><N/A>
[Rising Process Communication Center / RsCCenter][Stopped/Auto Start]
  <"E:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon][Stopped/Auto Start]
  <"E:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SQLServer Supports / sqlservech][Stopped/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k sqlservech-->C:\WINDOWS\System32\sqlservech.dll><Microsoft Corporation>
[sqlserver / sqlserver][Stopped/Auto Start]
  <C:\WINDOWS\System32\sqlserver.exe><N/A>
[Windows NT Service32 / Windows NT Service32][Stopped/Auto Start]
  <"C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\NTService32.dll",Start><Microsoft Corporation>
[WinXP DHCP Service / WinXPDHCPsvc][Stopped/Auto Start]
  <C:\WINDOWS\System32\rundll32.exe xpdhcp.dll,start><Microsoft Corporation>
[Vsn xkob Service / xkob][Stopped/Auto Start]
  <C:\WINDOWS\System32\rundll32.exe C:\PROGRA~1\COMMON~1\dquh\kxbo.dll,Service><Microsoft Corporation>

==================================

驱动程序
[aeaudio / aeaudio][Stopped/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[Broadcom NetXtreme Gigabit Ethernet / b57w2k][Running/Manual Start]
  <System32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[BaseTDI / BaseTDI][Stopped/Auto Start]
  <\??\C:\WINDOWS\System32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[cfpziv4 / cfpziv48][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\cfpziv48.sys><N/A>
[csksrzgq / csksrzgq][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\csksrzgq.sys><N/A>
[ExpScaner / ExpScaner][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\ExpScan.sys><>
[ggcfiaja / ggcfiaja][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\ggcfiaja.sys><N/A>
[HookCont / HookCont][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\HookSys.sys><Rising>
[ialm / ialm][Stopped/Manual Start]
  <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[ivuvpd7 / ivuvpd76][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\ivuvpd76.sys><N/A>
[ixgo / ixgoy][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\ixgoy.sys><N/A>
[izuyafwh / izuyafwh][Running/Boot Start]
  <\SystemRoot\system32\drivers\izuyafwh.sys><N/A>
[MEMSCAN / MEMSCAN][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mkjuhb63 / mkjuhb63][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\drivers\mkjuhb63.sys><N/A>
[msprotect / msprotect][Running/System Start]
  <system32\DRIVERS\msprotect.sys><Windows (R) 2000 DDK provider>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\drivers\npf.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\System32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Stopped/Auto Start]
  <\??\E:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[smwdm / smwdm][Stopped/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[WINIO / WINIO][Stopped/Manual Start]
  <\??\C:\WINDOWS\Downloaded Program Files\winio.sys><N/A>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Stopped/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Stopped/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
浏览器加载项
[ThunderIEHelper Class]
  {0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINDOWS\System32\xunleibho_v13.dll, Thunder Networking Technologies,LTD>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[IEMonitor Class]
  {08A312BB-5409-49FC-9347-54BB7D069AC6} <C:\WINDOWS\System32\IESHEL~1.DLL, N/A>
[xhly]
  {2D369182-BBD0-4843-BE25-48ADEDAD321B} <C:\PROGRA~1\COMMON~1\dquh\huyl.dll, >
[QKYAVLWNQFJ]
  {55DE9BE9-EE2A-46C8-A2AB-520A1242F4BB} <C:\WINDOWS\system32\SCUIE.DLL, N/A>
[MCBMQ]
  {7D7D00B6-7C00-4890-A66A-8CD4B71D6DDC} <C:\WINDOWS\system32\TDBEPOTORN.DLL, N/A>
[Bar888]
  {C1B4DEC2-2623-438e-9CA2-C9043AB28508} <C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll, N/A>
[]
  {D3341007-C77C-4F1C-B2A5-D94D5BE55F7E} <C:\WINDOWS\system32\qrnnztomsyvtwld.dll, N/A>
[IEHlprObj Class]
  {DE7C3CF0-4B15-11D1-ABED-709549C10000} <C:\WINDOWS\POPNTS.DLL, >
[XBTP03742 Class]
  {E9640745-EBE0-435a-AEF2-D9C5D77E29F0} <, N/A>
[cnwin Class]
  {EC497BD8-460F-44F0-B2A4-8C2B2198035B} <C:\WINDOWS\System32\cnwin.dll, N/A>
[]
  {F770522B-198D-4134-9D74-D30F41B3BA44} <C:\WINDOWS\system32\uewcpydewgncl.dll, N/A>
[豪杰超级解霸V8]
  {367E0A21-8601-4986-9C9A-153BF5ACA118} <C:\Herosoft\HeroV8\STHSDVD.EXE, N/A>
[安全卫士]
  {8F621983-8C5B-4BD6-A5AA-E0BD80D7812A} <C:\Program Files\安全卫士\360safe.dll, N/A>
[金山词霸]
  {9A687CA6-D585-4947-9ED9-BE96071F5CD9} <C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll, 金山软件股份有限公司>
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[Bar888]
  {C1B4DEC2-2623-438e-9CA2-C9043AB28508} <C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll, N/A>
[安全卫士]
  {8F621983-8C5B-4BD6-A5AA-E0BD80D7812A} <C:\Program Files\安全卫士\360safe.dll, N/A>
[实用搜索工具条2.0]
  {03465FF5-00AE-411a-9C34-960ED566EC03} <C:\Program Files\superutilbar\superutilbar.dll, www.shiyongsousuo.com>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
  <F:\Program Files\Thunder Network\Thunder\geturl.htm, N/A>
[&使用迅雷下载全部链接]
  <F:\Program Files\Thunder Network\Thunder\getallurl.htm, N/A>
[豪杰超级解霸V8实时播放]
  <C:\Herosoft\HeroV8\MPURLGET.HTM, N/A>

==================================
正在运行的进程
[PID: 316][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 388][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 412][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 456][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 468][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 640][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 716][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 792][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 820][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1204][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
    [C:\WINDOWS\System32\igfxpph.dll]  [Intel Corporation, 3.0.0.2249]
    [C:\WINDOWS\System32\hccutils.DLL]  [Intel Corporation, 3.0.0.2249]
    [C:\WINDOWS\System32\igfxres.dll]  [Intel Corporation, 3.0.0.2249]
    [C:\WINDOWS\System32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.2249]
    [C:\WINDOWS\System32\igfxdev.dll]  [Intel Corporation, 3.0.0.2249]
    [C:\WINDOWS\System32\BXXTT.dll]  [N/A, N/A]
    [E:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[PID: 1268][C:\program files\internet explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
    [C:\WINDOWS\System32\winsys32_061231.dll]  [N/A, N/A]
[PID: 1292][C:\WINDOWS\System32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1356][C:\WINDOWS\System32\cmd.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1408][C:\WINDOWS\System32\conime.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1508][C:\WINDOWS\System32\rundll32.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\BXXTT.dll]  [N/A, N/A]
[PID: 1540][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[PID: 1884][F:\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.3.13.690]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[D:\]
[autorun]
open=d:\mplay.com

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================


[/CODE]

Run SREng2, use "Startup Items" -- Registry -- delete:
C:\WINDOWS\winamps.exe
C:\DOCUME~1\ABC\LOCALS~1\Temp\zt3\SVCHQST.EXE
C:\DOCUME~1\ABC\LOCALS~1\Temp\Wl2\lexplore.exe
C:\WINDOWS\rund1132.exe
C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe
<C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe><C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe> [N/A]
<osuiti4r><rundll32.exe C:\WINDOWS\12r3kl0mb5.dll _start@16> [N/A]
<Desktop><"C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\NTService32.dll",Run> []
<sdafdsafds><C:\WINDOWS\temp\sd151.exe> [N/A]
<{898887D4-0AF0-2052-1104-030505200056}><"C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe" te-110-12-0000113> [N/A]
<A><C:\WINDOWS\System32\rundll32.exe mq.ocx s> [N/A]
<tpxhst32.exe><C:\WINDOWS\System32\tpxhst32.exe> [N/A]

Run (double-click) SREng2, click "Startup Items", then "Services", then "Win32 Service Applications".
Check "Hide Microsoft services" and select the virus services
73755CB0
87CADFDC
C920434C
CMServerToXPM
RestoreService
SQLServer Supports
Remote Procedure Call System
Windows NT Service32
WinXP DHCP Service
Vsn xkob Service
, then choose "Delete Service".
Click "Set" and choose "No".

Run (double-click) SREng2, click "Startup Items", then "Services", then "Drivers".
Check "Hide Microsoft services" and select the virus drivers
cfpziv4
ggcfiaja
csksrzgq
ivuvpd7
izuyafwh
mkjuhb63
Netgroup Packet Filter
, then choose "Delete Service".
Click "Set" and choose "No".

Run SREng2, use "System Repair" -- Browser Add-ons -- delete:
[IEMonitor Class]
{08A312BB-5409-49FC-9347-54BB7D069AC6} <C:\WINDOWS\System32\IESHEL~1.DLL, N/A>
[xhly]
{2D369182-BBD0-4843-BE25-48ADEDAD321B} <C:\PROGRA~1\COMMON~1\dquh\huyl.dll, >
[QKYAVLWNQFJ]
{55DE9BE9-EE2A-46C8-A2AB-520A1242F4BB} <C:\WINDOWS\system32\SCUIE.DLL, N/A>
[MCBMQ]
{7D7D00B6-7C00-4890-A66A-8CD4B71D6DDC} <C:\WINDOWS\system32\TDBEPOTORN.DLL, N/A>
[Bar888]
{C1B4DEC2-2623-438e-9CA2-C9043AB28508} <C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll, N/A>
[]
{D3341007-C77C-4F1C-B2A5-D94D5BE55F7E} <C:\WINDOWS\system32\qrnnztomsyvtwld.dll, N/A>
[IEHlprObj Class]
{DE7C3CF0-4B15-11D1-ABED-709549C10000} <C:\WINDOWS\POPNTS.DLL, >
[XBTP03742 Class]
{E9640745-EBE0-435a-AEF2-D9C5D77E29F0} <, N/A>
[cnwin Class]
[]
{F770522B-198D-4134-9D74-D30F41B3BA44} <C:\WINDOWS\system32\uewcpydewgncl.dll, N/A>


Reboot and press F8 to enter Safe Mode.
Show hidden files.
Delete:
C:\WINDOWS\system32\SCUIE.DLL
C:\WINDOWS\System32\IESHEL~1.DLL
:\PROGRA~1\COMMON~1\dquh\huyl.dll
C:\WINDOWS\system32\TDBEPOTORN.DLL
C:\PROGRA~1\COMMON~1\{39888~1\Bar888.dll
:\WINDOWS\system32\qrnnztomsyvtwld.dll
C:\WINDOWS\POPNTS.DLL
C:\WINDOWS\System32\NTService32.dll
xpdhcp.dll
:\PROGRA~1\COMMON~1\dquh\kxbo.dll
:\WINDOWS\System32\sqlservech.dll
C:\WINDOWS\System32\Rpcs11.exe
C:\WINDOWS\System32\drivers\restore.dll
C:\Windows\system32\EDEXLZEEEIMO.EXE
C:\WINDOWS\System32\73755CB0.EXE
C:\WINDOWS\System32\87CADFDC.EXE
C:\WINDOWS\System32\C920434C.EXE
\SystemRoot\System32\DRIVERS\cfpziv48.sys
SystemRoot\system32\drivers\csksrzgq.sys
SystemRoot\system32\drivers\ggcfiaja.sys
\SystemRoot\System32\DRIVERS\ivuvpd76.sys
\SystemRoot\system32\drivers\izuyafwh.sys
C:\WINDOWS\System32\drivers\mkjuhb63.sys
system32\drivers\npf.sys
C:\WINDOWS\winamps.exe
C:\WINDOWS\rund1132.exe
C:\Program Files\Common Files\{898887D4-0AF0-2052-1104-030505200056}\Update.exe
:\WINDOWS\12r3kl0mb5.dll
C:\WINDOWS\temp\sd151.exe
C:\WINDOWS\system32\uewcpydewgncl.dll
C:\DOCUME~1\ABC\LOCALS~1\Temp\ (empty this folder)

mplay.com
Reference
http://forum.ikaka.com/topic.asp?board=28&artid=8229638
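The reply above is a manual triage of the two logs: it picks out the UserInit value that chains a second program, the hosts-file entries that send ad and affiliate domains to a remote address, Run entries launched from Temp or Fonts directories or through rundll32, file names one look-alike character away from a system binary (rund1132.exe, lexplore.exe, SVCHQST.EXE), and services with no publisher. As an added example, not part of this thread and not code from HijackThis or SREng, the following Python script turns that reasoning into detection heuristics and runs them over a handful of lines copied from the HijackThis log above (plus two benign control lines from the same log). The heuristics, the `Finding` structure and the list of imitated system binaries are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Added example (not HijackThis/SREng code). Sample input: lines copied verbatim
# from the HijackThis log in this thread, plus two benign control lines (IgfxTray, RsRavMon).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061231.dll start
O1 - Hosts: 202.109.114.142 cpro.baidu.com
O1 - Hosts: 202.109.114.142 union.qq.com
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe] C:\DOCUME~1\ABC\LOCALS~1\Temp\sna.exe
O4 - HKLM\..\Run: [osuiti4r] rundll32.exe C:\WINDOWS\12r3kl0mb5.dll _start@16
O4 - HKLM\..\Run: [TempCom] C:\WINDOWS\FONTS\E677F.com
O4 - HKCU\..\Run: [ravshell] C:\WINDOWS\rund1132.exe
O23 - Service: sqlserver - Unknown owner - C:\WINDOWS\System32\sqlserver.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - E:\Program Files\Rising\Rav\Ravmond.exe
"""

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

# Windows binaries whose names malware imitates (rund1132, lexplore, SVCHQST in the logs above).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "iexplore.exe",
                   "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digit look-alikes used in those names
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries pointing here block, not redirect

PATH_RE = re.compile(r'"([^"]+\.(?:exe|dll|com|ocx|sys))"|(\S+\.(?:exe|dll|com|ocx|sys))\b', re.I)
SUSPICIOUS_DIR_RE = re.compile(r"\\(temp|fonts)\\", re.I)
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
F2_RE = re.compile(r"^F2 - REG:system.ini: UserInit=(.*)$")

def extract_paths(command: str) -> list:
    """Every executable-looking path in a command line, quoted or bare."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]

def looks_like_typosquat(filename: str) -> bool:
    """True if, after mapping 1->l and 0->o, the name is at most one character
    away from a system binary of the same length (rund1132.exe ~ rundll32.exe)."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return False
    normalized = name.translate(HOMOGLYPHS)
    return any(len(real) == len(normalized)
               and sum(a != b for a, b in zip(real, normalized)) <= 1
               for real in SYSTEM_BINARIES)

def check_line(line: str) -> list:
    """Apply the per-entry heuristics; return the reasons a line is suspicious."""
    reasons = []
    if m := F2_RE.match(line):
        # A clean UserInit is "<path>\userinit.exe," with nothing after the comma.
        extra = [p for p in m.group(1).split(",")[1:] if p.strip()]
        if extra:
            reasons.append(f"UserInit chains an extra program: {extra[0].strip()}")
    elif m := O1_RE.match(line):
        ip, host = m.groups()
        if ip not in LOOPBACK:
            reasons.append(f"hosts file redirects {host} to remote address {ip}")
    elif m := O4_RE.match(line):
        paths = extract_paths(m.group(3))
        for p in paths:
            if SUSPICIOUS_DIR_RE.search(p):
                reasons.append(f"autostart from a Temp/Fonts directory: {p}")
            if p.lower().endswith(".com"):
                reasons.append(f".com autostart, unusual for legitimate software: {p}")
            if looks_like_typosquat(p.rsplit("\\", 1)[-1]):
                reasons.append(f"filename imitates a system binary: {p}")
        if paths and paths[0].lower().endswith("rundll32.exe"):
            for dll in paths[1:]:
                if dll.lower().endswith(".dll") and "\\system32\\" not in dll.lower():
                    reasons.append(f"rundll32 loads a DLL from outside System32: {dll}")
    elif m := O23_RE.match(line):
        _name, owner, path = m.groups()
        if owner == "Unknown owner":
            reasons.append(f"service with no publisher information: {path}")
        if "(file missing)" in path:
            reasons.append("service binary missing (leftover entry or hidden file)")
    return reasons

def triage(log_text: str) -> list:
    """One Finding per non-empty line that trips at least one heuristic."""
    return [Finding(ln, r) for ln in map(str.strip, log_text.splitlines()) if ln and (r := check_line(ln))]

def hosts_redirect_counts(log_text: str) -> Counter:
    """Hostnames captured per non-loopback address; one remote IP absorbing many ad domains redirects, not blocks."""
    matches = (O1_RE.match(ln.strip()) for ln in log_text.splitlines())
    return Counter(m.group(1) for m in matches if m and m.group(1) not in LOOPBACK)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, *("   -> " + r for r in f.reasons), sep="\n")
    print("hosts redirect targets:", dict(hosts_redirect_counts(SAMPLE_LOG)))
```

Run as a script it prints nine flagged lines with ten reasons and leaves the signed Intel tray icon and the Rising service alone. Treat it as a first-pass filter for someone reading such a log, not a verdict: anything it flags still needs the file itself checked (publisher, location, hash) before deletion, and a clean result from these few rules does not show that an entry is benign.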