状况：1、开机右下角会出现瑞星的一个监控出口，显示不断在发生邮件。2、从路由器ip nat显示，该计算机的网络访问流量很大。


2008-03-05,16:14:41

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [N/A]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <RavTray><"C:\Program Files\Rising\Rav\RavTray.exe">  [Rising]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <cftmon.exe><C:\WINDOWS\system32\cftmon.exe >  [Microsoft Corporation]
    <runeip><"C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup>  [Beijing Rising Technology Co., Ltd.]
    <8cdf6241><rundll32.exe "C:\WINDOWS\system32\rjrieapd.dll",b>  []
    <Glock Suite 1.1><C:\WINDOWS\system32\glock32.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Publisher]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\ravext.dll>  [Beijing Rising Technology Co., Ltd.]
    <{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}><C:\WINDOWS\system32\shlhook.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32]
    <WinlogonNotify: WLCtrl32><WLCtrl32.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuvtqq]
    <WinlogonNotify: wvuvtqq><wvuvtqq.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    <Browser Customizations><RunDLL32 IEDKCS32.DLL,Brand

[用户系统信息]Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; baiduds;  Embedded Web Browser from: http://bsalsa.com/; Maxthon; .NET CLR 1.1.4322; InfoPath.2)

日志不全，还没贴完吧？？
把他存成txt的直接上传

太谢谢了

1.建议使用XDelBox删除以下文件：[urlhttp://www.dodudou.com/down/[/url] 原创里面，下载1.6那个。
使用说明：删除时复制所有要删除文件的路径，在待删除文件列表里点击右键选择从剪贴板导入，导入后在要删除文件上点击右键，选择立刻重启删除，电脑会重启进入DOS界面进行删除操作。运行xdelbox前最好卸载所有可移动存储介质（包括U盘，MP3，手机存储卡等）。
c:\windows\temp\bn3.tmp
c:\windows\system32\wlctrl32.dll
c:\windows\system32\pmnlk.dll
c:\windows\system32\com\gidzgszorskf.dll
c:\windows\system32\pwuhhnswld.dll
c:\windows\system32\rjrieapd.dll
c:\windows\system32\ccwld16_080304.dll
c:\windows\system32\ccwld32_080304.dll
c:\windows\system32\ctfmon.exe
c:\windows\system32\wvuvtqq.dll
c:\windows\wvuvtqq.dll
c:\windows\system32\glock32.exe
c:\windows\system32\rjrieapd.dll
c:\program files\rising\rav\ravtray.exe
c:\windows\system32\ftqs.dll
c:\progra~1\znkm\jxuw.dll
c:\progra~1\common~1\viagio\viagio.dll
c:\progra~1\ljoprq\ljoprq.dll
c:\windows\system32\com\gidzgszorskf.dll
c:\windows\system32\drivers\whj81.sys
c:\windows\system32\drivers\mee21.sys
c:\windows\system32\vtstt.dll
c:\windows\system32\jbudpeek.dll
c:\windows\system32\sstqn.dll
c:\windows\system32\wuweb.dll
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\msword.lnk
C:\WINDOWS\system32\CCWLE0~1.EXE
C:\Documents and Settings\LuckyStar\「开始」菜单\程序\启动\INTERNAT.lnk
C:\WINDOWS\system32\internat.exe

2.删除重启后使用SREng修复下面各项:

    启动项目 －－ 注册表之如下项删除：
[ctfmon.exe]    <C:\WINDOWS\system32\ctfmon.exe>
[WinlogonNotify: wvuvtqq]    <wvuvtqq.dll>
[WinlogonNotify: WLCtrl32]    <WLCtrl32.dll>
[Glock Suite 1.1]    <C:\WINDOWS\system32\glock32.exe>
[8cdf6241]    <rundll32.exe "C:\WINDOWS\system32\rjrieapd.dll",b>
[RavTray]    <"C:\Program Files\Rising\Rav\RavTray.exe">

    启动项目 －－ 服务 －－ Win32服务应用程序之如下项禁用：
[CoolWare / CoolWare]    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\ftqs.dll>
[Windows espr RunThem / espr]    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\znkm\jxuw.dll>
[iiagco / iiagco]    <C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\COMMON~1\viagio\viagio.dll,Service -s>
[yjoprq / yjoprq]    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\ljoprq\ljoprq.dll>
[Secondary Logon / seclogon]    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\com\gidzgszorskf.dll>

    启动项目 －－ 服务－－ 驱动程序之如下项禁用：
[Whj81 / Whj81]    <\SystemRoot\System32\Drivers\Whj81.sys>
[Mee21 / Mee21]    <\SystemRoot\System32\Drivers\Mee21.sys>

    系统修复－－　浏览器加载项之如下项删除：
[]    <C:\WINDOWS\system32\vtstt.dll>
[]    <C:\WINDOWS\system32\jbudpeek.dll>
[]    <C:\WINDOWS\system32\pwuhhnswld.dll>
[]    <C:\WINDOWS\system32\pmnlk.dll>
[]    <C:\WINDOWS\system32\sstqn.dll>
[]    <C:\WINDOWS\system32\vtstt.dll>
[]    <C:\WINDOWS\system32\pwuhhnswld.dll>
[]    <C:\WINDOWS\system32\pmnlk.dll>
[]    <C:\WINDOWS\system32\sstqn.dll>
[WUWebControl Class]    <C:\WINDOWS\system32\wuweb.dll>

忘记说了，还要从c:\windows\system32\dllcache里面复制一个ctfmon.exe到c:\windows\system32下。
最好再用windows清理助手清理一哈