中了邪门的病毒，关机的时候总被“ tianlia.exe”跳出挡住要求强制关闭，开机的时候WIN1、WIN2、WIN3……WIN8都会跳出很多，查找到是在C:\Documents and Settings\ibm\Local Settings\Temp文件夹里，删除后还会自动生产，瑞星还杀不掉不知道是什么病毒。

我也是啊，根据金山毒霸查的结果WIN1里的病毒是win32.Troj.OnLineGamesT.ob.17920还有2-9里的是Win32.PSWTroj.OnlineGames.7440系统启动时就自己恢复了，再查其他地方也都没有毒，这几个文件即使被删除，重新启动后2-3分钟又会自动出现，关机跟你一样

不好意思，我是上了http://www.lovesex.com.cn/sbbs/showerr.asp?BoardID=68&ErrCodes=27&action=%B7%C3%CE%CA%C9%BD%B6%AB%D0%D4%CF%A2%BD%BB%C1%F7%D6%D0%D0%C4这个网站中的毒

另外还有一个914847M.BMP的文件很可以，那家伙会自动运行，我用的是SSM拦截下了，我手动给删除了，不过上边的情况删除了也照样出现

日志呢

2007-04-20,22:41:48

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件


启动项目


注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
(Internat.exe)(internat.exe) [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(load)() [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
(Synchronization Manager)(mobsync.exe /logon) [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(shell)(Explorer.exe) [(Verified)Microsoft Windows 2000 Publisher]
(Userinit)(D:\WINNT\System32\UserInit.exe,) [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(AppInit_DLLs)(914847M.BMP) [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
({A6011F8F-A7F8-49AA-9ADA-49127D43138F})(D:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd) []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
(WinlogonNotify: System Safety Monitor)(SSMWinlogonEx.dll) [(Verified)System Safety Limited]
[HKEY_CURRENT_USER\Control Panel\Desktop]
(SCRNSAVE.EXE)((无)) [N/A]




--------------------------------------------------------------------------------



启动文件夹

N/A



--------------------------------------------------------------------------------



服务

[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
(D:\WINNT\System32\dmadmin.exe /com)(VERITAS Software Corp.)
[Kingsoft Antivirus KWatch Service / KWatchSvc][Running/Auto Start]
(D:\KAV2007\KWatch.EXE)(Kingsoft Corporation)
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
(D:\WINNT\System32\svchost.exe -k netsvcs--)D:\WINNT\System32\mspmsnsv.dll)(Microsoft Corporation)



--------------------------------------------------------------------------------



驱动程序

[dmboot / dmboot][Stopped/Disabled]
(System32\drivers\dmboot.sys)(VERITAS Software Corp.)
[Logical Disk Manager Driver / dmio][Running/Boot Start]
(\SystemRoot\System32\drivers\dmio.sys)(VERITAS Software Corp.)
[dmload / dmload][Running/Boot Start]
(\SystemRoot\System32\drivers\dmload.sys)(VERITAS Software Corp.)
[3Com EtherLink XL B/C Adapter Driver / EL90BC][Running/Manual Start]
(System32\DRIVERS\el90xbc5.sys)(3Com Corporation)
[i81x / i81x][Running/Manual Start]
(System32\DRIVERS\i81xnt5.sys)(Intel Corporation)
[KWatch3 / KWatch3][Running/System Start]
(\??\D:\WINNT\System32\drivers\KWatch3.SYS)(Kingsoft Corporation)
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
(System32\DRIVERS\ptilink.sys)(Parallel Technologies, Inc.)
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
(\SystemRoot\System32\drivers\RsBoot.sys)(Beijing Rising)
[System Safety Monitor 2.0 Core Engine / safemon][Running/Boot Start]
(\SystemRoot\system32\drivers\safemon.sys)(System Safety Limited)



--------------------------------------------------------------------------------



浏览器加载项

[CBrowseStakeout Class]
{55302805-482E-470E-8A57-6795A1487F90} (D:\KAV2007\KAVAFish.DLL, Kingsoft Corporation)
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} (, N/A)
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} (D:\WINNT\System32\msdxm.ocx, Microsoft Corporation)
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} (D:\WINNT\System32\kakatool.dll, Beijing Rising Technology Co., Ltd.)
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} (D:\WINNT\System32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.)
[上传到QQ网络硬盘]
(E:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A)
[添加到QQ自定义面板]
(E:\Program Files\Tencent\QQ\AddPanel.htm, N/A)
[添加到QQ表情]
(E:\Program Files\Tencent\QQ\AddEmotion.htm, N/A)
[用QQ彩信发送该图片]
(E:\Program Files\Tencent\QQ\SendMMS.htm, N/A)
[金山毒霸反钓鱼...]
(D:\KAV2007\KAF\ShowSet.htm, N/A)



--------------------------------------------------------------------------------



正在运行的进程

[PID: 140][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2170.1]
[PID: 168][\??\D:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2137.1]
[PID: 188][\??\D:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2182.1]
[D:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2147.1]
[D:\WINNT\system32\SSMWinlogonEx.dll] [System Safety Limited, 2.0.8.583]
[D:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[PID: 776][D:\WINNT\Explorer.exe] [Microsoft Corporation, 5.00.2920.0000]
[D:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd] [N/A, ]
[D:\WINNT\System32\wdmaud.drv] [Microsoft Corporation, 5.00.2147.1]
[D:\WINNT\System32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[D:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 9, 7, 132]
[D:\WINNT\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\WINNT\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\WINNT\System32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
[D:\KAV2007\KAScript.DLL] [Kingsoft Corporation, 2006, 11, 9, 68]
[D:\KAV2007\KAEPlat.DLL] [Kingsoft Corp., 2007, 2, 4, 61]
[D:\KAV2007\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2007\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[D:\KAV2007\KAVEXT.DLL] [Kingsoft Corporation, 2005, 8, 5, 16]
[PID: 936][D:\KAV2007\KAVStart.exe] [Kingsoft Corporation, 2006, 11, 10, 212]
[D:\WINNT\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[D:\WINNT\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\WINNT\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\WINNT\System32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2007\KAVIPC2.DLL] [Kingsoft Corporation, 2004, 12, 28, 20]
[D:\KAV2007\SvcTimer.DLL] [Kingsoft Corporation, 2006.12.22.84]
[D:\KAV2007\KAVPassp.dll] [Kingsoft Corporation, 2006, 9, 7, 270]
[D:\KAV2007\PopSprt3.dll] [Kingsoft Corporation, 2006, 9, 26, 38]
[D:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 9, 7, 132]
[D:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[PID: 740][D:\KAV2007\KMailMon.EXE] [Kingsoft Corporation, 2006, 9, 7, 918]
[D:\KAV2007\KAntiSpm.dll] [Kingsoft Corporation, 2006, 8, 19, 104]
[D:\WINNT\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\WINNT\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2007\KAVIPC2.DLL] [Kingsoft Corporation, 2004, 12, 28, 20]
[D:\KAV2007\KAECall2.DLL] [Kingsoft Corporation, 2004, 12, 28, 7]
[D:\KAV2007\KAEPlat.DLL] [Kingsoft Corp., 2007, 2, 4, 61]
[D:\KAV2007\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2007\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[D:\KAV2007\KAConfig.DLL] [Kingsoft Corporation, 2006, 10, 30, 39]
[D:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 9, 7, 132]
[PID: 844][D:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2800.1106]
[D:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 9, 7, 132]
[D:\WINNT\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\WINNT\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\WINNT\System32\kakatool.dll] [Beijing Rising Technology Co., Ltd., 2, 0, 3, 0]
[D:\KAV2007\KAVAFish.DLL] [Kingsoft Corporation, 2006, 10, 25, 27]
[D:\WINNT\System32\PINTLGNT.IME] [Microsoft Corporation, 4.2.32]
[D:\WINNT\System32\winabc.ime] [Microsoft Corporation, 5.00.2190.1]
[D:\WINNT\System32\wdmaud.drv] [Microsoft Corporation, 5.00.2147.1]
[D:\WINNT\System32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[D:\WINNT\System32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
[D:\KAV2007\KAScript.DLL] [Kingsoft Corporation, 2006, 11, 9, 68]
[D:\KAV2007\KAEPlat.DLL] [Kingsoft Corp., 2007, 2, 4, 61]
[D:\KAV2007\KAEMem.DAT] [Kingsoft, 2006, 9, 25, 16]
[D:\KAV2007\KAEUnpack.DAT] [Kingsoft Corp., 2007, 3, 12, 114]
[D:\WINNT\System32\msxml3.dll] [Microsoft Corporation, 8.30.9926.0]
[D:\WINNT\System32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
[PID: 824][D:\Documents and Settings\陈彦良\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[D:\KAV2007\KMailOEBand.dll] [Kingsoft Corporation, 2006, 9, 7, 132]
[D:\WINNT\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\WINNT\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[D:\KAV2007\KASocket.dll] [Kingsoft Corporation, 2005, 2, 22, 233]
[D:\Documents and Settings\陈彦良\桌面\sreng2\Plugins\NWMON.SRE] [Smallfrogs Studio, 1, 0, 0, 8]



--------------------------------------------------------------------------------



文件关联

.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]



--------------------------------------------------------------------------------



Winsock 提供者

N/A



--------------------------------------------------------------------------------



Autorun.inf

N/A



--------------------------------------------------------------------------------



HOSTS 文件

127.0.0.1 localhost



--------------------------------------------------------------------------------



API HOOK

入口点错误：LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: D:\KAV2007\KASocket.dll)



--------------------------------------------------------------------------------



隐藏进程

N/A

高手，麻烦你了，我在线等你，需要什么说啊

自己顶下，希望有高手帮我

我也中了类似的，也在那个TEMP里，瑞星会提示毒，杀了N个后，无论怎么查都没了，但是重起还会有，到目前瑞星杀不了。
进程里多个svho....（记不请了）和conime.
结果，我用中毒前的系统还原把他还掉了。。。。。
汗。。。。。。找不道关于病毒的资料

[CODE]

在桌面建立一个文件夹，再用WinRAR工具(即开始-->所有程序里的WinRAR)打开WinRAR-->点“查找”在磁盘和文件夹选 C: 。找到文件（或文件相关的程序），然后按解压到，选桌面刚建的文件夹，然后确定，然后等所有操作做完后再将那个文件夹压缩加密码123(即高级-->设置密码）给我，我的QQ是397005089或者油箱也行wuduyouli@yahoo.com.cn要找的文件如下:

==============================================================================
关闭所有正在使用的应用程序包括QQ等等
然后关闭系统还原(WIN2000可以忽略）：按我的电脑右键的属性点系统还原，在所有驱动器上关闭系统还原 打勾。[等所有操作完成后再去打开]
用ATF清理工具点这里下载,在全选那打勾，然后点立即清理
然后按照我以下的方法做：
==============================================================================
PowerRMV 下载地址: 

使用方法：
分别填入下面的文件（包括完整的路径） ，勾选“抑止杀灭对象再次生成”，点杀灭 【如果其实目标不存在，那就忽略继续】
使用PowerRMV删除如下文件:
D:\WINNT\System32\914847M.BMP（没有就忽略）
D:\WINNT\914847M.BMP（没有就忽略）
D:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd
==============================================================================
等XDelBox杀完后去安全模式进行如下操作（重启电脑 不断按F8 然后选安全模式）进不了安全模式,可以在SREng中 点系统修复 --> 点高级修复，再点修复安全模式
==============================================================================
用工具 SREng 删除如下各项
在SREng中 点 启动项目 --> 注册表  进入后 用鼠标左键在对应要修复的项上单击 然后点击"删除"
  删除如下项目：
(Internat.exe)(internat.exe) [(Verified)Microsoft Windows 2000 Publisher](有可能是木马，具体看帖
(Synchronization Manager)(mobsync.exe /logon) [(Verified)Microsoft Windows 2000 Publisher]（留不留具体看帖
编辑(AppInit_DLLs)(914847M.BMP) [N/A]为(AppInit_DLLs)[N/A]
({A6011F8F-A7F8-49AA-9ADA-49127D43138F})(D:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.vxd) []
SCRNSAVE.EXE)((无)) [N/A]

==============================================================================
在SREng中 点系统修复 --> 点文件关联，点“修复”
在SREng中 点系统修复 --> 点Windows Shell/IE ,勾全选，点“修复”
==============================================================================
以上步骤做完就重启电脑,然后重装QQ(先卸载了，再安装),再用WINDOWS 清理助手点这里下载和恶意软件清理助手点这里下载杀恶意软件,再升级杀毒软件全盘杀毒

                                                       
                                                                        分  析：無毒侑禮
                                                                        时 间：2007-4-21
                                                                          QQ：397005089
                                                              E-mail：wuduyouli@yahoo.com.cn