Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board


Urgent! Experts please help! Server infected with AdWare.Look2Me

The machine has picked up a hijacker that I cannot kill no matter what I try.

Every few minutes an IE window pops up on its own, pointing at an advertising site, for example: http://www.AD-w-a-r-e.com/

The software generates several randomly named dll files under C:\WINNT\System32\, e.g. jtr2079oe.dll
These dll files cannot be removed; the error message is: the file is in use.

The software creates a key at the following registry location:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
    <WinlogonNotify: MCD><C:\WINNT\system32\jtr2079oe.dll>

If I delete this key, it is recreated after a refresh. There must be a guardian process running.
But Process Explorer shows no suspicious process at all.

The attempts above to delete the dll and the registry key failed the same way in both normal mode and safe mode. (In safe mode there are hardly any processes left, and there is no trace of it whatsoever.)

Scanning with AVG Anti-Spyware 7.5 finds these dlls and names the adware Look2Me, but it cannot clean them, only ignore them.
Last edited 2007-05-04 11:24:47

This is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:48:44 AM, on 5/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\llssrv.exe
e:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlservr.exe
e:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
e:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlagent.exe
e:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CpqRcmc.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\cpqteam.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\TodaySPC3000\System\bin\osagent.exe
C:\Program Files\TodaySPC3000\VbjGui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TodaySPC3000\System\bin\vbj.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\regedit.exe
C:\WINNT\System32\rundll32.exe
E:\Program Files\sreng2\SREng.EXE
E:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [osagent] C:\Program Files\TodaySPC3000\System\bin\osagent.exe
O4 - HKLM\..\Run: [CorbaEventServer] C:\Program Files\TodaySPC3000\VbjGui.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aaaa.aaaa.aaaa.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3DCAA1D-55A6-4E2B-A4FB-D33BD9F56B5F}: NameServer = 10.0.0.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC190D28-1F97-4E3A-AF7C-AE4F9979E369}: Domain = aaaa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aaaa.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{C3DCAA1D-55A6-4E2B-A4FB-D33BD9F56B5F}: NameServer = 10.0.0.25
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aaaa.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{C3DCAA1D-55A6-4E2B-A4FB-D33BD9F56B5F}: NameServer = 10.0.0.25
O20 - Winlogon Notify: MCD - C:\WINNT\system32\jtr2079oe.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Microsoft Search (MSSEARCH) - Unknown owner - C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - E:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe

SREng log

2007-05-02,01:48:24

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <internat.exe><internat.exe>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <CPQTEAM><cpqteam.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <vptray><C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe>  [Symantec Corporation]
    <osagent><C:\Program Files\TodaySPC3000\System\bin\osagent.exe>  []
    <CorbaEventServer><C:\Program Files\TodaySPC3000\VbjGui.exe>  []
    <AeXAgentLogon><C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon>  [Altiris, Inc.]
    <!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
    <WinlogonNotify: MCD><C:\WINNT\system32\jtr2079oe.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    <WinlogonNotify: NavLogon><C:\WINNT\system32\NavLogon.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
    <WinlogonNotify: PCANotify><PCANotify.dll>  [Symantec Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINNT\system32\scrnsave.scr>  [(Verified)Microsoft Windows 2000 Publisher]

==================================
Startup Folders
[Service Manager]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk --> C:\PROGRA~1\MICROS~3\80\Tools\Binn\sqlmangr.exe [Microsoft Corporation]><N>
==================================
Services
[Altiris Agent / AeXNSClient][Running/Auto Start]
  <C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe><Altiris, Inc.>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Stopped/Auto Start]
  <C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[pcAnywhere Host Service / awhost32][Running/Auto Start]
  <C:\Program Files\Symantec\pcAnywhere\awhost32.exe><Symantec Corporation>
[Backup Exec Remote Agent for Windows Servers / BackupExecAgentAccelerator][Running/Auto Start]
  <"C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe"><VERITAS Software Corporation>
[HP Insight Event Notifier / CIMnotify][Stopped/Disabled]
  <C:\WINNT\System32\CIMntfy\cimntfy.exe><Hewlett-Packard Company>
[HP Insight NIC Agent / CpqNicMgmt][Running/Auto Start]
  <C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe><Hewlett-Packard Company>
[HP ProLiant Remote Monitor Service / CpqRcmc][Running/Auto Start]
  <C:\WINNT\System32\CpqRcmc.exe><Hewlett-Packard Company>
[HP Version Control Agent / cpqvcagent][Running/Auto Start]
  <C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe><Hewlett-Packard Company>
[HP Insight Foundation Agents / CqMgHost][Running/Auto Start]
  <C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe><Hewlett-Packard Company>
[HP Insight Server Agents / CqMgServ][Running/Auto Start]
  <C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe><Hewlett-Packard Company>
[HP Insight Storage Agents / CqMgStor][Running/Auto Start]
  <C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe><Hewlett-Packard Company>
[DefWatch / DefWatch][Running/Auto Start]
  <"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[DameWare NT Utilities 2.6 / DNTUS26][Running/Auto Start]
  <C:\WINNT\SYSTEM32\DNTUS26.EXE><DameWare Development LLC>
[DameWare Mini Remote Control / DWMRCS][Running/Auto Start]
  <C:\WINNT\SYSTEM32\DWRCS.EXE -service><DameWare Development LLC>
[Microsoft Search / MSSEARCH][Stopped/Auto Start]
  <"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"><N/A>
[MSSQL$TEST / MSSQL$TEST][Running/Auto Start]
  <e:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlservr.exe -sTEST><Microsoft Corporation>
[MSSQLSERVER / MSSQLSERVER][Running/Auto Start]
  <e:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe><Microsoft Corporation>
[MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Manual Start]
  <C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
[Symantec AntiVirus Client / Norton AntiVirus Server][Running/Auto Start]
  <"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
[OracleMTSRecoveryService / OracleMTSRecoveryService][Running/Auto Start]
  <E:\oracle\ora92\bin\omtsreco.exe "OracleMTSRecoveryService"><Oracle Corporation>
[OracleOraHome92ClientCache / OracleOraHome92ClientCache][Stopped/Manual Start]
  <E:\oracle\ora92\BIN\ONRSD.EXE><N/A>
[SQLAgent$TEST / SQLAgent$TEST][Running/Auto Start]
  <e:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlagent.exe -i TEST><Microsoft Corporation>
[SQLSERVERAGENT / SQLSERVERAGENT][Running/Auto Start]
  <e:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe><Microsoft Corporation>
[HP ProLiant System Shutdown Service / sysdown][Running/Auto Start]
  <C:\WINNT\System32\sysdown.exe><Compaq Computer Corporation>
[HP System Management Homepage / SysMgmtHP][Running/Auto Start]
  <C:\hp\hpsmh/bin/smhstart.exe><Hewlett-Packard Company>
[Visual Studio Analyzer RPC bridge / Visual Studio Analyzer RPC bridge][Stopped/Manual Start]
  <C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe><Microsoft Corporation>
==================================
Drivers
[adpu160m / adpu160m][Running/Boot Start]
  <\SystemRoot\system32\drivers\adpu160m.sys><Microsoft Corporation>
[ati2mpad / ati2mpad][Running/Manual Start]
  <System32\DRIVERS\ati2mpad.sys><ATI Technologies Inc.>
[atirage3 / atirage3][Stopped/Manual Start]
  <System32\DRIVERS\atimpab.sys><ATI Technologies Inc.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  <\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[awlegacy / awlegacy][Running/System Start]
  <\SystemRoot\System32\Drivers\awlegacy.sys><Symantec Corporation>
[AW_HOST / AW_HOST][Running/System Start]
  <system32\drivers\aw_host5.sys><Symantec Corporation>
[Network Management Protocol Driver / CNMPROT][Stopped/Manual Start]
  <System32\DRIVERS\cnmprot.sys><N/A>
[cpqasm2 / cpqasm2][Running/Manual Start]
  <System32\DRIVERS\cpqasm2.sys><Compaq Computer Corporation>
[HP iLO Management Channel Interface Driver / CpqCiDrv][Running/Manual Start]
  <System32\DRIVERS\CpqCiDrv.sys><Hewlett-Packard Company>
[CPQCISSE / CPQCISSE][Running/Manual Start]
  <System32\DRIVERS\CPQCISSE.sys><Hewlett-Packard Company>
[cpqcissm / cpqcissm][Running/Boot Start]
  <\SystemRoot\system32\drivers\cpqcissm.sys><Hewlett-Packard Company>
[HP Network Configuration Utility 7 / CPQTeam][Stopped/Manual Start]
  <System32\DRIVERS\cpqteam.sys><Hewlett-Packard Company>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[LsiCsb6 / LsiCsb6][Running/Boot Start]
  <\SystemRoot\system32\drivers\LsiCsb6.sys><LSI Logic Corporation.>
[MegaIDE / MegaIDE][Stopped/Disabled]
  <\SystemRoot\system32\drivers\MegaIDE.sys><LSI Logic Corporation>
[NAVAP / NAVAP][Running/Manual Start]
  <\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys><Symantec Corporation>
[NAVAPEL / NAVAPEL][Running/Auto Start]
  <\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS><Symantec Corporation>
[NAVENG / NAVENG][Running/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070430.018\NAVENG.sys><Symantec Corporation>
[NAVEX15 / NAVEX15][Running/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070430.018\NAVEX15.sys><Symantec Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[HP NC7782 Gigabit Server Adapter / q57w2k][Running/Manual Start]
  <System32\DRIVERS\q57w2k.sys><Hewlett-Packard Company>
[symc810 / symc810][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\symc8xx.sys><LSI Logic>
[SymEvent / SymEvent][Running/Manual Start]
  <\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[symmpi / symmpi][Running/Boot Start]
  <\SystemRoot\system32\drivers\symmpi.sys><LSI Logic>
[sym_hi / sym_hi][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\sym_hi.sys><Symbios Inc.>
[HP ProLiant System Management Interface Driver / sysmgmt][Running/Manual Start]
  <System32\DRIVERS\sysmgmt.sys><Compaq Computer Corporation>
==================================
Browser Add-ons
[&Radio]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, >
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\macromed\flash\Flash.ocx, Macromedia, Inc.>

==================================
Running Processes
[PID: 3520][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\WINNT\system32\ksdgr.dll]  [N/A, ]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll]  [Symantec Corporation, 8.00.00.9374]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll]  [Anti-Malware Development a.s., 7, 5, 0, 49]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [Anti-Malware Development a.s., 7, 5, 0, 47]
[PID: 3580][C:\WINNT\SYSTEM32\DWRCST.exe]  [DameWare Development, 5, 1, 3, 0]
[PID: 2224][C:\WINNT\system32\cpqteam.exe]  [Hewlett-Packard Company, 7.80.0.9]
[PID: 3408][C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe]  [Symantec Corporation, 8.00.00.9374]
    [C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll]  [Symantec Corporation, 8.00.00.9374]
    [C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL]  [Symantec/Peter Norton Group, 1, 0, 0, 1]
    [C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll]  [Symantec Corporation, 8.00.00.9374]
[PID: 3556][C:\Program Files\TodaySPC3000\System\bin\osagent.exe]  [N/A, ]
    [C:\Program Files\TodaySPC3000\System\bin\MFC42.DLL]  [Microsoft Corporation, 6.00.8665.0]
[PID: 3552][C:\Program Files\TodaySPC3000\VbjGui.exe]  [N/A, ]
[PID: 3644][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe]  [Anti-Malware Development a.s., 7, 5, 0, 50]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll]  [Anti-Malware Development a.s., 4, 2, 0, 15]
[PID: 3652][C:\Program Files\TodaySPC3000\System\bin\vbj.exe]  [N/A, ]
    [c:\program files\oracle\jre\1.3.1\bin\hotspot\jvm.dll]  [N/A, ]
    [c:\program files\oracle\jre\1.3.1\bin\hpi.dll]  [N/A, ]
    [c:\program files\oracle\jre\1.3.1\bin\verify.dll]  [N/A, ]
    [c:\program files\oracle\jre\1.3.1\bin\java.dll]  [N/A, ]
    [c:\program files\oracle\jre\1.3.1\bin\zip.dll]  [N/A, ]
    [C:\Program Files\Oracle\jre\1.3.1\bin\net.dll]  [N/A, ]
    [C:\Program Files\Oracle\jre\1.3.1\bin\ioser12.dll]  [N/A, ]
[PID: 3660][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
[PID: 3680][C:\WINNT\system32\conime.exe]  [Microsoft Corporation, 5.00.2195.6655]
[PID: 3672][C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe]  [Microsoft Corporation, 2000.080.0194.00]
    [C:\Program Files\Microsoft SQL Server\80\Tools\Binn\W95SCM.dll]  [Microsoft Corporation, 2000.080.0194.00]
    [C:\WINNT\system32\SQLUNIRL.dll]  [Microsoft Corporation, 2000.080.0728.00]
    [C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLSVC.dll]  [Microsoft Corporation, 2000.080.0194.00]
    [C:\WINNT\system32\odbcbcp.dll]  [Microsoft Corporation, 2000.085.1064.00 built by: (_sqlbld)]
    [C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLRESLD.dll]  [Microsoft Corporation, 2000.080.0194.00]
    [C:\Program Files\Microsoft SQL Server\80\Tools\Binn\Resources\1033\SQLSVC.RLL]  [Microsoft Corporation, 2000.080.0194.00]
    [C:\Program Files\Microsoft SQL Server\80\Tools\Binn\Resources\1033\sqlmangr.RLL]  [Microsoft Corporation, 2000.080.0194.00]
[PID: 3864][C:\WINNT\regedit.exe]  [Microsoft Corporation, 5.00.2195.6707]
[PID: 1340][C:\WINNT\System32\rundll32.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\guard.tmp]  [N/A, ]
[PID: 2244][E:\Program Files\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
N/A

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================

[PID: 1340][C:\WINNT\System32\rundll32.exe] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\guard.tmp] [N/A, ]

After killing the rundll32.exe process with PID 1340, C:\WINNT\system32\guard.tmp could be deleted, but the dll files under C:\WINNT\system32\ still cannot be deleted, and the registry entry is rebuilt after I delete it.

[PID: 3520][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\ksdgr.dll] [N/A, ]
After killing Explorer.exe with PID 3520 the shell is gone entirely, but C:\WINNT\system32\ksdgr.dll still cannot be deleted.
I tried to use Unlocker to help delete it, but got an error message.

[Attachment: screenshot of the error (image/pjpeg), uploaded 2007-5-2 3:04:07]

Deleting with KillBox returns an error message saying

This file could not be deleted.


I could faint!!!!
It's a server; I can't just pull the hard disk and move it to another computer to delete them, the way I could with a desktop...
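Once rundll32.exe and Explorer.EXE are gone, the process that still holds the DLL open is winlogon.exe, which loads the Winlogon Notify package and cannot be killed without taking the server down, so Unlocker and KillBox fail for the same reason regedit and the normal delete did. The standard way out for a file that is locked by a system process is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the mechanism behind a "delete on reboot" option: the path is appended to the PendingFileRenameOperations value under the Session Manager key, and smss.exe performs the deletion early in the next boot, before winlogon.exe has loaded any Notify package. With the DLL gone, nothing is left running inside winlogon.exe to recreate the Notify\MCD subkey, so it can then be removed normally. The script below is an added example, not code from this thread or from KillBox or Unlocker. The file list reuses the paths reported in this thread and is an assumption, since every infected machine gets different random names; it has to be run from an administrative account with `--apply` to do anything, and off Windows (or without `--apply`) it only reports what it would queue.

```python
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h flag for MoveFileExW
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Paths reported in this thread (an assumption: on another machine the random
# names differ, so take the full list from the AVG Anti-Spyware / SREng output).
LOCKED_FILES = [
    r"C:\WINNT\system32\jtr2079oe.dll",
    r"C:\WINNT\system32\ksdgr.dll",
    r"C:\WINNT\system32\guard.tmp",
]


def pending_rename_entries(paths):
    r"""REG_MULTI_SZ pairs as MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
    records them under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
    PendingFileRenameOperations: the source in \??\ object-manager form followed
    by an empty destination, which smss.exe treats as 'delete' during the next
    boot, before winlogon.exe has loaded any Notify package."""
    entries = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def schedule_delete_on_reboot(paths, dry_run=True):
    r"""Queue each path for deletion at the next boot. Returns (queued, failed);
    failed carries (path, Win32 error code). Needs an administrative token.
    With dry_run=True, or off Windows, it only reports what would be queued."""
    if dry_run or sys.platform != "win32":
        return list(paths), []
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    queued, failed = [], []
    for p in paths:
        # NULL destination + delay flag = delete at boot, even while the file is mapped.
        if kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            queued.append(p)
        else:
            failed.append((p, ctypes.get_last_error()))
    return queued, failed


def remove_notify_subkey(name, dry_run=True):
    r"""Delete HKLM\...\Winlogon\Notify\<name>. Do this after the reboot that
    removed the DLL, when nothing inside winlogon.exe is left to recreate it.
    Returns the subkey path that was (or would be) deleted."""
    subkey = NOTIFY_KEY + "\\" + name
    if dry_run or sys.platform != "win32":
        return subkey
    import winreg  # Windows-only module, imported only when actually needed
    winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, subkey)
    return subkey


if __name__ == "__main__":
    live = "--apply" in sys.argv
    queued, failed = schedule_delete_on_reboot(LOCKED_FILES, dry_run=not live)
    for p in queued:
        print("queued for deletion at reboot:", p)
    for p, err in failed:
        print("FAILED (Win32 error %d):" % err, p)
    print("PendingFileRenameOperations would contain:", pending_rename_entries(queued))
    print("after reboot, remove:", "HKLM\\" + remove_notify_subkey("MCD", dry_run=True))
```

Queue every random-named DLL that AVG Anti-Spyware reported, not only the one named in the Notify\MCD key: the SREng output in this thread shows a second copy (ksdgr.dll) sitting inside Explorer.EXE, and leaving one behind lets it rebuild the Notify entry at the next logon. Check after the reboot that the files are really gone (and that no new random names appeared in System32) before deleting the subkey and re-scanning.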