现象：一台XP系统的微机，每隔一分钟explorer.exe自动连接一次60.28.236.*  发送定长的数据包。内容无意义 估计是某病毒的残余。
措施：杀毒、清理注册表、清空所有启动项、禁用所有服务--->无效
措施2： 终止explorer.exe进程，再启动explorer.exe ---> 有效
        用冰刀比较 加载的摸块，逐个排查,都是正常dll,没发现问题。。

请问专家，还有别的办法吗？ （除了重装）

[用户系统信息]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)

第二个方法有效??

那就看看这里:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
shell的值是什么?


"Shell"="Explorer.exe"
这个才是对的。如果还有别的在explorer.exe后面，就去掉它,并且干掉那个程序。

【回复“加楠”的帖子】
机器的系统是XP sp2,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe" 这个值是对的。

让人百思不得其解的是 这个病毒是怎么注入到explorer进程的？

提问：重启动后的explorer.exe进程 与 开机原始的explorer.exe进程有哪些差别？ 请高手回答

防火墙——禁止explorer.exe访问网络！

【回复“dadani”的帖子】
插explorer.exe进程的病毒很多。
只是这麽简单的描述，无法帮你。
如果SRENG可以运行，建议你扫一份完整的SRENG日志贴上来看看。

【回复“ADL”的帖子】
禁止explorer.exe访问网络！ 这倒是好办法。
不过对于捉病毒三天三夜的人 是不能满足的。呵。

【回复“baohe”的帖子】

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ACTIVE MESSENGER><; C:\Program Files\Activesoft\ActiveMessenger\AMsger.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Kingbase ES / Kingbase ES][Stopped/Disabled]
  <E:\Program Files\kingbase\server\kbser.exe><Basesoft>
[Macromedia Licensing Service / Macromedia Licensing Service][Stopped/Disabled]
  <"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><>
[Apache Tomcat / Tomcat5][Stopped/Disabled]
  <"C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5><Apache Software Foundation>
[Windows Live Setup Service / WLSetupSvc][Stopped/Disabled]
  <"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"><>

==================================
驱动程序
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Stopped/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[adpu160m / adpu160m][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\adpu160m.sys><Microsoft Corporation>
[adpu320 / adpu320][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\adpu320.sys><Adaptec, Inc.>
[aeaudio / aeaudio][Running/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[aic78u2 / aic78u2][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\aic78u2.sys><Microsoft Corporation>
[aic78xx / aic78xx][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[Broadcom NetXtreme Gigabit Ethernet / b57w2k][Running/Manual Start]
  <System32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[Broadcom Advanced Server Program Driver / Blfp][Stopped/Manual Start]
  <System32\DRIVERS\baspxp32.sys><Broadcom Corporation>
[dpti2o / dpti2o][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\dpti2o.sys><Microsoft Corporation>
[Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]
  <System32\DRIVERS\e100b325.sys><Intel Corporation>
[Compaq Easy Access PS2 Internet Keyboard (Win2K) / eaps2kbd][Running/Manual Start]
  <System32\DRIVERS\eaps2kbd.sys><Compaq Computer Corp.>
[usb Card Device / ft2kEnum][Running/Manual Start]
  <system32\DRIVERS\ic2kenum.sys><OEM Corporation>
[USB Chip Holder Service / GDBaseSmc][Running/Manual Start]
  <system32\DRIVERS\Chip_smc.sys><OEM>
[USB Chip Service / GD_USB][Stopped/Manual Start]
  <system32\DRIVERS\Chip_usb.sys><>
[i81x / i81x][Stopped/Manual Start]
  <System32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0][Stopped/Manual Start]
  <System32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
[iAimFP1 / iAimFP1][Stopped/Manual Start]
  <System32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
[iAimFP2 / iAimFP2][Stopped/Manual Start]
  <System32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
[iAimFP3 / iAimFP3][Stopped/Manual Start]
  <System32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
[iAimFP4 / iAimFP4][Stopped/Manual Start]
  <System32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
[iAimTV0 / iAimTV0][Stopped/Manual Start]
  <System32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
[iAimTV1 / iAimTV1][Stopped/Manual Start]
  <System32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
[iAimTV2 / iAimTV2][Stopped/Manual Start]
  <System32\DRIVERS\wATV03nt.sys><N/A>
[iAimTV3 / iAimTV3][Stopped/Manual Start]
  <System32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
[iAimTV4 / iAimTV4][Stopped/Manual Start]
  <System32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
[ialm / ialm][Running/Manual Start]
  <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[npkycryp / npkycryp][Stopped/Manual Start]
  <\??\UNC\42.1.39.112\amao1\Program Files\Tencent\QQ\npkycryp.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[SmartCard Reader Device  / Reader_Device][Running/Manual Start]
  <system32\DRIVERS\usbic2k.sys><OEM>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[sptd / sptd][Stopped/Boot Start]
  <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[symc810 / symc810][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\symc8xx.sys><LSI Logic>
[SymEvent / SymEvent][Stopped/Manual Start]
  <\??\C:\Program Files\Symantec\SYMEVENT.SYS><N/A>
[Symmpi / Symmpi][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\symmpi.sys><LSI Logic>
[sym_hi / sym_hi][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\sym_u3.sys><LSI Logic>
[ViaIde / ViaIde][Stopped/Disabled]
  <\SystemRoot\System32\DRIVERS\viaide.sys><Microsoft Corporation>
[VMware Virtual Ethernet Adapter Driver / VMnetAdapter][Stopped/Manual Start]
  <system32\DRIVERS\vmnetadapter.sys><N/A>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
浏览器加载项
N/A

==================================
正在运行的进程
[PID: 320 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 440 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 464 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\dcsws2.dll]  [DiamondCS, 2.110]
[PID: 508 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\AppPatch\AcAdProc.dll]  [Microsoft Corporation, 5.1.2600.3008 (xpsp.061004-0027)]
[PID: 520 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\dcsws2.dll]  [DiamondCS, 2.110]
[PID: 668 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 744 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\dcsws2.dll]  [DiamondCS, 2.110]
[PID: 808 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1104 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\dcsws2.dll]  [DiamondCS, 2.110]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1220 / Administrator][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1460 / Administrator][E:\IE插件屏蔽免疫\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [E:\IE插件屏蔽免疫\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [C:\WINDOWS\system32\dcsws2.dll]  [DiamondCS, 2.110]
[PID: 1476 / Administrator][C:\WINDOWS\system32\userinit.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
DiamondCS TCP/IP Layer [TCP]
    C:\WINDOWS\system32\dcsws2.dll(DiamondCS, dcsws2)
DiamondCS TCP/IP Layer [UDP]
    C:\WINDOWS\system32\dcsws2.dll(DiamondCS, dcsws2)
DiamondCS TCP/IP Layer [RAW]
    C:\WINDOWS\system32\dcsws2.dll(DiamondCS, dcsws2)

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
N/A

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

终于有高手回复了。贴一张 病毒发送的内容上来 请高手看看都是什么

重扫个2.5版本的SRENG日志。

报告保存后,将日志内容复制到空记事本里保存，再以附件形式发来。

不要再改来改去的粘贴了。。