Rising Kaka Security Forum, Technical Exchange Area, Anti-Virus / Anti-Rogue-Software Forum

[Help] How do I remove the Trojan.PWS.QQPass virus? (urgent, thanks in advance)

Virus name: Trojan.PWS.QQPass
Path: C:\Program Files\Common Files\Microsoft Shared\MSInfo\xiaran.lmz

When I ran Super Rabbit's malware and trojan check, it reported this item: (Found unknown file execution hook: {08315C1A-9BA9-4B7C-A432-26885F78DF28} (C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz)). I cleaned it with one click, but it is back every time I scan. When I ran Norton earlier, it also flagged this thing as a virus.


Here is what happened: I was chatting with a friend on QQ and she said she wanted to send me something funny (something called <Dialogue between a hacker and a newbie>). After it came through QQ and I unzipped it, it turned out to be an application; when I opened it, no window appeared but it was running, and later my QQ account was stolen. Today at boot, Symantec AntiVirus (Corporate Edition) kept reporting a virus but could not quarantine it. I then switched to Rising, which did not find this virus at all... At the same time, I keep getting the warning that virtual memory is too low... some process requests will be denied.

Could an expert help? Many thanks!
Last edited 2006-06-03 21:23:15

I tried what 小聪 suggested in post #1. Here is the list of running processes; please take a look. Also, I keep getting the warning: virtual memory too low...

正在运行的进程
[PID: 616][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 692][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 760][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\system32\Ati2evxx.dll]  <ATI Technologies Inc.><6.14.10.4116>
[PID: 804][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 816][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 988][C:\WINDOWS\System32\Ati2evxx.exe]  <ATI Technologies Inc.><6.14.10.4116>
    [C:\WINDOWS\System32\Ati2edxx.dll]  <ATI Technologies, Inc.><6, 14, 10, 2497>
[PID: 1036][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\cdnns.dll]  <N/A><N/A>
[PID: 1128][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1260][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1292][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1492][C:\WINDOWS\system32\spoolsv.exe]  <Microsoft Corporation><5.1.2600.0 (XPClient.010817-1148)>
    [C:\WINDOWS\System32\cdnns.dll]  <N/A><N/A>
[PID: 1648][C:\WINDOWS\system32\Ati2evxx.exe]  <ATI Technologies Inc.><6.14.10.4116>
    [C:\WINDOWS\system32\Ati2edxx.dll]  <ATI Technologies, Inc.><6, 14, 10, 2497>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 1840][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\WINDOWS\Downloaded Program Files\Bcrrdo.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\YAlive.dll]  <><2, 1, 1, 1039>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll]  < ><2, 0, 1, 1007>
    [C:\WINDOWS\System32\mp3infp.dll]  <win32lab.com><2.50.5.0>
[PID: 1920][C:\WINDOWS\System32\alg.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 160][C:\WINDOWS\System32\wdfmgr.exe]  <Microsoft Corporation><5.2.3790.1230 built by: dnsrv(bld4act)>
[PID: 1220][C:\WINDOWS\SOUNDMAN.EXE]  <Realtek Semiconductor Corp.><5.1.0.38>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 1232][C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe]  <ATI Technologies, Inc.><6.14.10.5155>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll]  <ATI Technologies, Inc.><6.14.10.5155>
    [C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.CHS]  <ATI Technologies, Inc.><6.14.10.5155>
    [C:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll]  <ATI Technologies, Inc.><6.14.10.5155>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
[PID: 1244][C:\Program Files\CNNIC\Cdn\cdnup.exe]  <><2, 3, 0, 8>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\cdntdns.dll]  <CNNIC><2, 2, 0, 3>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
[PID: 1252][C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe]  < ><2, 0, 0, 1002>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\YAlive.dll]  <><2, 1, 1, 1039>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yalliveex.dll]  < ><2, 0, 1, 1007>
[PID: 1300][C:\WINDOWS\System32\Rundll32.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 3, 1>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\WINDOWS\downlo~1\CnsMinIO.dll]  <北京三七二一科技有限公司><1, 0, 3, 5>
    [C:\WINDOWS\downlo~1\cnsio.dll]  <北京三七二一科技有限公司><1, 0, 2, 6>
[PID: 1328][C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe]  <Yahoo!><1, 0, 1, 1001>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\Assistant\shell\yAssecblk.dll]  <Yahoo><1, 0, 2, 1002>
    [C:\PROGRA~1\Yahoo!\Assistant\shell\yMenuInfo.dll]  <Yahoo><1, 0, 0, 2>
    [C:\PROGRA~1\Yahoo!\Assistant\shell\yIEAngel.dll]  <Yahoo><1, 0, 1, 1001>
    [C:\PROGRA~1\Yahoo!\Assistant\shell\yAsMenu.dll]  <Yahoo><1, 0, 1, 1006>
[PID: 1376][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  <RealNetworks, Inc.><0.1.0.3510>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 1744][C:\WINDOWS\LSASS.exe]  <newPage><0.00.0066>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>



[PID: 1768][C:\Program Files\Rising\Rav\RavTask.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 1556][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 1636][C:\Program Files\MSN Messenger\MsnMsgr.Exe]  <Microsoft Corporation><7.5.0306>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\WINDOWS\System32\cdnns.dll]  <N/A><N/A>
    [C:\WINDOWS\System32\msdmo.dll]  <N/A><N/A>
[PID: 1836][C:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE]  <Super Rabbit Soft><7.00.0005>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
[PID: 2036][C:\Program Files\VIA\RAID\raid_tool.exe]  <VIA Technologies><4, 0, 1, 0>
    [C:\Program Files\VIA\RAID\drvInterface.dll]  <VIA><4, 0, 0, 0>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
[PID: 228][C:\WINDOWS\system32\rundll32.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\Progra~1\IE-BAR\Cast\dmipn.dll]  <千橡互联><2, 1, 5, 0>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Progra~1\IE-BAR\Cast\dmshell.dll]  <千橡互联><2, 1, 5, 0>
    [C:\Progra~1\IE-BAR\Cast\216~1.0\dmplayer.dll]  <千橡互联><2, 1, 6, 0>
    [C:\WINDOWS\System32\cdnns.dll]  <N/A><N/A>
[PID: 2044][C:\Program Files\QQ2005\QQ.exe]  <TENCENT><0, 0, 0, 0>
    [C:\Program Files\QQ2005\QQBaseClassInDll.dll]  <><1, 0, 0, 1>
    [C:\Program Files\QQ2005\QQHelperDll.dll]  <><1, 0, 0, 1>
    [C:\Program Files\QQ2005\BasicCtrlDll.dll]  <Tencent><5, 0, 200, 14>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\QQ2005\LoginCtrl.dll]  <><1, 0, 0, 1>
    [C:\Program Files\QQ2005\npkcntc.dll]  <INCA Internet Co., Ltd.><2005, 9, 1, 1>
    [C:\Program Files\QQ2005\npkpdb.dll]  <INCA Internet Co., Ltd.><2003, 10, 1, 1>
    [C:\Program Files\QQ2005\QQAPI.dll]  <><1, 0, 0, 1>
    [C:\Program Files\QQ2005\TIMProxy.dll]  <tencent><0, 3, 2, 4>
[PID: 424][C:\Program Files\QQ2005\TIMPlatform.exe]  <tencent><0, 3, 1, 8>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\Program Files\QQ2005\TIMProxy.dll]  <tencent><0, 3, 2, 4>
[PID: 2992][C:\Downloads\sreng\SREng.exe]  <Smallfrogs Studio><2.0.12.350>
    [C:\Program Files\CNNIC\Cdn\cdnspie.dll]  <><2, 1, 0, 4>
    [C:\Program Files\CNNIC\Cdn\imaoe.dll]  <CNNIC><2, 2, 0, 1>
    [C:\Program Files\CNNIC\Cdn\cdnforie.dll]  <CNNIC><1, 0, 0, 11>
    [C:\Program Files\CNNIC\Cdn\cdndet.dll]  <CNNIC><2, 2, 0, 4>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll]  <><2, 0, 1, 1018>
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz]  <N/A><N/A>
    [C:\WINDOWS\Downloaded Program Files\Xopx.dll]  <Tencent><4, 0, 5, 50>
    [C:\WINDOWS\System32\cdnns.dll]  <N/A><N/A>

Now my QQ password keeps getting changed by someone else (luckily I have password protection, but it is so frustrating)... Please take a look, everyone. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 19:43:08, on 2006-6-3
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LSASS.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\FlashGet\flashget.exe
C:\Downloads\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: 好看123上网精灵 - {00000000-280E-445B-B051-A8B2DA7E798A} - C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~2.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CMoveCatchPic Object - {0CF098A0-CBAC-4EFB-8451-3AFC201C7222} - C:\Program Files\xBar\xBarHelper.dll
O2 - BHO: AntiFish Class - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\QQ2005\QQIEHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\PROGRA~1\Kingsoft\FASTAI~1\IEBand.dll
O3 - Toolbar: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\BitComet\BitCometBar\BitCometBar0.2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: 好看123上网精灵 - {FEDF637B-F631-4583-A210-33CC828D42DB} - C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~2.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [res] C:\WINDOWS\System32\res.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [xBarUpdate] C:\Program Files\xBar\xBarUpdate.exe
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [Super Rabbit SRRestore] C:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\eMule.exe -AutoStart
O4 - HKCU\..\Run: [Super Rabbit IEPro] C:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE /LOAD
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\QQ2005\QQ.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: IE-BAR.lnk = ?
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\QQ2005\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\QQ2005\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\QQ2005\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\Kingsoft\XDict\IEPlugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\QQ2005\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\QQ2005\QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll

O11 - Options group: [!CNS]  上网助手-地址栏搜索
O11 - Options group: [CDNCLIENT]  中文上网
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C86FBB6-39F7-4F91-8E73-18BF9B01D66C}: NameServer = 222.47.62.22 211.98.4.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C51AD769-54A0-4484-8ED7-7C84601F2A68}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C86FBB6-39F7-4F91-8E73-18BF9B01D66C}: NameServer = 222.47.62.22 211.98.4.1
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\System32\mbprot.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: QQFace (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\SAND\qqfacerclient.exe (file missing)

When I ran Super Rabbit's malware and trojan check, it reported the item below. I cleaned it with one click, but it is back every time I scan. When I ran Norton earlier, it also flagged this thing as a virus.

找到未知文件执行挂钩:{08315C1A-9BA9-4B7C-A432-26885F78DF28}(C:\Program Files\Common Files\Microsoft Shared\MSINFO\xiaran.lmz)

Why does this item: O23 - Service: QQFace (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\SAND\qqfacerclient.exe (file missing), still show up on every scan after I fix it and delete it from the backups?


Logfile of HijackThis v1.99.1
Scan saved at 21:11:54, on 2006-6-3
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\LSASS.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Downloads\新建文件夹\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [CDNCLIENT]  中文上网
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C86FBB6-39F7-4F91-8E73-18BF9B01D66C}: NameServer = 222.47.62.22 211.98.4.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C86FBB6-39F7-4F91-8E73-18BF9B01D66C}: NameServer = 222.47.62.22 211.98.4.1
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: QQFace (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\SAND\qqfacerclient.exe (file missing)
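The two HijackThis logs in this thread can be triaged mechanically. The script below is an added example for this page, not part of the original posts and not a HijackThis feature: it parses lines in the v1.99.1 format and flags the patterns present here, namely a core system process name (LSASS.exe) launched from outside System32 by a Run key, an unrecognised Winsock LSP, a service whose file is missing, and dead CLSID registrations. The sample log is constructed from lines copied out of the posts above.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example for this thread; not part of the original posts and not a
HijackThis feature. It flags the entry patterns that appear in the logs above.
"""
import ntpath
import re
from typing import List, NamedTuple

# Core Windows processes that legitimately live only in %SystemRoot%\System32.
# A Run entry that starts a file of the same name from elsewhere (the log above
# has "[ToP] C:\WINDOWS\LSASS.exe") is impersonating a system process.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

# "O4 - HKLM\..\Run: [Name] command line"  (O4 Startup/.lnk lines have no [Name])
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample: lines copied from the two HijackThis logs in this thread.
SAMPLE_LOG = """\
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\\PROGRA~1\\CNNIC\\Cdn\\cdnforie.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\\..\\Run: [CdnCtr] C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe
O4 - HKLM\\..\\Run: [res] C:\\WINDOWS\\System32\\res.exe
O4 - HKLM\\..\\Run: [ToP] C:\\WINDOWS\\LSASS.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\cdnns.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: QQFace (Universal Disk Manager) - Unknown owner - C:\\Program Files\\Common Files\\SAND\\qqfacerclient.exe (file missing)
"""


class Finding(NamedTuple):
    entry: str     # HijackThis entry type, e.g. "O4"
    severity: str  # "high" or "low"
    reason: str
    line: str


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" -args
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]   # bare name such as SOUNDMAN.EXE


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            directory, base = ntpath.split(executable_from_command(m.group("cmd")))
            if (base.lower() in SYSTEM_PROCESS_NAMES
                    and not directory.lower().endswith("system32")):
                findings.append(Finding("O4", "high",
                    f"{base} started from {directory or 'the search path'} "
                    "instead of System32", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            # An LSP sits in the path of every Winsock call, so an unidentified one
            # can observe or alter all network traffic; treat as high until identified.
            findings.append(Finding("O10", "high", "unrecognised Winsock LSP DLL", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            # The service registration outlives the file it points at.
            findings.append(Finding("O23", "low",
                                    "service registered for a file that is not on disk", line))
        elif (line.startswith(("O2 - BHO:", "O3 - Toolbar:", "O9 - Extra"))
                and line.endswith("(no file)")):
            findings.append(Finding(line[:2], "low", "dead CLSID registration (no file)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.entry}: {f.reason}\n        {f.line}")
```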