
Really nasty virus, begging for a solution!!!


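I don't know what kind of virus I've caught over the past few days. The Rising firewall and system monitor both shut themselves off (and won't start at boot). I tried a lot of methods and none of them fixed it, so out of desperation I reinstalled the system, but after the reinstall it is still there. I'm really at a loss, so could an expert please give me some pointers? Below is the data from my diagnosis with Rising's diagnostic tool (瑞星听诊器):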
文件关联项
HKEY_CLASSES_ROOT .exe ----> winfiles


自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Torjan Program = E:\WINDOWS\WINLOGON.EXE
QuickTime Task = "E:\Program Files\Media Player Classic\QTSystem\qttask.exe" -atboottime
RavTask = "E:\Program Files\Rising\Rav\RavTask.exe" -system
RfwMain = "E:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
TkBellExe = "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Thunder = "E:\Program Files\Thunder Network\Thunder\ThunderShell.exe" /s

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe
MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\RunOnce
WMC_RebootCheck = E:\WINDOWS\inf\unregmp2.exe /FixUps

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll =
E:\WINDOWS\system32\RavExt.dll= Rising Execute File Exts hook

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\System32\webcheck.dll
SysTray = E:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\System32\browseui.dll= Browseui 预加载程序
%SystemRoot%\System32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe 1


其他相关项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> lxl47
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> lxl47
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> E:\WINDOWS\system32\userinit.exe,


AUTOEXEC.BAT
SET COMSPEC=D:\WINDOWS\COMMAND.COM
SET windir=D:\WINDOWS
SET winbootdir=D:\WINDOWS
SET PATH=D:\WINDOWS;D:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=D:\WINDOWS\TEMP
SET TMP=D:\WINDOWS\TEMP

Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


诊断信息


1 WINLOGON.EXE 91% 未知木马 E:\WINDOWS\WINLOGON.EXE
2 PAGEFILE.PIF 70% 未知木马 D:\PAGEFILE.PIF

进程列表

[System Process]
System
E:\WINDOWS\WINLOGON.EXE (Made by zJeuKZJHdgr43s)

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Media Player Classic\QTSystem\qttask.exe
E:\Program Files\Rising\Rav\RavTask.exe
E:\WINDOWS\System32\msiexec.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\kugoo\接受到的文件\RavDetect.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE

进程详细信息


E:\Program Files\Internet Explorer\IEXPLORE.EXE
Last edited 2006-08-09 08:49:46

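I've tried the dedicated removal tools for Gray Pigeon (灰鸽子) and Orange August (橙色八月), and neither found a virus. It's just that this WINLOGON.EXE program suddenly appeared, and then the Rising firewall and monitor both stopped working. I'm crying my eyes out~~~~~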