4CD4F692.exe 样本由guyueseng提供。
卡巴斯基报：Trojan_PSW.Win32.OnLineGames.mu

4CD4F692.exe运行后，在C:\Program Files\Common Files\Microsoft Shared\MSInfo文件夹释放下列文件：
XXXXXXXX.dll
XXXXXXXX.dat
在C:\WINDOWS\Help文件夹释放XXXXXXXX.chm
在C:\WINDOWS\system32文件夹释放verclsid.exe（先将原来的verclsid.exe改名为verclsid.exe.bak）

注：XXXXXXXX为随机数字/字母组合

在注册表中添加下列启动项：

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks           
XXXXXXXX.dll（本次感染为：423F27F3.dll    ）
在HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options分支添加N个劫持项，废掉多个杀软、防火墙以及常用手工杀毒工具软件。

手工杀毒流程：

1、将IceSword.exe改名为IS.EXE运行。用IceSword禁止进程创建。
2、结束系统核心进程以外的所有进程。
3、删除下列文件：
C:\Program Files\Common Files\Microsoft Shared\MSInfo文件夹中的：
XXXXXXXX.dll
XXXXXXXX.dat
C:\WINDOWS\Help文件夹中的XXXXXXXX.chm
C:\WINDOWS\system32文件夹中的verclsid.exe
4、展开：HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks           
删除： XXXXXXXX.dll

5、取消IceSword的“禁止进程创建”。将autoruns.exe改名为autorun.exe运行：
找到HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options           
删除：       

360rpt.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

360Safe.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

360tray.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

adam.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

AgentSvr.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

AppSvc32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

autoruns.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

avp.com            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

avp.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

CCenter.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

ccSvcHst.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

FileDsty.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

FTCleanerShell.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

HijackThis.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

IceSword.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

iparmo.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Iparmor.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

isPwdSvc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kabaload.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KaScrScn.SCR            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KASMain.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KASTask.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAV32.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVDX.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVPFW.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVStart.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KISLnchr.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KMailMon.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KMFilter.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFW32.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFW32X.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFWSvc.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KRegEx.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KRepair.COM            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KsLoader.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVCenter.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvDetect.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvfwMcl.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVMonXP.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVMonXP_1.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvol.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvolself.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvReport.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVScan.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVSrvXP.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVStub.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvupload.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvwsc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvXP.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvXP_1.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatch.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatch9x.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatchX.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

loaddll.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

MagicSet.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mcconsol.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mmqczj.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mmsk.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32krn.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32kui.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

PFW.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

PFWLiveUpdate.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Ras.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Rav.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavMon.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavMonD.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavStub.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavTask.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RegClean.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwcfg.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RfwMain.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwProxy.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwsrv.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RsAgent.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Rsaupd.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

runiep.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

safelive.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

scan32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

shcfg32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

SmartUp.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

SREng.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

symlcsvc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

TrojanDetector.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Trojanwall.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

TrojDie.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

UIHost.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

UpLive.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

将C:\WINDOWS\system32文件夹中的verclsid.exe.bak改名为verclsid.exe

至于不能查看隐藏文件问题，请打开注册表编辑器，展开：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
将"CheckedValue"=dword:00000000改为"CheckedValue"=dword:00000001即可。

此毒貌似不会重复感染同一系统。
杀毒后，再次运行样本————没有任何中毒迹象。

引用:

【guyueseng的贴子】版主大大是用的虚拟机么？ ………………

实机运行样本。
autoruns、SRENG、IceSword——可以改名运行。

引用:

【易寒1125的贴子】Trojan.PSW.OnlineGames.ys我中的是这个 这个病毒是作什么的 ………………

Trojan.PSW....————————盗号木马

引用:

【清风使者欣的贴子】这个东西在我的电脑里那是太多了,我一天看不到他,我心里就难过,哎,其实电脑里有点毒也是很好的,要是一点毒也没有了,那电脑也就不好玩了!是不是啊! ………………

拿病毒当作宠物养？
够另类！
够牛！！

引用:

【guyueseng的贴子】所以说楼主还没有把这个病毒的机制分析清楚 ………………

我也想再次感染，仔细看看。但这个病毒不再给我机会了。
昨天夜里（困的够戗）就粗粗地观察到那么多。

引用:

【天月来了的贴子】就怕这个病毒现在所作的一切，都只是为了转移注意力。 实际上还有更隐藏的木马。那就完了。 不然怎么会：此毒貌似不会重复感染同一系统。 杀毒后，再次运行样本————没有任何中毒迹象。？？？？？？？？？？？？？？？？？？ ………………

我等着吧。
昨天玩儿过之后，一直没GHOST过。
看看再说。目前系统无异常。

引用:

【天月来了的贴子】呵呵！！！！！！！ baohe啊！！！！ 我有件事好奇哩！！！！ 想看看你昨夜处理以后还没GHOST过的系统的SRENG日志。 行吗？ 不知所有楼上的诸位，有没想看的？ 就发这贴里。 行么？？？？ ………………

2007-04-05,17:27:17

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\windows\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <AMonitor><C:\Program Files\Tiny Firewall Pro\amon.exe>  [Computer Associates International, Inc.]
    <IDMan><C:\Program Files\Internet Download Manager\IDMan.exe /onboot>  [Internet Download Manager Corp., Tonec Inc. ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <TP4EX><tp4ex.exe>  [IBM Corporation]
    <RunShadowTip><C:\windows\system32\shadow\ShadowTip.exe>  [PowerShadow]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe,>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><UmxSbxExw.dll,>  [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\windows\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
    <WinlogonNotify: PFW><UmxWnp.Dll>  [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
    <WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll>  [(Verified)System Safety Limited]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\System32\AMCRYS~1.SCR>  [SereneScreen]

==================================
启动文件夹
N/A

==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\windows\System32\Ati2evxx.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[IBM PM Service / IBMPMSVC][Stopped/Disabled]
  <C:\windows\system32\ibmpmsvc.exe><N/A>
[QCONSVC / QCONSVC][Running/Auto Start]
  <System32\QCONSVC.EXE><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Shadow System Service / ShadowSystemService][Running/Auto Start]
  <C:\windows\system32\shadow\ShadowService.exe><N/A>
[FW Event Manager / UmxAgent][Running/Auto Start]
  <"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"><Computer Associates International, Inc.>
[FW Configuration Interpreter / UmxCfg][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\UmxCfg.exe"><Computer Associates International, Inc.>
[FW User-Mode Helper / UmxFwHlp][Running/Auto Start]
  <"C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe"><Computer Associates International, Inc.>
[FW Live Update / UmxLU][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\umxlu.exe"><Tiny Software, Inc.>
[FW Policy Manager / UmxPol][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\UmxPol.exe"><Computer Associates International, Inc.>

==================================
驱动程序
[Agere Systems Soft Modem / AgereSoftModem][Running/Manual Start]
  <System32\DRIVERS\AGRSM.sys><Agere Systems>
[ati2mtag / ati2mtag][Running/Manual Start]
  <System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
  <System32\DRIVERS\e100b325.sys><Intel Corporation>
[IBM eGatherer Diagnostics / EGATHDRV][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\EGATHDRV.SYS><N/A>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[IBMPMDRV / IBMPMDRV][Running/Manual Start]
  <System32\DRIVERS\ibmpmdrv.sys><IBM Corp.>
[IBMTPCHK / IBMTPCHK][Running/System Start]
  <System32\drivers\IBMBLDID.SYS><N/A>
[KmxAgent / KmxAgent][Running/System Start]
  <System32\DRIVERS\kmxagent.sys><Computer Associates International, Inc.>
[KmxBiG / KmxBiG][Running/Auto Start]
  <System32\DRIVERS\KmxBiG.sys><Computer Associates International, Inc.>
[KmxCfg / KmxCfg][Running/Manual Start]
  <System32\DRIVERS\kmxcfg.sys><Computer Associates International, Inc.>
[KmxFile / KmxFile][Running/System Start]
  <System32\DRIVERS\KmxFile.sys><Computer Associates International, Inc.>
[KmxFw / KmxFw][Running/System Start]
  <System32\DRIVERS\kmxfw.sys><Computer Associates International, Inc.>
[KmxIds / KmxIds][Running/System Start]
  <System32\DRIVERS\kmxids.sys><Computer Associates International, Inc.>
[KmxNdis / KmxNdis][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\kmxndis.sys><Computer Associates International, Inc.>
[KmxSbx / KmxSbx][Running/Auto Start]
  <System32\DRIVERS\KmxSbx.sys><Computer Associates International, Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[NSC Infrared Device Driver / NSCIRDA][Running/Manual Start]
  <System32\DRIVERS\nscirda.sys><National Semiconductor Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[System Safety Monitor 2.0 Core Engine / safemon][Running/Boot Start]
  <\SystemRoot\system32\drivers\safemon.sys><System Safety Limited>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[Smapint / Smapint][Running/System Start]
  <System32\drivers\Smapint.sys><Microsoft Corporation>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[TDSMAPI / TDSMAPI][Running/System Start]
  <System32\Drivers\TDSMAPI.SYS><N/A>
[IBM PS/2 TrackPoint Driver / Tp4Track][Running/Manual Start]
  <System32\DRIVERS\tp4track.sys><IBM Corporation>
[TPPWR / TPPWR][Running/System Start]
  <System32\drivers\Tppwr.sys><IBM Corp.>

==================================
浏览器加载项
[IDMIEHlprObj Class]
  {0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\windows\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Office Update Installation Engine]
  {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} <C:\WINDOWS\opuc.dll, Microsoft Corporation>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[IDMIEHlprObj Class]
  {0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484F-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[使用 IDM 下载]
  <C:\Program Files\Internet Download Manager\IEExt.htm, N/A>
[使用 IDM 下载所有链接]
  <C:\Program Files\Internet Download Manager\IEGetAll.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
正在运行的进程
[PID: 616][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 688][\??\C:\windows\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 712][\??\C:\windows\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxWnp.Dll]  [Computer Associates International, Inc., 6, 0, 0, 2]
    [C:\windows\system32\SSMWinlogonEx.dll]  [System Safety Limited, 2.4.0.613]
[PID: 760][C:\windows\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 772][C:\windows\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 960][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1052][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1196][C:\windows\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\System32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1392][C:\windows\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\System32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1588][C:\windows\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\WINDOWS\System32\AdobePDF.dll]  [Adobe Systems Incorporated., 6.0.000]
    [C:\Program Files\Adobe\Acrobat 6.0\Distillr\adistres.dll]  [Adobe Systems Incorporated., 6.0.0.2003040700]
[PID: 1636][C:\Program Files\Common Files\PFShared\UmxCfg.exe]  [Computer Associates International, Inc., 6.0.1.48]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\Program Files\Common Files\PFShared\xmlsdp.dll]  [Computer Associates International, Inc., 6.2.0.122]
    [C:\windows\system32\msxml4.dll]  [Microsoft Corporation, 4.20.9818.0]
    [C:\Program Files\Common Files\PFShared\pthexp.dll]  [Computer Associates International, Inc., 6.0.0.19]
    [C:\Program Files\Tiny Firewall Pro\SnortImp.dll]  [Computer Associates International, Inc., 6.5.1.2]