事情是这样的,大约半月前,发现电脑中了毒。所有的exe文件被感染,任务管理器里有个进程在上下乱跑,点不到关不掉。怀疑是爱尼,用了卡巴,杀不掉。随后硬盘全格,把老硬盘里备份的文件拿出来用。
ppstream,网游等。就会发现有50M内存被不明程序占用,而且在进程管理器里不显示,正常开机2000系统应该是70M左右,开过一个40多M的ppstream,应该是110M。但系统却显示160M内存在使用,进程管理器里的进程加起来正好少50M内存。之后关ppstream,内存应该回到70多80M。但事实却不是这样,在正常的基础上加50M,什么程序都不开变成了120多M。。。我试试注销windows,没有效果。但重启计算机后一切正常。。。只要再运行 ppstream,浩方之类的程序,就又出现50M内存被占用。(除了正常的程序本身占用的内存)
我试过了很多方法,格了C盘重作,什么都不装。正常了。开机70M,开一个程序关了之后还是70多M。随后试试装上以前的声卡驱动,是.exe文件,结果问题又出现了。50M内存又被不知名的程序占用,进程管理器里根本不显示。。我实在没办法了,因为卡巴以前杀过这些exe文件,杀不到毒。结果一运行exe文件,就出现问题!! 我贴出了进程扫描,请各位老师看看。帮帮忙吧!
2007-05-22,23:39:29
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Windows 2000 Publisher]
<NvCplDaemon><RUNDLL32.EXE NvQTwk,NvCplDaemon initialize> [N/A]
<SKYNET Personal FireWall><D:\Program Files\SkyNet\FireWall\PFWmain.exe> [sky.net.cn]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]
==================================
启动文件夹
N/A
==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
==================================
驱动程序
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[nv4 / nv4][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[oreans32 / oreans32][Running/System Start]
<\??\C:\WINNT\system32\drivers\oreans32.sys><N/A>
[PfModNT / PfModNT][Running/Auto Start]
<\??\C:\WINNT\system32\PfModNT.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SB PCI Family Audio Driver (WDM) / sbpci][Running/Manual Start]
<system32\drivers\sbpci.sys><Creative Technology Ltd.>
[SKNFW / SKNFW][Running/System Start]
<\??\C:\WINNT\system32\Drivers\SKNFW.sys><N/A>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
浏览器加载项
[IeCatch2 Class]
{A5366673-E8CA-11D3-9CD9-0090271D075B} <D:\PROGRA~1\FLASHGET\jccatch.dll, Amaze Soft>
[浩方对战平台]
{0A155D3C-68E2-4215-A47A-E800A446447A} <D:\Program Files\浩方对战平台\GameClient.exe, 上海浩方在线信息技术有限公司>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[Shockwave Flash
Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 164][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 184][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6714]
[C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[PID: 212][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.6700]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[PID: 224][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.6695]
[PID: 416][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 672][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\AppPatch\AcLayers.DLL] [Microsoft Corporation, 5.00.2195.6717]
[C:\WINNT\system32\msratelc.dll] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[D:\PROGRA~1\FLASHGET\jccatch.dll] [Amaze Soft, 1, 1, 4, 0]
[C:\WINNT\system32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
[D:\Program Files\WinRAR\rarext.dll] [N/A, ]
[PID: 652][D:\Program Files\SkyNet\FireWall\PFWmain.exe] [sky.net.cn, 2.5.0.120]
[PID: 668][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 284][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2800.1106]
[D:\PROGRA~1\FLASHGET\jccatch.dll] [Amaze Soft, 1, 1, 4, 0]
[D:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
[C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
[C:\WINNT\system32\msratelc.dll] [Microsoft Corporation, 6.00.2800.1106]
[PID: 720][C:\WINNT\system32\taskmgr.exe] [Microsoft Corporation, 5.00.2195.6620]
[PID: 968][E:\Downloads\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[E:\Downloads\sreng2\Plugins\NWMON.SRE] [Smallfrogs Studio, 1, 0, 0, 8]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
