Rising KaKa Security Forum » Technical Exchange » Anti-Virus / Anti-Rogue-Software board

Help, I may have caught a very powerful virus

Let me describe the symptoms first. After the system boots, a process called wmiprvse.exe appears; when I kill this process it restarts. Then Process Explorer, taskmgr.exe, IceSword and some other programs cannot be run, which is very odd, because ordinary programs have no problem at all. This program is extremely stealthy: it can only be listed with tasklist in a console, and I can only kill it with ntsd -c q -pn. If I kill it with ntsd -c q -p, after every kill it is back when I run tasklist again, with a changed PID. If I kill it with ntsd -c q -pn, after the first kill it is no longer there on the second attempt, but as soon as I run tasklist it appears again. I checked tasklist and found it is not infected; the dates are all normal. wmiprvse.exe does not seem to have anything wrong with it either. I suspect a kernel rootkit is responsible. Every time I double-click the icons of the programs mentioned above, nothing happens, as if I had never clicked.
In Safe Mode with Command Prompt, wmiprvse starts just the same, so that doesn't fix it; therefore it's unlikely that explorer has been infected.
In the end all I could do was rename wmiprvse. After entering the system, tasklist could no longer run, giving the message:
C:\Documents and Settings\XXX>tasklist
ERROR: The system cannot find the file specified.
I'd be grateful if an expert could think of a way out for me. Please spare me the "reinstall the system" suggestions; the system holds a lot of important data and many large applications, and the cost of reinstalling is too high. Thanks in advance.

One more note: before this happened I had already replaced taskmgr with Process Explorer. I don't know whether that is related.
Also, HijackThis and similar programs cannot run either, so I can't post a log. The few programs that do run, including Rootkit Unhooker, cannot find the wmiprvse process, which is very strange, so I have no way to dump it either.

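Two of the observations in the post above are checkable rather than just eyeballed: a process that keeps coming back under a new PID after each ntsd kill (a relauncher rather than a failed kill), and a process that one enumeration path (tasklist) shows while another (Rootkit Unhooker's own scan) does not. The Python below is an added example written for this page, not code from the original thread or from any of the tools named in it. The tasklist snapshots and the "scanner view" in it are constructed to mimic the symptoms described; the live snapshot_tasklist() helper assumes a Windows host with tasklist.exe on the PATH and is not exercised offline.

```python
"""Added example (not from the original thread): track a process that comes
back under a new PID after being killed, and diff two process views.
The snapshots below are constructed to mimic the poster's symptoms."""
import csv
import io
import subprocess
from typing import Dict, List, Set


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse `tasklist /fo csv /nh` output into {pid: image_name}.
    Column order on XP/2003: Image Name, PID, Session Name, Session#, Mem Usage.
    Blank lines and a header row (if /nh was omitted) are skipped."""
    procs: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue
        procs[int(row[1])] = row[0].strip().lower()
    return procs


def snapshot_tasklist() -> Dict[int, str]:
    """Live snapshot; Windows only (assumes tasklist.exe on PATH)."""
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def pid_history(snapshots: List[Dict[int, str]], image: str) -> List[List[int]]:
    """PIDs carrying `image` in each snapshot, in snapshot order."""
    image = image.lower()
    return [sorted(pid for pid, name in snap.items() if name == image)
            for snap in snapshots]


def is_respawning(history: List[List[int]]) -> bool:
    """True when an instance seen earlier has disappeared and a never-before-seen
    PID for the same image shows up afterwards.  A kill that simply failed keeps
    the same PID; a watchdog relaunching the binary (what the poster saw with
    ntsd -c q -p) changes it."""
    seen: Set[int] = set()
    died: Set[int] = set()
    for pids in history:
        cur = set(pids)
        died |= seen - cur
        if died and (cur - seen):
            return True
        seen |= cur
    return False


def hidden_from_view(reference: Dict[int, str], other: Dict[int, str]) -> Set[str]:
    """Image names in `reference` whose PID is absent from `other`.
    Two enumeration paths (tasklist vs. a scanner's own process walk) should
    agree; what only one path shows is a hook or list-unlinking candidate."""
    return {name for pid, name in reference.items() if pid not in other}


# Constructed `tasklist /fo csv /nh` output: three snapshots taken after
# successive `ntsd -c q -p <pid>` kills.  wmiprvse.exe keeps coming back.
SNAP_T0 = ('"System","4","Console","0","236 K"\n'
           '"wmiprvse.exe","1204","Console","0","5,432 K"\n'
           '"explorer.exe","1524","Console","0","21,004 K"\n')
SNAP_T1 = SNAP_T0.replace('"1204"', '"1888"')
SNAP_T2 = SNAP_T0.replace('"1204"', '"2012"')

# Constructed second view: what a scanner walking the kernel process list
# reported (no wmiprvse.exe at all), as in the post.
SCANNER_VIEW: Dict[int, str] = {4: "system", 1524: "explorer.exe"}


def demo() -> None:
    snaps = [parse_tasklist_csv(s) for s in (SNAP_T0, SNAP_T1, SNAP_T2)]
    hist = pid_history(snaps, "wmiprvse.exe")
    print("wmiprvse.exe PIDs per snapshot:", hist)
    print("respawning:", is_respawning(hist))
    print("visible to tasklist but not to scanner:",
          hidden_from_view(snaps[1], SCANNER_VIEW))


if __name__ == "__main__":
    demo()
```

On a live box you would replace the constructed strings with repeated snapshot_tasklist() calls around each kill; a second view can be any independent enumeration you trust more than the one being hidden from (a scanner's process list, or a listing taken from an offline boot).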

Reply: Help, I may have caught a very powerful virus

Thanks for your reply. After renaming it really does run now; I'll take another look.

Reply: Help, I may have caught a very powerful virus

It's gone now, because I've renamed wmiprvse and it can no longer start. But the programs I mentioned still have to be renamed before they will run, which means the backdoor hasn't been cleaned out yet...

Reply: Help, I may have caught a very powerful virus

Logfile of HijackThis v1.99.1
Scan saved at 23:19:04, on 2008-5-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TheWorld 2.0\TheWorld.exe
C:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\ViDown\ViDown.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\TheWorld 2.0\TheWorld.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
D:\Tools\Sysinternals\HijackThis1.exe

O1 - Hosts: 210.45.240.16 hfut_server
O1 - Hosts: 64.233.189.104 game1.zj.vnet.cn
O1 - Hosts: 64.233.189.104 search.114.vnet.cn
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - C:\Program Files\FlashGet Network\FlashGet Mini\libMiniBHO.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Net Snippets - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [VirtualWin] "C:\Program Files\VirtuaWin\VirtuaWin.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Hoekey] D:\Tools\Hoekey\HoeKey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O8 - Extra context menu item: Add to Net Snippets - C:\PROGRA~1\NETSNI~1\Res\Clipper.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O8 - Extra context menu item: Surfulater: Add &new Article - res://D:\Program Files\Surfulater\Surfulater.EXE/SENDTOSURFULATER.HTML
O8 - Extra context menu item: Surfulater: Add Article pl&us Page - res://D:\Program Files\Surfulater\Surfulater.EXE/SENDANDATTACHTOSURFULATER.HTML
O8 - Extra context menu item: Surfulater: Attac&h Page to Article - res://D:\Program Files\Surfulater\Surfulater.EXE/ATTACHTOSURFULATER.HTML
O8 - Extra context menu item: Surfulater: Book&mark this Page - res://D:\Program Files\Surfulater\Surfulater.EXE/BOOKMARKINSURFULATER.HTML
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O8 - Extra context menu item: Use ViDown to download - D:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 使用快车迷你版下载 - res://C:\Program Files\FlashGet Network\FlashGet Mini\libMiniBho.dll /300
O8 - Extra context menu item: 使用电驴下载 - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O9 - Extra button: Surfulater - {A9B34036-3ED6-460a-9C59-696DC24C516F} - D:\Program Files\Surfulater\Surfulater.EXE
O9 - Extra 'Tools' menuitem: SAIG Surfula&ter - {A9B34036-3ED6-460a-9C59-696DC24C516F} - D:\Program Files\Surfulater\Surfulater.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/1101/aliedit.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: HttpAnalyzerV3 CodeHook service (HttpAnalyzerV3 DllInjectService) - Unknown owner - d:\Program Files\IEInspector\HTTPAnalyzerStdV3\InjectWinSockServiceV3.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - e:\Altera\quartus60\win\JTAGServer.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: PortTunnel - Unknown owner - C:\Program Files\SteelBytes\PortTunnel\PortTunnel.exe" /RUN_SERVICE (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
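A HijackThis log is a list of load points, and the first pass a reviewer makes over it is mechanical: group the entries by section code and pull out the ones that deserve a look before the rest. The Python below is an added example written for this page, not code from the original thread or from HijackThis itself. The flagging rules in it (hosts overrides, AppInit_DLLs, Winlogon Notify DLLs, services with no vendor name or a missing file) are this example's own heuristics, not HijackThis verdicts; a flagged entry is a place to look, not a finding. The sample excerpt is taken from the lines of the log posted above.

```python
"""Added example (not from the original thread or from HijackThis): group the
Oxx entries of a HijackThis log by section and pull out the load points a
reviewer reads first.  The flagging rules are this example's own."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HJT_ENTRY = re.compile(r"^(O\d+) - (.+)$")

# What the section codes handled below denote in HijackThis output.
SECTION_MEANING = {
    "O1": "hosts file override",
    "O2": "browser helper object",
    "O3": "IE toolbar",
    "O4": "Run/RunOnce autostart",
    "O20": "AppInit_DLLs / Winlogon Notify DLL",
    "O21": "ShellServiceObjectDelayLoad",
    "O23": "Windows service",
}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Map section code -> list of entry bodies (the text after 'Oxx - ')."""
    sections: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def reasons_for(code: str, entry: str) -> List[str]:
    """Why a reviewer would look at this entry before the others."""
    reasons: List[str] = []
    if code == "O1":
        reasons.append("hosts override: name resolution bypasses DNS")
    if code == "O20" and entry.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll")
    if code == "O20" and entry.startswith("Winlogon Notify"):
        reasons.append("Winlogon Notify: DLL loaded by winlogon.exe at logon")
    if code == "O23" and " - Unknown owner - " in entry:
        reasons.append("no vendor name")
    if "(file missing)" in entry:
        reasons.append("file missing")
    return reasons


def triage(sections: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Entries with at least one reason, in SECTION_MEANING order."""
    findings: List[Tuple[str, str, List[str]]] = []
    for code in SECTION_MEANING:  # dict preserves insertion order
        for entry in sections.get(code, []):
            why = reasons_for(code, entry)
            if why:
                findings.append((code, entry, why))
    return findings


# Excerpt constructed from the log lines posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.233.189.104 search.114.vnet.cn
O4 - HKLM\..\Run: [bgswitch] C:\WINDOWS\system32\bgswitch.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PortTunnel - Unknown owner - C:\Program Files\SteelBytes\PortTunnel\PortTunnel.exe" /RUN_SERVICE (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

if __name__ == "__main__":
    for code, entry, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code} ({SECTION_MEANING[code]}): {entry}")
        for r in why:
            print("    -", r)
```

Feed the whole log in as `text` and the unflagged O4 and O23 entries still need a human pass; the script only orders the reading, it does not decide what is malicious.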

Reply: Help, I may have caught a very powerful virus

I don't know why I can't post images. I've pulled out the list of kernel modules; would some kind soul please take a look at it for me...
[Image: kernel module list] http://photo1.bababian.com/upload11/20080530/C42CE47E74125E094686183F7EDF13ED.jpg

Reply: Help, I may have caught a very powerful virus

Bump. Will someone help me? Please.