打印

[求助] 紧急求助!状况有点复杂【beep.sys 感染性的 by vistalong 0819】

QQTTWWMM

新兵

积分: 4
威望: 8
元宝: 0
铜钱: 6

1楼大中小发表于 2008-8-19 20:40 只看该作者

紧急求助!状况有点复杂【beep.sys 感染性的 by vistalong 0819】

下了一个软件之后就弹出了很多网站窗口。INTERNEI初始页也被改了。打开任务管理器有很多名为EXPLORER.EXE的程序在运行.然后电脑就死机了.重启以后电脑自动打开网页并自动下载一个XXX.DAT(我记不住名字了)的程序.然后用毒霸查出了四个恶意插件并删除.删除以后打开任务管理器还是有EXPLORER.EXE在运行.再次重启电脑以后有很多个DOS窗口自动弹出,过了一会儿又自动关闭.然后任务管理器就打不开了,毒霸三件套也打不开.然后我就重装了系统,把C盘格式化了.重装系统之后依然打不开任务管理器,并且无法下载(点击下载的时候窗口闪了一下就消失了).打开网页的时候,窗口打开几分钟就自动关闭了.
我该怎么办?各位帮帮我啊!

[ 本帖最后由 vistalong 于 2008-8-19 22:49 编辑 ]

TOP

vistalong

爱毒霸社区缉毒队

积分: 4308
威望: 9131
元宝: 17
铜钱: 5713

安全精英安全之星勋章周刊评论员

2楼大中小发表于 2008-8-19 20:43 只看该作者

下载sreng：(点击下载sreng)

解压sreng2.zip-->打开SREngLdr.EXE-->勾选智能扫描-->扫描-->保存报告

保存到桌面
将 SREngLOG.log 中内容完整的复制粘贴到论坛上来(快捷提示：ctrl+a全选，ctrl+c复制,ctrl+v粘贴)，不要修改
如无法运行，请重命名文件夹名和文件名，如abc.exe/abc.com/abc.bat/abc.scr/abc.pif等
注意：扫描前请尽量关闭QQ、游戏、下载工具、媒体播放器等应用程序。

1、描述症状、杀软对病毒处理结果，提供病毒文件名和路径。
2、提供清理专家报告或者sreng报告。
3、可疑程序用压缩包形式上报病毒样本上报区
http://bbs.duba.net/forum-3252-1.html

TOP

QQTTWWMM

新兵

积分: 4
威望: 8
元宝: 0
铜钱: 6

3楼大中小发表于 2008-8-19 21:02 只看该作者

复制内容到剪贴板

代码:

2004-01-01,05:41:06

System Repair Engineer 2.6.12.1018

Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：

    所有的启动项目（包括注册表、启动文件夹、服务等）

    浏览器加载项

    正在运行的进程（包括进程模块信息）

    文件关联

    Winsock 提供者

    Autorun.inf

    HOSTS 文件

    进程特权扫描



启动项目

注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]

    <bgswitch><C:\WINDOWS\system32\bgswitch.exe>  []

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

    <load><>  [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]

    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]

    <AppInit_DLLs><biroas.dll>  []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

    <{021F087F-4378-545F-74FA-37D345AD7A8C}><C:\WINDOWS\system32\mttwfh.dll>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]

    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]

==================================

启动文件夹

[O67I7F]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\O67I7F.lnk --> C:\WINDOWS\OCJHX.exe [drw.kills]><H>

[11FC3P]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\11FC3P.lnk --> C:\WINDOWS\YSD22V~1.EXE [drw.kills]><H>

==================================

服务

[SWUMUA2BXX / 17XHF8BL8EMW][Running/Auto Start]

  <C:\WINDOWS\system32\17XHF8BL8EMW.exe -5YFB58VF><drw.kills>

[Human Interface Device Access / HidServ][Stopped/Disabled]

  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>

[QPD7Y / OCJHX][Running/Auto Start]

  <C:\WINDOWS\OCJHX.exe -R3GXQTH><drw.kills>

[NVB7A5Q60YY / YSD22VITBS2W][Stopped/Auto Start]

  <C:\WINDOWS\YSD22VITBS2W.exe -AQG1ZUG7LGU><drw.kills>

[6FKGYI83BBB / 6K7SV][Stopped/Auto Start]

  <C:\WINDOWS\system32\6K7SV.exe -WO7SRHT52I8><drw.kills>

==================================

驱动程序

[Beep / Beep][Stopped/Manual Start]

  <\??\C:\WINDOWS\system32\Drivers\Beep.sys><N/A>

[HBKernel Driver / HBKernel][Stopped/Boot Start]

  <\SystemRoot\system32\drivers\HBKernel.sys><N/A>

[nv / nv][Running/Manual Start]

  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>

[Direct Parallel Link Driver / Ptilink][Running/Manual Start]

  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>

[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]

  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>

[Secdrv / Secdrv][Stopped/Manual Start]

  <system32\DRIVERS\secdrv.sys><N/A>

==================================

浏览器加载项

[番茄花园]

  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>

[]

  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <, >

[Microsoft Web 浏览器]

  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, (Signed) Microsoft Corporation>

[]

  {D82303B7-A754-4DCB-8AFC-8CF99435AACE} <, >

==================================

正在运行的进程

[PID: 416 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 464 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 488 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 532 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 544 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 696 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 740 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 832 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 908 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1140 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]

[PID: 1292 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1380 / Administrator][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1788 / SYSTEM][C:\WINDOWS\system32\17XHF8BL8EMW.exe]  [drw.kills, 3.0.8.1]

[PID: 1820 / SYSTEM][C:\WINDOWS\OCJHX.exe]  [drw.kills, 3.0.8.1]

[PID: 1840 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]

[PID: 212 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 956 / SYSTEM][C:\WINDOWS\system32\17XHF8BL8EMW.exe]  [drw.kills, 3.0.8.1]

[PID: 992 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 224 / Administrator][G:\DUBA2008_down_31_27949.exe]  [Kingsoft Corporation, 2007, 11, 28, 1900]

[PID: 988 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KAV1.EXE]  [N/A, ]

    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp4.tmp\KASearch.dll]  [Kingsoft Corporation, 2007,11,09,276]

    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp4.tmp\InstallOptions.dll]  [N/A, ]

[PID: 2856 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 1\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 3956 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 1\SRE6dcae8a8.EXE]  [Smallfrogs Studio, 2.6.12.1018]

==================================

文件关联

.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]

.EXE  OK. ["%1" %*]

.COM  OK. ["%1" %*]

.PIF  OK. ["%1" %*]

.REG  OK. [regedit.exe "%1"]

.BAT  OK. ["%1" %*]

.SCR  OK. ["%1" /S]

.CHM  OK. ["C:\WINDOWS\hh.exe" %1]

.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]

.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================

Winsock 提供者

N/A

==================================

Autorun.inf

N/A

==================================

HOSTS 文件

127.0.0.1       localhost

==================================

进程特权扫描

特殊特权被允许： SeLoadDriverPrivilege [PID = 956, C:\WINDOWS\SYSTEM32\17XHF8BL8EMW.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 224, G:\DUBA2008_DOWN_31_27949.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 2856, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 1\SRENGLDR.EXE]

==================================

API HOOK

N/A

==================================

隐藏进程

N/A

==================================

TOP

vistalong

爱毒霸社区缉毒队

积分: 4308
威望: 9131
元宝: 17
铜钱: 5713

安全精英安全之星勋章周刊评论员

4楼大中小发表于 2008-8-19 21:21 只看该作者

1下载删除工具(无敌删除器)
(DelayDelFile.rar)或参考http://bbs.duba.net/thread-21914617-1-1.html
说明：解压并打开DelayDelFile,复制以下待删除文件列表-->粘贴进(Ctrl+V)第一个空白框中-->按"添加"-->点击"删除"按钮
然后把 BackUp_Auto_.7z _文件夹用 winrar打包,然后上传附件.
C:\WINDOWS\system32\npkcrypt.sys
C:\WINDOWS\system32\npkycryp.sys
c:\docume~1\admini~1\locals~1\temp\kav1.exe
c:\windows\system32\17xhf8bl8emw.exe
c:\windows\ocjhx.exe
c:\docume~1\admini~1\locals~1\temp\nsp4.tmp\installoptions.dll
biroas.dll
c:\documents and settings\all users\「开始」菜单\程序\启动\o67i7f.lnk
c:\documents and settings\all users\「开始」菜单\程序\启动\11fc3p.lnk
c:\windows\system32\17xhf8bl8emw.exe -5yfb58vf
c:\windows\ocjhx.exe -r3gxqth
c:\windows\ysd22vitbs2w.exe -aqg1zug7lgu
c:\windows\system32\6k7sv.exe -wo7srht52i8
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\hbkernel.sys

2.删除重启后使用SREng修复下面各项：

启动项目－－注册表之如下项删除：
注意该项[AppInit_DLLs]修改：把<biroas.dll>修改为<>即清空

启动项目－－　启动文件夹之如下项删除：
[O67I7F] <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\O67I7F.lnk>
[11FC3P] <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\11FC3P.lnk>

启动项目－－服务－－ Win32服务应用程序之如下项禁用：
[SWUMUA2BXX / 17XHF8BL8EMW] <C:\WINDOWS\system32\17XHF8BL8EMW.exe -5YFB58VF>
[QPD7Y / OCJHX] <C:\WINDOWS\OCJHX.exe -R3GXQTH>
[NVB7A5Q60YY / YSD22VITBS2W] <C:\WINDOWS\YSD22VITBS2W.exe -AQG1ZUG7LGU>
[6FKGYI83BBB / 6K7SV] <C:\WINDOWS\system32\6K7SV.exe -WO7SRHT52I8>

启动项目－－服务－－驱动程序之如下项禁用：
[Beep / Beep] <\??\C:\WINDOWS\system32\Drivers\Beep.sys>
[HBKernel Driver / HBKernel] <\SystemRoot\system32\drivers\HBKernel.sys>

关闭IE用下面的工具全选，清理系统临时文件和IE临时文件夹
http://www.xpi386.com.cn/tools/HA-ATF-Cleaner.rar

下载windows清理助手V2.7升级以后在使用全盘清理一遍
http://www.arswp.com/download/arswp2/arswp2.zip

注意：把你的电脑的时间修改过来

[ 本帖最后由 vistalong 于 2008-8-19 21:24 编辑 ]

1、描述症状、杀软对病毒处理结果，提供病毒文件名和路径。
2、提供清理专家报告或者sreng报告。
3、可疑程序用压缩包形式上报病毒样本上报区
http://bbs.duba.net/forum-3252-1.html

TOP

QQTTWWMM

新兵

积分: 4
威望: 8
元宝: 0
铜钱: 6

5楼大中小发表于 2008-8-19 21:59 只看该作者

修改完后再次扫描如下,请问还有没有问题?

复制内容到剪贴板

代码:

2004-01-01,06:37:44

System Repair Engineer 2.6.12.1018

Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：

    所有的启动项目（包括注册表、启动文件夹、服务等）

    浏览器加载项

    正在运行的进程（包括进程模块信息）

    文件关联

    Winsock 提供者

    Autorun.inf

    HOSTS 文件

    进程特权扫描



启动项目

注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]

    <bgswitch><C:\WINDOWS\system32\bgswitch.exe>  []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]

    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]

    <AppInit_DLLs><>  [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]

    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]

==================================

启动文件夹

[BXND64O0]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\BXND64O0.lnk --> C:\WINDOWS\7E3COAGIB.exe [File is missing]><H>

[WO677FAIT]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\WO677FAIT.lnk --> C:\WINDOWS\5VN1RDJZ2796.exe [File is missing]><H>

[WO677FAIT]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\WO677FAIT.BAT -->  [File is missing]><N>

[LRNA27W88R75]

  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\LRNA27W88R75.lnk --> C:\WINDOWS\Q0OLNN81MM.exe [File is missing]><H>

==================================

服务

[SWUMUA2BXX / 17XHF8BL8EMW][Stopped/Disabled]

  <C:\WINDOWS\system32\17XHF8BL8EMW.exe -5YFB58VF><(File is missing)>

[77EOIIM / 2EX91X4FD8][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[6FKGYI83BBB / 6K7SV][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[V4KEC8W949WG / 7E3COAGIB][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[W57RHZM / E583TKP33Q][Stopped/Auto Start]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[13RV6IM / H39EE][Stopped/Manual Start]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[Human Interface Device Access / HidServ][Stopped/Disabled]

  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>

[QPD7Y / OCJHX][Stopped/Disabled]

  <C:\WINDOWS\OCJHX.exe -R3GXQTH><(File is missing)>

[NVB7A5Q60YY / YSD22VITBS2W][Stopped/Manual Start]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[YTPMS0C393XY / 5VN1RDJZ2796][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[IDPCI59 / Q0OLNN81MM][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

[83ZLBUNYBLB / N2DSPQ9QJZ][Stopped/]

  <2 - 系统找不到指定的文件。

><(File is missing)>

==================================

驱动程序

[Beep / Beep][Stopped/Disabled]

  <\??\C:\WINDOWS\system32\Drivers\Beep.sys><N/A>

[HBKernel Driver / HBKernel][Stopped/Manual Start]

  <2 - 系统找不到指定的文件。

><N/A>

[KAVBootC / KAVBootC][Running/Boot Start]

  <\SystemRoot\system32\Drivers\KAVBootC.sys><Kingsoft Corporation>

[KAVSafe / KAVSafe][Running/Auto Start]

  <\??\C:\WINDOWS\system32\Drivers\KAVSafe.sys><Kingsoft Corporation>

[nv / nv][Running/Manual Start]

  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>

[Direct Parallel Link Driver / Ptilink][Running/Manual Start]

  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>

[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]

  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>

[Secdrv / Secdrv][Stopped/Manual Start]

  <system32\DRIVERS\secdrv.sys><N/A>

==================================

浏览器加载项

[番茄花园]

  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>

[]

  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <, >

[Microsoft Web 浏览器]

  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, (Signed) Microsoft Corporation>

[]

  {D82303B7-A754-4DCB-8AFC-8CF99435AACE} <, >

==================================

正在运行的进程

[PID: 416 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 464 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 488 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 532 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 544 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 692 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 736 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 804 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 888 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1172 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

    [C:\WINDOWS\system32\Audiodev.dll]  [Microsoft Corporation, 5.2.3802.3802 built by: dnsrv(bld4act)]

[PID: 1288 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]

[PID: 1360 / Administrator][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1412 / Administrator][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1980 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]

[PID: 608 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1316 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1132 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 4\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 1140 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 4\SRE6dcae8a8.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 2012 / Administrator][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

[PID: 1128 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 2\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 336 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 2\SRE6dcae8a8.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 780 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 3\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.12.1018]

[PID: 1588 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sreng2.zip 的临时目录 3\SRE6dcae8a8.EXE]  [Smallfrogs Studio, 2.6.12.1018]

==================================

文件关联

.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]

.EXE  OK. ["%1" %*]

.COM  OK. ["%1" %*]

.PIF  OK. ["%1" %*]

.REG  OK. [regedit.exe "%1"]

.BAT  OK. ["%1" %*]

.SCR  OK. ["%1" /S]

.CHM  OK. ["C:\WINDOWS\hh.exe" %1]

.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]

.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================

Winsock 提供者

N/A

==================================

Autorun.inf

N/A

==================================

HOSTS 文件

127.0.0.1       localhost

==================================

进程特权扫描

特殊特权被允许： SeLoadDriverPrivilege [PID = 1132, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 4\SRENGLDR.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 1140, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 4\SRE6DCAE8A8.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 1128, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 2\SRENGLDR.EXE]

特殊特权被允许： SeDebugPrivilege [PID = 336, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 2\SRE6DCAE8A8.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 336, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 2\SRE6DCAE8A8.EXE]

特殊特权被允许： SeLoadDriverPrivilege [PID = 780, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SRENG2.ZIP 的临时目录 3\SRENGLDR.EXE]

==================================

API HOOK

N/A

==================================

隐藏进程

N/A

==================================

附件

_BackUp_Auto_.zip (147 Bytes): 2008-8-19 21:59, 下载次数: 14

TOP