病毒现象：反复在相同路径发现相同病毒，AV终结者专杀，清理专家及其它工具多次重试无效。

日志很长，看附件

SREngLOG.log (220.7 KB)

SREngLOG.log (220.7 KB)
下载次数: 6564

2008-9-22 10:29

题目已经出好了，敬候各位达人的解决方案

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [File is missing]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [File is missing]
    <SoundMan><; SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <YY><C:\Program Files\duowan\yy\Start.exe>  [广州多玩信息技术有限公司]
    <3PMmUpdate><rundll32 "C:\WINDOWS\Update.dll",Main>  []
    <MSConfig><C:\WINDOWS\system32\msconfig.exe /auto>  [(Verified)Microsoft Windows Publisher]
    <HBService32><System.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}><C:\WINDOWS\system32\comuidsg.dll>  [File is missing]
    <{65056902-6E7B-4bd7-95BA-688DB5FA5BEB}><C:\WINDOWS\system32\mstimewd.dll>  [File is missing]
    <{71A78CD4-E470-4a18-8457-E0E0283DD507}><C:\WINDOWS\system32\ecbyllfl.dll>  []
    <{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}><C:\WINDOWS\system32\avicapwm.dll>  []
    <{F0930A2F-D971-4828-8209-B7DFD266ED44}><C:\WINDOWS\system32\iedlemyw.dll>  []
    <{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}><C:\WINDOWS\system32\iedlemyw.dll>  []
    <{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}><C:\WINDOWS\system32\yabhgmla.dll>  []
    <{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}><C:\WINDOWS\system32\bkwmyndl.dll>  []
    <{D3112B69-A745-4805-874E-ABD480EA1299}><C:\WINDOWS\system32\iedlemyw.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <qxypoqoa.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <hqlfnmuc.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <sysocmgr><C:\WINDOWS\sysocmgr.dll>  [Microsoft Corporation]
    <comuidsg.dll><C:\WINDOWS\system32\comuidsg.dll>  [File is missing]
    <mstimewd.dll><C:\WINDOWS\system32\mstimewd.dll>  [File is missing]
    <lweurqhx.dll><C:\WINDOWS\system32\ecbyllfl.dll>  []
    <avicapwm.dll><C:\WINDOWS\system32\avicapwm.dll>  []
    <oymtoqph.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <rigyyriz.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <ThunderAdvise><C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll>  [Thunder Networking Technologies,LTD]
    <msnmsg><C:\Program Files\Messenger\msgmr.dll>  [Microsoft Corporation]
    <ksvkhuzo.dll><C:\WINDOWS\system32\yabhgmla.dll>  []
    <sjrcjuui.dll><C:\WINDOWS\system32\yabhgmla.dll>  []
    <mdgqaqtu.dll><C:\WINDOWS\system32\bkwmyndl.dll>  []
    <mlkxdock.dll><C:\WINDOWS\system32\ecbyllfl.dll>  []
    <gukzxqtm.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <gcngsocc.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <jttafmec.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
    <yabhgmla.dll><C:\WINDOWS\system32\yabhgmla.dll>  []
    <bkwmyndl.dll><C:\WINDOWS\system32\bkwmyndl.dll>  []
    <ecbyllfl.dll><C:\WINDOWS\system32\ecbyllfl.dll>  []
    <iedlemyw.dll><C:\WINDOWS\system32\iedlemyw.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <HBService32><; System.exe>  [File is missing]
    <iSpeak6><; C:\Program Files\Changetech\iSpeak6.0\iSpeak.exe>  [上海勤和互联网技术软件开发有限公司]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>

==================================
驱动程序
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[eth8023 / eth8023][Running/Manual Start]
  <\SystemRoot\system32\drivers\eth8023.sys><N/A>
[VIA Rhine-Family Fast-Ethernet Adapter Driver Service / FET5X86V][Running/Manual Start]
  <system32\DRIVERS\fetnd5bv.sys><VIA Technologies, Inc.>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS][Stopped/Manual Start]
  <system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[HBKernel32 Driver / HBKernel32][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\HBKernel32.sys><N/A>
[JMicron Hot-Plug Driver / JGOGO][Stopped/Manual Start]
  <system32\DRIVERS\JGOGO.sys><JMicron>
[KAVBootC / KAVBootC][Running/Boot Start]
  <\SystemRoot\system32\Drivers\KAVBootC.sys><Kingsoft Corporation>
[KAVSafe / KAVSafe][Stopped/Auto Start]
  <\??\C:\WINDOWS\system32\Drivers\KAVSafe.sys><N/A>
[KernelCheck / KernelCheck][Stopped/Manual Start]
  <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bplw\KpCheck.sys><N/A>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[NVIDIA nForce RAID Driver / nvrd32][Stopped/Manual Start]
  <system32\DRIVERS\nvrd32.sys><NVIDIA Corporation>
[presafe / presafe][Stopped/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\presafe.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SATALink driver accelerator / SiFilter][Stopped/Manual Start]
  <system32\DRIVERS\SiWinAcc.sys><Silicon Image, Inc.>
[System Restore Filter Driver / sr][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\sr.sys><N/A>
[VIA AGP Filter / viaagp1][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
[ViBus / ViBus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\ViBus.sys><VIA Technologies, Inc.>
[videX32 / videX32][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\videX32.sys><VIA Technologies, Inc.>
[VIA SATA IDE Device Driver / ViPrt][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\ViPrt.sys><VIA Technologies, Inc.>
[VMware Pointing Device / vmmouse][Running/Manual Start]
  <system32\DRIVERS\vmmouse.sys><VMware, Inc.>

==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[ThunderHlpObj Class]
  {97421D0D-E07F-40DF-8F07-99597B9585AD} <C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll, Thunder Networking Technologies,LTD>
[启动迅雷5]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <C:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <C:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[XMP Class]
  {6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
[XDRM]
  {693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
[MediaComm Class]
  {7670648D-461B-42AF-BDFE-46D26AF5EFF2} <C:\Program Files\Thunder Network\Thunder\Components\InMedia\MediaAddin17.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[ThunderHlpObj Class]
  {97421D0D-E07F-40DF-8F07-99597B9585AD} <C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll, Thunder Networking Technologies,LTD>
[DapCtrl Class]
  {ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8} <C:\Program Files\Common Files\Thunder Network\KanKan\DapCtrl.2.1.5803.60.(441).dll, ShenZhen Thunder Networking Technologies Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx, (Signed) Adobe Systems, Inc.>
[PlayerCtrl Class]
  {E05BC2A3-9A46-4A32-80C9-023A473F5B23} <C:\Program Files\Tencent\QQMusic\QzoneMusic.dll, (Signed) 深圳腾讯科技>
[Thunder DapPlayer]
  {EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <C:\Program Files\Thunder Network\Thunder\Components\DownAndPlay\DapPlayer3.0.5712.71.441.dll, ShenZhen Thunder Networking Technologies Ltd.>
[XPPlayer Class]
  {F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Program Files\Common Files\Thunder Network\KanKan\PPlayer.2.0.0.181.(441).dll, Xunlei Networking Technologies,LTD>
[使用迅雷下载]
  <C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[使用迅雷下载全部链接]
  <C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>

==================================
正在运行的进程
[PID: 564][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 624][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 648][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 692][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 704][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 876][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 964][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]
[PID: 1060][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]
[PID: 1112][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\mshta.dll]  [Microsoft Corporation, 7.00.5730.13 (longhorn(wmbla).070711-1130)]
[PID: 1400][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\mdimon.dll]  [Microsoft Corporation, 11.3.8166.2]
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll]  [Microsoft Corporation, 11.3.8166.2]
[PID: 1632][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.5.29]
    [C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 8, 96]
    [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_01.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 20]
    [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_01.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 16]
    [C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll]  [Thunder Networking Technologies,LTD, 5, 0, 8, 74]
    [C:\WINDOWS\system32\mshta.dll]  [Microsoft Corporation, 7.00.5730.13 (longhorn(wmbla).070711-1130)]
    [C:\WINDOWS\Fonts\Framdee.ttf]  [N/A, ]
    [C:\WINDOWS\AppPatch\AcXtrnel.sdb]  [N/A, ]
    [C:\WINDOWS\AppPatch\AcSpecf.dll]  [N/A, ]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]
    [C:\WINDOWS\system32\kildh3l.dll]  [N/A, ]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]  [Microsoft Corporation, 11.0.5510]
[PID: 1920][C:\WINDOWS\system32\rundll32.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\Update.dll]  [N/A, ]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
[PID: 1944][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
[PID: 1956][C:\Program Files\duowan\yy\DuoSpeak.exe]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\BIZ.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\xgdi.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\duowan\yy\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\duowan\yy\LCtrl.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\PUBFUNC.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\duowan\yy\AudioCodec.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\Timer.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\log.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\audio.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\llayout.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\XML.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\XEditor.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\XUUID.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\ExtraLayout.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\LVDownloader.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\Smile.dll]  [广州多玩信息技术有限公司, 1.0.0.1]
    [C:\Program Files\duowan\yy\crashreport.dll]  [N/A, ]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
    [C:\Program Files\duowan\yy\protocol.dll]  [N/A, ]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]
    [C:\WINDOWS\system32\kildh3l.dll]  [N/A, ]
[PID: 1996][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]
[PID: 2040][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.11.6375]
    [C:\WINDOWS\system32\nvapi.dll]  [NVIDIA Corporation, 6.14.11.6375]
[PID: 424][C:\WINDOWS\system32\taskmgr.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
    [C:\WINDOWS\system32\kildh3l.dll]  [N/A, ]
[PID: 280][F:\新建文件夹 (2)\SRE796940c0.EXE]  [Smallfrogs Studio, 2.6.16.1161]
    [C:\WINDOWS\system32\kildh3l.dll]  [N/A, ]
    [C:\WINDOWS\system32\bkwmyndl.dll]  [N/A, ]
    [C:\WINDOWS\system32\yabhgmla.dll]  [N/A, ]
    [C:\WINDOWS\system32\iedlemyw.dll]  [N/A, ]
    [C:\WINDOWS\system32\avicapwm.dll]  [N/A, ]
    [C:\WINDOWS\system32\ecbyllfl.dll]  [N/A, ]
    [C:\WINDOWS\system32\wrm32.dll]  [N/A, ]

==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
MSAPI Tcpip [TCP/IP]
    C:\WINDOWS\system32\wrm32.dll(, N/A)
MSAPI Tcpip [UDP/IP]
    C:\WINDOWS\system32\wrm32.dll(, N/A)

==================================
Autorun.inf
N/A

被修改的hosts文件超长，就不列了

==================================
进程特权扫描
特殊特权被允许： SeDebugPrivilege [PID = 1956, C:\PROGRAM FILES\DUOWAN\YY\DUOSPEAK.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1956, C:\PROGRAM FILES\DUOWAN\YY\DUOSPEAK.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2040, C:\WINDOWS\SYSTEM32\NVSVC32.EXE]

==================================
计划任务
N/A

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

1.下载删除工具(无敌删除器)
(DelayDelFile.rar)或参考http://bbs.duba.net/thread-21914617-1-1.html
说明：解压并打开DelayDelFile,复制以下待删除文件列表-->粘贴进(Ctrl+V)第一个空白框中-->按"添加"-->点击"删除"按钮
删除以下文件，再把该工具删除时备份的_Backup_文件夹打包传上来

c:\windows\system32\wrm32.dll
c:\windows\system32\yabhgmla.dll
c:\windows\system32\kildh3l.dll
c:\windows\system32\iedlemyw.dll
c:\windows\system32\ecbyllfl.dll
c:\windows\system32\bkwmyndl.dll
c:\windows\system32\avicapwm.dll
c:\program files\duowan\yy\xuuid.dll
c:\program files\duowan\yy\xml.dll
c:\program files\duowan\yy\xgdi.dll
c:\program files\duowan\yy\xeditor.dll
c:\program files\duowan\yy\timer.dll
c:\program files\duowan\yy\smile.dll
c:\program files\duowan\yy\pubfunc.dll
c:\program files\duowan\yy\protocol.dll
c:\program files\duowan\yy\duospeak.exe
c:\program files\duowan\yy\msvcr71.dll
c:\program files\duowan\yy\msvcp71.dll
c:\program files\duowan\yy\mfc71u.dll
c:\program files\duowan\yy\lvdownloader.dll
c:\program files\duowan\yy\log.dll
c:\program files\duowan\yy\lctrl.dll
c:\program files\duowan\yy\llayout.dll
c:\program files\duowan\yy\extralayout.dll
c:\program files\duowan\yy\crashreport.dll
c:\program files\duowan\yy\biz.dll
c:\program files\duowan\yy\audiocodec.dll
c:\program files\duowan\yy\audio.dll
c:\windows\update.dll
c:\windows\system32\mshta.dll
c:\windows\fonts\framdee.ttf
c:\windows\apppatch\acxtrnel.sdb
c:\windows\apppatch\acspecf.dll
eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll
rundll32 "c:\windows\update.dll",main
c:\windows\system32\comuidsg.dll
c:\windows\system32\mstimewd.dll
c:\program files\messenger\msgmr.dll
c:\program files\duowan\yy\start.exe
c:\windows\system32\msconfig.exe /auto
system.exe
c:\windows\sysocmgr.dll
c:\windows\system32\drivers\presafe.sys
c:\docume~1\admini~1\locals~1\temp\bplw\kpcheck.sys
c:\windows\system32\drivers\eth8023.sys
C:\WINDOWS\system32\wrm32.dl
c:\windows\system32\drivers\kavsafe.sys
2.删除重启后使用SREng修复下面各项：

    启动项目 －－ 注册表之如下项删除：
[iedlemyw.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[ecbyllfl.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[bkwmyndl.dll]    <C:\WINDOWS\system32\bkwmyndl.dll>
[yabhgmla.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[jttafmec.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[gcngsocc.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[gukzxqtm.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[mlkxdock.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[mdgqaqtu.dll]    <C:\WINDOWS\system32\bkwmyndl.dll>
[sjrcjuui.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[ksvkhuzo.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[rigyyriz.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[rigyyriz.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[oymtoqph.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[avicapwm.dll]    <C:\WINDOWS\system32\avicapwm.dll>
[lweurqhx.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[hqlfnmuc.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[qxypoqoa.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[{D3112B69-A745-4805-874E-ABD480EA1299}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}]    <C:\WINDOWS\system32\bkwmyndl.dll>
[{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}]    <C:\WINDOWS\system32\yabhgmla.dll>
[{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{F0930A2F-D971-4828-8209-B7DFD266ED44}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}]    <C:\WINDOWS\system32\avicapwm.dll>
[{71A78CD4-E470-4a18-8457-E0E0283DD507}]    <C:\WINDOWS\system32\ecbyllfl.dll>
注意该项[AppInit_DLLs]修改：把<eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll>修改为<>即清空
[3PMmUpdate]    <rundll32 "C:\WINDOWS\Update.dll",Main>
[comuidsg.dll]    <C:\WINDOWS\system32\comuidsg.dll>
[mstimewd.dll]    <C:\WINDOWS\system32\mstimewd.dll>
[{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}]    <C:\WINDOWS\system32\comuidsg.dll>
[msnmsg]    <C:\Program Files\Messenger\msgmr.dll>
[{65056902-6E7B-4bd7-95BA-688DB5FA5BEB}]    <C:\WINDOWS\system32\mstimewd.dll>
[YY]    <C:\Program Files\duowan\yy\Start.exe>
[MSConfig]    <C:\WINDOWS\system32\msconfig.exe /auto>
[HBService32]    <System.exe>
[sysocmgr]    <C:\WINDOWS\sysocmgr.dll>

    启动项目 －－ 服务－－ 驱动程序之如下项删除：
[presafe / presafe]    <\??\C:\WINDOWS\system32\drivers\presafe.sys>
[KernelCheck / KernelCheck]    <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bplw\KpCheck.sys>
[eth8023 / eth8023]    <\SystemRoot\system32\drivers\eth8023.sys>
[KAVSafe / KAVSafe]    <\??\C:\WINDOWS\system32\Drivers\KAVSafe.sys>
    系统修复－－ HOSTS文件－－重置
    系统修复－－ winsock－－重置所有内容为默认
**************以上分析报告由SREngLog分析助手提供******************

[ 本帖最后由 mouse_0232 于 2008-9-22 11:36 编辑 ]

耗子干嘛让人把winrar的右键扩展删除了啊。

引用:

原帖由 铁军 于 2008-9-22 11:23 发表
耗子干嘛让人把winrar的右键扩展删除了啊。

哪个文件是啊????????????

就是这个啊
c:\program files\winrar\rarext.dll

c:\program files\winrar\rarext.dll   这个文件有时破解的多些，有时还是个N/A

引用:

原帖由 铁军 于 2008-9-22 11:31 发表
就是这个啊
c:\program files\winrar\rarext.dll

  误操作

1.下载删除工具(无敌删除器)
(DelayDelFile.rar)或参考http://bbs.duba.net/thread-21914617-1-1.html
由于反复在相同路径发现相同病毒，下载完毕，最好断开网络连接
说明：解压并打开DelayDelFile,复制以下待删除文件列表-->粘贴进(Ctrl+V)第一个空白框中-->按"添加"-->点击"删除"按钮
然后把 _BackUp_Auto_.7z文件夹用 winrar打包,然后上传附件.

c:\windows\system32\iedlemyw.dll
c:\windows\system32\ecbyllfl.dll
c:\windows\system32\bkwmyndl.dll
c:\windows\system32\yabhgmla.dll
c:\windows\system32\avicapwm.dll
c:\windows\system32\eskisl.dll
c:\windows\system32\ lensch.dll
c:\windows\system32\micsus.dll
c:\windows\system32\cupops.dll
c:\windows\system32\ jolndyo.dll
c:\windows\system32\ johandy.dll
c:\windows\system32\aotoppt.dll
c:\windows\system32\pewire.dll
c:\windows\system32\comboaus.dll
c:\windows\system32\catower.dll
c:\windows\system32\wllame.dll
rundll32 "c:\windows\update.dll",main
c:\windows\system32\comuidsg.dll
c:\windows\system32\mstimewd.dll
c:\program files\messenger\msgmr.dll
c:\program files\duowan\yy\start.exe
system.exe
; system.exe
c:\windows\system32\drivers\presafe.sys
c:\docume~1\admini~1\locals~1\temp\bplw\kpcheck.sys
c:\windows\system32\drivers\kavsafe.sys
c:\windows\system32\drivers\hbkernel32.sys
c:\windows\system32\drivers\eth8023.sys
c:\windows\system32\wrm32.dll
c:\windows\apppatch\acspecf.dll
c:\windows\apppatch\acxtrnel.sdb
c:\windows\fonts\framdee.ttf
c:\windows\system32\kildh3l.dll
c:\windows\update.dll


2.删除重启后使用SREng修复下面各项：

    启动项目 －－ 注册表之如下项删除：
[iedlemyw.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[ecbyllfl.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[bkwmyndl.dll]    <C:\WINDOWS\system32\bkwmyndl.dll>
[yabhgmla.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[jttafmec.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[gcngsocc.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[gukzxqtm.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[mlkxdock.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[mdgqaqtu.dll]    <C:\WINDOWS\system32\bkwmyndl.dll>
[sjrcjuui.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[ksvkhuzo.dll]    <C:\WINDOWS\system32\yabhgmla.dll>
[rigyyriz.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[oymtoqph.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[avicapwm.dll]    <C:\WINDOWS\system32\avicapwm.dll>
[lweurqhx.dll]    <C:\WINDOWS\system32\ecbyllfl.dll>
[hqlfnmuc.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[qxypoqoa.dll]    <C:\WINDOWS\system32\iedlemyw.dll>
[{D3112B69-A745-4805-874E-ABD480EA1299}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}]    <C:\WINDOWS\system32\bkwmyndl.dll>
[{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}]    <C:\WINDOWS\system32\yabhgmla.dll>
[{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{F0930A2F-D971-4828-8209-B7DFD266ED44}]    <C:\WINDOWS\system32\iedlemyw.dll>
[{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}]    <C:\WINDOWS\system32\avicapwm.dll>
[{71A78CD4-E470-4a18-8457-E0E0283DD507}]    <C:\WINDOWS\system32\ecbyllfl.dll>
注意该项[AppInit_DLLs]修改：把<eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll>修改为<>即清空
[3PMmUpdate]    <rundll32 "C:\WINDOWS\Update.dll",Main>
[comuidsg.dll]    <C:\WINDOWS\system32\comuidsg.dll>
[mstimewd.dll]    <C:\WINDOWS\system32\mstimewd.dll>
[{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}]    <C:\WINDOWS\system32\comuidsg.dll>
[msnmsg]    <C:\Program Files\Messenger\msgmr.dll>
[{65056902-6E7B-4bd7-95BA-688DB5FA5BEB}]    <C:\WINDOWS\system32\mstimewd.dll>
[HBService32]    <System.exe>
[HBService32]    <; System.exe>
[MSConfig]    <C:\WINDOWS\system32\msconfig.exe /auto>
[sysocmgr]    <C:\WINDOWS\sysocmgr.dll>

    启动项目 －－ 服务－－ 驱动程序之如下项禁用：
[presafe / presafe]    <\??\C:\WINDOWS\system32\drivers\presafe.sys>
[KernelCheck / KernelCheck]    <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bplw\KpCheck.sys>
[KAVSafe / KAVSafe]    <\??\C:\WINDOWS\system32\Drivers\KAVSafe.sys>
[HBKernel32 Driver / HBKernel32]    <\SystemRoot\system32\DRIVERS\HBKernel32.sys>
[eth8023 / eth8023]    <\SystemRoot\system32\drivers\eth8023.sys>
    系统修复---文件关联---修复
   系统修复－－ HOSTS文件－－重置(如果是个人免疫的恶意网站的话，就不需要修复)
   系统修复－－ winsock－－重置所有内容为默认
3.关闭IE用下面的工具全选，清理系统临时文件和IE临时文件夹   
.http://www.xpi386.com.cn/tools/HA-ATF-Cleaner.rar
4.下载windows清理助手清理恶意软件   升级以后再使用                    
http://www.arswp.com/download/arswp2/arswp2.zip
5.反复在相同路径发现相同病毒，AV终结者专杀，清理专家及其它工具多次重试无效，最好利用金山毒霸的命令行杀毒在安全模式杀毒，具体的可以参考http://bbs.duba.net/thread-21898192-1-1.html

[ 本帖最后由 vistalong 于 2008-9-23 16:41 编辑 ]

6.病毒分析：
a.该病毒疑为通过msn、游戏进行传播，为木马程序。
b.破坏lsp，造成.WinSock2 注册表键值破坏以后造成的 TCP/IP 协议不能正常工作，从而造成不能登陆网络。
c.有恶意程序修改了AppInit_Dlls键值，其中这个程序默认为空，但是有几个常见的常见的程序修改了这一项，比如瑞星卡卡、comodo、木马克星均为正常的程序。
d.伪装字体程序 c:\windows\fonts\framdee.ttf
e.同时也有伪装微软的数字签名
f.破坏了文件关联方式
g.利用System.exe但是自启动项目下显示文件已经丢失，清理相关的注册表即可，个人认为病毒没有很好的利用这一点，在最近看的一篇日志中这个进程为隐藏的。
h.av终结者那个专杀主要是用来修复“映像劫持（ifeo）”；修复Autorun.inf；修复安全模式

以上均为个人见解，希望大家批评、指正。

[ 本帖最后由 vistalong 于 2008-9-23 16:41 编辑 ]

制作病毒灭菌机应该说对用户比较的方便，只需要导入指令就可以了

vistalong你把病毒灭菌机的使用弄个示例上来吧。