There is a {0EA66AD2-CF26-2E23-532B-B292E22F3266} in my startup programs; is it a virus? Poor me! My computer is broken, experts please help!!!

Is this a virus? What should I do about it?

This is the autorun.exe auto-run virus. After the program runs it performs the following operations:

1. Gets the system directory and checks whether %SysRoot%\Program Files\Internet Explorer\PLUGINS\NewTemp.bak and NewTemp.DLL exist; if they exist, deletes them;

2. Copies itself to %SysRoot%\Program Files\Internet Explorer\PLUGINS\NewTemp.bak and sets the file attributes to HIDDEN and SYSTEM to hide the file;

3. Finds its own resource DATAINFO and drops it to %SysRoot%\Program Files\Internet Explorer\PLUGINS\NewTemp.DLL;

4. Checks the system version; if the system is not an NT system, creates wininit.ini to achieve autostart;

5. Looks for a window with class ListBox and window name 1616116 or 1818118; if that fails, creates a window with class ListBox and name 1818118 to receive messages; if one is found, exits, preventing a duplicate instance from running;

6. Loads %SysRoot%\Program Files\Internet Explorer\PLUGINS\NewTemp.DLL, obtains the exported function MsgHookOn and calls it, then enters a message loop to receive system messages;

7. When the message loop exits, calls the exported function MsgHookOff to set a message hook that watches for newly added devices; then sets the following registry entries to achieve autostart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{0EA66AD2-CF26-2E23-532B-B292E22F3266}

HKLM\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266}
InProcServer32
Apartment
ThreadingModel

When the dropped DLL is loaded it performs the following operations:

1. Gets its module name, opens its own file, reads four bytes at the end of the file, XORs them with 0x35526133, negates the result, and then reads data from the end of the file using that offset;

2. Looks for a window with class ListBox and name 1616116; if found, exits, to prevent the program from running twice;

3. Creates a thread that performs the following:

Creates a window with class ListBox and name 1616116 to receive system messages and sets that window's callback function; in the callback it checks the message type:

If it is WM_DEVICECHANGE, copies itself to the root directory of the newly added device as PegeFile.PIF, then creates autorun.inf in the device root and writes the following content to spread:
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto

If it is WM_DESTROY, destroys the window; otherwise calls the default message handler.

Looks for the window with class ListBox and name 1818118 and sends it a WM_QUIT message to close that window;

Sets a timer that performs the following every 1 second:
a. Queries the value under the registry key HKLM\Software\SetVer\ver to determine whether the specified program has already been downloaded;
b. If the value is not set, tries to download the specified program from the network to the temp directory and execute it;
c. If the download and execution succeed, sets the value under HKLM\Software\SetVer\ver to mark it as downloaded;

Enters a message loop to receive system messages. The exported function MsgHookOn sets a system message hook used to obtain device-added notification messages; the exported function MsgHookOff removes the loading module's window message hook;

Security advice:

1. Install genuine antivirus software, a personal firewall and the Kaka Internet Security Assistant, and update them promptly; Rising antivirus updates at least three times a day.

2. Use the "Rising System Vulnerability Scan", apply patches and close system vulnerabilities.

3. Do not browse dubious websites and do not casually download or install suspicious plug-ins.

4. Do not accept suspicious files sent via QQ, MSN, email, etc.

5. Keep the antivirus real-time monitoring on while online.

6. Add important software such as online banking, online games and QQ to the "Rising Account Safe" to effectively protect your passwords.

Removal method:

Removal with Rising antivirus:

Install Rising antivirus, update to version 19.45.31 or later, run a full-disk scan of the computer and follow the software's prompts to remove it completely.
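An added check for the autorun.inf pattern described in the analysis above (example code, not from the thread or from the sample): it parses the [autorun] section and flags an open=/shellexecute=/shell\<verb>\command set that all launch the same executable. The worm sample is the listing quoted above; the benign sample and the EXEC_EXT list are assumptions.

```python
"""Flag an autorun.inf that turns a drive's default action into running a program.

Added example for the analysis above; it is not code from the thread or from the
sample. The worm sample is the autorun.inf content the answer says the DLL
writes to each new drive's root; the benign sample and EXEC_EXT are assumptions.
"""

# Extensions Windows executes directly. A .pif is a DOS program shortcut and is
# run as a program even though Explorer shows it with a harmless-looking icon.
EXEC_EXT = (".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js")

# Constructed from the listing in the analysis above.
WORM_AUTORUN_INF = r"""[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
"""

# Constructed benign example: a CD that only sets its icon and label.
BENIGN_AUTORUN_INF = r"""[autorun]
icon=setup.exe,0
label=Product CD
"""


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _program(value):
    """First token of a command line (the program), surrounding quotes stripped."""
    parts = value.strip().strip('"').split()
    return parts[0] if parts else ""


def assess_autorun(text):
    """Return a list of findings; an empty list means nothing looked like a dropper."""
    e = parse_autorun(text)
    findings = []
    # open= and shellexecute= are what AutoRun/AutoPlay honour on insertion.
    for key in ("open", "shellexecute"):
        prog = _program(e.get(key, ""))
        if prog.lower().endswith(EXEC_EXT):
            findings.append(f"{key}= launches executable {prog}")
    # shell=<verb> makes that verb the default double-click action in Explorer
    # and shell\<verb>\command is what it runs, so opening the drive runs it.
    verb = e.get("shell", "").lower()
    if verb:
        prog = _program(e.get(f"shell\\{verb}\\command", ""))
        if prog.lower().endswith(EXEC_EXT):
            findings.append(f"default verb '{verb}' runs executable {prog}")
    # Every action pointing at one file is the dropper pattern, not a CD menu.
    programs = {_program(v).lower() for k, v in e.items()
                if k in ("open", "shellexecute")
                or (k.startswith("shell\\") and k.endswith("\\command"))}
    programs.discard("")
    if len(programs) == 1 and len(findings) >= 2:
        findings.append(f"every action points at the same file {programs.pop()}")
    return findings


if __name__ == "__main__":
    for name, text in (("worm", WORM_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, assess_autorun(text) or ["no findings"])
```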

How to remove Pegefile.pif and the group of trojans it downloads. Hope this helps.
File: PegeFile.pif
Size: 28708 bytes
MD5: E25E943A9281DA3E4260E1D08BF69F26
SHA1: 823420A3760E30915AEA2A272A5A9C81ECDB2393
CRC32: AFF7FD61

After running, it creates C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
NewTemp.dll:
Adds the registry value HKLM\SOFTWARE\Classes\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266} pointing to this file so that it is started at boot
NewTemp.dll tries to monitor messages sent to the message queue by hooking WH_GETMESSAGE

Creates PegeFile.pif and autorun.inf on every partition

Controls Explorer to connect to the network and download trojans and viruses
Reads http://xxxxx.cn/1.txt to download a configuration file
Downloads http://xxxxx.cn/arp/1.exe through 19.exe
and http://xxxx.net/new/system22.exe to the %temp% folder
The downloaded Viking (威金) also downloads some further viruses, though some are the same as those above

After the trojan implantation is complete, SREng shows the following:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

Removal method:
1. Open SREng
Startup Items > Registry: delete the entries under the following keys
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
2. Restart the computer

Double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and clear the checkbox in front of "Hide protected operating system files (Recommended)". When prompted to confirm the change, click "Yes", then OK.
Click the Folders button below the menu bar (the button to the right of Search).
From the Explorer pane on the left, go to drive C.
Delete the following files:
C:\WINDOWS\system32\drivers\usbinte.sys
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\visin.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\RichDll.dll
C:\WINDOWS\uninstall\rundl132.exe
C:\WINDOWS\1Sy.exe~20Sy.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\kulionwm.dll
C:\WINDOWS\video.dll
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
C:\WINDOWS\winwm.exe
C:\WINDOWS\wmsj.exe
C:\pegefile.pif
C:\autorun.inf

Click the Search button on the menu bar and open the C:\windows\system32 folder.
In "All or part of the file name" enter *pri.dll.
Under "More advanced options" tick "Search hidden files and folders".
Right-click each of these files and rename it; remember the names you give them, ideally following a pattern.
All of the files must be renamed.
Then click "Start a new search".
In "All or part of the file name" enter *ini.dll and rename all the files found.
Then click "Start a new search".
In "All or part of the file name" enter *ins.exe and rename all the files found.


3. Restart the computer
Startup Items > Registry: delete the following entries (entry list not preserved in the post)
Double-click AppInit_DLLs and set its value to empty

Delete all the files you just renamed.
Then click the Folders button below the menu bar and, from the Explorer pane on the left, go to the other drives.
Delete pegefile.pif and autorun.inf.

4. Download the Viking (威金) dedicated removal tool and run a full-disk scan.

Additionally:
If QQ is installed, delete Timplatform.exe in the QQ installation folder and rename Timplatfrom.exe to Timplatform.exe.

Yes!! The removal method is as follows:
Download System Repair Engineer

http://www.kztechs.com/sreng/download.html

1. Unzip sreng2.zip
2. Run SREng.exe (if it won't run, rename it and run it again!)
3. Smart Scan ---> Scan ---> Save Report
4. Copy the complete report from the log and paste it here in sections, without modifying it.
Because I protect drive C with a restore card, I first prevented the suspicious PegeFile from auto-running; the result is as follows:
[CODE]

2007-06-30,08:30:07

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<FlashPlayerUpdate><C:\WINNT\system32\Macromed\Flash\GetFlash.exe> [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<HotKeysCmds><C:\WINNT\system32\hkcmd.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SoundMan><soundman.exe> [Avance Logic, Inc.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<thunder_mini><C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe> [深圳市三代科技开发有限公司]
<TotalRecorderScheduler><C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe> [High Criteria inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
驱动程序
[Service for Avance AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ialm / ialm][Running/Manual Start]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

==================================
浏览器加载项
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINNT\system32\xunleibho_v4.dll, >
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&使用迷你迅雷下载]
<C:\Program Files\Sandai Technologies Inc\ThunderMini\geturl.htm, N/A>

==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[PID: 988][C:\WINNT\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3924]
[PID: 996][C:\WINNT\soundman.exe] [Avance Logic, Inc., 5, 0, 0, 0]
[PID: 1012][C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe] [深圳市三代科技开发有限公司, 1, 1, 0, 4]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[C:\Program Files\Sandai Technologies Inc\ThunderMini\boost_thread-vc6-mt-1_31.dll] [N/A, ]
[PID: 1020][C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe] [High Criteria inc., 4, 0, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTl.dll] [N/A, ]
[PID: 1028][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 1168][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[PID: 576][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[PID: 872][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]
Now letting the suspicious PegeFile auto-run, the result is as follows:
[CODE]

2007-06-30,08:36:42

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Server Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能

以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<FlashPlayerUpdate><C:\WINNT\system32\Macromed\Flash\GetFlash.exe> [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<HotKeysCmds><C:\WINNT\system32\hkcmd.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SoundMan><soundman.exe> [Avance Logic, Inc.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<thunder_mini><C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe> [深圳市三代科技开发有限公司]
<TotalRecorderScheduler><C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe> [High Criteria inc.]
<WinForm><C:\WINNT\WinForm.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{0EA66AD2-CF26-2E23-532B-B292E22F3266}><C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll> []
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINNT\system32\rundll32.exe windhcp.ocx,input><Microsoft Corporation>

==================================
驱动程序
[Service for Avance AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ialm / ialm][Running/Manual Start]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

==================================
浏览器加载项
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINNT\system32\xunleibho_v4.dll, >
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&使用迷你迅雷下载]
<C:\Program Files\Sandai Technologies Inc\ThunderMini\geturl.htm, N/A>

==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 212][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6898]
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\WINNT\system32\nwizAsktao.dll] [N/A, ]
[C:\WINNT\system32\dh2104.dll] [N/A, ]
[C:\WINNT\system32\nwizzhuxians.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[C:\WINNT\system32\TIMHost.dll] [N/A, ]
[PID: 988][C:\WINNT\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3924]
[PID: 996][C:\WINNT\soundman.exe] [Avance Logic, Inc., 5, 0, 0, 0]
[PID: 1012][C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe] [深圳市三代科技开发有限公司, 1, 1, 0, 4]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[C:\Program Files\Sandai Technologies Inc\ThunderMini\boost_thread-vc6-mt-1_31.dll] [N/A, ]
[PID: 1020][C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe] [High Criteria inc., 4, 0, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTl.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1028][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1168][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 576][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\WINNT\system32\TIMHost.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1264][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\windhcp.ocx] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[C:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[D:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[E:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[F:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[G:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================

[/CODE]
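Added example (not part of the thread) that diffs the two SREng reports above the way a responder does by eye: it parses each report into (section, context, line) triples, lists the entries present only in the second report, and marks those SREng could not attribute to a publisher. The excerpts are constructed from the reports above; the parser assumes SREng's section layout exactly as shown there.

```python
"""Diff two System Repair Engineer (SREng) reports to list what a sample added.

Added example, not part of the original thread. The two excerpts are constructed
from the before/after reports pasted above; SREng's Chinese section labels and
its '====' separator layout are assumed to be exactly as in those reports.
"""
import re

SEP = "=================================="

# Constructed excerpt of the report taken before the sample was allowed to run.
BEFORE = r"""启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SoundMan><soundman.exe> [Avance Logic, Inc.]

==================================
正在运行的进程
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]

==================================
Autorun.inf
N/A
"""

# Constructed excerpt of the report taken after the sample ran.
AFTER = r"""启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SoundMan><soundman.exe> [Avance Logic, Inc.]
<WinForm><C:\WINNT\WinForm.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{0EA66AD2-CF26-2E23-532B-B292E22F3266}><C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll> []

==================================
正在运行的进程
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll] [N/A, ]

==================================
Autorun.inf
[C:\]
[autorun]
open=PegeFile.pif
shell=Auto
"""

def _is_context(section, line):
    """True for lines that group the entries after them: key, process or drive."""
    if section == "正在运行的进程":  # process line; following lines are its modules
        return line.startswith("[PID:")
    if section == "Autorun.inf":  # drive root; [autorun] itself is file content
        return re.fullmatch(r"\[[A-Za-z]:\\\]", line) is not None
    return line.startswith("[")

def parse_report(text):
    """Return (section, context, line) triples for every line after the preamble."""
    start = text.find("启动项目")
    body = text[start:] if start >= 0 else text
    triples = []
    for chunk in body.split(SEP):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        section, context = lines[0], ""
        for line in lines[1:]:
            if _is_context(section, line):
                context = line
                triples.append((section, "", line))
            else:
                triples.append((section, context, line))
    return triples

def new_entries(before, after):
    """Triples present in the after report but absent from the before report."""
    seen = set(parse_report(before))
    return [t for t in parse_report(after) if t not in seen]

def unattributed(line):
    """SREng prints [] or [N/A, ] when a file carries no publisher or version."""
    return line.endswith(("[]", "[N/A]", "[N/A, ]"))
```

Calling new_entries(BEFORE, AFTER) returns the WinForm Run entry, the ShellExecuteHooks key with its NewTemp.dll CLSID entry, NewTemp.dll loaded in Explorer, and the C:\ autorun.inf lines; the same call on two full pasted reports surfaces every change on this page.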

Everything in your startup programs should be software you recognise; it's probably a virus.

If nobody else has used your computer, or you haven't forgotten about it, it most likely is.
