位朋友在使用QQ时,一位网友传来文件“我的照片.rar”,这位朋友接收并打开后,电脑出现问题:无法打网页;桌面莫名其妙地出现了淘宝等图标,无法删除;莫名其妙地多出了115浏览器、IE守护者等软件;有名为nat.exe的命令提示符窗口一闪而过;金山卫士、QQ电脑管家无法打开;以安全模式启动会蓝屏……重启电脑故障依旧,请偶帮忙解决。
从症状看,与之前遇到的鬼影病毒相似。
用U盘将pe_xscan拷入电脑并运行,扫描log并分析,发现如下可疑项:
pe_xscan 09-06-21 by Purple Endurer 2011-1-21 18:14:38Windows XP Service Pack 3(5.1.2600)MSIE:6.0.2900.5512管理员用户组正常模式 [System Process] * 0 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/csrss.exe* 784 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/winlogon.exe* 912 | 2009-3-14 2:3:58 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5512 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-2113) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/WINDOWS/system32/services.exe* 1004 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/lsass.exe* 1016 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/svchost.exe* 1460 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/WINDOWS/system32/rasadhlp.dll | 2011-1-21 17:43:11 | Microsoft? Windows? Operating System | 5.1.2600.5512 | Remote Access AutoDial Helper | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-0852) | Microsoft Corporation| ? | rasadhlp.dll | rasadhlp.dll C:/Program Files/Common Files/System/kb763371.sig | 2011-1-21 17:42:6 C:/Program Files/Common Files/System/kb064444.dla | 2011-1-21 17:43:11 C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/WINDOWS/explorer.exe* 264 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/bhoexe.dll | 2011-1-21 17:44:6 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2622 | Windows XP USER API Client DLL | Copyright 1997 | 5.1.2600.2622 | Microsoft Corporation| ? | apphelp | apphelp C:/WINDOWS/system32/wefjdxvihc/smss.exe * 1480 | 2011-1-21 17:42:3 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/Program Files/svchost.exe * 1768 | 2011-1-21 17:42:46 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/rasadhlp.dll | 2011-1-21 17:43:11 | Microsoft? Windows? Operating System | 5.1.2600.5512 | Remote Access AutoDial Helper | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-0852) | Microsoft Corporation| ? | rasadhlp.dll | rasadhlp.dll C:/Program Files/Common Files/System/kb763371.sig | 2011-1-21 17:42:6 C:/Program Files/Common Files/System/kb064444.dla | 2011-1-21 17:43:11 C:/WINDOWS/system32/ctfmon.exe* 240 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/alg.exe* 2072 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/WINDOWS/system32/rundll32.exe* 832 | 2009-3-14 2:3:58 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/WINDOWS/system32/popupk.dll | 2005-1-21 12:12:0 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/rasadhlp.dll | 2011-1-21 17:43:11 | Microsoft? Windows? Operating System | 5.1.2600.5512 | Remote Access AutoDial Helper | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-0852) | Microsoft Corporation| ? | rasadhlp.dll | rasadhlp.dll C:/Program Files/Common Files/System/kb763371.sig | 2011-1-21 17:42:6 C:/Program Files/Common Files/System/kb064444.dla | 2011-1-21 17:43:11 C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/Program Files/Internet Explorer/IEXPLORE.EXE* 2364 | 2010-8-2 11:3:54 C:/WINDOWS/system32/GDI32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5698 | GDI Client DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32 C:/WINDOWS/system32/netapi32.dll | 2009-3-14 2:3:58 | Microsoft? Windows? Operating System | 5.1.2600.5694 | Net Win32 API DLL | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL C:/WINDOWS/system32/USP10.dll | 2011-1-21 17:36:43 C:/Program Files/Common Files/BOSC.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/msctfime.ime | 2009-8-11 15:49:15 | Microsoft? Windows? Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME C:/WINDOWS/system32/bhoexe.dll | 2011-1-21 17:44:6 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2622 | Windows XP USER API Client DLL | Copyright 1997 | 5.1.2600.2622 | Microsoft Corporation| ? | apphelp | apphelp C:/Program Files/Common Files/System/kb080387.CNT | 2011-1-21 17:40:38 C:/Program Files/msconfig.dll | 2011-1-21 18:11:18 C:/WINDOWS/system32/rasadhlp.dll | 2011-1-21 17:43:11 | Microsoft? Windows? Operating System | 5.1.2600.5512 | Remote Access AutoDial Helper | ? Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-0852) | Microsoft Corporation| ? | rasadhlp.dll | rasadhlp.dll C:/Program Files/Common Files/System/kb763371.sig | 2011-1-21 17:42:6 C:/Program Files/Common Files/System/kb064444.dla | 2011-1-21 17:43:11 F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe, C:/WINDOWS/socks.exe> | 2009-3-14 2:3:58 O2 - BHO BHOApp Class - {CE7C3CEF-4B15-11D1-ABED-FA4C0C0931ED} = C:/WINDOWS/system32/bhoexe.dll | 2011-1-21 17:44:6 O4 - HKLM/../run: [KVP] C:/WINDOWS/system32/drivers/svchost.exe O4 - HKLM/../run: [360safeman] C:/Program Files/svchost.exe O4 - HKLM/../run: [IEProtector] C:/Program Files/IEProtector/ieprotector.exe hide ,start O4 - Global Startup: 1229.tmp O4 - Global Startup: 221.tmp O4 - Global Startup: 228.tmp O4 - Global Startup: yfwkrmowvh.exe AT1.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT2.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT3.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT4.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT5.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT6.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT7.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT8.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT9.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT10.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT11.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT12.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT13.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT14.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT15.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT16.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT17.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT18.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT19.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT20.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT21.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT22.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT23.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT24.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT25.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT26.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT27.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT28.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT29.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT30.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT31.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT32.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT33.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT34.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT35.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT36.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT37.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT38.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT39.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT40.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT41.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT42.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT43.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT44.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT45.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT46.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT47.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT48.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT49.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT50.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT51.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT52.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT53.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT54.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT55.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT56.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT57.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT58.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT59.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT60.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT61.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT62.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT63.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT64.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT65.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT66.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT67.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT68.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT69.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT70.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT71.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe AT72.job -> C:/WINDOWS/system32/Macromadendt/jmqtwd.exe O23 - 服务: ctwxw (ctwxw) - C:/Documents and Settings/Administrator/Application Data/~ctwxw.txt | 2011-1-21 17:48:28(手动) O23 - 服务: dibaf (dibaf) - C:/Documents and Settings/Administrator/Application Data/~dibaf.txt | 2011-1-21 18:11:15(手动) O23 - 服务: DMusic (Microsoft Kernel DLS Syntheiszer) - C:/WINDOWS/system32/drivers/kpscc.sys | 2011-1-21 17:48:31(手动) O23 - 服务: FireFox (FireFox Driver) - C:/WINDOWS/system32/firefox.exe (自动) O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | 2011-1-21 17:36:54 | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手动) O23 - 服务: PciDevice (PciDevice) - C:/Program files/MSDN/PciDisk.sys (手动) O23 - 服务: PCIDump () - C:/WINDOWS/system32/drivers/PCIDump.sys | 2011-1-21 18:11:43(系统) O23 - 服务: SoftDaemo (SoftDaemo) - C:/WINDOWS/system32/drivers/SoftDaemo.sys | 2011-1-21 18:11:9(手动) O26 - IFEO: 360deepscan.exe -> ntsd -d O26 - IFEO: 360hotfix.exe -> ntsd -d O26 - IFEO: 360rp.exe -> ntsd -d O26 - IFEO: 360rpt.exe -> ntsd -d O26 - IFEO: 360Safe.exe -> ntsd -d O26 - IFEO: 360safebox.exe -> ntsd -d O26 - IFEO: 360sd.exe -> ntsd -d O26 - IFEO: 360sdrun.exe -> ntsd -d O26 - IFEO: 360tray.exe -> ntsd -d O26 - IFEO: 799d.exe -> ntsd -d O26 - IFEO: adam.exe -> ntsd -d O26 - IFEO: AgentSvr.exe -> ntsd -d O26 - IFEO: AntiArp.exe -> ntsd -d O26 - IFEO: AntiU.exe -> ntsd -d O26 - IFEO: AoYun.exe -> ntsd -d O26 - IFEO: appdllman.exe -> ntsd -d O26 - IFEO: AppSvc32.exe -> ntsd -d O26 - IFEO: ArSwp.exe -> ntsd -d O26 - IFEO: ArSwp2.exe -> ntsd -d O26 - IFEO: ArSwp3.exe -> ntsd -d O26 - IFEO: arvmon.exe -> ntsd -d O26 - IFEO: AST.exe -> ntsd -d O26 - IFEO: atpup.exe -> ntsd -d O26 - IFEO: auto.exe -> ntsd -d O26 - IFEO: AutoGuarder.exe -> ntsd -d O26 - IFEO: AutoRun.exe -> ntsd -d O26 - IFEO: autoruns.exe -> ntsd -d O26 - IFEO: av.exe -> ntsd -d O26 - IFEO: AvastU3.exe -> ntsd -d O26 - IFEO: avcenter.exe -> ntsd -d O26 - IFEO: avconsol.exe -> ntsd -d O26 - IFEO: avgaurd.exe -> ntsd -d O26 - IFEO: avgnt.exe -> ntsd -d O26 - IFEO: avgrssvc.exe -> ntsd -d O26 - IFEO: AvMonitor.exe -> ntsd -d O26 - IFEO: avp.com -> ntsd -d O26 - IFEO: avp.exe -> ntsd -d O26 - IFEO: AvU3Launcher.exe -> ntsd -d O26 - IFEO: CCenter.exe -> ntsd -d O26 - IFEO: ccSvcHst.exe -> ntsd -d O26 - IFEO: cross.exe -> ntsd -d O26 - IFEO: Discovery.exe -> ntsd -d O26 - IFEO: DSMain.exe -> ntsd -d O26 - IFEO: EGHOST.exe -> ntsd -d O26 - IFEO: egui.exe -> ntsd -d O26 - IFEO: ekrn.exe -> ntsd -d O26 - IFEO: FileDsty.exe -> ntsd -d O26 - IFEO: filmst.exe -> ntsd -d O26 - IFEO: findt2005.exe -> ntsd -d O26 - IFEO: FTCleanerShell.exe -> ntsd -d O26 - IFEO: FYFireWall.exe -> ntsd -d O26 - IFEO: ghost.exe -> ntsd -d O26 - IFEO: guangd.exe -> ntsd -d O26 - IFEO: HijackThis.exe -> ntsd -d O26 - IFEO: IceSword.exe -> ntsd -d O26 - IFEO: iparmo.exe -> ntsd -d O26 - IFEO: Iparmor.exe -> ntsd -d O26 - IFEO: irsetup.exe -> ntsd -d O26 - IFEO: IsHelp.exe -> ntsd -d O26 - IFEO: isPwdSvc.exe -> ntsd -d O26 - IFEO: jisu.exe -> ntsd -d O26 - IFEO: kabaload.exe -> ntsd -d O26 - IFEO: KaScrScn.SCR -> ntsd -d O26 - IFEO: KASMain.exe -> ntsd -d O26 - IFEO: KASTask.exe -> ntsd -d O26 - IFEO: KAV32.exe -> ntsd -d O26 - IFEO: KAVDX.exe -> ntsd -d O26 - IFEO: KAVPF.exe -> ntsd -d O26 - IFEO: KAVPFW.exe -> ntsd -d O26 - IFEO: KAVSetup.exe -> ntsd -d O26 - IFEO: kavstart.exe -> ntsd -d O26 - IFEO: kernelwind32.exe -> ntsd -d O26 - IFEO: killhidepid.exe -> ntsd -d O26 - IFEO: KISLnchr.exe -> ntsd -d O26 - IFEO: kissvc.exe -> ntsd -d O26 - IFEO: KMailMon.exe -> ntsd -d O26 - IFEO: KMFilter.exe -> ntsd -d O26 - IFEO: knsd.exe -> ntsd -d O26 - IFEO: knsdave.exe -> ntsd -d O26 - IFEO: knsdtray.exe -> ntsd -d O26 - IFEO: KPFW32.exe -> ntsd -d O26 - IFEO: KPFW32X.exe -> ntsd -d O26 - IFEO: KPfwSvc.exe -> ntsd -d O26 - IFEO: KRegEx.exe -> ntsd -d O26 - IFEO: KRepair.com -> ntsd -d O26 - IFEO: krnl360svc.exe -> ntsd -d O26 - IFEO: KsLoader.exe -> ntsd -d O26 - IFEO: KSWebShield.exe -> ntsd -d O26 - IFEO: KVCenter.kxp -> ntsd -d O26 - IFEO: KvDetect.exe -> ntsd -d O26 - IFEO: kvfw.exe -> ntsd -d O26 - IFEO: KvfwMcl.exe -> ntsd -d O26 - IFEO: KVMonXP.kxp -> ntsd -d O26 - IFEO: KVMonXP_1.kxp -> ntsd -d O26 - IFEO: kvol.exe -> ntsd -d O26 - IFEO: kvolself.exe -> ntsd -d O26 - IFEO: KvReport.kxp -> ntsd -d O26 - IFEO: KVScan.kxp -> ntsd -d O26 - IFEO: KVSrvXP.exe -> ntsd -d O26 - IFEO: KVStub.kxp -> ntsd -d O26 - IFEO: kvupload.exe -> ntsd -d O26 - IFEO: kvwsc.exe -> ntsd -d O26 - IFEO: KvXP.kxp -> ntsd -d O26 - IFEO: KvXP_1.kxp -> ntsd -d O26 - IFEO: KWatch.exe -> ntsd -d O26 - IFEO: KWatch9x.exe -> ntsd -d O26 - IFEO: KWatchX.exe -> ntsd -d O26 - IFEO: KWSMain.exe -> ntsd -d O26 - IFEO: kwstray.exe -> ntsd -d O26 - IFEO: KWSUpd.exe -> ntsd -d O26 - IFEO: LiveUpdate360.exe -> ntsd -d O26 - IFEO: loaddll.exe -> ntsd -d O26 - IFEO: logogo.exe -> ntsd -d O26 - IFEO: MagicSet.exe -> ntsd -d O26 - IFEO: mcconsol.exe -> ntsd -d O26 - IFEO: McNAsvc.exe -> ntsd -d O26 - IFEO: McProxy.exe -> ntsd -d O26 - IFEO: Mcshield.exe -> ntsd -d O26 - IFEO: Mcsysmon.exe -> ntsd -d O26 - IFEO: mmqczj.exe -> ntsd -d O26 - IFEO: mmsk.exe -> ntsd -d O26 - IFEO: Navapsvc.exe -> ntsd -d O26 - IFEO: Navapw32.exe -> ntsd -d O26 - IFEO: NAVSetup.exe -> ntsd -d O26 - IFEO: niu.exe -> ntsd -d O26 - IFEO: nod32.exe -> ntsd -d O26 - IFEO: nod32krn.exe -> ntsd -d O26 - IFEO: nod32kui.exe -> ntsd -d O26 - IFEO: NPFMntor.exe -> ntsd -d O26 - IFEO: pagefile.exe -> ntsd -d O26 - IFEO: pagefile.pif -> ntsd -d O26 - IFEO: pfserver.exe -> ntsd -d O26 - IFEO: PFW.exe -> ntsd -d O26 - IFEO: PFWLiveUpdate.exe -> ntsd -d O26 - IFEO: qheart.exe -> ntsd -d O26 - IFEO: QHSET.exe -> ntsd -d O26 - IFEO: QQDoctor.exe -> ntsd -d O26 - IFEO: QQDoctorMain.exe -> ntsd -d O26 - IFEO: QQDoctorRtp.exe -> ntsd -d O26 - IFEO: QQKav.exe -> ntsd -d O26 - IFEO: QQPCMgr.exe -> ntsd -d O26 - IFEO: QQPCRTP.exe -> ntsd -d O26 - IFEO: QQPCSmashFile.exe -> ntsd -d O26 - IFEO: QQPCTray.exe -> ntsd -d O26 - IFEO: QQSC.exe -> ntsd -d O26 - IFEO: qsetup.exe -> ntsd -d O26 - IFEO: Ras.exe -> ntsd -d O26 - IFEO: Rav.exe -> ntsd -d O26 - IFEO: ravcopy.exe -> ntsd -d O26 - IFEO: RavMon.exe -> ntsd -d O26 - IFEO: RavMonD.exe -> ntsd -d O26 - IFEO: RavStore.exe -> ntsd -d O26 - IFEO: RavStub.exe -> ntsd -d O26 - IFEO: ravt08.exe -> ntsd -d O26 - IFEO: RavTask.exe -> ntsd -d O26 - IFEO: RegClean.exe -> ntsd -d O26 - IFEO: RegEx.exe -> ntsd -d O26 - IFEO: rfwcfg.exe -> ntsd -d O26 - IFEO: rfwmain.exe -> ntsd -d O26 - IFEO: rfwolusr.exe -> ntsd -d O26 - IFEO: rfwProxy.exe -> ntsd -d O26 - IFEO: rfwsrv.exe -> ntsd -d O26 - IFEO: RsAgent.exe -> ntsd -d O26 - IFEO: Rsaupd.exe -> ntsd -d O26 - IFEO: RsMain.exe -> ntsd -d O26 - IFEO: rsnetsvr.exe -> ntsd -d O26 - IFEO: RsTray.exe -> ntsd -d O26 - IFEO: rstrui.exe -> ntsd -d O26 - IFEO: runiep.exe -> ntsd -d O26 - IFEO: safebank.exe -> ntsd -d O26 - IFEO: safeboxTray.exe -> ntsd -d O26 - IFEO: safelive.exe -> ntsd -d O26 - IFEO: scan32.exe -> ntsd -d O26 - IFEO: ScanFrm.exe -> ntsd -d O26 - IFEO: ScanU3.exe -> ntsd -d O26 - IFEO: SDGames.exe -> ntsd -d O26 - IFEO: SelfUpdate.exe -> ntsd -d O26 - IFEO: servet.exe -> ntsd -d O26 - IFEO: shcfg32.exe -> ntsd -d O26 - IFEO: smartassistant.exe -> ntsd -d O26 - IFEO: SmartUp.exe -> ntsd -d O26 - IFEO: sos.exe -> ntsd -d O26 - IFEO: SREng.EXE -> ntsd -d O26 - IFEO: SREngPS.EXE -> ntsd -d O26 - IFEO: stormii.exe -> ntsd -d O26 - IFEO: SuperKiller.exe -> ntsd -d O26 - IFEO: sxgame.exe -> ntsd -d O26 - IFEO: symlcsvc.exe -> ntsd -d O26 - IFEO: syscheck.exe -> ntsd -d O26 - IFEO: Syscheck2.exe -> ntsd -d O26 - IFEO: SysSafe.exe -> ntsd -d O26 - IFEO: tmp.exe -> ntsd -d O26 - IFEO: TNT.Exe -> ntsd -d O26 - IFEO: ToolsUp.exe -> ntsd -d O26 - IFEO: TrojanDetector.exe -> ntsd -d O26 - IFEO: Trojanwall.exe -> ntsd -d O26 - IFEO: TrojDie.kxp -> ntsd -d O26 - IFEO: TxoMoU.Exe -> ntsd -d O26 - IFEO: UFO.exe -> ntsd -d O26 - IFEO: UIHost.exe -> ntsd -d O26 - IFEO: UmxAgent.exe -> ntsd -d O26 - IFEO: UmxAttachment.exe -> ntsd -d O26 - IFEO: UmxCfg.exe -> ntsd -d O26 - IFEO: UmxFwHlp.exe -> ntsd -d O26 - IFEO: UmxPol.exe -> ntsd -d O26 - IFEO: upiea.exe -> ntsd -d O26 - IFEO: UpLive.exe -> ntsd -d O26 - IFEO: USBCleaner.exe -> ntsd -d O26 - IFEO: vsstat.exe -> ntsd -d O26 - IFEO: wbapp.exe -> ntsd -d O26 - IFEO: webscanx.exe -> ntsd -d O26 - IFEO: WoptiClean.exe -> ntsd -d O26 - IFEO: Wsyscheck.exe -> ntsd -d O26 - IFEO: XDelBox.exe -> ntsd -d O26 - IFEO: XP.exe -> ntsd -d O26 - IFEO: zhudongfangyu.exe -> ntsd -d O26 - IFEO: zjb.exe -> ntsd -d O26 - IFEO: zxsweep.exe -> ntsd -d O26 - IFEO: ~.exe -> ntsd -d O29 - HKCU-Start Page = hxxp://www.155.com/?id=990035 O29 - HKLM-Start Page = hxxp://www.1323.cc/ O30 - IeOpenHomePage = "c:/program files/internet explorer/iexplore.exe" hxxp://www.bcyk.net/?100147
