2007-12-12 星期三,11:45:59.12
----------------进程及其启动命令--------------
PROCESS PID COMMAND LINE
smss.exe 564 \SystemRoot\System32\smss.exe
csrss.exe 620 C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllinitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe 648 winlogon.exe
services.exe 696 C:\WINDOWS\system32\services.exe
lsass.exe 708 C:\WINDOWS\system32\lsass.exe
svchost.exe 872 C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 968 C:\WINDOWS\system32\svchost -k rpcss
svchost.exe 1064 C:\WINDOWS\System32\svchost.exe -k NETsvcs
svchost.exe 1160 C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe 1308 C:\WINDOWS\system32\svchost.exe -k LocalService
spoolsv.exe 1404 C:\WINDOWS\system32\spoolsv.exe
Explorer.EXE 1656 C:\WINDOWS\Explorer.EXE
Ati2evxx.exe 1756 C:\WINDOWS\system32\Ati2evxx.exe
stormliv.exe 1776 "C:\Program Files\StormII\stormliv.exe" /asservice
wdfmgr.exe 1936 C:\WINDOWS\system32\wdfmgr.exe
atiptaxx.exe 592 "C:\WINDOWS\system32\atiptaxx.exe"
ctfmon.exe 608 "C:\WINDOWS\system32\ctfmon.exe"
alg.exe 1640 C:\WINDOWS\System32\alg.exe
svchost.exe 624 C:\WINDOWS\System32\svchost.exe -k HTTPFilter
wuauclt.exe 116 "C:\WINDOWS\system32\wuauclt.exe"
QQ.exe 1880 "C:\Program Files\QQ\QQ.exe"
TXPlatform.exe 496 "C:\Program Files\QQ\TXPlatform.exe" -Embedding
QQ.exe 952 "C:\Program Files\QQ\QQ.exe"
QQPenguin.exe 2076 "C:\Program Files\QQ\qqpet\QQPenguin\QQPenguin.exe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
QQPenguin.exe 2128 "C:\Program Files\QQ\qqpet\QQPenguin\QQPenguin.exe" 514401010A00041200BDA8B9B2BD8C9F8C80B2899AA58C838981880400000094040200040F00A0B5A4AFA09182919DAF9487A5999E040000007CC35C00061100BEABBAB1BE8F9C8F83B19D9A9CA0878D850C0000005B5244143A02255D24205B52061000BFAABBB0BF8E9D8E82B09C9B9DA48A96400000008F8C888DFE878DFB8A868B8A8E8EFBFC8787888C87F98E868AFB898EF987FB89FB8E8FFDFE8AFD898D88F98E8CFE898EFC88FAFA87FCFA8D8F898DFE878887FD040100AE04000000DB505F47021400BBAEBFB4BB8A998A86B488BB99849392BF929B8E0100000000021400BBAEBFB4BB8A998A86B485BC8E8A9F838E99A2AF0100000002041500BAAFBEB5BA8B988B87B58E9DB99E8B989EA3848C850400000001000000061100BEABBAB1BE8F9C8F83B19D9A9CA58B97DC20000000E9EEEBECE8E9EAE7EAEAE8EAE99EECEDE8EDECE6EB9AE99EE9E8EAEEE9EAEB9B061600B9ACBDB6B9889B8884B69A9D9BBA808E87889D9C9B8C70000000BFBCB8CCBFCABDCACAB8B8C9CDBCB6B9BBCEBBBAB6B6B6BBC9BACCB9CAB8BEC9CEBCCBCBC9BFCEBABDBEBECAB6C9BBBFCCB8B9BDB8B8CACDB8BCB7BCB6BFBCB7B7BCBCB8CABAB7BEBACDB6BBCBCAC9BDB8BFBABACABECEC9BCB8B8BACBBCCCCCBBB8C9BFBDCCB9BDCBBAB9CABABDBDBF
QQPetNurse.exe 3460 "D:\QQPetNurse\QQPetNurse.exe"
iexplore.exe 3504 "C:\Program Files\Internet Explorer\iexplore.exe"
TTPlayer.exe 1384 "C:\Program Files\TTPlayer\TTPlayer.exe"
辉少查毒.EXE 2488 "C:\Documents and Settings\天才周君臣\桌面\辉少查毒\辉少查毒.EXE"
conime.exe 2508 C:\WINDOWS\system32\conime.exe
cmd.exe 2516 cmd.exe /c C:\DOCUME~1\天才周~1\LOCALS~1\Temp\bt0162.bat
辉少查毒.com 2772 "辉少查毒.com" -l
-
-------------------注册表启动项-------------------------
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIModeChange REG_SZ Ati2mdxx.exe
AtiPTA REG_SZ atiptaxx.exe
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
bgswitch REG_SZ C:\WINDOWS\system32\bgswitch.exe
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
-
-------------------引导执行----------------------------
-
-------------------初始程序----------------------------
-
-------------------资源管理器加载项---------------------
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui 预加载器
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ 组件类别
-
-------------------IE加载项----------------------------
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} REG_SZ
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}
-
-------------------映像劫持----------------------------
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jAvai.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVIDEoFX.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qFinder.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
-
-------------------HOSTS文件内容----------------------------
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
-
-------------------各个盘的autorun.inf----------------------------
最新回复
辉少 (2007-12-12 13:12:02)
要检查一下才行
bgswitch 这个启动项也不要了
大体没什么事
呵呵
周君臣 (2007-12-12 14:04:02)
bgswitch 这个启动项是做什么用的呢?
辉少 (2007-12-12 14:25:23)
如果你不需要的话可以这样卸载它的:
1. 注销组件: 开始>>运行>>输入regsvr32.exe /u c:\windows\system32\bgswitch.dll
2. 删除文件:c:\windows\system32\下面的bgswitch.exe和bgswitch.dll
3. 清理注册表:删除注册表 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "bgswitch"="C:\\WINDOWS\\system32\\bgswitch.exe"
TXPlatform.exe是腾讯的,我的意思是说这个比较容易被一些病毒利用
呵呵
周君臣 (2007-12-12 15:46:59)
大海之鱼 (2007-12-14 11:27:34)