Encounter with Worm.Win32.Viking.lm/Worm.Viking.tc, Trojan.PSW.Win32.OnlineGames and others, part 1
Original article by endurer
2007-07-25, 1st edition
Yesterday at noon, a friend's computer threw up a pile of error dialogs at startup, programs could not be switched via their taskbar icons, the machine responded very slowly and sometimes rebooted on its own... so he asked me to help repair it.
I downloaded pe_xscan, scanned, and analysed the log, and found the following (the process/module section is partly omitted):
/===
pe_xscan 07-07-21 by Purple Endurer
2007-7-24 12:10:41
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
C:/WINDOWS/system32/netsrvcs.dll | 2007-7-23 21:24:34
C:/WINDOWS/system32/k118520430110.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k11852042934.DAT | 2007-7-23 23:24:56
C:/WINDOWS/system32/k11852006714.DAT | 2007-7-23 22:24:34
C:/WINDOWS/system32/k118519706310.DAT | 2007-7-23 21:26:24
C:/WINDOWS/system32/k11851970597.DAT | 2007-7-23 21:25:22
C:/WINDOWS/system32/k11851970586.DAT | 2007-7-23 21:25:20
C:/WINDOWS/system32/k11851970564.DAT | 2007-7-23 21:24:18
C:/WINDOWS/system32/mppds.dll | 2007-7-24 10:10:28
C:/WINDOWS/system32/TIMHost.dll | 2007-7-24 8:28:38
C:/WINDOWS/system32/upxdnd.dll | 2007-7-23 21:24:42
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qjso0.dll | 2007-7-23 21:24:36
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/daso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wdso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/fyso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wmso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/jtso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/woso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-7-23 21:24:10
C:/WINDOWS/system32/tllpri.dll | 2004-8-4 14:17:36
C:/WINDOWS/system32/dhbpri.dll | 2004-8-4 22:32:0
C:/WINDOWS/system32/myapri1.dll | 2004-8-4 22:29:46
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 22:30:26
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/csrss.exe * 520 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Client Server Runtime Process | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CSRSS.Exe | CSRSS.Exe
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/winlogon.exe * 544 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/DC4BE6F0.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/services.exe * 592 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe | services.exe
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/LYMANGR.DLL | 2007-7-23 21:24:8
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/lsass.exe * 612 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/svchost.exe * 768 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/Explorer.EXE * 1484 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-20 18:11:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 22:30:26
C:/WINDOWS/system32/dhbpri.dll | 2004-8-4 22:32:0
C:/WINDOWS/system32/myapri1.dll | 2004-8-4 22:29:46
C:/WINDOWS/system32/tllpri.dll | 2004-8-4 14:17:36
C:/WINDOWS/system32/SHQMANGR.DLL | 2007-7-23 21:24:8
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/woso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/jtso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wmso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/fyso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wdso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/daso0.dll | 2007-7-23 21:24:10
C:/WINDOWS/system32/DC4BE6F0.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/A1FB9080.DLL | 2007-7-23 21:24:12 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/WINDOWS/system32/k11851970564.DAT | 2007-7-23 21:24:18
C:/WINDOWS/system32/upxdnd.dll | 2007-7-24 10:11:0
C:/WINDOWS/system32/k11851970586.DAT | 2007-7-23 21:25:20
C:/WINDOWS/system32/k11851970597.DAT | 2007-7-23 21:25:22
C:/WINDOWS/system32/k118519706310.DAT | 2007-7-23 21:26:24
C:/WINDOWS/system32/k118519706411.DAT | 2007-7-23 21:26:26
C:/WINDOWS/system32/k11852006714.DAT | 2007-7-23 22:24:34
C:/WINDOWS/system32/k11852006746.DAT | 2007-7-23 22:25:36
C:/WINDOWS/system32/k11852006757.DAT | 2007-7-23 22:25:36
C:/WINDOWS/system32/k118520067910.DAT | 2007-7-23 22:26:40
C:/WINDOWS/system32/k118520068011.DAT | 2007-7-23 22:26:42
C:/WINDOWS/system32/k11852042934.DAT | 2007-7-23 23:24:56
C:/WINDOWS/system32/k11852042977.DAT | 2007-7-23 23:26:0
C:/WINDOWS/system32/k11852042966.DAT | 2007-7-23 23:26:2
C:/WINDOWS/system32/k118520430110.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k118520430211.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k11852079114.DAT | 2007-7-24 0:25:12
C:/WINDOWS/system32/k11852079136.DAT | 2007-7-24 0:26:16
C:/WINDOWS/system32/k11852079147.DAT | 2007-7-24 0:26:16
C:/WINDOWS/system32/k118520791810.DAT | 2007-7-24 0:27:20
C:/WINDOWS/system32/k118520791911.DAT | 2007-7-24 0:27:22
C:/WINDOWS/system32/k11852115284.DAT | 2007-7-24 1:25:30
C:/WINDOWS/system32/k11852115316.DAT | 2007-7-24 1:26:32
C:/WINDOWS/system32/k11852115327.DAT | 2007-7-24 1:26:34
C:/WINDOWS/system32/k118521153510.DAT | 2007-7-24 1:27:38
C:/WINDOWS/system32/k118521153711.DAT | 2007-7-24 1:27:38
C:/WINDOWS/system32/k11852151454.DAT | 2007-7-24 2:25:48
C:/WINDOWS/system32/k11852151486.DAT | 2007-7-24 2:26:50
C:/WINDOWS/system32/k11852151497.DAT | 2007-7-24 2:26:50
C:/WINDOWS/system32/k118521515310.DAT | 2007-7-24 2:27:54
C:/WINDOWS/system32/k118521515411.DAT | 2007-7-24 2:27:56
C:/WINDOWS/system32/k11852187634.DAT | 2007-7-24 3:26:4
C:/WINDOWS/system32/k11852187656.DAT | 2007-7-24 3:27:8
C:/WINDOWS/system32/k11852187667.DAT | 2007-7-24 3:27:8
C:/WINDOWS/system32/k118521877010.DAT | 2007-7-24 3:28:12
C:/WINDOWS/system32/k118521877111.DAT | 2007-7-24 3:28:14
C:/WINDOWS/system32/k11852223804.DAT | 2007-7-24 4:26:22
C:/WINDOWS/system32/k11852223836.DAT | 2007-7-24 4:27:24
C:/WINDOWS/system32/k11852223847.DAT | 2007-7-24 4:27:26
C:/WINDOWS/system32/k118522238710.DAT | 2007-7-24 4:28:30
C:/WINDOWS/system32/k118522238911.DAT | 2007-7-24 4:28:30
C:/WINDOWS/system32/k11852259984.DAT | 2007-7-24 5:26:40
C:/WINDOWS/system32/k11852260006.DAT | 2007-7-24 5:27:42
C:/WINDOWS/system32/k11852260017.DAT | 2007-7-24 5:27:42
C:/WINDOWS/system32/k118522600611.DAT | 2007-7-24 5:28:48
C:/WINDOWS/system32/k11852296154.DAT | 2007-7-24 6:27:0
C:/WINDOWS/system32/k11852296176.DAT | 2007-7-24 6:28:0
C:/WINDOWS/system32/k11852296187.DAT | 2007-7-24 6:28:0
C:/WINDOWS/system32/k118522962311.DAT | 2007-7-24 6:29:6
C:/WINDOWS/system32/k11852332356.DAT | 2007-7-24 7:28:16
C:/WINDOWS/system32/k11852332367.DAT | 2007-7-24 7:28:18
C:/WINDOWS/system32/k11852332324.DAT | 2007-7-24 7:28:32
C:/WINDOWS/system32/k118523324010.DAT | 2007-7-24 7:29:22
C:/WINDOWS/system32/k118523324111.DAT | 2007-7-24 7:29:22
C:/WINDOWS/system32/Kvsc3.dll | 2007-7-24 8:27:42
C:/WINDOWS/system32/WinForm.dll | 2007-7-24 8:27:58
C:/WINDOWS/system32/k11852368526.DAT | 2007-7-24 8:28:34
C:/WINDOWS/system32/k11852368537.DAT | 2007-7-24 8:28:34
C:/WINDOWS/system32/TIMHost.dll | 2007-7-24 8:28:38
C:/WINDOWS/system32/k118523685811.DAT | 2007-7-24 8:29:40
C:/WINDOWS/system32/mybpri.dll | 2004-8-4 21:24:38
C:/PROGRA~1/baidu/bar/baidubar.dll | 2007-6-7 15:56:28 | BaiduBar Module | 2, 0, 2, 144 | BaiduBar Module | Copyright 2005 | 2, 0, 2, 144 | Baidu.com, Inc. | | BaiduBar | BaiduBar.DLL
C:/WINDOWS/RichDll.dll | 2007-7-24 9:4:40
C:/WINDOWS/system32/k11852404706.DAT | 2007-7-24 9:28:52
C:/WINDOWS/system32/k11852404717.DAT | 2007-7-24 9:28:54
C:/WINDOWS/system32/k118524047611.DAT | 2007-7-24 9:30:2
C:/Program Files/Common Files/Relive.dll | 2007-7-11 11:44:34 | Microsoft(R) Windows (R) TM | 5.00.1.0.2 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/LYMANGR.DLL | 2007-7-23 21:24:8
C:/WINDOWS/system32/mppds.dll | 2007-7-24 10:10:28
C:/WINDOWS/system32/cmdbcs.dll | 2007-7-24 10:10:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qjso1.dll | 2007-7-24 10:10:54
C:/WINDOWS/system32/ctfmon.exe * 1476 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/WINDOWS/system32/tllpri.dll | 2004-8-4 14:17:36
C:/WINDOWS/system32/k118520430110.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k11852042934.DAT | 2007-7-23 23:24:56
C:/WINDOWS/system32/k11852006714.DAT | 2007-7-23 22:24:34
C:/WINDOWS/system32/k118519706310.DAT | 2007-7-23 21:26:24
C:/WINDOWS/system32/k11851970597.DAT | 2007-7-23 21:25:22
C:/WINDOWS/system32/k11851970586.DAT | 2007-7-23 21:25:20
C:/WINDOWS/system32/k11851970564.DAT | 2007-7-23 21:24:18
C:/program files/internet explorer/iexplore.exe * 7336 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/k118520430110.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k11852042934.DAT | 2007-7-23 23:24:56
C:/WINDOWS/system32/k11852006714.DAT | 2007-7-23 22:24:34
C:/WINDOWS/system32/k118519706310.DAT | 2007-7-23 21:26:24
C:/WINDOWS/system32/k11851970597.DAT | 2007-7-23 21:25:22
C:/WINDOWS/system32/k11851970586.DAT | 2007-7-23 21:25:20
C:/WINDOWS/system32/k11851970564.DAT | 2007-7-23 21:24:18
C:/PROGRA~1/baidu/bar/baidubar.dll | 2007-6-7 15:56:28 | BaiduBar Module | 2, 0, 2, 144 | BaiduBar Module | Copyright 2005 | 2, 0, 2, 144 | Baidu.com, Inc. | | BaiduBar | BaiduBar.DLL
C:/Program Files/Common Files/Relive.dll | 2007-7-11 11:44:34 | Microsoft(R) Windows (R) TM | 5.00.1.0.2 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-20 18:11:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 22:30:26
C:/WINDOWS/system32/dhbpri.dll | 2004-8-4 22:32:0
C:/WINDOWS/system32/myapri1.dll | 2004-8-4 22:29:46
C:/WINDOWS/system32/tllpri.dll | 2004-8-4 14:17:36
C:/WINDOWS/system32/mybpri.dll | 2004-8-4 21:24:38
C:/WINDOWS/system32/TIMHost.dll | 2007-7-24 8:28:38
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/daso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wdso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/fyso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wlso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wmso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/jtso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/woso0.dll | 2007-7-23 21:24:10
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-7-23 21:24:10
C:/WINDOWS/RichDll.dll | 2007-7-24 9:4:40
C:/WINDOWS/system32/mppds.dll | 2007-7-24 10:10:28
C:/WINDOWS/Logo1_.exe * 6524 | 2007-7-24 10:10:20 | | 1.0.0.0 | | | 1.0.0.0 | | | |
C:/WINDOWS/Logo1_.exe | 2007-7-24 10:10:20 | | 1.0.0.0 | | | 1.0.0.0 | | | |
C:/WINDOWS/system32/jzdpri.dll | 2004-8-4 22:29:28
C:/WINDOWS/system32/k118520430110.DAT | 2007-7-23 23:27:8
C:/WINDOWS/system32/k11852042934.DAT | 2007-7-23 23:24:56
C:/WINDOWS/system32/k11852006714.DAT | 2007-7-23 22:24:34
C:/WINDOWS/system32/k118519706310.DAT | 2007-7-23 21:26:24
C:/WINDOWS/system32/k11851970597.DAT | 2007-7-23 21:25:22
C:/WINDOWS/system32/k11851970586.DAT | 2007-7-23 21:25:20
C:/WINDOWS/system32/k11851970564.DAT | 2007-7-23 21:24:18
O2 - BHO BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:/PROGRA~1/baidu/bar/baidubar.dll
O2 - BHO - {A1626E66-B26B-C628-A1DF-BDACCFA26EE1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {D3626E66-B13B-C628-ACDF-BDABCFA265E1} - C:/Program Files/Common Files/Relive.dll
O3 - IE工具栏: - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:/PROGRA~1/baidu/bar/baidubar.dll
O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso.exe
O4 - HKLM/../Run: [wosa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/woso.exe
O4 - HKLM/../Run: [ztsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso.exe
O4 - HKLM/../Run: [jtsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/jtso.exe
O4 - HKLM/../Run: [wlsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wlso.exe
O4 - HKLM/../Run: [wgsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgso.exe
O4 - HKLM/../Run: [wmsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wmso.exe
O4 - HKLM/../Run: [fysa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/fyso.exe
O4 - HKLM/../Run: [qjsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qjso.exe
O4 - HKLM/../Run: [rxsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso.exe
O4 - HKLM/../Run: [wdsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wdso.exe
O4 - HKLM/../Run: [tlsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tlso.exe
O4 - HKLM/../Run: [dasa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/daso.exe
O4 - HKLM/../Run: [zxsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/zxso.exe
O4 - HKLM/../Run: [dsadlsa14] C:/WINDOWS/system32/dsakfsak14.exe
O4 - HKLM/../Run: [load] C:/WINDOWS/uninstall/rundl132.exe
O4 - HKLM/../Run: [Kvsc3] C:/WINDOWS/Kvsc3.exe
O4 - HKLM/../Run: [mppds] C:/WINDOWS/mppds.exe
O4 - HKLM/../Run: [WinForm] C:/WINDOWS/WinForm.exe
O4 - HKLM/../Run: [TIMHost] C:/WINDOWS/TIMHost.exe
O4 - HKLM/../Run: [cmdbcs] C:/WINDOWS/cmdbcs.exe
O4 - HKLM/../Run: [upxdnd] C:/WINDOWS/upxdnd.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDEG32] LYLoader.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDOG32] LYLoador.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDSG32] LYLoadar.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDQG32] LYLoadqr.exe
C:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
D:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
E:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
O20 - AppInit_DLLs: mybpri.dll
O23 - 服务: 3CC81B56 (3CC81B56) - C:/WINDOWS/system32/70C59D59.EXE -3CC81B56 | 2007-7-24 9:30:2 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?(自动)
O23 - 服务: 8810C4E6 (8810C4E6) - C:/WINDOWS/system32/27E3671A.EXE -k | 2007-7-14 21:33:0 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?(自动)
O23 - 服务: WindowsDown (Windows_SystemDown) - C:/WINDOWS/system32/servet.exe | 2007-7-22 15:20:28(自动)
O23 - 服务: WZCSRVC (Wireless Service) - C:/WINDOWS/system32/rundll32.exe netsrvcs.dll,input(自动)
O24 - ShlExecHook: [] - {0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [4] - {459AFD5B-159F-ACD8-954C-ACD545FA6584} = C:/WINDOWS/system32/jzdpri.dll
O24 - ShlExecHook: [2] - {252D2432-37A2-324F-2A54-21BF5CF2F1A2} = C:/WINDOWS/system32/jhapri.dll
O24 - ShlExecHook: [2] - {22311A42-AC1B-158F-FD32-5674345F23A2} = C:/WINDOWS/system32/dhbpri.dll
O24 - ShlExecHook: [1] - {1562452F-FA36-BA4F-892A-FF5FBBAC5311} = C:/WINDOWS/system32/myapri1.dll
O24 - ShlExecHook: [1] - {112BC423-3713-224D-3F55-32B35C62B111} = C:/WINDOWS/system32/tllpri.dll
O24 - ShlExecHook: [2] - {2562452F-FA36-BA4F-892A-FF5FBBAC5312} = C:/WINDOWS/system32/mybpri.dll
O24 - ShlExecHook: [] - 0CCE6E12-C2EC-56CD+1A62-AE3FD6EF56E6} = C:/Program Files/Internet Explorer/msvcrt.dll
HKLM/SHOWALL 值非1
===/
Many of the items are similar to the case handled the day before yesterday.