风云小站 » 『 求助专区 』 » 也是木马问题!trojan/win32.pandex
本页主题: 也是木马问题!trojan/win32.pandex 打印 | 加为IE收藏 | 复制链接 | 收藏主题 | 上一主题 | 下一主题

275164185
级别: 新手上路


精华: 0
发帖: 117
威望: 67 点
风云币: 0 元
专家分: 0 分
在线时间:7(小时)
注册时间:2007-03-17
最后登录:2020-04-22

 也是木马问题!trojan/win32.pandex

trojan/win32.pandex
我也用360卫士杀了!
但重新开机又有了!
奇虎360安全卫士木马查杀历史报告

木马名称:Trojan/Win32.Pandex
路径:C:\WINDOWS\system32\WLCtrl32.dll
顶端 Posted: 2008-02-24 13:25 | [楼 主]
水蜜桃
退休中....
优秀斑竹奖 技术专家奖
级别: 风云元老


精华: 2
发帖: 4630
威望: 2074 点
风云币: 2314 元
专家分: 14 分
论坛群: ★桃源胜地★
在线时间:1507(小时)
注册时间:2007-05-03
最后登录:2018-03-14

 

安全模式下杀毒,或者是killbox等软件抑制其生成。

看到楼主发了好几个病毒求助帖,电脑似乎成了病毒库了,建议重新安装系统吧。
顶端 Posted: 2008-02-24 16:45 | 1 楼
sbkenshin
Network Engineer
级别: 风云精英


精华: 0
发帖: 644
威望: 1081 点
风云币: 156086 元
专家分: 0 分
在线时间:84(小时)
注册时间:2008-01-01
最后登录:2008-04-08

 

真想知道LZ平常上些什么网。

杀马的话推荐用AVG。360杀马能力不太强
顶端 Posted: 2008-02-24 16:50 | 2 楼
freelive
独自等待,悄悄离开~
级别: 风云精英


精华: 1
发帖: 1003
威望: 554 点
风云币: 154183 元
专家分: 5 分
在线时间:105(小时)
注册时间:2007-12-31
最后登录:2008-04-27

 

ms和昨天我的那帖类似,可能是[机器狗]病毒。

下载XDELBOX,使用方法:
使用时一定拔掉所有移动存储设备,一定要完全解压到一个文件夹里运行,不然可能有异常。
将下面的文件信息全部***,然后打开Xdelbox直接在下面大窗口的空白处,使用右键菜单的“剪贴板导入不检查路径”导入,并全选文件选择右键菜单的“立刻重启删除”

C:\WINDOWS\system32\WLCtrl32.dll


重启计算机以后 会有两个系统进入的选择的倒计时界面
第一个是你原来的windows系统
第二个是这个软件给你设定的dos系统
系统会自动选择进入第二个系统
类似dos的界面滚动完毕以后 病毒就被删除了

之后会自动重启进入正常模式
进入系统后,再做下面的:

删除:启动项目注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32]
<WinlogonNotify: WLCtrl32><WLCtrl32.dll>
本帖最近评分记录:
  • 风云币:+5(水蜜桃) 您的贴子很精彩!希望很 ..
  • 风云墙-荣誉会员

    其实一切与我无关~
    顶端 Posted: 2008-02-24 17:34 | 3 楼
    a1630016900
    级别: 资深会员


    精华: 0
    发帖: 2281
    威望: 1338 点
    风云币: 2119 元
    专家分: 0 分
    在线时间:383(小时)
    注册时间:2007-01-13
    最后登录:2008-04-28

     

    扫sreng日志可以看的全面一些  如果病毒太多建议重装
    顶端 Posted: 2008-02-24 18:07 | 4 楼
    yuliguo2001
    级别: 超级会员


    精华: 0
    发帖: 169
    威望: 1606 点
    风云币: 2085 元
    专家分: 0 分
    在线时间:45(小时)
    注册时间:2007-12-31
    最后登录:2008-04-21

     

    扫sreng日志上来吧
    顶端 Posted: 2008-02-25 10:24 | 5 楼
    275164185
    级别: 新手上路


    精华: 0
    发帖: 117
    威望: 67 点
    风云币: 0 元
    专家分: 0 分
    在线时间:7(小时)
    注册时间:2007-03-17
    最后登录:2020-04-22

     

    sreng日志怎么扫
    顶端 Posted: 2008-03-09 18:02 | 6 楼
    freelive
    独自等待,悄悄离开~
    级别: 风云精英


    精华: 1
    发帖: 1003
    威望: 554 点
    风云币: 154183 元
    专家分: 5 分
    在线时间:105(小时)
    注册时间:2007-12-31
    最后登录:2008-04-27

     

    描述:sreng
    图片:
    SRENG的官方下载地址:【2.5.16.900 版本】
    http://www.kztechs.com/sreng/download.html

    下载后双击运行 SREng,选择 "智能扫描","扫描","保存报告",然后把扫描后的SREng.log这个文件(就是所谓的“日志”)把其中的内容 ***到粘贴板(CTRL+A全选, CTRL+C***)。
    风云墙-荣誉会员

    其实一切与我无关~
    顶端 Posted: 2008-03-09 18:07 | 7 楼
    275164185
    级别: 新手上路


    精华: 0
    发帖: 117
    威望: 67 点
    风云币: 0 元
    专家分: 0 分
    在线时间:7(小时)
    注册时间:2007-03-17
    最后登录:2020-04-22

     

    [CODE]

    2008-03-10,15:05:58

    System Repair Engineer 2.5.16.900
    Smallfrogs (http://www.KZTechs.com)

    Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

    以下内容被选中:
        所有的启动项目(包括注册表、启动文件夹、服务等)
        浏览器加载项
        正在运行的进程(包括进程模块信息)
        文件关联
        Winsock 提供者
        Autorun.inf
        HOSTS 文件
        进程特权扫描


    启动项目
    注册表
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
        <KpopMon><C:\KAV6\KPopMon.EXE>  []
        <KAVRUN><C:\KAV6\KAVRUN.EXE>  [kingsoft]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <KAVRun><C:\KAV6\KAVRun.EXE>  [kingsoft]
        <KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        <ArSwp.exe><"F:\新建文件夹 (2)\arswp2\ArSwp.exe" /Auto>  [ArSwp.com]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
        <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><cru629.dat>  []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iebvss32]
        <WinlogonNotify: iebvss32><iebvss32.dll>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysfldr]
        <WinlogonNotify: sysfldr><sysfldr.dll>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32]
        <WinlogonNotify: WLCtrl32><WLCtrl32.dll>  []
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
        <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
        <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
        <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
        <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
        <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
        <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
        <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
        <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]

    ==================================
    启动文件夹
    N/A

    ==================================
    服务
    [Distributed Allocated Memory Unit / Distributed Allocated Memory Unit][Stopped/Auto Start]
      <><N/A>
    [FCI / FCI][Stopped/Auto Start]
      <C:\WINDOWS\System32\fci.exe><N/A>
    [Human Interface Device Access / HidServ][Stopped/Disabled]
      <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
    [Kingsoft AntiVirus Service / KAVSvc][Stopped/Auto Start]
      <C:\KAV6\KAVSvc.EXE><kingsoft Antivirus>
    [Kingsoft AntiVirus Service KAVSvcRasMan / KAVSvcRasMan][Stopped/Auto Start]
      <C:\WINDOWS\System32\usmtz.exe srv><N/A>
    [Kingsoft AntiVirus Service KAVSvcSchedule / KAVSvcSchedule][Stopped/Auto Start]
      <C:\WINDOWS\system32\mscmsl.exe srv><N/A>
    [Windows Installer MSIServerTlntSvr / MSIServerTlntSvr][Stopped/Auto Start]
      <C:\WINDOWS\system32\iask.exe srv><N/A>
    [NT LM Security Support Provider NtLmSspImapiService / NtLmSspImapiService][Stopped/Auto Start]
      <C:\WINDOWS\system32\1028i.exe srv><N/A>
    [Remote Procedure Call (RPC) RpcSsWmi / RpcSsWmi][Stopped/Auto Start]
      <C:\WINDOWS\System32\muib.exe srv><Microsoft Corporation>
    [Security Accounts Manager SamSsUPS / SamSsUPS][Stopped/Auto Start]
      <C:\WINDOWS\System32\Setupd.exe srv><Microsoft Corporation>
    [System Event Notification SENSNetDDEdsdm / SENSNetDDEdsdm][Stopped/Auto Start]
      <C:\WINDOWS\system32\1031t.exe srv><Microsoft Corporation>

    ==================================
    驱动程序
    [360AntiArp / 360AntiArp][Running/System Start]
      <\??\C:\WINDOWS\system32\drivers\360AntiArp.sys><奇虎网>
    [Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Stopped/Manual Start]
      <system32\drivers\ac97intc.sys><Intel Corporation>
    [Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
      <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
    [Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
      <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
    [AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
      <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
    [RAS Asynchronous Media Driver / CCDECODE][Stopped/Auto Start]
      <system32\DRIVERS\msconkt.sys><N/A>
    [diperto2322-39a0 / diperto2322-39a0][Running/Auto Start]
      <\??\C:\WINDOWS\system32\diperto2322-39a0.sys><N/A>
    [diperto3352-6256 / diperto3352-6256][Stopped/Auto Start]
      <\??\C:\WINDOWS\system32\diperto3352-6256.sys><N/A>
    [i81x / i81x][Stopped/Manual Start]
      <System32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
    [iAimFP0 / iAimFP0][Stopped/Manual Start]
      <System32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
    [iAimFP1 / iAimFP1][Stopped/Manual Start]
      <System32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
    [iAimFP2 / iAimFP2][Stopped/Manual Start]
      <System32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
    [iAimFP3 / iAimFP3][Stopped/Manual Start]
      <System32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
    [iAimFP4 / iAimFP4][Stopped/Manual Start]
      <System32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
    [iAimTV0 / iAimTV0][Stopped/Manual Start]
      <System32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
    [iAimTV1 / iAimTV1][Stopped/Manual Start]
      <System32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
    [iAimTV2 / iAimTV2][Stopped/Manual Start]
      <System32\DRIVERS\wATV03nt.sys><N/A>
    [iAimTV3 / iAimTV3][Stopped/Manual Start]
      <System32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
    [iAimTV4 / iAimTV4][Stopped/Manual Start]
      <System32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
    [ialm / ialm][Running/Manual Start]
      <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
    [KAVBootC / KAVBootC][Running/Boot Start]
      <\SystemRoot\system32\Drivers\KAVBootC.sys><Kingsoft Corporation>
    [KAVSafe / KAVSafe][Running/Auto Start]
      <\??\C:\WINDOWS\System32\Drivers\KAVSafe.sys><Kingsoft Corporation>
    [KWatch / KWatch][Stopped/Manual Start]
      <\??\C:\WINDOWS\System32\drivers\KWatch.Sys><Kingsoft Corporation>
    [KWatch2 / KWatch2][Stopped/Manual Start]
      <\??\C:\WINDOWS\System32\drivers\KWatch2.sys><Kingsoft Antivirus>
    [mp3 audio / mp32][Stopped/System Start]
      <\??\C:\WINDOWS\System32\mp32s.sys><N/A>
    [npkcrypt / npkcrypt][Stopped/Manual Start]
      <\??\C:\WINDOWS\system32\npkcrypt.sys><N/A>
    [npkycryp / npkycryp][Stopped/Manual Start]
      <\??\C:\WINDOWS\system32\npkycryp.sys><N/A>
    [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
      <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
      <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
    [Secdrv / Secdrv][Stopped/Manual Start]
      <System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
    [symavc32 / symavc32][Stopped/Auto Start]
      <\??\C:\WINDOWS\system32\drivers\symavc32.sys><N/A>
    [TesSafe / TesSafe][Stopped/Manual Start]
      <\??\C:\WINDOWS\System32\TesSafe.sys><TENCENT>
    [Vdj64 / Vdj64][Running/Boot Start]
      <\SystemRoot\System32\Drivers\Vdj64.sys><N/A>
    [xzzlgtlv / xzzlgtlv][Running/Boot Start]
      <\SystemRoot\system32\drivers\nucckxmz.dat><N/A>
    [ytz / ytzw][Stopped/Boot Start]
      <\SystemRoot\System32\DRIVERS\ytzw.sys><N/A>
    [Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/System Start]
      <system32\drivers\ialmsbw.sys><Intel Corporation>
    [Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
      <system32\drivers\ialmkchw.sys><Intel Corporation>

    ==================================
    浏览器加载项
    [ThunderAtOnce Class]
      {01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
    [Thunder Browser Helper]
      {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
    [SafeMon Class]
      {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <C:\Program Files\360safe\safemon\safemon.dll, 奇虎网>
    [Messenger]
      {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
    [WUWebControl Class]
      {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9e.ocx, Adobe Systems, Inc.>
    [ThunderAtOnce Class]
      {01443AEC-0FD1-40FD-9C87-E93D1494C233} <D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
    [DHTML Edit Control Safe for Scripting for IE5]
      {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
    [COM+ Service]
      {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} <C:\WINDOWS\system32\winload.dll, N/A>
    [H]
      {3F6D54BB-34EE-4469-B094-86B09E53BCF8} <C:\WINDOWS\system32\down1.dll, N/A>
    [XML Document]
      {48123BC4-99D9-11D1-A6B3-00C04FD91555} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
    [Thunder Agent Class]
      {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
    [Yahoo Toolbar]
      {54C7D1DD-4296-451E-B756-1E94F665B4FF} <C:\WINDOWS\system32\yatool.dll, N/A>
    [XMP Class]
      {6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
    [XDRM]
      {693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
    [Windows Media Player]
      {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [360SafeLive]
      {87515F61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\360safe\live.dll, 360safe.com>
    [Thunder Browser Helper]
      {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
    [RMGetLicense Class]
      {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\System32\msnetobj.dll, Microsoft Corporation>
    [Microsoft Scriptlet Component]
      {AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
    [SearchAssistantOC]
      {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
    [SafeMon Class]
      {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <C:\Program Files\360safe\safemon\safemon.dll, 奇虎网>
    [RDS.DataSpace]
      {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9e.ocx, Adobe Systems, Inc.>
    []
      {E1FC9760-7B95-49CD-80B9-8C9E41017B93} <C:\KAV6\KAVEXT.DLL, Kingsoft Corp.>
    [PasswordEditCtrl Class]
      {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:\WINDOWS\System32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司>
    [XPPlayer Class]
      {F3E70CEA-956E-49CC-B444-73AFE593AD7F} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\pplayer.dll_1_work, Thunder>
    [使用迅雷下载]
      <D:\Program Files\Thunder Network\Thunder\Program\geturl.htm, N/A>
    [使用迅雷下载全部链接]
      <D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm, N/A>

    ==================================
    正在运行的进程
    [PID: 448][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 540][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 588][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\WINDOWS\system32\WLCtrl32.dll]  [N/A, ]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 656][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 668][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 848][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 900][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 988][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1120][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1192][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1404][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 2012][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 596][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 800][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 964][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1104][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 628][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1096][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 1100][C:\KAV6\KPopMon.EXE]  [, 2004, 2, 2, 31]
        [C:\KAV6\KAVMLM.DLL]  [Kingsoft Corporation, 2003.11.12.10]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 1216][C:\KAV6\KWatchUI.EXE]  [, 2004.1.6.119]
        [C:\KAV6\kavcomm.dll]  [Kingsoft Corporation, 2003, 11, 12, 66]
        [C:\KAV6\kavdlg.dll]  [, 2004.7.20.81]
        [C:\KAV6\KAVMLM.DLL]  [Kingsoft Corporation, 2003.11.12.10]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 260][C:\KAV6\MailMon.EXE]  [Kingsoft Co., Ltd, 2004, 2, 6, 245]
        [C:\KAV6\KMFilter.DLL]  [, 2004, 3, 1, 37]
        [C:\KAV6\parse822.dll]  [Quiksoft Corporation, 2, 0, 0, 9]
        [C:\KAV6\MFC42.DLL]  [Microsoft Corporation, 6.00.8665.0]
        [C:\KAV6\KAVLogFn.dll]  [, 2003, 11, 26, 16]
        [C:\KAV6\KAVMLM.DLL]  [Kingsoft Corporation, 2003.11.12.10]
        [C:\KAV6\KAMsgBox.DLL]  [, 2002.9.27.30]
        [C:\KAV6\KAVComm.dll]  [Kingsoft Corporation, 2003, 11, 12, 66]
        [C:\KAV6\RpcBrge.DLL]  [kingsoft, 2003, 11, 12, 64]
        [C:\KAV6\KAVDlg.DLL]  [, 2004.7.20.81]
        [C:\KAV6\KAECall.DLL]  [Kingsoft Corporation, 2003, 11, 14, 66]
        [C:\KAV6\KAEScan.DLL]  [Kingsoft Corp., 2003, 5, 24, 36]
        [C:\KAV6\KAEPlat.DLL]  [Kingsoft Corp., 2005, 12, 29, 56]
        [C:\KAV6\KAEMem.DAT]  [Kingsoft, 2006, 4, 12, 13]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 1920][C:\KAV6\KAVPlus.EXE]  [, 2004, 3, 3, 71]
        [C:\KAV6\MFC42.DLL]  [Microsoft Corporation, 6.00.8665.0]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
    [PID: 404][F:\新建文件夹 (6)\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
        [C:\KAV6\KMailFun.dll]  [Kingsoft Co., Ltd, 2005, 4, 28, 227]
        [F:\新建文件夹 (6)\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
        [F:\新建文件夹 (6)\Plugins\NTFSTREAM.SRE]  [Smallfrogs Studio, 1, 0, 0, 5]
    [PID: 944][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 972][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 360][C:\WINDOWS\TEMP\BNB.tmp]  [N/A, ]
    [PID: 388][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.5.16]
        [D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 8, 55]
        [D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll]  [, 1, 0, 0, 12]
        [D:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 13]
        [C:\Program Files\360safe\safemon\safemon.dll]  [奇虎网, 4, 0, 3, 1003]
    [PID: 1928][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

    ==================================
    文件关联
    .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE  OK. ["%1" %*]
    .COM  OK. ["%1" %*]
    .PIF  OK. ["%1" %*]
    .REG  OK. [regedit.exe "%1"]
    .BAT  OK. ["%1" %*]
    .SCR  OK. ["%1" /S]
    .CHM  OK. ["C:\WINDOWS\hh.exe" %1]
    .HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
    .INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .LNK  OK. [{00021401-0000-0000-C000-000000000046}]

    ==================================
    Winsock 提供者
    N/A

    ==================================
    Autorun.inf
    N/A

    ==================================
    HOSTS 文件
    N/A

    ==================================
    进程特权扫描
    特殊特权被允许: SeDebugPrivilege [PID = 260, C:\KAV6\MAILMON.EXE]
    特殊特权被允许: SeLoadDriverPrivilege [PID = 360, C:\WINDOWS\TEMP\BNB.TMP]

    ==================================
    API HOOK
    入口点错误:LoadLibraryExW (危险等级: 高,  被下面模块所HOOK: C:\KAV6\KMailFun.dll)

    ==================================
    隐藏进程
    N/A

    ==================================


    [/CODE]
    顶端 Posted: 2008-03-10 15:06 | 8 楼
    275164185
    级别: 新手上路


    精华: 0
    发帖: 117
    威望: 67 点
    风云币: 0 元
    专家分: 0 分
    在线时间:7(小时)
    注册时间:2007-03-17
    最后登录:2020-04-22

     

    大家帮帮忙啊!有什么木马啊!怎么杀!
    顶端 Posted: 2008-03-10 15:07 | 9 楼
    freelive
    独自等待,悄悄离开~
    级别: 风云精英


    精华: 1
    发帖: 1003
    威望: 554 点
    风云币: 154183 元
    专家分: 5 分
    在线时间:105(小时)
    注册时间:2007-12-31
    最后登录:2008-04-27

     

    1、木马文件的自启动注册表位置:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32]
        <WinlogonNotify: WLCtrl32><WLCtrl32.dll>  []

    找到注册表得这个位置,删除上面得键值。

    2、木马文件得实际存储位置:
    [PID: 588][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\WINDOWS\system32\WLCtrl32.dll]  [N/A, ]

    文件夹选项-全部文件显示【包括系统保护得文件】
    找到实际得文件,彻底删除。

    注:操作前可能需要你去 任务管理器 强制结束进程[winlogon.exe]。如果不行,可能会提示禁止。

    可以去安全模式尝试一下。

    另:相关得专杀工具也不错哦~

    风云墙-荣誉会员

    其实一切与我无关~
    顶端 Posted: 2008-03-10 15:33 | 10 楼
    freelive
    独自等待,悄悄离开~
    级别: 风云精英


    精华: 1
    发帖: 1003
    威望: 554 点
    风云币: 154183 元
    专家分: 5 分
    在线时间:105(小时)
    注册时间:2007-12-31
    最后登录:2008-04-27

     

    如果无法彻底删除,可以尝试文件粉碎。

    另:LZ集中在1个求助帖子里面就好了,这样便于解决问题~

    风云墙-荣誉会员

    其实一切与我无关~
    顶端 Posted: 2008-03-10 15:54 | 11 楼
    帖子浏览记录 版块浏览记录
    风云小站 » 『 求助专区 』
    感谢,曾经的版主
    Total 0.011866(s) query 6, Time now is:12-22 20:15, Gzip enabled 渝ICP备20004412号-1

    Powered by PHPWind v6.3.2 Certificate Code © 2003-07 PHPWind.com Corporation
    Skin by Chen Bo