收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 软件区 解疑答难区 杀软打不开.打开后自动关闭
返回列表 发新帖
查看: 2047|回复: 8
收起左侧

[已解决] 杀软打不开.打开后自动关闭

 关闭 [复制链接]
zmhuaxia
发表于 2007-7-30 00:27:49 | 显示全部楼层 |阅读模式
主页被改成了:http://www.8749.com/



启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\System32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
==================================
启动文件夹
N/A
==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
==================================
驱动程序
[AliIde / AliIde][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[CmdIde / CmdIde][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[Vinyl AC'97 Audio Controller (WDM) / VIAudio][Running/Manual Start]
  <system32\drivers\viaudios.sys><VIA Technologies, Inc.>
==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <F:\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {B69F34DC-F0F9-42DC-9EDD-957187DA688D} <F:\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[NavigatMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <D:\360safe\safemon\safemon.dll, >
[PhotoDraw Class]
  {2375BEE5-F175-4F1C-81EC-8E4E2E72E2DD} <C:\WINDOWS\system32\QQPhotoDraw.dll, TENCENT>
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <F:\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[PhotoDraw Class]
  {2375BEE5-F175-4F1C-81EC-8E4E2E72E2DD} <C:\WINDOWS\system32\QQPhotoDraw.dll, TENCENT>
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <F:\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[360SafeLive]
  {87515F61-A66C-4319-A0E0-D416CB8059E3} <D:\360safe\live.dll, 360safe.com>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[Thunder Browser Helper]
  {B69F34DC-F0F9-42DC-9EDD-957187DA688D} <F:\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[NavigatMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <D:\360safe\safemon\safemon.dll, >
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[使用迅雷下载]
  <F:\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <F:\Thunder\Program\getallurl.htm, N/A>
回复

举报

zmhuaxia
 楼主| 发表于 2007-7-30 00:28:26 | 显示全部楼层
==================================
正在运行的进程
[PID: 448 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 496 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 520 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 564 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 576 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 720 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 772 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 836 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 892 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 936 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 1728 / zbtckj][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\EGIOQ.dll]  [N/A, ]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\igfxpph.dll]  [Intel Corporation, 3.0.0.3818]
    [C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.3818]
    [C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.3818]
    [D:\abcd\a.dll]  [N/A, ]
    [F:\Thunder\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.2.9]
    [F:\Thunder\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 3, 11]
    [F:\Thunder\Components\ResWorker\DsBho_00.dll]  [, 1, 0, 0, 4]
    [F:\Thunder\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 6]
    [D:\360safe\safemon\safemon.dll]  [, 3, 5, 0, 1001]
[PID: 1868 / zbtckj][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\EGIOQ.dll]  [N/A, ]
    [D:\abcd\a.dll]  [N/A, ]
[PID: 2192 / zbtckj][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, ]
    [D:\abcd\a.dll]  [N/A, ]
    [C:\WINDOWS\system32\EGIOQ.dll]  [N/A, ]
    [C:\WINDOWS\system32\28isy.dll]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2932 / zbtckj][c:\Temp\Rar$EX00.274\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [D:\abcd\a.dll]  [N/A, ]
    [C:\WINDOWS\system32\EGIOQ.dll]  [N/A, ]
    [C:\WINDOWS\system32\28isy.dll]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [c:\Temp\Rar$EX00.274\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
125.91.1.20 www.37021.net
125.91.1.20 37021.net
125.91.1.20 5235.net
125.91.1.20 www.5235.net
125.91.1.20 www.7255.com
125.91.1.20 www.2345.com
125.91.1.20 www.9991.com
125.91.1.20 www.haol23.net
125.91.1.20 www.kzdh.com
125.91.1.20 www.qu123.com
127.0.0.1 www.duba.net
127.0.0.1 duba.net
127.0.0.1 bbs.360safe.com
127.0.0.1 www.okbihoo.cn
127.0.0.1 okbihoo.cn

==================================
进程特权扫描
特殊特权被允许: SeDebugPrivilege [PID = 2192, C:\PROGRAM FILES\WINRAR\WINRAR.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2192, C:\PROGRAM FILES\WINRAR\WINRAR.EXE]

==================================
API HOOK
入口点错误:RegEnumValueA (危险等级: 高,  被下面模块所HOOK: D:\abcd\a.dll)
入口点错误:RegEnumValueW (危险等级: 高,  被下面模块所HOOK: D:\abcd\a.dll)

==================================
隐藏进程
N/A

==================================
回复

举报

shuipao
发表于 2007-7-30 02:43:41 | 显示全部楼层
**************以下分析报告由SREngLog分析助手提供******************

根据SREng扫描日志请按照如下步骤,尝试删除和修复

1.建议使用XDelBox删除以下文件:(XDelBox1.3下载)
使用说明:删除时复制所有要删除文件的路径,在待删除文件列表里点击右键选择从剪贴板导入,导入后在要删除文件上点击右键,选择立刻重启删除,电脑会重启进入DOS界面进行删除操作。运行xdelbox前最好卸载所有可移动存储介质(包括U盘,MP3,手机存储卡等)。

c:\windows\system32\egioq.dll
d:\abcd\a.dll

2.删除重启后使用SREng修复下面各项:

    系统修复-- HOSTS文件--重置

API HOOK
入口点错误:RegEnumValueA (危险等级: 高,  被下面模块所HOOK: D:\abcd\a.dll)
入口点错误:RegEnumValueW (危险等级: 高,  被下面模块所HOOK: D:\abcd\a.dll)

3.下载windows清理助手清理恶意软件
http://www.arswp.com/download/arswp2/arswp2.zip

**************以上分析报告由SREngLog分析助手提供******************
分析:shuipao
时间:2007-7-30
SREngLog分析助手 1.2 (20070420 更新 BY 草莽书生)

[ 本帖最后由 shuipao 于 2007-7-30 02:51 编辑 ]
回复

举报

foxhound
发表于 2007-7-30 07:56:48 | 显示全部楼层
您中了AV终结者~~~~~~~~~~~
回复

举报

danger
发表于 2007-7-30 09:06:47 | 显示全部楼层
好像是最新的流氓8749.。。。360好像有专杀。
回复

举报

ldy381898
发表于 2007-7-30 10:06:53 | 显示全部楼层
同意5楼
回复

举报

ldy381898
发表于 2007-7-30 10:07:36 | 显示全部楼层
这种情况还是重新装系统吧!
回复

举报

lcx7801
发表于 2007-7-30 10:18:29 | 显示全部楼层
恩恩
  滴却是中毒了
  最好就是从装系统了
  我前几天也是中了一个和一差不多的
  从装的时候要把每个硬盘都要格式化才行啊!!!
回复

举报

SONGBOWEN
发表于 2007-7-30 10:58:00 | 显示全部楼层
d:\abcd\a.dll线程插入了Explorer,重启到安全模式删除之。
c:\windows\system32\egioq.dll
c:\windows\system32\28isy.dll
两个文件一并删除,然后清空HOSTS文件,清空临时文件夹(%Tmp%、%Temp%、%Windir%\Temp等目录),重启,试试看!
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-26 12:20 , Processed in 0.128919 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表