Wopti 流氓软件清除大师说我中了北斗搜索

景圣临

感染文件：
H:\autorun.inf
I:\autorun.inf
状态潜伏
清理后还报.
那是我帝国三安装盘虚拟的.
怎么清除?

H:
[autorun]
open=autorun.exe
icon=autorun.exe
Name=AOE III TW Disk 1

shell\setup=&Install Age of Empires III - The WarChiefs
shell\setup\command=setup.exe


I:
[autorun]
open=autorun.exe
icon=autorun.exe
Name=AOE III Disk 1

shell\setup=&Install Age of Empires III
shell\setup\command=setup.exe

shell\directx=Install &DirectX 9.0c
shell\directx\command=DirectX9\dxsetup.exe

诊断报告:
诊断时间: 2007-01-09  17:30:29
诊断平台: Microsoft Windows XP  Service Pack 1
IE版本: Internet Explorer V6.0.2800.1106 Build:62800.1106
计算机物理内存:1023MB - 当前可用内存:758MB

100 - 未知 - Process: MemorySaviour.exe [] - D:\工具\MemorySaviour_1_0\MemorySaviour.exe
R0 - 未知 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ngohq.com
O4 - 未知 - HKLM\..\Run: [Memory Saviour] [] D:\工具\MemorySaviour_1_0\MemorySaviour.exe /autorun
O8 - 未知 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O23 - 未知 - Service: UxTuneUp [Allows for the use of designs without a Microsoft Visual Style signature.] - C:\WINDOWS\System32\uxtuneup.dll - (running)
O23 - 未知 - Service: WINLOGON [Windows NT Logon Application] -  - (not running)

=======================================

100 - 安全 - Process: smss.exe [进程为会话管理子系统用以初始化系统变量，ms-dos驱动名称类似lpt1以及com，调用win32壳子系统和运行在windows登陆过程。] - C:\WINDOWS\System32\smss.exe
100 - 安全 - Process: csrss.exe [客户端服务子系统，用以控制windows图形相关子系统。] - C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=base
100 - 安全 - Process: winlogon.exe [windows nt用户登陆程序。] - C:\WINDOWS\system32\winlogon.exe
100 - 安全 - Process: services.exe [用于管理windows服务系统进程。] - C:\WINDOWS\system32\services.exe
100 - 安全 - Process: lsass.exe [本地安全权限服务控制windows安全机制。] - C:\WINDOWS\system32\lsass.exe
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINDOWS\system32\svchost -k rpcss
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINDOWS\System32\svchost.exe -k netsvcs
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINDOWS\System32\svchost.exe -k NetworkService
100 - 安全 - Process: explorer.exe [windows program manager或者windows explorer用于控制windows图形shell，包括开始菜单、任务栏，桌面和文件管理。] - C:\WINDOWS\Explorer.EXE
100 - 安全 - Process: avp.exe [卡巴斯基杀毒软件相关程序。] -
100 - 安全 - Process: ctfmon.exe [office xp输入法图标。] - C:\WINDOWS\System32\ctfmon.exe
100 - 安全 - Process: avp.exe [卡巴斯基杀毒软件相关程序。] -
100 - 安全 - Process: firefox.exe [mozilla firefox浏览器相关程序，支持弹出广告拦截。] - C:\Program Files\Mozilla Firefox\firefox.exe
100 - 安全 - Process: 360Safe.exe [360安全卫士相关程序。] - C:\Program Files\360safe\360Safe.exe
R1 - 安全 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
O3 - 安全 - Toolbar: (电台(&R)) - [是Windows Media Player播放器ActiveX控制相关文件。] - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - 安全 - HKLM\..\Run: [IMJPMIG8.1] [微软Microsoft输入法编辑器程序。] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 安全 - HKLM\..\Run: [PHIME2002ASync] [输入法软件相关程序。] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 安全 - HKLM\..\Run: [PHIME2002A] [输入法软件相关程序。] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 安全 - HKLM\..\Run: [AVP] [卡巴斯基杀毒软件相关程序。] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - 安全 - HKCU\..\Run: [ctfmon.exe] [office xp输入法图标。] C:\WINDOWS\System32\ctfmon.exe
O9 - 安全 - Extra button: 卡巴斯基Web反病毒保护插件(HKLM) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O23 - 安全 - Service: AVP [卡巴斯基杀毒软件相关程序。] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe -r - (running)
O23 - 安全 - Service: NVSvc [是NVIDIA显示卡相关程序。] - C:\WINDOWS\System32\nvsvc32.exe - (not running)

=======================================

O40 - csrss.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - winlogon.exe - Kaspersky Lab - C:\WINDOWS\System32\klogon.dll - Logon Visualizer - 3f97f0f4a9a6d21a1a496c1d8fe84e4e
O40 - winlogon.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - services.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - lsass.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - svchost.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - svchost.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - svchost.exe - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll - kldialhk - 2dc2daa4bac26ca334b982de709e4064
O40 - svchost.exe -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - Explorer.EXE - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scrchpg.dll - Script Checker - e4f4b2a19754604fce54d33ac326cc1a
O40 - Explorer.EXE -  - D:\工具\MemorySaviour_1_0\ClnMem.dll -  - 07e0cb83698048fc1ecbe98acdd9dfc7
O40 - Explorer.EXE - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll - kldialhk - 2dc2daa4bac26ca334b982de709e4064

=======================================

O41 - AvgAsCln - AVG7 Clean Driver - C:\WINDOWS\system32\drivers\AvgAsCln.sys - (running) - AVG7 Clean Driver - GRISOFT, s.r.o. - 6d4a1da6e6d522b3ebbcbff4a3589ec5
O41 - kl1 - Kaspersky Unified Driver - C:\WINDOWS\system32\drivers\kl1.sys - (running) - Kaspersky Unified Driver - Kaspersky Lab - bc02a8e0dd5dc266e5cc3636dd454403
O41 - klif - spuper-ptor - C:\WINDOWS\system32\drivers\klif.sys - (running) - spuper-ptor - Kaspersky Lab - f0653e5e164123cad51edda22418c2a3
O41 - sptd - sptd - C:\WINDOWS\system32\drivers\sptd.sys - (running) -  -  -

=======================================
360Safe.exe=2.2.0.1004
AntiAdwa.dll=2.2.0.1000
AntiEng.dll=2.2.0.1000
AntiActi.dll=2.0.0.3000
CleanHis.dll=2.0.0.1001
safelive.exe=1.0.0.2007
live.dll=1.0.0.1011

是不是误报?

[ 本帖最后由 景圣临 于 2007-1-9 17:26 编辑 ]

丫头

感觉像中了ROSE病毒~~~

景圣临

卡巴&AVG均未报