系统出现新问题，开机提示出现windows无效映像

显示全部楼层 · 发表于 2007-5-30 16:08:25

正在运行的进程
[PID: 504][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 588][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 612][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4111]
[C:\WINDOWS\system32\klogon.dll]  [Kaspersky Lab, 6.0.0.299]
[C:\WINDOWS\system32\WgaLogon.dll]  [Microsoft Corporation, 1.7.0018.5]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 660][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\AppPatch\AcAdProc.dll]  [Microsoft Corporation, 5.1.2600.3008 (xpsp.061004-0027)]
[PID: 672][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 800][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4111]
[C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2496]
[PID: 852][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 912][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 976][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.374 (winmain(wmbla).070416-2057)]
[PID: 248][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[C:\WINDOWS\system32\ieframe.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\WPDShServiceObj.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\PortableDeviceTypes.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceApi.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scr_ch_pg.dll]  [Kaspersky Lab, 1.0.6.299]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll]  [Kaspersky Lab, 6.0.0.299]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl]  [Kaspersky Lab, 6.0.0.299]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
[f:\Program Files\Unlocker\UnlockerCOM.dll]  [N/A, ]
[C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll]  [Kaspersky Lab, 6.0.0.299]
[C:\WINDOWS\system32\mscoree.dll]  [Microsoft Corporation, 1.1.4322.573]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Shfusion.dll]  [Microsoft Corporation, 1.1.4322.573]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\msadp32.acm]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[F:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll]  [Thunder Networking Technologies,LTD, 5, 0, 1, 4]
[F:\Program Files\Microsoft Office\OFFICE11\msohev.dll]  [Microsoft Corporation, 11.0.5510]
[PID: 564][C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe]  [HP, 2.327.1.0]
[C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZR3211.dll]  [HP, 2.327.1.0]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 580][C:\Program Files\HP\hpcoretech\hpcmpmgr.exe]  [Hewlett-Packard Company, 2.1.1.0]
[C:\Program Files\HP\hpcoretech\HPVCR70.dll]  [Microsoft Corporation, 7.00.9466.0]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[C:\WINDOWS\system32\MSXML4.dll]  [Microsoft Corporation, 4.20.9841.0]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[PID: 116][C:\WINDOWS\system32\hphmon06.exe]  [Hewlett-Packard, 6,0,72]
[C:\WINDOWS\system32\hpzjrd01.dll]  [Hewlett Packard, 1, 0, 0, 4]
[C:\WINDOWS\system32\HPZJSN01.dll]  [Hewlett Packard Company, 1, 0, 0, 3]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 676][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 2484][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 2712][C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe]  [Microsoft Corporation, 4.100.313.1]
[C:\Program Files\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll]  [Microsoft Corporation, 4.100.313.1]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[PID: 3624][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\IEFRAME.dll]  [Microsoft Corporation, 7.00.6000.16441 (vista_gdr.070219-1500)]
[C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
[C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
[f:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[C:\WINDOWS\system32\IEUI.dll]  [Microsoft Corporation, 7.00.5730.11 (winmain(wmbla).061017-1135)]
[C:\WINDOWS\system32\xmllite.dll]  [Microsoft Corporation, 1.00.1018.0]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1    localhost

==================================
API HOOK
RVA  错误： LoadLibraryA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xF05BDB25)
RVA  错误： LoadLibraryExA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xF05BDD67)
RVA  错误： LoadLibraryExW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xF05BDF0B)
RVA  错误： LoadLibraryW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xF05BDC49)
RVA  错误： GetProcAddress (危险等级: 高,  被下面模块所HOOK: Dest Addr: 0xF05BDE8F)

==================================
隐藏进程
N/A

==================================

[/CODE]

显示全部楼层 · 发表于 2007-5-30 16:10:11

原帖由 batti 于 2007-5-30 15:58 发表
基本肯定是病毒
看看是不是注册表这个位置
HKEY_LOCALMACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\
有这个DLL
是的话是被印象劫持了

具体情况还是SRENG扫描个L ...

ls,注册表怎么看？还有我看不明白日志，不好意思

显示全部楼层 · 发表于 2007-5-31 08:53:20

删除
启动
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>

到安全模式,用SRENG看看启动里有没DYPS_R.DLL,有的话删除
以上没解决的话,开始-运行-REGEDIT,在注册表里查找DYPS_R.DLL,看是在哪些位置

显示全部楼层 · 发表于 2007-5-31 09:29:24

原帖由 angelecho 于 2007-5-26 19:05 发表
根本没有相关启动项
郁闷

认为直接在注册表中搜该DLL会比较好。看相关路径。
再者对启动项目。一大堆哦

。。是在有点自己的看法。最起码那个DUM开头的，我看到就不爽。是系统出某些错误时才有的。
看我启动项目

显示全部楼层 · 发表于 2007-5-31 11:08:08

晕，你怎么那么多奇怪的启动项
删除一些吧

显示全部楼层 · 发表于 2007-6-1 22:41:02

我找到注册表里的dyps_r了，可是看不懂，大家帮忙

[ 本帖最后由 angelecho 于 2007-6-1 22:49 编辑 ]

显示全部楼层 · 发表于 2007-6-1 22:43:30

原帖由 batti 于 2007-5-31 08:53 发表
删除
启动
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\

那个东西怎么删啊

，我不会

显示全部楼层 · 发表于 2007-6-3 08:54:52

在注册表里还发现了这个

显示全部楼层 · 发表于 2007-6-3 09:54:52

原帖由 angelecho 于 2007-6-3 08:54 发表
在注册表里还发现了这个

看你所搜索到的，在其他地方有没有相关路径。如果没有。建议你备份后全部删除。另外你的开机启动项，建议除了杀毒软件和ctfmon外，都取消。（当然对于你知道的你想运行也没什么）
注册表中开机启动的内容
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce 通过查找取消你不想启动的

msconfig启动中被取消的项目在注册表中的位置HKLM-SOFTWARE-MICROSOFT-Shared Tools-MSCONFIG下面的startupreg和startupfolder两个键值下面找清除！这下面的是完全可以安全删除的（为防止误删还是建议备份）。你别说想留着msconfig中的启动项目，什么时候方便了再钩上。我是看着那么多东西。。。。不爽。。你说呢！~！

显示全部楼层 · 发表于 2007-6-3 12:39:48

谢谢了，呵呵

[已解决] 系统出现新问题，开机提示出现windows无效映像

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源