飘云阁

(Original) The real explanation of rouge clean and the kksiautorun malicious plug-in~~

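    Posted on 2007-12-28 23:33:54
    The real explanation of rouge clean and the kksiautorun malicious plug-in~~ original post~~
    PS: As a former PYG member, I'm dropping by here too~~ haha~~~
    Today I saw that rouge clean had been updated again (2.77b015, currently the latest)~~ I ran a scan with it and it said I had two pieces of malware:

    1 Unknown malware    Risk 3

    2 KKSIAUTORUN    Risk 4

    These two items were there before as well, and repeated clean-ups never worked, so I wanted to figure out what on earth they are.

    I checked with Windows清理助手 (ARSwp) and found nothing; it had of course been updated to the latest version too~~

    With 金山清理专家, malware scan~~~nothing~~~

    With 360安全卫士, updated to the latest version, I ran the trojan scan and the malware scan~~~nothing~~~

    With AVG antispyware 7.5143, updated to the latest version, quick system scan~~~nothing~~~

    With remove it pro 4.0, updated to the latest version~~ it actually found two things~~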

    !Infected internat.exe=;e:\windows\system32\;sys32.internat;2061f6ff47f6938d95c18e3a1a8cf7e2;21264;Ok;
    !Infected isun0804.exe=;e:\windows\;sys32.isun0804;55b1518574cd43213aa67b40805077b5;299520;Ok;

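    Of course, I cleaned up these two items; what you see above is part of the log after cleaning.

    I scanned with Advanced Spyware Remover pro; its virus database is dated 10.27 and there is no newer update~~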

    Advanced Spyware Remover Scan Report
    Program Version Info: v1.98 Registered to king
    Generated on 2007-12-27 20:37:18
    Operation System: Windows XP
    HomePage: www.Evonsoft.com
    Technical Support: support@evonsoft.com
    ------------

    Infection Type            Object Name                                Risk   Entry
    Cache Tracking Cookie          Red Sheriff    Low   Cookie:king@imrworldwide.com/cgi-bin

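    It didn't find that so-called whatever-it-is~~~

    With the free version of 绿鹰PC万能精灵 5.80, a scan of system32 found~~

    trojan.delf-2177 in wextract.exe under system32. Does that mean this is a trojan? Since I wasn't sure, I scanned the file with ESS 3.0566 (virus database 2747, 12.25)~~~ no detection. Then I scanned it with the AntiVir (红伞) Classic edition with the 12.27 virus database: no detection~~ I updated the Dr.Web 4.33.4 virus database and scanned~~ clean~~

    With the cracked version of 木马克星, scanning the system files, I got:
    e:\windows\microsoft.net\framework\v2.0.50727\webdev.webserver.exe 怀疑木马83.
    E:\WINDOWS\system32\userinit.exe 怀疑为木马.———— a Windows XP system file
    E:\WINDOWS\system32\genman.dll 怀疑为木马.
    E:\WINDOWS\system32\upimlib.dll 怀疑为传奇木马___ a 紫光输入法 (input method) component
    E:\WINDOWS\system32\upimlib.dll 怀疑为传奇木马
    E:\WINDOWS\system32\whlb32g.dll 怀疑为木马.
    E:\WINDOWS 扫描完成.


    Scan with hijackthis: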

    Logfile of HijackThis v1.99.1
    Scan saved at 23:16:35, on 2007-12-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    E:\Program Files\ESET\ESET Smart Security\egui.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\SuperRam\superram.exe
    E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    E:\Program Files\ESET\ESET Smart Security\ekrn.exe
    E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    E:\WINDOWS\system32\nvsvc32.exe
    E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    M:\green software test\VMwareWorkstation-v6.0\vmnat.exe
    M:\green software test\VMwareWorkstation-v6.0\VMnetDHCP.exe
    E:\WINDOWS\system32\wscntfy.exe
    M:\green software test\removeit_pro\RemoveIT Pro v4\removeit.exe
    E:\Program Files\TheWorld 2.0\TheWorld.exe
    F:\soft\安全相关\安全分析软件\HijackThis.exe

    O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll
    O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - M:\green software test\FlashGet188\jccatch.dll
    O2 - BHO: Kingsoft Trojan Webshield - {4E8A5278-C04E-4FE3-BF78-8A7CCD6EF333} - E:\Program Files\Kingsoft Antispy\IEBuddy.DLL
    O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - E:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live 登录帮助程序 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - E:\Program Files\360safe\safemon\safemon.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Free Download Manager\iefdm2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] ; "H:\DAEMON Tools\daemon.exe" -lang 2052
    O4 - HKLM\..\Run: [IMSCMig] E:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] ; E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] ; "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google IME Autoupdater] ; "E:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
    O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [SpIDerMail] "M:\green software test\DrWeb4\spiderml.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SuperRam] E:\Program Files\SuperRam\superram.exe
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?SystemRoot%\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe
    O8 - Extra context menu item: &使用快车(FlashGet)下载 - M:\green software test\FlashGet188\jc_link.htm
    O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - M:\green software test\FlashGet188\jc_all.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: 使用迅雷下载 - E:\Program Files\Thunder\Program\geturl.htm
    O8 - Extra context menu item: 使用迅雷下载全部链接 - E:\Program Files\Thunder\Program\getallurl.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 用Free Download Manager下载全部项 - file://E:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: 用Free Download Manager下载所选项 - file://E:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: 用比特精灵下载(&B) - E:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: 转换为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: 转换选项为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换选项为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换链接目标为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 通过Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: 金山网页防挂马模块设置 - {3AECD3C1-7085-4731-96DC-47B6CF7EF749} - E:\Program Files\Kingsoft Antispy\IEBuddyExt.DLL
    O9 - Extra 'Tools' menuitem: 金山网页防挂马模块设置 - {3AECD3C1-7085-4731-96DC-47B6CF7EF749} - E:\Program Files\Kingsoft Antispy\IEBuddyExt.DLL
    O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - M:\green software test\FlashGet188\flashget.exe
    O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - M:\green software test\FlashGet188\flashget.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\espi11.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\espi11.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\espi11.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\espi11.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\espi11.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/ ... e.cab?1182280685218
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/ ... e.cab?1182280596968
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - E:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Virus Chaser Spider NT (SpiderNt) - Unknown owner - (no file)
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - M:\green software test\VMwareWorkstation-v6.0\VMnetDHCP.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - M:\green software test\VMwareWorkstation-v6.0\VMMount\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - M:\green software test\VMwareWorkstation-v6.0\vmnat.exe

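    Today I ran a scan with that Lavasoft adware scanner and it didn't seem to find any problems. So what is going on? Is it a false positive?

    360's security report, 2007-12-27 (Thursday) 23:22:
    各位高手: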
    非常感谢您留心我这份系统诊断报告,小菜鸟十万火急等待您的帮助!
    该诊断报告由360安全卫士提供 http://www.360safe.com
    诊断时间: 2007-12-27 23:20:38
    诊断平台: Microsoft Windows XP Service Pack 2
    IE版本: Internet Explorer V6.0.2900.2180 Build:62900.2180
    计算机物理内存:511.48MB - 当前可用内存:213.30MB

    100 - 未知 - Process: egui.exe [Eset GUI] - E:\Program Files\ESET\ESET Smart Security\egui.exe
    100 - 未知 - Process: superram.exe [SuperRam 狐狸少爷汉化版] - E:\Program Files\SuperRam\superram.exe
    100 - 未知 - Process: guard.exe [AVG Anti-Spyware guard] - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    100 - 未知 - Process: ekrn.exe [Eset Service] - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
    100 - 未知 - Process: sqlservr.exe [SQL Server Windows NT] - E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    100 - 未知 - Process: vmnat.exe [VMware NAT Service] - M:\green software test\VMwareWorkstation-v6.0\vmnat.exe
    100 - 未知 - Process: VMnetDHCP.exe [VMware VMnet DHCP service] - M:\green software test\VMwareWorkstation-v6.0\VMnetDHCP.exe
    100 - 未知 - Process: removeit.exe [] - M:\green software test\removeit_pro\RemoveIT Pro v4\removeit.exe
    100 - 未知 - Process: TheWorld.exe [TheWorld Browser] - E:\Program Files\TheWorld 2.0\TheWorld.exe
    R0 - 未知 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.haoda123.com/?sdhp
    O2 - 未知 - BHO: (ThunderAtOnce Class) - [迅雷浏览器高级特性支持模块] - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll
    O2 - 未知 - BHO: (Thunder Browser Helper) - [XunLeiBHO] - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll
    O2 - 未知 - BHO: (Kingsoft Trojan Webshield) - [Kingsoft Trojan Webshield] - {4E8A5278-C04E-4FE3-BF78-8A7CCD6EF333} - E:\Program Files\Kingsoft Antispy\IEBuddy.DLL
    O2 - 未知 - BHO: (Microsoft Web Test Recorder Helper) - [Microsoft Web Test Recorder Helper] - {62355041-605D-4469-84FD-5D66ED67A7E3} - E:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
    O2 - 未知 - BHO: (浏览器辅助对象(BHO)) - [无效的CLSID:{7E853D72-626A-48EC-A868-BA8D5E23E045}] - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
    O2 - 未知 - BHO: (Adobe PDF Conversion Toolbar Helper) - [Adobe IE plugin] - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - 未知 - BHO: (FDMIECookiesBHO Class) - [] - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Free Download Manager\iefdm2.dll
    O3 - 未知 - Toolbar: (Adobe PDF) - [Adobe IE plugin] - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - 未知 - HKLM\..\Run: [Google IME Autoupdater] [] ; "E:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
    O4 - 未知 - HKLM\..\Run: [egui] [Eset GUI] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - 未知 - HKLM\..\Run: [SpIDerMail] [SpIDer Mail ? for Windows Workstation] "M:\green software test\DrWeb4\spiderml.exe"
    O4 - 未知 - HKCU\..\Run: [SuperRam] [SuperRam 狐狸少爷汉化版] E:\Program Files\SuperRam\superram.exe
    O8 - 未知 - Extra context menu item: &使用快车(FlashGet)下载 - M:\green software test\FlashGet188\jc_link.htm
    O8 - 未知 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - M:\green software test\FlashGet188\jc_all.htm
    O8 - 未知 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - 未知 - Extra context menu item: 使用迅雷下载 - E:\Program Files\Thunder\Program\geturl.htm
    O8 - 未知 - Extra context menu item: 使用迅雷下载全部链接 - E:\Program Files\Thunder\Program\getallurl.htm
    O8 - 未知 - Extra context menu item: 用Free Download Manager下载全部项 - file://E:\Program Files\Free Download Manager\dlall.htm
    O8 - 未知 - Extra context menu item: 用Free Download Manager下载所选项 - file://E:\Program Files\Free Download Manager\dlselected.htm
    O8 - 未知 - Extra context menu item: 用比特精灵下载(&B) - E:\Program Files\BitSpirit\bsurl.htm
    O8 - 未知 - Extra context menu item: 设为 Messenger Live 头像 -
    O8 - 未知 - Extra context menu item: 转换为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - 未知 - Extra context menu item: 转换为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - 未知 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - 未知 - Extra context menu item: 转换选定的链接为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - 未知 - Extra context menu item: 转换选项为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - 未知 - Extra context menu item: 转换选项为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - 未知 - Extra context menu item: 转换链接目标为 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - 未知 - Extra context menu item: 转换链接目标为现有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - 未知 - Extra context menu item: 通过Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
    O9 - 未知 - Extra button: 金山网页防挂马模块设置(HKLM) - E:\Program Files\Kingsoft Antispy\IEBuddyExt.DLL
    O9 - 未知 - Extra button: 信息检索(HKLM) - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - 未知 - Extra button: 快车(FlashGet)(HKLM) - M:\green software test\FlashGet188\flashget.exe
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{6C8C43C8-F7A1-4C2A-A748-447F5A60B18E}]E:\WINDOWS\system32\DRWEBSP.DLL
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{D830CCED-0652-46B9-B556-99930525C120}]E:\WINDOWS\system32\DRWEBSP.DLL
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{57C6AA56-7C95-4B18-BE82-D29E7049ADFB}]E:\WINDOWS\system32\DRWEBSP.DLL
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{1BE1ECAC-47C8-4BC2-8F4C-618EDB8B8BE6}]E:\WINDOWS\system32\DRWEBSP.DLL
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{B827E68F-0D81-429B-ABF4-E9F7A3DB68E5}]E:\WINDOWS\system32\DRWEBSP.DLL
    O10 - 未知 - Winsock LSP: [ESPI] [{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}]E:\WINDOWS\system32\ESPI11.dll
    O10 - 未知 - Winsock LSP: [ESPI] [{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}]E:\WINDOWS\system32\ESPI11.dll
    O10 - 未知 - Winsock LSP: [ESPI] [{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}]E:\WINDOWS\system32\ESPI11.dll
    O10 - 未知 - Winsock LSP: [ESPI] [{9D60A9E0-337A-11D0-BD88-0000C082E69A}]E:\WINDOWS\system32\ESPI11.dll
    O10 - 未知 - Winsock LSP: [ESPI] [{9D60A9E0-337A-11D0-BD88-0000C082E69A}]E:\WINDOWS\system32\ESPI11.dll
    O10 - 未知 - Winsock LSP: [Dr.Web Winsock Provider Hook] [{F27D5FDD-1040-42DB-A6D7-3A9FFF83138C}]E:\WINDOWS\system32\DRWEBSP.DLL
    O16 - 未知 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl) - http://www.update.microsoft.com/ ... e.cab?1182280596968
    O18 - 未知 - Protocol: 电子书编译工具Web Compiler相关 - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - E:\WINDOWS\wc98pp.dll
    O18 - 未知 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O18 - 未知 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O21 - 未知 - Protocol Icons: HKCR\ftp\shell\open\command - "E:\Program Files\TheWorld 2.0\TheWorld.exe" "%1"
    O21 - 未知 - Protocol Icons: HKCR\https\shell\open\command - "E:\Program Files\TheWorld 2.0\TheWorld.exe" "%1"
    O21 - 未知 - Protocol Icons: HKCR\htmlfile\shell\open\command - "E:\Program Files\TheWorld 2.0\TheWorld.exe" "%1"
    O22 - 未知 - Filename Extention: .hta - mshta.exe "%1" %*
    O23 - 未知 - Service: EhttpSrv [Eset HTTP Server] - "E:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe" - (not running)
    O23 - 未知 - Service: ekrn [Eset Service] - "E:\Program Files\ESET\ESET Smart Security\ekrn.exe" - (running)
    O23 - 未知 - Service: FLEXnet Licensing Service [This service performs licensing functions on behalf of FLEXnet enabled products.] - "E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" - (not running)
    O23 - 未知 - Service: MSSQL$SQLEXPRESS [提供数据的存储、处理和受控访问,并提供快速的事务处理。] - "E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS - (running)
    O23 - 未知 - Service: NMIndexingService [NMIndexingService] - "E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" - (not running)
    O23 - 未知 - Service: SpiderNt [Anti Virus System - Virus Chaser] - - (not running)
    O23 - 未知 - Service: SQLBrowser [将 SQL Server 连接信息提供给客户端计算机。] - "E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" - (running)
    O23 - 未知 - Service: SQLWriter [提供通过 Windows VSS 基础结构备份/还原 Microsoft SQL server 的接口。] - "E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" - (running)
    O23 - 未知 - Service: usnjsvc [Messenger 上安装的启用共享情况的服务] - "E:\Program Files\Windows Live\Messenger\usnsvc.exe" - (not running)
    O23 - 未知 - Service: VMnetDHCP [VMware DHCP Service] - M:\green software test\VMwareWorkstation-v6.0\VMnetDHCP.exe - (running)
    O23 - 未知 - Service: vmount2 [VMware Virtual Mount Manager Extended] - M:\green software test\VMwareWorkstation-v6.0\VMMount\vmount2.exe - (not running)
    O23 - 未知 - Service: VMware NAT Service [VMware NAT Service] - M:\green software test\VMwareWorkstation-v6.0\vmnat.exe - (running)
    O23 - 未知 - Service: WLSetupSvc [Windows Live Setup Service] - "E:\Program Files\Windows Live\installer\WLSetupSvc.exe" - (not running)

    =======================================

    100 - 安全 - Process: smss.exe [进程为会话管理子系统用以初始化系统变量,ms-dos驱动名称类似lpt1以及com,调用win32壳子系统和运行在windows登陆过程。] - E:\WINDOWS\System32\smss.exe
    100 - 安全 - Process: csrss.exe [客户端服务子系统,用以控制windows图形相关子系统。] - E:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=base
    100 - 安全 - Process: winlogon.exe [windows nt用户登陆程序。] - E:\WINDOWS\system32\winlogon.exe
    100 - 安全 - Process: services.exe [用于管理windows服务系统进程。] - E:\WINDOWS\system32\services.exe
    100 - 安全 - Process: lsass.exe [本地安全权限服务控制windows安全机制。] - E:\WINDOWS\system32\lsass.exe
    100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - E:\WINDOWS\system32\svchost -k DcomLaunch
    100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - E:\WINDOWS\system32\svchost -k rpcss
    100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - E:\WINDOWS\System32\svchost.exe -k netsvcs
    100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - E:\WINDOWS\system32\svchost.exe -k NetworkService
    100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - E:\WINDOWS\system32\svchost.exe -k LocalService
    100 - 安全 - Process: explorer.exe [windows program manager或者windows explorer用于控制windows图形shell,包括开始菜单、任务栏,桌面和文件管理。] - E:\WINDOWS\Explorer.EXE
    100 - 安全 - Process: spoolsv.exe [windows打印任务控制程序,用以打印机就绪。] - E:\WINDOWS\system32\spoolsv.exe
    100 - 安全 - Process: soundman.exe [一个软声卡控制台软件。] - E:\WINDOWS\SOUNDMAN.EXE
    100 - 安全 - Process: acrotray.exe [acrobat distiller的一部分,用于打印pdf文档。] - E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    100 - 安全 - Process: ctfmon.exe [office xp输入法图标。] - E:\WINDOWS\system32\ctfmon.exe
    100 - 安全 - Process: MDM.EXE [debug除错管理用于调试应用程序和microsoft office中的microsoft script editor脚本编辑器。] - E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    100 - 安全 - Process: nvsvc32.exe [nvidia driver helper service在nvida显卡驱动中被安装。] - E:\WINDOWS\system32\nvsvc32.exe
    100 - 安全 - Process: sqlbrowser.exe [sql server数据库相关进程。] - E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    100 - 安全 - Process: sqlwriter.exe [sql server 相关进程。] - E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    100 - 安全 - Process: wdfmgr.exe [windows media player播放器相关程序。] - E:\WINDOWS\system32\wdfmgr.exe
    100 - 安全 - Process: wscntfy.exe [是microsoft windows安全系统和输出当前安全身份的一部分,用于其电脑的稳定性以及安全运行的。] - E:\WINDOWS\system32\wscntfy.exe
    100 - 安全 - Process: alg.exe [这是一个应用层网关服务用于网络共享。] - E:\WINDOWS\System32\alg.exe
    100 - 安全 - Process: notepad.exe [notepad字符编辑器用于打开文档。在windows中附带。] - E:\WINDOWS\system32\NOTEPAD.EXE
    100 - 安全 - Process: 360安全卫士诊断工具.exe [诊断报告工具] - F:\soft\安全相关\安全分析软件\CheckTool\CheckTool\360安全卫士诊断工具.exe
    R1 - 安全 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=E:\WINDOWS\system32\blank.htm
    R1 - 安全 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=E:\WINDOWS\system32\blank.htm
    O2 - 安全 - BHO: (Adobe PDF Reader Link Helper) - [Adobe Reader, 查看和打印 Adobe 便携文档格式 (PDF) 文件。] - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - 安全 - BHO: (FGCatchUrl) - [网际快车,支持下载后的文件管理] - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - M:\green software test\FlashGet188\jccatch.dll
    O2 - 安全 - BHO: (Windows Live 登录帮助程序) - [windows live多用户登陆助手相关插件。] - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - 安全 - HKLM\..\Run: [PHIME2002ASync] [输入法软件相关程序。] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - 安全 - HKLM\..\Run: [PHIME2002A] [输入法软件相关程序。] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - 安全 - HKLM\..\Run: [SoundMan] [Realtek声卡相关程序。] SOUNDMAN.EXE
    O4 - 安全 - HKLM\..\Run: [NvCplDaemon] [是NVIDIA显示卡相关动态链接库文件。] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - 安全 - HKLM\..\Run: [nwiz] [是NVidia的Nview特性相关程序。该程序用于用户对其特性进行配置,将桌面扩展到多台显示器上。 ] nwiz.exe /install
    O4 - 安全 - HKLM\..\Run: [NvMediaCenter] [是NVidia显示卡相关文件。] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - 安全 - HKLM\..\Run: [DAEMON Tools] [一款虚拟光驱工具。] ; "H:\DAEMON Tools\daemon.exe" -lang 2052
    O4 - 安全 - HKLM\..\Run: [IMSCMig] [微软拼音输入法安装工具。 ] E:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - 安全 - HKLM\..\Run: [Acrobat Assistant 7.0] [adobe公司出品的acrobat distiller软件,用于打印pdf文档。] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - 安全 - HKLM\..\Run: [ISUSPM Startup] [installshield安装包服务计划任务升级程序。] ; E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - 安全 - HKLM\..\Run: [ISUSScheduler] [installshield 公司出品的相关软件。] ; "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - 安全 - HKCU\..\Run: [ctfmon.exe] [office xp输入法图标。] E:\WINDOWS\system32\ctfmon.exe
    O4 - 安全 - HKCU\..\Run: [MsnMsgr] [微软msn即时通讯工具] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - 安全 - Startup folder: [Adobe Acrobat Speed Launcher.lnk] [Adobe Reader启动项相关程序。] E:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Acrobat Speed Launcher.lnk
    O8 - 安全 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - 安全 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (招商银行个人版) - https://site.cmbchina.com/download/CMBEdit.cab
    O16 - 安全 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (Windows升级工具V5) - http://www.update.microsoft.com/ ... e.cab?1182280685218
    O18 - 安全 - Protocol: OFFICE 相关 - {807553E5-5146-11D5-A672-00B0D022E945} - E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O18 - 安全 - Protocol: OFFICE 相关 - {32505114-5902-49B2-880A-1F7738E5A384} - E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    O23 - 安全 - Service: AVG Anti-Spyware Guard [一款杀毒软件AVG的相关服务。] - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe - (running)
    O23 - 安全 - Service: MSSQLServerADHelper [sql server,microsoft开发的企业级数据库相关程序。] - "E:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" - (not running)
    O23 - 安全 - Service: NVSvc [是NVIDIA显示卡相关程序。] - E:\WINDOWS\system32\nvsvc32.exe - (running)

    =======================================

    O31 - 未知 - Folder Menu: {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - "E:\Program Files\RedOffice 3.0\program\shlxthdl.dll" - - - - 0 -
    O31 - 未知 - Folder Menu: {F9DB5320-233E-11D1-9F84-707F02C10627} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - Adobe Systems, Inc. - PDF Shell Extension - 7.0.0.0 - 110592 - 4b0991cd076b617a2231b19a6663c1c9
    O31 - 未知 - SEApproved: {42071714-76d4-11d1-8b24-00a0c9068ff3} - deskpan.dll - - - - 0 -

    SecAnalyst (安全分析专家) report
    Thursday, 27 December 2007, 23:25
    #T0 SecAnalyst 分析报告 版本:0, 3, 2, 42
    #操作系统 : Microsoft Windows XP Professional Service Pack 2 (Build 2600) (CHS)
    #系统目录 : E:\WINDOWS\system32
    #浏览器   : Internet Explorer 6.0.2900.2180
    #生成时间 : 2007-12-27 23:25:3

    您的电脑整体安全风险为高(127分),可能已经被破坏,请尽快处理!

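    After the analysis by bark and 桃子cici, plus my sreng scan log, the hijackthis log, and scans with several antivirus and anti-trojan/anti-spyware tools, I have come to think this is a problem with rouge clean. If it is a registry entry, the software still cannot give a path for it, so what is the actual cause? A bug, or something else? The software itself is free, so there is no motive, and I downloaded it from Sina's download site, so there shouldn't be any problem there~~ I don't get it, I really don't get it~~ I wonder whether the software's author understands it~

    I searched on Baidu and saw that many people have run into similar problems. Indeed, 360 and that Windows Cleanup Assistant are no use either~~

    I found a suggestion to try usbkiller, that is, the USB drive firewall. OK, it cleaned everything up. In fact this KKautorun is neither a virus nor any kind of malware; it is something that some antivirus product left on the hard disk in advance to guard against autorun-type viruses. With that, the problem is fully understood~~ Looks like I wrongly blamed rougeclean earlier~~~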