启动程序里面有个{0EA66AD2-CF26-2E23-532B-B292E22F3266}是病毒吗?
发布网友
发布时间:2022-04-29 22:20
共3个回答
热心网友
时间:2023-10-09 17:09
下载 System Repair Engineer
http://www.kztechs.com/sreng/download.html
1 解压缩sreng2.zip
2 将SREng.exe运行.(若不能运行,把它改名了再运行!)
3 智能扫描--->扫描--->保存报告
4 把日志中的报告完整拷贝分段贴上来,不要修改
因为C盘我用还原卡保护了,先不让可疑的PegeFile自运行,结果如下:
[CODE]
2007-06-30,08:30:07
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Server Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<FlashPlayerUpdate><C:\WINNT\system32\Macromed\Flash\GetFlash.exe> [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<HotKeysCmds><C:\WINNT\system32\hkcmd.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SoundMan><soundman.exe> [Avance Logic, Inc.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<thunder_mini><C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe> [深圳市三代科技开发有限公司]
<TotalRecorderScheler><C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe> [High Criteria inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]
==================================
启动文件夹
N/A
==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
==================================
驱动程序
[Service for Avance AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ialm / ialm][Running/Manual Start]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconctor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
浏览器加载项
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINNT\system32\xunleibho_v4.dll, >
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&使用迷你迅雷下载]
<C:\Program Files\Sandai Technologies Inc\ThunderMini\geturl.htm, N/A>
==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[PID: 988][C:\WINNT\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3924]
[PID: 996][C:\WINNT\soundman.exe] [Avance Logic, Inc., 5, 0, 0, 0]
[PID: 1012][C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe] [深圳市三代科技开发有限公司, 1, 1, 0, 4]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[C:\Program Files\Sandai Technologies Inc\ThunderMini\boost_thread-vc6-mt-1_31.dll] [N/A, ]
[PID: 1020][C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe] [High Criteria inc., 4, 0, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTl.dll] [N/A, ]
[PID: 1028][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 1168][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[PID: 576][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[PID: 872][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
[/CODE]
现在让可疑的PegeFile自运行,结果如下:
[CODE]
2007-06-30,08:36:42
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Server Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<FlashPlayerUpdate><C:\WINNT\system32\Macromed\Flash\GetFlash.exe> [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IgfxTray><C:\WINNT\system32\igfxtray.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<HotKeysCmds><C:\WINNT\system32\hkcmd.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SoundMan><soundman.exe> [Avance Logic, Inc.]
<StormCodec_Helper><"C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
<thunder_mini><C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe> [深圳市三代科技开发有限公司]
<TotalRecorderScheler><C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe> [High Criteria inc.]
<WinForm><C:\WINNT\WinForm.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{0EA66AD2-CF26-2E23-532B-B292E22F3266}><C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll> []
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]
==================================
启动文件夹
N/A
==================================
服务
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINNT\system32\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
==================================
驱动程序
[Service for Avance AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[ialm / ialm][Running/Manual Start]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconctor Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
浏览器加载项
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINNT\system32\xunleibho_v4.dll, >
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&使用迷你迅雷下载]
<C:\Program Files\Sandai Technologies Inc\ThunderMini\geturl.htm, N/A>
==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 212][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6898]
[PID: 916][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\WINNT\system32\nwizAsktao.dll] [N/A, ]
[C:\WINNT\system32\dh2104.dll] [N/A, ]
[C:\WINNT\system32\nwizzhuxians.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[C:\WINNT\system32\TIMHost.dll] [N/A, ]
[PID: 988][C:\WINNT\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3924]
[C:\WINNT\system32\igfxres.dll] [Intel Corporation, 3.0.0.3924]
[PID: 996][C:\WINNT\soundman.exe] [Avance Logic, Inc., 5, 0, 0, 0]
[PID: 1012][C:\Program Files\Sandai Technologies Inc\ThunderMini\ThunderMini.exe] [深圳市三代科技开发有限公司, 1, 1, 0, 4]
[C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
[C:\Program Files\Sandai Technologies Inc\ThunderMini\boost_thread-vc6-mt-1_31.dll] [N/A, ]
[PID: 1020][C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe] [High Criteria inc., 4, 0, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\Program Files\HighCriteria\TotalRecorder\DrvTrNTl.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1028][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1168][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 576][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[C:\WINNT\system32\xunleibho_v4.dll] [, 4, 3, 2, 29]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\WINNT\system32\TIMHost.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[PID: 1264][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINNT\system32\DrvTrNTm.dll] [High Criteria inc., 4, 1, 0, 1]
[C:\WINNT\system32\DrvTrNTl.dll] [N/A, ]
[C:\WINNT\system32\windhcp.ocx] [N/A, ]
[C:\WINNT\system32\WinForm.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\WINNT\system32\ztinetzt.dll] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
[C:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[D:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[E:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[F:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[G:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
[/CODE]
热心网友
时间:2023-10-09 17:09
热心网友
时间:2023-10-09 17:10
或者你没忘记的话
很可能是
