Mirrored post. Source: 北邮人论坛 / security / #9628, synced 2007/4/16

[Help] How do I remove the trojan.mnless.kbx virus?

soshj96
2007/4/16 · 5 replies
Rising can't remove it; it keeps popping up "virus found" windows. HELP~~~
5 replies
hukt #1 · 2007/4/16
Have a look at the pinned thread first~ :)~
soshj96 #2 · 2007/4/18
There are no very obvious symptoms, but the virus alerts keep popping up, about two or three a second, until the system runs out of resources and freezes... Under C:\WINDOWS\system32 there are three files, bofang.dll, hbcmd.dll and lfrmewrk.exe, whose creation time matches the time of infection; they come back on their own after being deleted. After killing the lfrmewrk.exe and spoolsv.exe processes the alerts stop. At every boot the Rising monitor warns that explorer.exe wants to delete yvvsxs13 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I scanned with HijackThis; the report looks like this (spoolsv.exe already killed):

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:08:48, on 2007-4-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
d:\program files\rising\rfw\rfwsrv.exe
d:\program files\rising\rfw\RfwMain.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
D:\Program Files\Rising\Rav\RavTask.exe
D:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Tencent\QQ\QQ.exe
d:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\天网Maze\MazeSvr.exe
D:\Program Files\TheWorld 2.0\TheWorld.exe
D:\Program Files\Tencent\QQ\QZone\QZone.exe
D:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\WINDOWS\system32\NOTEPAD.EXE
d:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX03.000\HiJackThis_v2.exe

O2 - BHO: ThunderBHO - {077FD0C2-1291-4104-A356-41E36B252682} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - (no file)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - D:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - E:\游戏\浩方对战平台\GameClient.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O16 - DPF: {BAC112DD-C51E-4712-A622-77C1D8075072} (ChinaCache加速下载客户端) - http://p2spdownload.chinacache.com/p2spcp4ie.cab
O16 - DPF: {BF8C499A-AC6E-4F58-82EA-9E5FCC41C34B} (PicUploadCtrl Class) - http://tb.sogou.com/PicUpload.cab?pp
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CADopia License Manager - Unknown owner - D:\PROGRA~1\OrCAD_10.5\INTELL~1\LicenseManager\lmgrd.exe (file missing)
O23 - Service: error monitor (EmonSrv) - Unknown owner - C:\WINDOWS\system32\lfrmewrk.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - D:\Program Files\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
hukt #3 · 2007/4/18
O23 - Service: error monitor (EmonSrv) - Unknown owner - C:\WINDOWS\system32\lfrmewrk.exe
O16 - DPF: {BAC112DD-C51E-4712-A622-77C1D8075072} (ChinaCache加速下载客户端) - http://p2spdownload.chinacache.com/p2spcp4ie.cab
O16 - DPF: {BF8C499A-AC6E-4F58-82EA-9E5FCC41C34B} (PicUploadCtrl Class) - http://tb.sogou.com/PicUpload.cab?pp
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - (no file)

I didn't look at the processes and such too closely~ Also, to be safe, go over it with autoruns as well; you can hide the Microsoft entries first and then deal with whatever abnormal ones are left~
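The triage hukt does by eye above (pick out the O23 service with no publisher living in system32, the BHO loaded from system32, the orphaned BHO registrations, the ActiveX downloads) can be written down as rules and run over the log. The following is an added example, not code from the thread or from HijackThis: a small parser for the O2/O16/O23 line formats seen in the posted report, with a findings list built from the file names the poster and hukt tied to the infection. The sample log is a constructed excerpt of the lines posted above plus one vendor service and one ordinary O4 entry; the `WATCHLIST`, the rule wording and the `Finding` class are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis report posted in this
# thread (the O2/O16/O23 entries hukt singled out), plus one vendor service and
# one ordinary O4 entry so the rules have something benign to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: ThunderBHO - {077FD0C2-1291-4104-A356-41E36B252682} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - (no file)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {BAC112DD-C51E-4712-A622-77C1D8075072} (ChinaCache加速下载客户端) - http://p2spdownload.chinacache.com/p2spcp4ie.cab
O23 - Service: error monitor (EmonSrv) - Unknown owner - C:\WINDOWS\system32\lfrmewrk.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
"""

# Names this thread itself ties to the infection (poster's observations and
# autoruns output). Assumed watchlist for the example; any line naming one is flagged.
WATCHLIST = {"lfrmewrk.exe", "hbcmd.dll", "bofang.dll", "yvvsxs13", "szfggz87", "vupn.dll"}

# HijackThis line shapes as they appear in the posted report.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O23"
    subject: str   # entry name the finding is about
    reason: str    # why it was flagged


def _orphan(path: str) -> bool:
    """HijackThis marks registrations whose file is gone as (no file)/(file missing)."""
    p = path.strip()
    return p == "(no file)" or p.endswith("(file missing)")


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def _on_watchlist(text: str) -> bool:
    low = text.lower()
    return any(w in low for w in WATCHLIST)


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's triage rules to a HijackThis log and return the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        before = len(findings)
        if section == "O2" and (bm := O2_RE.match(body)):
            if _orphan(bm["path"]):
                findings.append(Finding(section, bm["name"],
                                        "orphaned BHO registration (DLL gone); harmless leftover, remove"))
            elif _in_system32(bm["path"]):
                findings.append(Finding(section, bm["name"],
                                        "BHO loaded from system32; real add-ons live under their own product directory"))
        elif section == "O23" and (sm := O23_RE.match(body)):
            if sm["owner"] == "Unknown owner" and _in_system32(sm["path"]) and not _orphan(sm["path"]):
                findings.append(Finding(section, sm["short"],
                                        "service with no publisher and a generic name, binary in system32; prime suspect"))
        elif section == "O16" and (dm := O16_RE.match(body)):
            findings.append(Finding(section, dm["name"],
                                    f"ActiveX fetched from {dm['url']}; remove unless deliberately installed"))
        # Catch-all: anything else that names a file already tied to the infection.
        if len(findings) == before and _on_watchlist(body):
            findings.append(Finding(section, body, "references a file this thread ties to the infection"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.subject}: {f.reason}")
```

Run against the sample it reports EmonSrv, the CPPIE Class BHO, the orphaned Ad Engine entry and the ChinaCache ActiveX, and stays quiet on ThunderBHO, SoundMan and the Rising service, which matches the entries hukt pulled out by hand. The O23 rule is the one that matters most here: a service with no publisher string, a throwaway display name like "error monitor", and an executable dropped straight into system32 is exactly the pattern of a persistence service, and the process list shows it running.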
hukt #4 · 2007/4/18
The main one should be that service~ the O23 one~
soshj96 #5 · 2007/4/18
I think it's related to the lfrmewrk.exe file. I'm not very good with autoruns, but I went through it roughly. Under Services there are these:
EmonSrv c:\windows\system32\lfrmewrk.exe
qpki C:\PROGRA~1\ihca\vupn.dll
The other odd thing is in the Internet Explorer options:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects CPPIE Class c:\windows\system32\hbcmd.dll
And under Drivers:
yvvsxs13 System32\DRIVERS\yvvsxs13.sys
szfggz87 System32\DRIVERS\szfggz87.sys
Should I disable all of these?