In extreme agony, asking the masters for help
Forum navigation -> 华新鲜事 (Huaxin News) -> 技术の宅 (Tech Geeks) | This thread has 17 posts; currently showing post 10
Author: poi (level: 2 - novice, posts: 12) Posted: 2005-09-01 22:48:35  Post #10
sorry, no chinese input, but here are the steps: download [process explorer] and [rootkit revealer] from sysinternals.com. You shouldn't see any suspicious processes from tool 1. For diagnosis, you can copy and paste the list of processes running on your computer here. For the second tool, you might need to run it in safe mode. To do that, reboot and press F8 and select Safe Mode. For more information, refer to http://research.microsoft.com/rootkit/ and http://www.sysinternals.com/utilities/rootkitrevealer.html
Thanks, moderator master. Here is the list of running processes obtained with Process Explorer:
Process PID CPU Description Company Name
System Idle Process 0 84.07
Interrupts n/a Hardware Interrupts
DPCs n/a 0.88 Deferred Procedure Calls
System 4
smss.exe 904 Windows NT Session Manager Microsoft Corporation
csrss.exe 992 0.88 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1016 Windows NT Logon Application Microsoft Corporation
services.exe 1060 1.77 Services and Controller app Microsoft Corporation
ibmpmsvc.exe 1284
svchost.exe 1324 Generic Host Process for Win32 Services Microsoft Corporation
1XConfig.exe 3236 8021XConfig Module Intel
wmiprvse.exe 232 WMI Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1564 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 3816 Automatic Updates Microsoft Corporation
EvtEng.exe 1668 EvtEng Module Intel Corporation
S24EvMon.exe 1704 Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
WLKEEPER.exe 1748 WLKEEPER Intel® Corporation
svchost.exe 1820 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1948 Generic Host Process for Win32 Services Microsoft Corporation
ccSetMgr.exe 416 Common Client Settings Manager Service Symantec Corporation
ccEvtMgr.exe 440 Common Client Event Manager Service Symantec Corporation
spoolsv.exe 688 Spooler SubSystem App Microsoft Corporation
blackd.exe 820 blackd Internet Security Systems, Inc.
DefWatch.exe 840 Virus Definition Daemon Symantec Corporation
ntrtscan.exe 932 Trend Micro Inc.
BL515.EXE 1308
OfcPfwSvc.exe 984 OfcPfwSvc Trend Micro Inc.
OProtSvc.exe 1364 Ownership protocol service Intel Corporation
QCONSVC.EXE 1528 IBM Access Connections - Service Component. IBM Corp.
RapApp.exe 1676 1.77 appcomply Internet Security Systems, Inc.
RegSrvc.exe 1904 RegSrvc Module Intel Corporation
SavRoam.exe 2008 SAVRoam symantec
svchost.exe 396 Generic Host Process for Win32 Services Microsoft Corporation
Rtvscan.exe 1348 Symantec AntiVirus Symantec Corporation
tmlisten.exe 2112 Trend Micro Inc.
PccNTUpd.exe 2372 Trend Micro Inc.
TpKmpSvc.exe 2272
wdfmgr.exe 2292 Windows User Mode Driver Manager Microsoft Corporation
Vpatch.exe 2324 Virtual Patch Protection System Internet Security Systems, Inc.
lsass.exe 1072 LSA Shell (Export Version) Microsoft Corporation
ZCfgSvc.exe 2900 ZeroCfgSvc MFC Application Intel Corporation
explorer.exe 3176 Windows Explorer Microsoft Corporation
SynTPLpr.exe 3684 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 3760 Synaptics TouchPad Enhancements Synaptics, Inc.
igfxtray.exe 3780 igfxTray Module Intel Corporation
hkcmd.exe 3792 hkcmd Module Intel Corporation
TpShocks.exe 3988 IBM Active Protection System IBM Corp.
TPHKMGR.exe 4000
TPONSCR.exe 896
TpScrex.exe 2056 ThinkPad UltraZoom IBM Corporation
rundll32.exe 4056 Run a DLL as an App Microsoft Corporation
EzEjMnAp.Exe 236 IBM ThinkPad EasyEject Support Application IBM Corp.
ibmmessages.exe 596 ibmmessages IBM
QCTRAY.EXE 764 IBM Access Connections - Taskbar Application. IBM Corp.
QCWLICON.EXE 944 IBM Access Connections - Wireless Status Icon. IBM Corp.
rundll32.exe 1192 Run a DLL as an App Microsoft Corporation
PccNTMon.exe 1516 I/O Monitor Trend Micro Inc.
iFrmewrk.exe 1876 Intel Framework MFC Application Intel Corporation
EOUWiz.exe 2396 Ease Of Use Wizard Application Intel Corporation
tfswctrl.exe 2488 Drive Letter Access Component Sonic Solutions
ccApp.exe 1208 Common Client User Session Symantec Corporation
VPTray.exe 2580 Symantec AntiVirus Symantec Corporation
ctfmon.exe 3508 CTF Loader Microsoft Corporation
msnmsgr.exe 4044 MSN Messenger Microsoft Corporation
DLG.exe 1716 Digital Line Detection BVRP Software
iexplore.exe 2896 Internet Explorer Microsoft Corporation
iexplore.exe 3732 Internet Explorer Microsoft Corporation
iexplore.exe 3256 Internet Explorer Microsoft Corporation
procexp.exe 3292 10.62 Sysinternals Process Explorer Sysinternals

Process: wmiprvse.exe Pid: 232

Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
File \Device\WMIDataDevice
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\WINDOWS\system32
Key HKLM
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKCR
Key HKU\S-1-5-20_CLASSES
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Port \RPC Control\OLEE41DBB9743004CB1A5E3046B12B1
Section \BaseNamedObjects\__R_000000000013_SMem__
Section \BaseNamedObjects\Wmi Provider Sub System Counters
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread wmiprvse.exe(232): 2240
Thread wmiprvse.exe(232): 2688
Thread wmiprvse.exe(232): 3996
Thread wmiprvse.exe(232): 3600
Thread wmiprvse.exe(232): 2240
Thread wmiprvse.exe(232): 3200
Thread wmiprvse.exe(232): 3600
Thread wmiprvse.exe(232): 2688
Thread wmiprvse.exe(232): 700
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\SYSTEM
WindowStation \Windows\WindowStations\Service-0x0-3e4$
WindowStation \Windows\WindowStations\Service-0x0-3e4$
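As an added example (not part of this post, and not a Sysinternals tool), the script below parses a Process Explorer listing pasted as text, in the same layout as the one above, and pulls out the images that report no description and no company name. Those are the rows a reviewer of such a paste looks at first, because a missing version resource is the easiest thing to spot in a flat listing; it is a prompt to verify the file on disk (path, signature, vendor), not proof of anything on its own, as the IBM and Intel driver helpers in this very list show. The sample rows are constructed from the paste, and the row parsing (PID is the first integer or "n/a" token, an optional CPU percentage follows it) is an assumption about the copied layout.

```python
"""Parse a Process Explorer listing pasted as plain text and flag images
that carry no description or company name (i.e. no version resource)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of rows copied in the layout of the paste above.
SAMPLE_LISTING = """\
Process PID CPU Description Company Name
System Idle Process 0 84.07
Interrupts n/a Hardware Interrupts
DPCs n/a 0.88 Deferred Procedure Calls
System 4
smss.exe 904 Windows NT Session Manager Microsoft Corporation
csrss.exe 992 0.88 Client Server Runtime Process Microsoft Corporation
ibmpmsvc.exe 1284
ntrtscan.exe 932 Trend Micro Inc.
BL515.EXE 1308
svchost.exe 1324 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
procexp.exe 3292 10.62 Sysinternals Process Explorer Sysinternals
"""

# Kernel pseudo-processes that legitimately carry no version resource.
KNOWN_UNLABELLED = {"System", "System Idle Process", "Interrupts", "DPCs"}

_PID_RE = re.compile(r"^(\d+|n/a)$")     # PID column: integer or "n/a"
_CPU_RE = re.compile(r"^\d+\.\d+$")      # CPU column: percentage with decimals


@dataclass
class ProcRow:
    name: str
    pid: Optional[int]
    cpu: Optional[float]
    info: str  # description and company, kept as one string


def parse_listing(text: str):
    """Turn the pasted text into ProcRow records, skipping the header line."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Process":
            continue
        # The image name may contain spaces ("System Idle Process"), so the PID
        # is located as the first token that looks like a PID (assumed layout).
        pid_idx = next((i for i, t in enumerate(tokens) if _PID_RE.match(t)), None)
        if pid_idx is None or pid_idx == 0:
            continue
        name = " ".join(tokens[:pid_idx])
        pid = None if tokens[pid_idx] == "n/a" else int(tokens[pid_idx])
        rest = tokens[pid_idx + 1:]
        cpu = None
        if rest and _CPU_RE.match(rest[0]):
            cpu = float(rest[0])
            rest = rest[1:]
        rows.append(ProcRow(name, pid, cpu, " ".join(rest)))
    return rows


def unlabelled_images(rows):
    """Images with neither description nor company: first candidates to verify on disk."""
    return [r for r in rows if not r.info and r.name not in KNOWN_UNLABELLED]


def image_counts(rows):
    """How many instances of each image name are running (case-insensitive)."""
    counts = {}
    for r in rows:
        key = r.name.lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for row in unlabelled_images(parsed):
        print(f"verify on disk: {row.name} (pid {row.pid}) - no description/company")
    for name, n in sorted(image_counts(parsed).items()):
        if n > 1:
            print(f"{name}: {n} instances")
```

Running it on the sample prints ibmpmsvc.exe and BL515.EXE as the rows to check, and svchost.exe as the only image with several instances. Multiple svchost.exe instances are normal on Windows XP, which is why the script reports the count rather than flagging it.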