Rising Kaka Security Forum

To those asking for help: with computer viruses, prevention comes first. A typical case study and its cleanup
森林小子11 - 2006-9-5 23:11:00
Members, put a little effort into maintaining your own computers...

mopery: "Normally, spending just a little time on a small maintenance pass over the computer you love can go a long way towards preventing viruses. Conversely, if you don't maintain it properly, your computer will end up like the original poster's, or worse. The Kaka virus section sees a constant stream of people, some of them regulars. If you were willing to put in a bit of thought, you could probably spare yourself N visits to Kaka."

I originally wanted to ask the original poster to post an SREng log, but the poster has already worked on the machine... An SREng log would show more than this.

Credits:
1. Moderator baohe, for the Luoxue (落雪) trojan removal method
2. yanmings, who found the thread and proposed the new title

Reminder:
Posting logs in this thread is strictly forbidden. No idle chatter. Violators will be punished severely.

by: mopery, 轩辕小聪

Original title: My computer is infected with lots of Backdoor.Gpigeon.2006.zb. What do I do? Help! Thank you!

There are seven of them. Can anyone help me? I kill them and they are back when I boot up. What do I do?

Logfile of HijackThis v1.99.1
Scan saved at 22:57:43, on 2006-9-5
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\system32\conime.exe
C:\Mysql\bin\mysqld-max.exe
C:\Program Files\Common Files\Sogou PXP\p2psvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\ylive.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\intenat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rising\Rav\Rav.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\svhost32.exe
C:\DOCUME~1\user\LOCALS~1\Temp\65492.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX54.125\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: (no name) - {51707E60-11C0-44FB-BAC8-83EB0C93651C} - C:\WINDOWS\system32\Feve.dll (file missing)
R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 61.188.38.64 www.gamezt.com.cn
O1 - Hosts: 61.188.38.64 meng.nicemm.cn
O1 - Hosts: 61.188.38.64 upd.etsoft.com.cn
O1 - Hosts: 61.188.38.64 www.essonarts.com
O1 - Hosts: 61.188.38.64 ert0003.e76.163ns.com
O1 - Hosts: 61.188.38.64 sky001.e11.163ns.com
O1 - Hosts: 61.188.38.64 woool.100888290cs.com
O1 - Hosts: 61.188.38.64 rxjh.100888290cs.com
O1 - Hosts: 61.188.38.64 www.yowoool.com
O1 - Hosts: 61.188.38.64 13511.com
O1 - Hosts: 61.188.38.64 www.13511.com
O1 - Hosts: 61.188.38.64 ywg.cn
O1 - Hosts: 61.188.38.64 www.hyap98.com
O2 - BHO: (no name) - _{0005A87D-D626-4B3A-84F9-1D9571695F55} - (no file)
O2 - BHO: 搜索助手 - _{04844102-FC0B-4f44-9E93-0C4293BB5E80} - (no file)
O2 - BHO: (no name) - _{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: yPhtb - _{33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
O2 - BHO: (no name) - _{35980F6E-A137-4E50-953D-813BB8556899} - (no file)
O2 - BHO: Anti Fish - _{38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
O2 - BHO: YDragSearch - _{62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
O2 - BHO: (no name) - _{669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: stdup - _{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - (no file)
O2 - BHO: (no name) - _{9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - _{A9930D97-9CF0-42A0-A10D-4F28836579D5} - (no file)
O2 - BHO: (no name) - _{F5824EFB-728A-4726-A5A5-85A68B20EDC3} - (no file)
O2 - BHO: 搜搜地址栏搜索 - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: (no name) - {51707E60-11C0-44FB-BAC8-83EB0C93651C} - C:\WINDOWS\system32\Feve.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Corel Reminder] rem
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [dl_accel] rem C:\Program Files\3721\Dlaccel\YDownloader.exe
O4 - HKLM\..\Run: [thunder_mini] rem C:\Program Files\Thunder Network\ThunderMini\ThunderMini.exe
O4 - HKLM\..\Run: [TkBellExe] rem "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HupooShell] rem "C:\DOCUME~1\user\LOCALS~1\Temp\HupShell.exe "
O4 - HKLM\..\Run: [ToP] rem C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [yassistse] rem "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [WangWang] rem "C:\Program Files\淘宝网\淘宝旺旺\WangWang.EXE"
O4 - HKLM\..\Run: [runnn] rem C:\WINDOWS\system32\xskjab.exe
O4 - HKLM\..\Run: [runn] rem C:\WINDOWS\system32\xskjad.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Net] rem C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKLM\..\Run: [MSSER] rem C:\WINDOWS\system32\appmgmt\msser.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\intenat.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [Tray] C:\WINDOWS\command\rundll32.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: !搜一搜(&S) - res://C:\Program Files\yisou\yisou.dll/232
森林小子11 - 2006-9-5 23:12:00
There's more:

O8 - Extra context menu item: &使用下载加速专家下载 - C:\Program Files\3721\Dlaccel\geturl.htm
O8 - Extra context menu item: &使用迷你迅雷下载 - C:\Program Files\Thunder Network\ThunderMini\geturl.htm
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O8 - Extra context menu item: 使用KuGoo3下载(&K) - C:\Program Files\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 访问通用网址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [!CNS]  中文上网
O11 - Options group: [CDNCLIENT]  中文上网
O11 - Options group: [TBH] 搜搜地址栏搜索
O16 - DPF: _{05C1004E-2596-48E5-8E26-39362985EEB9} - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: _{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: _{39044F32-421E-4CE0-A595-EF66D42C363C} - http://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/21cnPptv.cab
O16 - DPF: _{488A4255-3236-44B3-8F27-FA1AECAA8844} - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: _{6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121909430468
O16 - DPF: _{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121910343468
O16 - DPF: _{88734439-46D0-42C0-A13F-7E881EE550CF} - http://www.bluesky.cn/download/filetran.cab
O16 - DPF: _{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: _{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: _{D57A1919-CB3C-461C-8F34-A87A1CD9127E} - http://www.9158.com/launcher/99launch_1000.cab
O16 - DPF: _{F138084D-84D7-48CD-BEA8-04772457516E} - http://218.85.138.27/vqqsdl1009.cab
O16 - DPF: _{F2EB8999-766E-4BF6-AAAD-188D398C0D0B} - http://www4.cmbchina.com/download/pb45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB00110-D2F1-490B-9E47-1335235A1832}: NameServer = 202.96.134.133,210.21.196.8
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Messenger - Unknown owner - C:\WINDOWS\system32\AUTOEXEC.BAT (file missing)
O23 - Service: Microsoft Winsock5 Service - Unknown owner - C:\WINDOWS\Microsoft Winsock5.exe
O23 - Service: MySql - Unknown owner - C:/Mysql/bin/mysqld-max.exe
O23 - Service: P4P Service - Sohu.com Inc. - C:\Program Files\Common Files\Sogou PXP\p2psvr.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Unknown owner - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\发信息.exe (file missing)
O23 - Service: sys - Unknown owner - C:\WINDOWS\988510
O23 - Service: system - Unknown owner - C:\WINDOWS\system.exe
森林小子11 - 2006-9-5 23:14:00
Also, Rising no longer starts at all; there is no icon in the bottom-right corner. What do I do?
笨鸟慢飞 - 2006-9-5 23:22:00
Friend, our situations are almost identical. I only found out it was a virus when the people here told me. Take a look at the replies others gave me and use them as a reference. They are all kind people. Study hard and learn the lesson.
Mcgrady001 - 2006-9-5 23:25:00
Heh, you have a lot of rogue software there.
janny620 - 2006-9-5 23:27:00
My computer also has this virus, Backdoor.Gpigeon.2006.zk and Backdoor.Gpigeon.2006.re. After killing the .re one it did not come back, but Backdoor.Gpigeon.2006.zk is still there after a reboot even once it has been killed. It's driving me crazy! Following what I read online, I searched for the _hook.dll file in safe mode and could not find it, and I could not find the registry entries mentioned online either. Have these all become variants? Is there any way to kill it? Also, under Firewall -> System status -> svchost.exe -> udp there is an entry Local 0.0.0.0:1042 "Bla trojan".
森林小子11 - 2006-9-5 23:33:00
It's driving me crazy. Yesterday there was only one; I came home from work today wanting to kill it, and when I scanned there were seven. What do I do? Can any expert advise? Thank you!
janny620 - 2006-9-5 23:39:00
Brother in reply #4, where is your thread? Post a link so I can take a look.
轩辕小聪 - 2006-9-6 0:04:00
Quote:
[森林小子11's post] It's driving me crazy. Yesterday there was only one; I came home from work today wanting to kill it, and when I scanned there were seven. What do I do? Can any expert advise? Thank you!
......

OP, do you know how many people saw your thread when yanmings sent the link to our QQ group, me, mopery and 魔法学徒 (former moderator of the anti-browser-hijacking forum) among them?! Nobody dared to take it on.
After discussion we decided that mopery would lay out the whole manual removal procedure step by step; the hardest part, replies #11 to #13, is quoted from moderator baohe's original thread in this section. For completeness, no dedicated removal tool was used for the Luoxue trojan.
Because a HijackThis log has its limits and the real situation may be more complex, after carrying out the steps below we still need the OP's SREng log before this can be finished.
yanmings - 2006-9-6 0:20:00
Bookmarked; this really is rare.

If our members don't treat viruses with "prevention first", ending up worse off than the OP is entirely possible.
mopery - 2006-9-6 0:40:00
O23 - Service: Messenger - Unknown owner - C:\WINDOWS\system32\AUTOEXEC.BAT (file missing)
O23 - Service: Microsoft Winsock5 Service - Unknown owner - C:\WINDOWS\Microsoft Winsock5.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\发信息.exe (file missing)
O23 - Service: sys - Unknown owner - C:\WINDOWS\988510
O23 - Service: system - Unknown owner - C:\WINDOWS\system.exe
Pigeon (Gpigeon). In safe mode, open the Registry Editor and expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Search for and delete:
Messenger
Microsoft Winsock5 Service
Schedule
sys and system
Delete the files:
C:\WINDOWS\988510
C:\WINDOWS\system.exe
C:\WINDOWS\Microsoft Winsock5.exe

Fix:
R3 - URLSearchHook: (no name) - {51707E60-11C0-44FB-BAC8-83EB0C93651C} - C:\WINDOWS\system32\Feve.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 61.188.38.64 www.gamezt.com.cn
O1 - Hosts: 61.188.38.64 meng.nicemm.cn
O1 - Hosts: 61.188.38.64 upd.etsoft.com.cn
O1 - Hosts: 61.188.38.64 www.essonarts.com
O1 - Hosts: 61.188.38.64 ert0003.e76.163ns.com
O1 - Hosts: 61.188.38.64 sky001.e11.163ns.com
O1 - Hosts: 61.188.38.64 woool.100888290cs.com
O1 - Hosts: 61.188.38.64 rxjh.100888290cs.com
O1 - Hosts: 61.188.38.64 www.yowoool.com
O1 - Hosts: 61.188.38.64 13511.com
O1 - Hosts: 61.188.38.64 www.13511.com
O1 - Hosts: 61.188.38.64 ywg.cn
O1 - Hosts: 61.188.38.64 www.hyap98.com
O2 - BHO: (no name) - _{0005A87D-D626-4B3A-84F9-1D9571695F55} - (no file)
O2 - BHO: 搜索助手 - _{04844102-FC0B-4f44-9E93-0C4293BB5E80} - (no file)
O2 - BHO: (no name) - _{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: yPhtb - _{33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
O2 - BHO: (no name) - _{35980F6E-A137-4E50-953D-813BB8556899} - (no file)
O2 - BHO: Anti Fish - _{38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
O2 - BHO: YDragSearch - _{62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
O2 - BHO: (no name) - _{669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: stdup - _{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - (no file)
O2 - BHO: (no name) - _{9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - _{A9930D97-9CF0-42A0-A10D-4F28836579D5} - (no file)
O2 - BHO: (no name) - _{F5824EFB-728A-4726-A5A5-85A68B20EDC3} - (no file)
O2 - BHO: (no name) - {51707E60-11C0-44FB-BAC8-83EB0C93651C} - C:\WINDOWS\system32\Feve.dll (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O4 - HKLM\..\Run: [Corel Reminder] rem
O4 - HKLM\..\Run: [runnn] rem C:\WINDOWS\system32\xskjab.exe
O4 - HKLM\..\Run: [runn] rem C:\WINDOWS\system32\xskjad.exe
O4 - HKLM\..\Run: [Net] rem C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\intenat.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [Tray] C:\WINDOWS\command\rundll32.exe
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
Delete the files:
C:\WINDOWS\SYSTEM32\stdup.dll
C:\WINDOWS\system32\xskjab.exe
C:\WINDOWS\system32\xskjad.exe
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\intenat.exe
C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\command\rundll32.exe

http://www.pctutu.com/srmsdown.asp
Download Super Rabbit (超级兔子) and use its Cleaner (清理王) to uninstall the rogue software (in safe mode).

After that is done...

http://forum.ikaka.com/topic.asp?board=28&artid=6979213  Download System Repair Engineer from reply #3
Unzip, run SREng.exe, Smart Scan, Scan, Save Log
Then paste the log contents here
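As an added example (not from this thread, and not part of HijackThis or SREng), the Python script below encodes the judgements mopery applies above to HijackThis log lines: an O23 service whose binary is missing, sits directly in C:\WINDOWS or has no extension; a Run entry or running process whose name imitates a system32 binary but lives in another directory or swaps a digit for a letter (SVCH0ST.EXE); and a hosts file that funnels several names to one address. The rule set, the function names and the threshold of three names per address are this example's assumptions; the sample lines are copied from the log posted above.

```python
# HijackThis (HJT) log triage. Added example, not the thread's or HijackThis's own code;
# the directory/name rules and the hosts threshold are assumptions made here.
import re

# XP binaries that belong in system32; the same name elsewhere (C:\WINDOWS\WINLOGON.EXE)
# or spelt with a digit (SVCH0ST.EXE) is a look-alike.
SYSTEM32_BINARIES = {"lsass.exe", "winlogon.exe", "svchost.exe", "rundll32.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.I)   # quoted paths keep spaces

def first_path(text):
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else ""

def split_path(path):
    directory, _, name = path.lower().replace("/", "\\").rpartition("\\")
    return directory, name

def check_binary(path):
    """Flag a process or Run target whose name imitates a system32 binary."""
    directory, name = split_path(path)
    canonical = name.translate(HOMOGLYPHS)
    if canonical in SYSTEM32_BINARIES and (directory != SYSTEM32 or canonical != name):
        return f"look-alike of {SYSTEM32}\\{canonical}: {path}"
    return None

def check_service(path, missing):
    """Flag an O23 binary that is missing, sits directly in C:\\WINDOWS, or has no extension."""
    directory, name = split_path(path)
    if missing or directory == r"c:\windows" or "." not in name:
        return f"suspicious service binary: {path}"
    return None

def triage(lines, min_hosts_per_ip=3):
    """Return the findings for a list of HJT log lines."""
    findings, hosts = [], {}
    for line in (raw.strip() for raw in lines):
        finding = None
        if line.startswith("O23 - "):
            target = line.rsplit(" - ", 1)[1].replace("(file missing)", "").strip()
            finding = check_service(target, "(file missing)" in line)
        elif line.startswith("O1 - Hosts:"):
            ip, host = line.split()[-2:]
            hosts.setdefault(ip, []).append(host)
        elif line.startswith("O4 - ") and "] " in line:    # [name] value; value may start with "rem"
            finding = check_binary(first_path(line.split("] ", 1)[1]))
        elif re.match(r"[a-z]:\\", line, re.I):            # "Running processes" section
            finding = check_binary(line)
        if finding:
            findings.append(finding)
    for ip, names in hosts.items():
        if len(names) >= min_hosts_per_ip:
            findings.append(f"hosts file sends {len(names)} names to {ip}: {', '.join(names)}")
    return findings

# Sample lines copied from the log posted in this thread (one clean process line included).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
O1 - Hosts: 61.188.38.64 www.gamezt.com.cn
O1 - Hosts: 61.188.38.64 meng.nicemm.cn
O1 - Hosts: 61.188.38.64 upd.etsoft.com.cn
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ToP] rem C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [Net] rem C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O23 - Service: MySql - Unknown owner - C:/Mysql/bin/mysqld-max.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\发信息.exe (file missing)
O23 - Service: sys - Unknown owner - C:\WINDOWS\988510
O23 - Service: system - Unknown owner - C:\WINDOWS\system.exe
""".strip().splitlines()
```

Running `triage(SAMPLE_LOG)` yields seven findings: the three Run look-alikes, the three services mopery deletes, and the hosts redirect; RavTask and MySql pass.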

mopery - 2006-9-6 1:15:00
O4 - HKLM\..\Run: [ToP] rem C:\WINDOWS\LSASS.exe
Treatment:
1. Disconnect from the network. Close the Rising antivirus and the Rising firewall (the trojan process has injected itself into them).
2. End the trojan process C:\windows\LSASS.EXE.
3. Delete the trojan files (see attached image).
4. Reboot. Clean the registry:
First rename RegFix or SREng to a .com or .bat extension, then run it (this restores the HKEY_CLASSES_ROOT\.exe value).
Expand: HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\ftp\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\htmlfile\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" -nohome" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" -nohome"
Expand: HKEY_CLASSES_ROOT\.exe
Delete WindowFiles
Expand: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
Delete "GUID"="{BI5AP8-6K55T9-8LJY6K-64M1EC-LTW624}"
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Top
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Delete wextract_cleanup0
————————————————————
[Trojan files to delete: see image below]


mopery - 2006-9-6 1:17:00
Removal method:

Step 1. End the WINLOGON.EXE process. Note: on an NT system installed on drive C, the trojan's path is C:\WINDOWS\WINLOGON.EXE, while the legitimate system process path is C:\WINDOWS\SYSTEM32\WINLOGON.EXE. To avoid ending the real system process WINLOGON.EXE by mistake and crashing the system, be sure to check first with a tool such as IceSword that shows process paths. Do not use Microsoft's built-in Task Manager (it does not show process paths at all!).
Step 2. Download RegFix (a registry repair tool). Change the extension of Regfix.exe to scr and confirm. Double-click Regfix.scr to automatically repair the main file-association registry entries.
Step 3. Find and delete the following files (see attached image).
Step 4. Modify the registry entries tampered with by the trojan:

1. HKEY_CLASSES_ROOT\.lnk\ShellNew
"Command"="rundll32.com appwiz.cpl,NewLinkHere %1"
Delete "Command"="rundll32.com

2. HKEY_CLASSES_ROOT\.bfc\ShellNew
"Command"="%SystemRoot%\\system32\\rundll32.com %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"
Change "Command"="%SystemRoot%\\system32\\rundll32.com to "Command"="%SystemRoot%\\system32\\rundll32.exe

3. HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

4. HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Change @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\"" to @="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

5. HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
@="rundll32.com shell32.dll,Control_RunDLL \"%1\",%*"
Delete @="rundll32.com

6. HKEY_CLASSES_ROOT\Drive\shell\find\command
Change @="%SystemRoot%\\explorer.com" to @="%SystemRoot%\\explorer.exe"

7. HKEY_CLASSES_ROOT\dunfile\shell\open\command
Change @="%SystemRoot%\\system32\\rundll32.com NETSHELL.DLL,InvokeDunFile %1" to @="%SystemRoot%\\system32\\rundll32.exe NETSHELL.DLL,InvokeDunFile %1"

8. HKEY_CLASSES_ROOT\ftp\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

9. HKEY_CLASSES_ROOT\htmlfile\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" -nohome" to @="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

10. HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command
Delete @="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"

11. HKEY_CLASSES_ROOT\htmlfile\shell\print\command
Delete @=rundll32.com

12. HKEY_CLASSES_ROOT\inffile\shell\Install\command
Delete @="%SystemRoot%\\System32\\rundll32.com

13. HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command
Delete @="finder.com

14. HKEY_CLASSES_ROOT\scrfile\shell\install\command
Delete @="finder.com

15. HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command
Delete @="\"C:\\WINDOWS\\system32\\finder.com\"

16. HKEY_CLASSES_ROOT\telnet\shell\open\command
Delete @="finder.com

17. HKEY_CLASSES_ROOT\Unknown\shell\openas\command
Delete @="%SystemRoot%\\system32\\finder.com

18. HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command
Delete @="C:\\WINDOWS\\ExERoute.exe \"%1\" %*"

19. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete "Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

20. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change "Shell"="Explorer.exe 1" to "Shell"="Explorer.exe"
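The registry edits in the two posts above follow one pattern: the command that opens a file type has had a real Windows binary's .exe replaced by a .com (or .pif) of the same name, or by a file that belongs to the trojan (finder.com, ExERoute.exe), and the Winlogon Shell value has gained an extra argument. As an added example (not the thread's or RegFix's code), the Python script below audits a .reg export for these cases and proposes the restored value where one exists. The sample export is constructed from keys quoted in the posts; the restore/delete rules and the finder/ExERoute name list are this example's assumptions drawn from those posts.

```python
# Audits shell\open\command style values from a .reg export for the .com/.pif substitutions
# described in the two posts above. Added example, not the thread's or RegFix's code; the
# sample export is constructed from keys quoted in the posts and the rules are assumptions.
import re

# Real Windows binaries whose names the trojan reuses with a .com extension: point the value
# back at the .exe. A .pif, or one of the trojan's own names, has nothing legitimate to restore.
RESTORABLE_STEMS = {"iexplore", "rundll32", "explorer"}
KNOWN_BAD_STEMS = {"finder", "exeroute"}      # names taken from the registry values in the posts
EXE_RE = re.compile(r'([^\\/"\s]+)\.(com|pif|exe)\b', re.I)  # first executable in a command

def parse_reg(text):
    """Yield (key, value_name, value) for the string values of a .reg export."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line.endswith('"'):
            name, raw = line.split("=", 1)
            name = name.strip('"')                        # "@" is the default value
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])    # undo .reg escaping of \ and "
            yield key, name, value

def judge(key, name, value):
    """Return ("restore", corrected) or ("delete", None); None if the value looks untouched."""
    if key.endswith(r"\Winlogon") and name == "Shell" and value != "Explorer.exe":
        return "restore", "Explorer.exe"                  # post shows it tampered to "Explorer.exe 1"
    m = EXE_RE.search(value)
    if not m:
        return None
    stem, ext = m.group(1).lower(), m.group(2).lower()
    if ext == "com" and stem in RESTORABLE_STEMS:
        return "restore", value[:m.start(2)] + "exe" + value[m.end(2):]
    if ext in ("com", "pif") or stem in KNOWN_BAD_STEMS:
        return "delete", None
    return None

def audit(reg_text):
    """Return [(key, value_name, action, corrected_value)] for every tampered value."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        verdict = judge(key, name, value)
        if verdict:
            findings.append((key, name) + verdict)
    return findings

# Constructed .reg export: hijacked values quoted in the posts plus one untouched key (ftp).
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.bfc\ShellNew]
"Command"="%SystemRoot%\\system32\\rundll32.com %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"
[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" -nohome"
[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"
[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@="%SystemRoot%\\explorer.com"
[HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]
@="C:\\WINDOWS\\ExERoute.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
'''

if __name__ == "__main__":
    for key, name, action, corrected in audit(SAMPLE_REG):
        print(f"{action:7} {key} [{name}] -> {corrected}")
```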



mopery - 2006-9-6 1:25:00
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
Control Panel - Add or Remove Programs - uninstall webwork

1. Open IceSword. Use IceSword to forbid process/thread creation.
2. Use IceSword to delete the files listed below (Figure 1). One of them cannot be deleted by IceSword: click "File" on the IceSword toolbar, then "Reboot and monitor". After the system restarts it can be deleted.
3. Delete its startup entries (Figure 2).
4. For the two remaining registry entries, open the Registry Editor yourself, find them and delete them!

(1) HKEY_CLASSES_ROOT\CLSID\
Delete: {4C611512-2C1D-44b2-A044-872AD2AD5A61}
(2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Delete: Albus

Figure 1



Figure 2


闪电风暴 - 2006-9-8 18:46:00
Learned something.
闪电风暴 - 2006-9-8 18:48:00
Probably a trojan bundle; that many at once.
show8 - 2006-9-8 19:05:00
This looks too complicated. Isn't there something simpler?
Flying1889 - 2006-9-8 19:13:00
....That's what I think too,, it's way over the top... practically a big business deal.
闪电风暴 - 2006-9-8 19:18:00
If you want to remove it completely, there doesn't seem to be any shortcut.
deadmanzj - 2006-9-8 20:45:00
It's practically a virus database.... Oh, 闪电 is back.
流浪詩人 - 2006-9-8 21:58:00
Reinstall the system and be done with it~
两个铁球 - 2006-9-8 22:07:00
The moderator's red warning at the top says no idle chatter; why are people still doing it!? Punish them!
从头爱你 - 2006-9-8 22:40:00
Wow, the OP's computer is unbelievably tough.. and I admire the experts' removal analysis.....

Haven't seen 魔法学徒 for ages....
丁亥萌萌 - 2006-9-8 23:22:00
This thread really is thorough, and the experts put their heart into it; thank you. But what I would rather know is: how do you tell which files are virus files? Which registry entries were modified by the virus? Is there a general method of identification? Otherwise, the next time a new virus comes along it will be a chorus of cries for help again.
羽当以化 - 2006-9-8 23:34:00
[Reply to 丁亥萌萌's post]
Judge from experience and the logs
Look things up online
Some cases need a sample before they can be analysed


volit - 2006-9-9 7:35:00
Just reinstall the system; wouldn't that be easier, haha ^_^
独孤豪侠 - 2006-9-9 9:22:00
This thread is no longer about helping the OP remove the virus...

The moderator pinned it so that more people pay attention to their own system security day to day... Don't think that installing an antivirus means everything is fine.... The police are always a step behind the thieves....... If you don't want to be "robbed", you have to stay alert every day.....
lancom - 2006-9-9 9:43:00
Learned a lot,,, thanks
dady欢欢 - 2006-9-9 10:18:00
Learning.....

Bookmarked.....
爱在缘来 - 2006-9-9 11:24:00
Trojan removal