瑞星卡卡安全论坛

Experts, please help me ~~~ I have a log ~
日不懂啊 - 2008-4-30 16:30:00
What a pain~~

This damn thing~~

It's a file infector; it infects system files.

The sample is in the attachment~~ it's password-protected

The log is in the attachment

User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Attachment: MSDOS.pif.rar

Attachment: SREngLOG.log
天月来了 - 2008-4-30 16:34:00
Did you submit the file???

What's the password???

As for the log, just delete all of those entries yourself.

Don't open any drives, and don't use any files from non-system partitions.

Uninstall all software installed outside the system's Windows folder that can auto-start at boot, or stop it from auto-starting.

That should basically solve the problems in the system.

As for all the infected, unusable executables other than the system's Windows files, deal with them once the antivirus can clean them.

Otherwise you'll just have to format everything.
日不懂啊 - 2008-4-30 16:36:00
Rising flags it as a virus~~~~~ I've submitted it through the suspicious-file upload~~

I'll PM you the password
tjcum210210 - 2008-4-30 16:38:00
Heh, 天月 switched to a cat avatar too
天月来了 - 2008-4-30 16:39:00
Rising did flag it,
so it should be able to clean the infection.

What other problems do you have???
日不懂啊 - 2008-4-30 16:55:00
Heh, let me sort it out first.
UFO不幸外人 - 2008-4-30 16:58:00
天月, that little cat is so cute
天月来了 - 2008-4-30 17:12:00
That's all of it:
Files to delete:
c:\windows\system32\bjrvm.dll
c:\windows\system32\fghshj.dll
c:\windows\system32\fjnbv.dll
c:\windows\system32\frntrn.dll
c:\windows\system32\gjjte.dll
c:\windows\system32\hfjg.dll
c:\windows\system32\ijatnaw.dll
c:\windows\system32\jwlah.dll
c:\windows\system32\jyjlt.dll
c:\windows\system32\lariytrz.dll
c:\windows\system32\mgmgmm.dll
c:\windows\system32\rgfjj.dll
c:\windows\system32\sehhter.dll
c:\windows\system32\sperls.dll
c:\windows\system32\xgnfn.dll
c:\windows\system32\uresdqjknzxbrtyq.dll
c:\windows\system32\ayfkkfkk1055.dll
c:\windows\system32\msepbe.dll
c:\windows\system32\ttezzezz1046.dll
c:\windows\system32\ttnnbnnb1047.dll
c:\windows\system32\ttqacqac1038.dll
c:\windows\system32\ttvufvuf1011.dll
c:\windows\system32\lwias16_080427.dll
c:\windows\system32\inf\svchosts.exe
c:\windows\system32\qxxxxx.dll
c:\windows\system32\dld.exe
c:\windows\system32\lwias16_080427.dll
c:\windows\system32\uresdqjknzxbrtyq.dll
c:\windows\system32\kernel32.exe
c:\windows\system32\qwer.exe
c:\windows\system32\netsyssem.exe
c:\windows\system32\asdf.exe
c:\windows\ime\winupgrade.exe
c:\windows\system32\drivers\bd63.sys
c:\windows\system32\drivers\msosmsfpfis64.sys
c:\windows\system32\nessery.sys
c:\windows\system32\drivers\obj2.sys
c:\windows\system32\figsel.dll
c:\windows\system32\ietool.dll
D:\Autorun.inf
D:\MSDOS.PIF
E:\Autorun.inf
E:\MSDOS.PIF

Startup items
Registry
    <LUOM><C:\WINDOWS\system32\DLD.exe>  []
    <nyuserinit><C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwias16_080427.dll tanlt88>  [N/A]
    <{05922c2d-da84-48e8-a3e4-e797c58c39cf}><C:\WINDOWS\system32\ttEZZEZZ1046.dll>  []
    <{dc546cb1-0be7-4957-98c5-469b55a6923d}><C:\WINDOWS\system32\ttQACQAC1038.dll>  []
    <{29fab913-d0cd-477b-a3f0-3d7c3a90379b}><C:\WINDOWS\system32\ttVUFVUF1011.dll>  []
    <{c4bf46a2-1c05-427d-992f-4e24f7d57f68}><C:\WINDOWS\system32\ttNNBNNB1047.dll>  []
    <{6ce08af1-5f70-4c1a-8d1a-8aba11619e87}><C:\WINDOWS\system32\ayFKKFKK1055.dll>  []
Startup items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]    <AppInit_DLLs><ghjdtry.dll,dgxsrr.dll,fdght.dll,rgghjj.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,hktrre.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,fghshj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,sperls.dll,>  [N/A]
==================================
Services
[Windows Presentation Foundation (WPF) / applications][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k applications-->C:\WINDOWS\system32\UrEsdqJKNzxBrTYq.dll><N/A>
[kernel32 / kernel32][Running/Auto Start]
  <c:\windows\system32\KERNEL32.exe><N/A>
[Distributed Link Tracking Client Service / LinkServic][Stopped/Auto Start]
  <C:\WINDOWS\system32\qwer.exe><N/A>
[Networj System / NetSzstem][Stopped/Auto Start]
  <C:\WINDOWS\system32\NetSyssem.exe><N/A>
[服务名 / svcname][Running/Auto Start]
  <C:\WINDOWS\system32\asdf.exe><N/A>
[winfirewall / winfirewall][Running/Auto Start]
  <C:\WINDOWS\ime\winupgrade.exe><N/A>
==================================
Drivers
[bd6 / bd63][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\bd63.sys><N/A>
[msfpfis64 / msfpfis64][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A>
[Nessery / Nessery][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\Nessery.sys><N/A>
[obj2 / obj2][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\DRIVERS\obj2.sys><N/A>
Not sure about this one below.
==================================
Drivers
[RESSDT / RESSDT][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\ssdtti.sys><N/A>
==================================
Browser add-ons
[HTML Doucment]
  {1B0A105E-5FB9-4507-835D-68794062C367} <C:\WINDOWS\system32\figsel.dll, >
[Thunder]
  {BE830FD4-E393-417F-9F4B-CC70ABB3384C} <C:\WINDOWS\system32\IETool.dll, >
Look carefully at the files for these two below.
==================================
Running processes
[PID: 352 / SYSTEM][C:\WINDOWS\system32\acs.exe]  [Atheros, 5.0.0.359] 
[PID: 1468 / SYSTEM][C:\WINDOWS\system32\sc.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
==================================
HOSTS file
Check the other drives for Autorun.inf and MSDOS.PIF.
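As an added example (not code from the thread, from SREng or from any of the posters), a small Python triage script that parses the `[Display / Name][State/Start]` header plus `<image><vendor>` layout of the services section and the AppInit_DLLs registry value in the log quoted above, and flags the patterns seen in this thread from a defender's side: a service hosted by svchost.exe under a group name Windows does not ship, an .exe named after a core system DLL, and any non-empty AppInit_DLLs entry. The embedded sample log, the set of known svchost groups and the heuristics are assumptions of the example.

```python
import re

# Constructed excerpt in the SREng log layout quoted above; the lines are copied from
# the thread's services and registry sections (not a complete log).
SAMPLE_LOG = r"""
[kernel32 / kernel32][Running/Auto Start]
  <c:\windows\system32\KERNEL32.exe><N/A>
[Windows Presentation Foundation (WPF) / applications][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k applications-->C:\WINDOWS\system32\UrEsdqJKNzxBrTYq.dll><N/A>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]    <AppInit_DLLs><frntrn.dll,gjjte.dll,>  [N/A]
"""

HEADER_RE = re.compile(r"^\[(?P<display>.*?) / (?P<name>[^\]]*)\]\[(?P<state>[^/]*)/(?P<start>[^\]]*)\]$")
IMAGE_RE = re.compile(r"^\s*<(?P<image>.*)><[^>]*>\s*$")
APPINIT_RE = re.compile(r"<AppInit_DLLs><(?P<dlls>[^>]*)>")
SVCHOST_RE = re.compile(r"svchost\.exe -k (\S+)-->(.*)$")

# svchost groups present on a stock Windows XP install (assumed list, not exhaustive).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch", "imgsvc", "termsvcs"}
# Core DLL names a dropper may reuse as an .exe to look legitimate (cf. kernel32.exe above).
CORE_DLL_STEMS = {"kernel32", "ntdll", "user32", "advapi32", "gdi32"}

def parse_services(log):
    # Pair each "[Display / Name][State/Start]" header with the "<image><vendor>" line below it.
    lines, entries = log.splitlines(), []
    for hdr, nxt in zip(lines, lines[1:]):
        h, i = HEADER_RE.match(hdr), IMAGE_RE.match(nxt)
        if h and i:
            entries.append({**h.groupdict(), "image": i.group("image")})
    return entries

def parse_appinit(log):
    # AppInit_DLLs is comma-separated; the log leaves a trailing comma, hence the filter.
    m = APPINIT_RE.search(log)
    return [d for d in m.group("dlls").split(",") if d] if m else []

def triage(log):
    # Return one finding string per suspicious item; an empty list means nothing was flagged.
    findings = []
    for s in parse_services(log):
        image = s["image"].lower()
        m = SVCHOST_RE.search(image)
        if m and m.group(1) not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"service {s['name']}: unknown svchost group {m.group(1)!r} loads {m.group(2)}")
        stem, _, ext = image.rsplit("\\", 1)[-1].rpartition(".")
        if stem in CORE_DLL_STEMS and ext == "exe":
            findings.append(f"service {s['name']}: {stem}.exe borrows the name of the system DLL {stem}.dll")
    for dll in parse_appinit(log):  # empty on a clean XP install, so every entry is reported
        findings.append(f"AppInit_DLLs loads {dll} into every process that links user32.dll")
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four findings for the excerpt; feed it the services and registry sections of a full SREngLOG.log to triage a real log.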
UFO不幸外人 - 2008-4-30 17:14:00
Let me add the operating procedure for you, hahaha
UFO不幸外人 - 2008-4-30 17:17:00
Download the commonly used tools:
IceSword: http://www.skycn.com/soft/37828.html
System Repair Engineer: http://www.skycn.com/soft/23312.html
XDelBox: http://www.dodudou.com/down/index.php?dirpath=./01.原创软件&order=0 (download XDelBox version 1.7)
1. Use XDelBox to delete the following files:
First move the important files on the system partition to other partitions, so that if the system crashes after the files are deleted it won't be harder to back them up. When using the tool, be sure to unplug all removable storage devices. Copy all the file paths between the separator lines below, open XDelBox and import them directly with the right-click menu item “剪贴板导入不检查路径” (import from clipboard without checking paths), tick “抑制再生” (suppress regeneration), “驱动安全删除模式” (driver safe-delete mode) and “备份文件” (back up files), and finally choose “立刻重启删除” (reboot and delete now) from the right-click menu.
c:\windows\system32\bjrvm.dll
c:\windows\system32\fghshj.dll
c:\windows\system32\fjnbv.dll
c:\windows\system32\frntrn.dll
c:\windows\system32\gjjte.dll
c:\windows\system32\hfjg.dll
c:\windows\system32\ijatnaw.dll
c:\windows\system32\jwlah.dll
c:\windows\system32\jyjlt.dll
c:\windows\system32\lariytrz.dll
c:\windows\system32\mgmgmm.dll
c:\windows\system32\rgfjj.dll
c:\windows\system32\sehhter.dll
c:\windows\system32\sperls.dll
c:\windows\system32\xgnfn.dll
c:\windows\system32\uresdqjknzxbrtyq.dll
c:\windows\system32\ayfkkfkk1055.dll
c:\windows\system32\msepbe.dll
c:\windows\system32\ttezzezz1046.dll
c:\windows\system32\ttnnbnnb1047.dll
c:\windows\system32\ttqacqac1038.dll
c:\windows\system32\ttvufvuf1011.dll
c:\windows\system32\lwias16_080427.dll
c:\windows\system32\inf\svchosts.exe
c:\windows\system32\qxxxxx.dll
c:\windows\system32\dld.exe
c:\windows\system32\lwias16_080427.dll
c:\windows\system32\uresdqjknzxbrtyq.dll
c:\windows\system32\kernel32.exe
c:\windows\system32\qwer.exe
c:\windows\system32\netsyssem.exe
c:\windows\system32\asdf.exe
c:\windows\ime\winupgrade.exe
c:\windows\system32\drivers\bd63.sys
c:\windows\system32\drivers\msosmsfpfis64.sys
c:\windows\system32\nessery.sys
c:\windows\system32\drivers\obj2.sys
c:\windows\system32\figsel.dll
c:\windows\system32\ietool.dll
D:\Autorun.inf
D:\MSDOS.PIF
E:\Autorun.inf
E:\MSDOS.PIF



After the computer restarts you will see a prompt asking which operating system to boot, with a 5-second countdown. The first option is your own Windows system; the second is XDelBox's Go XDelBox To Del Files. The second one is selected automatically by default and enters a DOS-like screen. You don't need to do anything during this stage; just let it run. Once the virus files have been deleted it reboots into Windows on its own.

2. Use System Repair Engineer
Open Startup Items > Registry and delete the following items:
    <LUOM><C:\WINDOWS\system32\DLD.exe>  []
    <nyuserinit><C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwias16_080427.dll tanlt88>  [N/A]
    <{05922c2d-da84-48e8-a3e4-e797c58c39cf}><C:\WINDOWS\system32\ttEZZEZZ1046.dll>  []
    <{dc546cb1-0be7-4957-98c5-469b55a6923d}><C:\WINDOWS\system32\ttQACQAC1038.dll>  []
    <{29fab913-d0cd-477b-a3f0-3d7c3a90379b}><C:\WINDOWS\system32\ttVUFVUF1011.dll>  []
    <{c4bf46a2-1c05-427d-992f-4e24f7d57f68}><C:\WINDOWS\system32\ttNNBNNB1047.dll>  []
    <{6ce08af1-5f70-4c1a-8d1a-8aba11619e87}><C:\WINDOWS\system32\ayFKKFKK1055.dll>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]    <AppInit_DLLs><ghjdtry.dll,dgxsrr.dll,fdght.dll,rgghjj.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,hktrre.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,fghshj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,sperls.dll,>  [N/A]

Open Startup Items > Services > Win32 Services and delete the following services:
[Windows Presentation Foundation (WPF) / applications][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k applications-->C:\WINDOWS\system32\UrEsdqJKNzxBrTYq.dll><N/A>

[kernel32 / kernel32][Running/Auto Start]
  <c:\windows\system32\KERNEL32.exe><N/A>

[Distributed Link Tracking Client Service / LinkServic][Stopped/Auto Start]
  <C:\WINDOWS\system32\qwer.exe><N/A>

[Networj System / NetSzstem][Stopped/Auto Start]
  <C:\WINDOWS\system32\NetSyssem.exe><N/A>

[服务名 / svcname][Running/Auto Start]
  <C:\WINDOWS\system32\asdf.exe><N/A>

[winfirewall / winfirewall][Running/Auto Start]
  <C:\WINDOWS\ime\winupgrade.exe><N/A>


Open Startup Items > Services > Drivers and delete the following drivers:
[bd6 / bd63][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\bd63.sys><N/A>

[msfpfis64 / msfpfis64][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A>

[Nessery / Nessery][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\Nessery.sys><N/A>

[obj2 / obj2][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\DRIVERS\obj2.sys><N/A>
[RESSDT / RESSDT][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\ssdtti.sys><N/A>

Open System Repair > Browser Add-ons and delete the following items:
[HTML Doucment]
  {1B0A105E-5FB9-4507-835D-68794062C367} <C:\WINDOWS\system32\figsel.dll, >
[Thunder]
  {BE830FD4-E393-417F-9F4B-CC70ABB3384C} <C:\WINDOWS\system32\IETool.dll, >

Open System Repair > HOSTS File and repair the HOSTS file
人在逍遥 - 2008-4-30 17:19:00
I want the sample password
天月来了 - 2008-4-30 17:20:00
Good grief,
can this even be deleted?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]    <AppInit_DLLs><ghjdtry.dll,dgxsrr.dll,fdght.dll,rgghjj.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,hktrre.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,fghshj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,sperls.dll,>  [N/A]
UFO不幸外人 - 2008-4-30 17:52:00
I said it wrong, I meant clear it out, hahahahaha
日不懂啊 - 2008-5-16 15:14:00
Brother UFO, long time no see~~~~

Just saying hi