Rising Kaka Security Forum > Technical Exchange > Anti-Virus / Anti-Rogue-Software Forum: To "fzzfzz" and "迷你超音速": about the csrss.exe in the inetsrv folder


To "fzzfzz" and "迷你超音速": about the csrss.exe in the inetsrv folder

Quote:
[fzzfzz's post] I regret to report to moderator baohe that after doing all of the above, the situation in inetsrv is unchanged: when I delete csrss.exe it comes back.

This is driving me nuts!
………………

I strongly suspect there is something wrong with your system.
Run another scan and post the log.
My guess is it's a case of "the spring wind blows and it grows back again".

Using HijackThis I found:
O2 - BHO: Sun Java2 - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:\WINDOWS\system32\COMBoHEvent.dll

This BHO also comes back automatically after being fixed, and the file revives itself after being deleted.
Is this related?

Reinstalling the system is no big deal; I have a Ghost backup I can restore. I have used this backup many times and never seen this problem before.

But I'm a bit reluctant to give up. Heh.

Moderator baohe, special thanks to you; you spent a lot of time helping me analyze this.
I also learned a lot. Thank you!


No problem; worst case, go "fully bare" (wipe it and reinstall).

Quote:
[fzzfzz's post] After blocking csrss with SSM, csrss cannot run under SSM's interception and the csrss process no longer appears.
After cleaning the registry and deleting csrss.exe, although the system is still being monitored by SSM, csrss.exe is still automatically regenerated in the inetsrv folder.

It looks like the main body of the virus may not be csrss.exe itself; perhaps there is another source.
………………

Brother, I have it under control with SSM; cleaning out the garbage has to be done slowly.
Here is exactly what I did:
1. Run net stop comeventhelper.dll
Delete \system32\comeventhelper.dll and comeventhelper.bat
Delete \system32\update, because it contains a backup of comeventhelper.dll
Analysis of comeventhelper.bat showed that comeventhelper.dll is not a file shipped with Windows
Delete \system32\inetsrv\*.*
Check the SSM log; it shows that no new csrss process is being created any more
2. Search for csrss.* and comeventhelper.* and delete them
Search separately for files containing "csrss" and "comeventhelper"; you should be able to find the virus's original folder. Empty it.
Note: alongside the virus folder there are 3 more folders, each with related files; empty those too.
As I don't know the registry well, I didn't dare touch much; I only deleted the csrss-related entries and some of the keys and files the moderator provided.

The current state is that srvhost still frequently tries to write service- and comeventhelper-related entries, all of which SSM blocks.
The only remaining issue is that the "Sun Java2" BHO, COMBoHEvent.dll, comes back automatically after being deleted, and SSM cannot detect it.
These are my notes from blocking it; I still hope everyone finds a thorough removal solution soon.
Below are the files that were created at the same time as the virus; please help study them.
COMEvent.dat
COMEventHelper.dll
ComHelper.local
unins000.dat
unins000.exe
COMBoHEvent.dll
COMAdEvent.dll
SystemID.dll
C1C003E6.dll
nvapps.xml
AddrConfig.bin

Yes, I noticed early on that Sun Java2 restores itself automatically.

[Sun Java2]
  {C61A70F3-505E-4B90-916F-627A8706B4BC} <c:\WINDOWS\system32\COMBoHEvent.dll

COMBoHEvent.dll and its registry entry come back after being deleted.

My log shows no newly created processes any more, and srvhost no longer calls other services. Brother, does yours still?

Quote:
[baohe's post]
I strongly suspect there is something wrong with your system.
Run another scan and post the log.
My guess is it's a case of "the spring wind blows and it grows back again".
………………


After a bit of cleanup I scanned again; the log is as follows:
2006-09-07,09:09:42

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- Administrator user - full functionality

The following items were selected:
    All startup items (including registry, startup folder, services, etc.)
    Browser add-ons
    Running processes (including process module information)
    File associations


Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
    <msnmsgr><; ; ; ; ; ; "C:\Program Files\MSN Messenger\msnmsgr.exe" /background>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ShStatEXE><"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE>  [Network Associates, Inc.]
    <gcasServ><; ; ; ; ; ; ; ; ; "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe">  []
    <IMJPMIG8.1><; ; ; ; ; ; ; ; ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [Microsoft Corporation]
    <McAfeeUpdaterUI><; ; ; ; ; ; ; ; ; "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey>  []
    <MSPY2002><; ; ; ; ; ; ; ; ; C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC>  []
    <NeroFilterCheck><; ; ; ; ; ; ; ; ; C:\WINDOWS\system32\NeroCheck.exe>  [Ahead Software Gmbh]
    <Network Associates Error Reporting Service><; ; ; ; ; ; ; ; ; "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe">  []
    <PHIME2002A><; ; ; ; ; ; ; ; ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [Microsoft Corporation]
    <PHIME2002ASync><; ; ; ; ; ; ; ; ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [Microsoft Corporation]
    <RealTray><; ; ; ; ; ; ; ; ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER>  []
    <SysExplr><; ; ; ; ; ; ; ; ; C:\HEROSOFT\Hero3000\SYSEXPLR.EXE>  []
    <TkBellExe><; ; ; ; ; ; ; ; ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [Microsoft Corporation]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
    <WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll>  [System Safety Limited]

==================================
Startup folder
Services
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[McAfee Framework Service / McAfeeFramework]
  <C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart><Network Associates, Inc.>
[Network Associates McShield / McShield]
  <"C:\Program Files\Network Associates\VirusScan\Mcshield.exe"><Network Associates, Inc.>
[Network Associates Task Manager / McTaskManager]
  <"C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"><Network Associates, Inc.>
[SoundMAX Agent Service / SoundMAX Agent Service (default)]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
[Update Service For Windows / winupdate]
  <C:\WINDOWS\winupdate.exe><N/A>

==================================
Browser add-ons
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <D:\Tencent2006\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Windows Live Sign-in Helper]
  {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Sun Java2]
  {C61A70F3-505E-4B90-916F-627A8706B4BC} <c:\WINDOWS\system32\COMBoHEvent.dll, N/A>
[金山词霸]
  {9A687CA6-D585-4947-9ED9-BE96071F5CD9} <C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll, 金山软件股份有限公司>
[QQIEFloatBarCfgCmd Class]
  {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <D:\Tencent2006\QQ\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Radio(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINDOWS\System32\CMBEdit.dll, >
[safeInput Class]
  {ECCBA953-80E5-11D3-9285-0080ADB811C5} <C:\WINDOWS\Downloaded Program Files\safein.dll, Beijing eChannels Century Technology Co.,Ltd>
[Upload to QQ Network Disk]
  <D:\Tencent\qq\AddToNetDisk.htm, N/A>
[Export to Microsoft Excel(&x)]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
[Add to QQ custom panel]
  <D:\Tencent\qq\AddPanel.htm, N/A>
[Add to QQ emoticons]
  <D:\Tencent\qq\AddEmotion.htm, N/A>
[Send this picture via QQ MMS]
  <D:\Tencent\qq\SendMMS.htm, N/A>

==================================
Running processes
[PID: 448][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 504][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 528][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\system32\SSMWinlogonEx.dll]  <System Safety Limited><2.0.8.582>
[PID: 572][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 584][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 744][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 792][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 856][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 896][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1208][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1408][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1440][C:\Program Files\Network Associates\Common Framework\FrameworkService.exe]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\nailog.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\Program Files\Network Associates\Common Framework\naXML.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\Program Files\Network Associates\Common Framework\naCmnLib.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\Program Files\Network Associates\Common Framework\applib.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\0804\AgentRes.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\Logging.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\InternetManager.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\naInet.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\Program Files\Network Associates\Common Framework\UserSpace.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\Management.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\cmalib.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\naPolicyManager.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\ScriptSubSys.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\UpdateSubSys.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\Scheduler.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\Common Framework\TCSubSys.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
[PID: 1468][C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  <Network Associates, Inc.><8.0.0.989>
    [C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\shstat.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\Product.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\McShield.dll]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\RES04\Shutilrc.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\Graphics.dll]  <Network Associates, Inc.><8.0.0.912>
[PID: 1484][C:\Program Files\Network Associates\VirusScan\Mcshield.exe]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\Res04\McShield.DLL]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Network Associates\VirusScan\FTL.Dll]  <Network Associates, Inc.><8.0.0.133>
    [C:\Program Files\Network Associates\VirusScan\naiann.dll]  <Network Associates, Inc.><8.0.0.306>
    [C:\Program Files\Network Associates\VirusScan\mytilus.dll]  <Network Associates, Inc.><8.0.0.306>
    [C:\Program Files\Network Associates\Common Framework\GenEvtInf.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\VirusScan\NaEventU.DLL]  <Network Associates, Inc.><8.0.0.342>
    [C:\Program Files\Network Associates\VirusScan\Res04\naEvtRes.dll]  <Network Associates, Inc.><8.0.0.342>
    [C:\Program Files\Network Associates\VirusScan\VSIDSvr.dll]  <Network Associates, Inc.><8.0.0.251>
    [C:\Program Files\Common Files\Network Associates\Engine\MCSCAN32.DLL]  <McAfee, Inc.><4.4.00>
    [C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\VirusScan\EntSrv.Dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1528][C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe]  <Network Associates, Inc.><3.5.0.412>
    [C:\PROGRA~1\NETWOR~1\COMMON~1\nailog.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\PROGRA~1\NETWOR~1\COMMON~1\naCmnLib.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\PROGRA~1\NETWOR~1\COMMON~1\naXML.dll]  <Network Associates, Inc.><3.5.0.474>
    [C:\PROGRA~1\NETWOR~1\COMMON~1\0804\AgentRes.dll]  <Network Associates, Inc.><3.5.0.412>
    [C:\Program Files\Network Associates\VirusScan\VsPlugin.dll]  <Network Associates, Inc.><8.0.0.989>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
[PID: 1648][C:\WINDOWS\System32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 1660][C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  <Network Associates, Inc.><8.0.0.989>
    [C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\naicondl.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\RES04\VsTskMgr.dll]  <Network Associates, Inc.><8.0.0.912>
    [C:\Program Files\Network Associates\VirusScan\MIDUtil.Dll]  <Network Associates, Inc.><8.0.0.145>
[PID: 1772][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe]  <Analog Devices, Inc.><3, 2, 6, 0>
[PID: 676][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\System32\EntApi.dll]  <Network Associates, Inc><8.0.0.240>
    [D:\Tencent2006\QQ\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [c:\WINDOWS\system32\COMBoHEvent.dll]  <N/A><N/A>
    [c:\WINDOWS\system32\COMAdEvent.dll]  <N/A><N/A>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>
    [C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx]  <Adobe Systems, Inc.><9,0,16,0>
[PID: 1348][D:\悲愤\优选工具\新18种工具\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINDOWS\System32\SYNCOR11.DLL]  <SoundMAX><1.2.3>

==================================
File associations
.TXT  Error. [NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  Error. [超级解霸3000]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock providers
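The posts above boil down to two manual checks: a csrss.exe that lives anywhere other than %SystemRoot%\System32 is an impostor (the real one is PID 504 in the log), and startup entries, services, loaded modules and browser add-ons whose vendor field is N/A deserve a second look (winupdate.exe, COMBoHEvent.dll, COMAdEvent.dll). The Python script below, an added example that is neither code from this thread nor part of SREng, applies those checks over SREng-style log lines. The regexes are written against the log layout shown on this page; the CORE_PROCESSES list, the THREAD_IOCS list (taken from the posters' own file lists, not a vetted indicator feed) and the C:\WINDOWS default are assumptions; the sample log is constructed from lines on the page plus one made-up line showing how the rogue inetsrv\csrss.exe would look if SSM had let it run.

```python
"""Triage an SREng-style startup/process log for the symptoms discussed above.

Added example, not code from the forum thread or from SREng. Regexes follow
the log layout visible on the page; lists and defaults are assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no path reason")

# Process names that, on Windows XP, legitimately run only from
# %SystemRoot%\System32. The same name anywhere else is an impostor.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}

# File names the posters themselves tied to this infection (assumption:
# lifted from their posts, not from a vetted indicator feed).
THREAD_IOCS = {"combohevent.dll", "comadevent.dll",
               "comeventhelper.dll", "comeventhelper.bat"}

# One regex per SREng line layout; each yields a path and a vendor string.
LINE_PATTERNS = [
    # [PID: n][path]  <vendor><version>
    re.compile(r"^\[PID: \d+\]\[(?P<path>[^\]]+)\]\s+<(?P<vendor>[^>]*)>", re.I),
    #     [module path]  <vendor><version>
    re.compile(r"^\s+\[(?P<path>[A-Z]:\\[^\]]+)\]\s+<(?P<vendor>[^>]*)>", re.I),
    #   {CLSID} <dll path, vendor>
    re.compile(r"^\s+\{[0-9A-F-]+\}\s+<(?P<path>[^,>]+),\s*(?P<vendor>[^>]*)>", re.I),
    #   <"service exe" args><vendor>
    re.compile(r'^\s+<"?(?P<path>[A-Z]:\\[^">]+?\.exe)"?[^>]*><(?P<vendor>[^>]*)>', re.I),
    #     <run key name><"exe" args>  [vendor]
    re.compile(r'^\s+<[^>]+><[^>]*?"?(?P<path>[A-Z]:\\[^">]+?\.exe)"?[^>]*>\s+\[(?P<vendor>[^\]]*)\]', re.I),
]


def classify(path, vendor, windir="C:\\WINDOWS"):
    """Return the reasons (possibly none) why this path/vendor pair deserves a look."""
    p = path.lower()
    if p.startswith("\\??\\"):      # NT object-manager prefix SREng prints for some processes
        p = p[4:]
    folder, _, name = p.rpartition("\\")
    windir = windir.lower()
    reasons = []
    if name in CORE_PROCESSES and folder != windir + "\\system32":
        reasons.append("core system process name outside System32")
    if name in THREAD_IOCS:
        reasons.append("file name reported in this thread")
    if vendor.strip().upper() in ("", "N/A") and p.startswith(windir + "\\"):
        reasons.append("no vendor information for a binary under the Windows directory")
    return reasons


def triage(log_text, windir="C:\\WINDOWS"):
    """Scan every line of an SREng log and return a list of Finding tuples."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                for reason in classify(m["path"], m["vendor"], windir):
                    findings.append(Finding(line_no, m["path"], reason))
                break
    return findings


# Constructed sample: lines copied from the log on this page, plus the last
# line, which is made up to show how the rogue inetsrv copy would appear.
SAMPLE_LOG = r"""
    <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>  [Microsoft Corporation]
[Update Service For Windows / winupdate]
  <C:\WINDOWS\winupdate.exe><N/A>
[Sun Java2]
  {C61A70F3-505E-4B90-916F-627A8706B4BC} <c:\WINDOWS\system32\COMBoHEvent.dll, N/A>
[PID: 504][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 676][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [D:\Tencent2006\QQ\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [c:\WINDOWS\system32\COMBoHEvent.dll]  <N/A><N/A>
    [c:\WINDOWS\system32\COMAdEvent.dll]  <N/A><N/A>
[PID: 1900][C:\WINDOWS\system32\inetsrv\csrss.exe]  <N/A><N/A>
""".strip("\n")

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d}: {f.path}  ->  {f.reason}")
```

Run it as-is to print the findings for the constructed sample, or pass the text of a real SREng log to triage(). The vendor check is only a triage heuristic: the page's own log lists CMBEdit.dll in System32 with an empty vendor field, so a hit means "look at this file", not "this is malware"; the path check for core process names is the one result you can act on directly, since there is never a legitimate reason for csrss.exe to run from system32\inetsrv.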
Powered by Discuz!NT