Rising Kaka Security Forum, Anti-virus / Anti-malware board: How do I remove the Worm.Mail.Brontok.GEN virus? Urgent!!!!! Log attached


Logfile of Kaka v2.0.3.0 Scan Module v1.0.6.1
Scan saved at 22:26:53, on 2007-06-01
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://seek.3721.com/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.jujumao.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd">
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <!--
O1 - Hosts: </script>
O1 - Hosts: body{text-align:center;}
O1 - Hosts: .bodywrap{display:block;height:470px;}
O1 - Hosts: .adttl{font-weight:bold;margin-bottom:3px;}
O1 - Hosts: </style>
O1 - Hosts: </head>
O1 - Hosts: <body>
O1 - Hosts: </div></div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </body>
O1 - Hosts: </html>
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RavTask] "D:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - Startup: desktop.ini =
O4 - Global Startup: desktop.ini =
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷 - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra Button: JUJU猫 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com (file missing)
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra Button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS]  网络实名
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {C09B522F-8AED-4E21-A65C-DC1AB652BAEE} (Tencent Safety Online Base Module) - http://safe.qq.com/cgi-bin/tso/TSOBase.ocx
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: AtiExtEvent
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart (ATI Smart) -  - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Human Interface Device Access (HidServ) -  - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "D:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - "D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"
O23 - Service: User Privilege Service (usprserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs

Attachment:

Downloads: 352
File type: application/octet-stream
File size:
Uploaded: 2007-6-1 22:40:48
Description:



Last edited 2007-06-01 22:41:16
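As an added illustration (not part of this post, and not code from the Kaka tool), here is a small Python triage script for the O4 (autostart) lines of a Kaka/HijackThis-style log like the one above. It matches each Run, RunOnce and Startup-folder entry against the Brontok indicators described later in this thread: value names containing "Bron" or "Tok-Cirrhatus", the KesenjanganSosial / RakyatKelaparan / cmd-brontok / WowTumpeh file names, a br<digits>on.exe under Local Settings\Application Data, system-binary names such as csrss.exe or svchost.exe living under Application Data, and Empty.pif in the Startup folder. The sample log is constructed: it mixes benign O4 lines copied from the posted log with lines built from those indicators (the user name "Alice" is made up). Note that the O4 entries of the posted log itself show none of these indicators; its O1 lines do show the hosts file holding HTML markup instead of host mappings, which this script does not cover.

```python
"""Triage the O4 (autostart) lines of a Kaka / HijackThis-style log against the
Brontok indicators described in this thread. Added example; it only reports."""
import ntpath
import re

# Indicators taken from the removal write-up in this thread. Treated here as an
# assumption for the demo, not a complete signature set. Substring matching on
# "bron" is deliberately loose and can hit unrelated names.
NAME_IOCS = ("bron", "tok-cirrhatus")
PATH_IOCS = ("kesenjangansosial", "rakyatkelaparan", "cmd-brontok", "wowtumpeh")
STARTUP_IOCS = {"empty.pif"}
# Windows system binaries the worm mimics. Genuine copies live under
# %SystemRoot%\system32, never under a user's Application Data directory.
MIMICKED = {"csrss.exe", "inetinfo.exe", "winlogon.exe", "services.exe",
            "smss.exe", "lsass.exe", "svchost.exe"}
BR_EXE = re.compile(r"^br\d+on\.exe$", re.IGNORECASE)

# "O4 - HKLM\..\Run: [Name] command" (the command may be empty)
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): "
                    r"\[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
# "O4 - Startup: file = target" / "O4 - Global Startup: file = target"
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<file>.*?) =\s*(?P<target>.*)$")
# First executable-looking token, quoted or not, followed by space, comma or end.
EXE_TOKEN = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|pif|scr|com|bat))"?(?:[\s,]|$)',
                       re.IGNORECASE)


def exe_from_command(cmd):
    """Lower-cased path of the file a Run command actually launches.

    Handles unquoted paths containing spaces, quoted paths with switches, and
    rundll32 invocations, where the file of interest is the DLL argument."""
    cmd = cmd.strip()
    m = EXE_TOKEN.match(cmd)
    if not m:
        return ""
    path = m.group("path")
    if ntpath.basename(path).lower() == "rundll32.exe":
        return exe_from_command(cmd[m.end():])
    return path.lower()


def reasons_for(name, exe):
    """Why a startup entry looks like Brontok, per the thread's indicators."""
    reasons = []
    lowered, base = name.lower(), ntpath.basename(exe)
    in_appdata = "application data" in exe
    if any(ioc in lowered for ioc in NAME_IOCS):
        reasons.append("value name %r matches a Brontok startup name" % name)
    if any(ioc in exe for ioc in PATH_IOCS):
        reasons.append("path contains a known Brontok file name")
    if in_appdata and BR_EXE.match(base):
        reasons.append("br<digits>on.exe dropped under Application Data")
    if in_appdata and base in MIMICKED:
        reasons.append("%s outside system32 (mimicked system binary)" % base)
    if base in STARTUP_IOCS:
        reasons.append("%s is the Startup-folder file named in the write-up" % base)
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every O4 line matching an indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            name, exe = m.group("name"), exe_from_command(m.group("cmd") or "")
        else:
            m = O4_STARTUP.match(line)
            if not m:
                continue
            name, exe = m.group("file"), m.group("file").lower()
        reasons = reasons_for(name, exe)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: benign O4 lines copied from the log posted above, plus
# lines built from the indicators in the removal write-up (not a real capture).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RavTask] "D:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Bron-Spizaetus] C:\WINDOWS\ShellNew\RakyatKelaparan.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-969] C:\Documents and Settings\Alice\Local Settings\Application Data\br2961on.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus]
O4 - HKCU\..\Run: [svc] C:\Documents and Settings\Alice\Local Settings\Application Data\svchost.exe
O4 - Startup: Empty.pif =
O4 - Global Startup: desktop.ini =
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against a real log by passing the file's text to triage(); every hit is reported with the indicator that fired, so a reviewer can judge each one rather than trust a single match.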

This is the Brontok virus. Boot into Safe Mode, run a full-disk scan, and try emptying every file out of the virus quarantine.

Thanks, I'll give it a try.

If that doesn't work, refer to the following article:


Virus symptoms:
The [explorer] core startup entry carries the trojan C:\WINDOWS\KesenjanganSosial
The registry is locked, Folder Options disappears, and so on.
Startup entries added by the virus:
[Start - Programs - Startup] Empty.pif
[Bron-Spizaetus] C:\WINDOWS\ShellNew\RakyatKelaparan.exe
[Tok-Cirrhatus]
[Tok-Cirrhatus-969] C:\Documents and Settings\[Users]\Local Settings\Application Data\br2961on.exe (the number may differ from 2961)
Virus files:
C:\Documents and Settings\[username]\Application Data\
and
C:\Documents and Settings\[username]\Local Settings\Application Data
contain many virus programs, such as csrss.exe, inetinfo.exe, winlogon.exe, services.exe, smss.exe, lsass.exe, svchost.exe, Bron.tok-17-x.exe (x is a digit), and files whose names contain "Bron tok"; [Users] stands for each user name.
Tools to prepare: the latest version of Trojan Killer (木马杀客) or Malware Cleanup Assistant (恶意软件清理助手).
Removal steps:
1. Boot into Safe Mode and use Trojan Killer or Malware Cleanup Assistant to end every process running from an Application Data path:
C:\Documents and Settings\[username]\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\services.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\smss.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\winlogon.exe

2. Enter the following in Notepad (if right-click is disabled, create a new file from the File menu):
' Re-enable the registry editor through Windows Script Host
dim wsh
set wsh = wscript.createobject("wscript.shell")
' Clear the WinOldApp "Disabled" policy (it blocks the MS-DOS prompt)
wsh.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled", ""
' DisableRegistryTools is a REG_DWORD policy; 0 re-enables regedit
wsh.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
wsh.popup "已经成功解开注册表"
Save it as 1.vbs or 1.vbe and run the file; the registry is then unlocked.
3. If Folder Options has disappeared and hidden files and extensions cannot be shown, write the following in Notepad:
Windows Registry Editor Version 5.00
; Restores the "Show hidden files and folders" option under Folder Options, View
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
Save it as 2.reg and double-click the file to apply it.
4. Restore the "Folder Options" menu item so hidden files and file extensions can be viewed:
Run, type gpedit.msc and press Enter to open Group Policy. Expand User Configuration, Administrative Templates, System; find "Prevent access to registry editing tools", right-click it and set it to Disabled, and set "Prevent access to the command prompt" to Disabled as well. Back under Administrative Templates, expand Windows Components, Windows Explorer, find "Removes the Folder Options menu item from the Tools menu" and choose Disabled.
5. Start, Run, type regedit and click OK to open the Registry Editor.

Change
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe

Change
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\]
AlternateShell = "cmd-brontok.exe"
to
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\]
AlternateShell = "cmd.exe"

Change
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="1"

Change
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"ShowSuperHidden" = "0"
to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"ShowSuperHidden" = "1"

Change
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"HideFileExt"="1"
to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"HideFileExt"="0"

Change
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions="1"
to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions="0"
Compare the values above carefully before changing them; if a value is already correct, leave it as it is.

Delete the following startup entries:
[HKLM\software\microsoft\windows\currentversion\run\]
Bron-Spizaetus = "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"

[HKCU\software\microsoft\windows\currentversion\run\]
Tok-Cirrhatus-1464 = "C:\Documents and Settings\[username]\Local Settings\Application Data\br3951on.exe"

[HKCU\software\microsoft\windows\currentversion\run\]
Tok-Cirrhatus = ""

[HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Winlogon\Shell]
Bron-Spizaetus="C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
6. Search the registry for every item containing the strings "Bron" or "Tok-Cirrhatus", delete them, then save and exit.
7. Delete the following files:
C:\Documents and Settings\[username]\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\services.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\smss.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\[username]\Local Settings\Application Data\br3951on.exe
C:\Documents and Settings\[username]\Start Menu\Programs\Startup\empty.pif
C:\Documents and Settings\[username]\Templates\WowTumpeh.com
C:\WINDOWS\System32\[username]'ssetting.exe
C:\WINDOWS\System32\cmd-brontok.exe
C:\WINDOWS\KesenjanganSosial.exe
C:\WINDOWS\ShellNew\RakyatKelaparan.exe

8. Delete from the Start Menu:
C:\Documents and Settings\[username]\Start Menu\Programs\Startup\empty.pif
9. Delete the file [username]'s Setting.scr from the C:\Windows and C:\WINDOWS\system32 directories.
10. Edit C:\Autoexec.bat, remove the string "pause", then save and exit.
11. Clear the IE temporary files, and clean temporary files with a tool such as Super Rabbit (超级兔子) or Windows Optimizer (优化大师).
12. Under Accessories, System Tools, delete all scheduled tasks, then finish with a full-disk scan with Rising.
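The before/after values in step 2 and step 5 of the quoted article form a compact drift table. As an added example (not from the article or from any of the tools it names), the Python script below encodes the expected value for each of those settings (Winlogon Shell, SafeBoot AlternateShell, Hidden, ShowSuperHidden, HideFileExt, NoFolderOptions, DisableRegistryTools) and reports every setting that deviates, together with the value the article says to restore. On Windows it reads the live registry with the standard winreg module; elsewhere it runs the same comparison against a constructed snapshot holding the infected values the article lists, so the logic can be exercised without an infected machine. It only reports and never writes to the registry; the key paths are the ones the article names, and the snapshot values are assumed, not captured.

```python
"""Audit the registry settings the Brontok removal write-up tells the reader to
check (steps 2 and 5). Added example: reports deviations, never writes."""

# Subkeys named in the write-up.
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (hive, subkey, value name) -> value the write-up says a clean machine has.
EXPECTED = {
    ("HKLM", WINLOGON, "Shell"): "Explorer.exe",
    ("HKLM", SAFEBOOT, "AlternateShell"): "cmd.exe",
    ("HKCU", ADVANCED, "Hidden"): 1,
    ("HKCU", ADVANCED, "ShowSuperHidden"): 1,
    ("HKCU", ADVANCED, "HideFileExt"): 0,
    ("HKCU", POL_EXPLORER, "NoFolderOptions"): 0,
    ("HKCU", POL_SYSTEM, "DisableRegistryTools"): 0,
}
# The two shell values are never legitimately absent; the Explorer and Policies
# values may be missing on a clean machine (Windows then applies its defaults).
MUST_EXIST = {"Shell", "AlternateShell"}

# Constructed snapshot reproducing the infected values the write-up lists, so
# the comparison can run off Windows. These are assumed values, not a capture.
INFECTED_SNAPSHOT = {
    ("HKLM", WINLOGON, "Shell"): 'Explorer.exe "C:\\WINDOWS\\KesenjanganSosial.exe"',
    ("HKLM", SAFEBOOT, "AlternateShell"): "cmd-brontok.exe",
    ("HKCU", ADVANCED, "Hidden"): "0",
    ("HKCU", ADVANCED, "ShowSuperHidden"): 0,
    ("HKCU", ADVANCED, "HideFileExt"): 1,
    ("HKCU", POL_EXPLORER, "NoFolderOptions"): "1",
    ("HKCU", POL_SYSTEM, "DisableRegistryTools"): 1,
}


def normalize(data):
    """Make REG_SZ and REG_DWORD spellings comparable: "1" and 1 both become 1,
    any other string is stripped and lower-cased."""
    if data is None:
        return None
    if isinstance(data, int):
        return data
    text = str(data).strip()
    return int(text) if text.isdigit() else text.lower()


def audit(snapshot):
    """Compare {(hive, subkey, name): data} against EXPECTED.

    Returns (hive, subkey, name, observed, expected) for every setting that is
    wrong, or that is absent although it must exist."""
    findings = []
    for key, expected in EXPECTED.items():
        observed = snapshot.get(key)
        if observed is None:
            if key[2] in MUST_EXIST:
                findings.append(key + (None, expected))
            continue
        if normalize(observed) != normalize(expected):
            findings.append(key + (observed, expected))
    return findings


def read_live_snapshot():
    """Read the EXPECTED values from the live registry. Windows only: elsewhere
    the winreg module is missing and an empty dict is returned."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey, name in EXPECTED:
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:  # key or value absent
            snapshot[(hive, subkey, name)] = None
    return snapshot


if __name__ == "__main__":
    live = read_live_snapshot()
    source, snapshot = ("live registry", live) if live else ("constructed sample", INFECTED_SNAPSHOT)
    print("Auditing %s:" % source)
    for hive, subkey, name, observed, expected in audit(snapshot):
        print("  %s\\%s  %s = %r  (expected %r)" % (hive, subkey, name, observed, expected))
```

Running it before and after the manual edits in step 5 gives a quick confirmation that nothing was missed, and the same EXPECTED table can be extended with any further value the reader decides to track.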