C:\WINDOWS\system32\csrss.dll这个文件比较奇怪,不知道删除后是否系统会异常
只有删除看了,没办法。
既然你有PE系统,那么就简单了
你做好所有准备后,进PE系统里操作下面:
这里下载费尔木马强力清除助手,点选“抑制文件再生”删除。
http://bbs.ikaka.com/attachment.aspx?attachmentid=446804删除:
C:\WINDOWS\SYSTEM\ctfmon.exe
C:\WINDOWS\system32\zesttnsk.exe
C:\WINDOWS\system32\wins\6561\svchost.exe
D:\Personal\Temp\98315
C:\WINDOWS\system32\A4B30.exe
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\wicheck081025.dll
C:\WINDOWS\SYSTEM\ctfmon.exe
C:\WINDOWS\system32\weiai.exe
C:\WINDOWS\system32\System.exe
C:\WINDOWS\system32\alalin.exe
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\lwizyy16_081027.dll
C:\WINDOWS\system32\64DB7.exe
C:\WINDOWS\system32\test3.exe
C:\Windows\system32\wbem\AFKQXBHNTYE.DLL
C:\WINDOWS\system32\liveplay.exe
C:\WINDOWS\system32\wins\auevhirey.dll
C:\WINDOWS\system32\19b5406.sys
C:\WINDOWS\system32\4901228.sys
C:\WINDOWS\system32\4c70249.sys
C:\WINDOWS\system32\5102a80.sys
C:\97ad809c2839e84f.dat
C:\WINDOWS\system32\9fd8db.sys
C:\WINDOWS\system32\aecff9.sys
C:\WINDOWS\System32\Drivers\aliimz.sys
C:\WINDOWS\system32\c551839.sys
C:\WINDOWS\system32\ca99d57.sys
C:\WINDOWS\system32\d4f876.sys
C:\WINDOWS\system32\drivers\riwmq.sys
C:\WINDOWS\system32\drivers\taqka.sys
C:\WINDOWS\system32\drivers\xuikl.sys
C:\WINDOWS\system32\drivers\ytntc.sys
C:\WINDOWS\system32\drivers\HBKernel32.sys
C:\WINDOWS\system32\d7b49fa.sys
C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho
C:\Program Files\Common Files\PushWare\cpush0.dll
C:\Program Files\Internet Explorer\Vv54321t.321
C:\WINDOWS\Poss\pctools_2004111_7847.dll
C:\Program Files\Internet Explorer\7v54321t.321
C:\Program Files\Internet Explorer\Explo2eMt.456
C:\WINDOWS\system32\csrss.dll
C:\WINDOWS\system32\gdipro.dll
C:\WINDOWS\system32\sh05003.dll
C:\WINDOWS\system32\sh18005.dll
C:\WINDOWS\system32\sh18008.dll
C:\WINDOWS\system32\B3721C07.dll
C:\WINDOWS\system32\DA63E650.dll
C:\WINDOWS\system32\4BF9CBA3.dll
C:\WINDOWS\system32\9F684DE8.dll
C:\WINDOWS\system32\12B02216.dll
C:\WINDOWS\system32\122B901E.dll
C:\WINDOWS\system32\D7C79813.dll
C:\WINDOWS\system32\E3367679.dll
C:\WINDOWS\system32\43ACDCC5.dll
C:\WINDOWS\system32\DE02F764.dll
C:\WINDOWS\system32\3D144530.dll
C:\WINDOWS\system32\CABA599D.dll
C:\WINDOWS\system32\495271CA.dll
C:\WINDOWS\system32\E4814792.dll
C:\WINDOWS\system32\C56BCC10.dll
C:\WINDOWS\system32\22D75360.dll
C:\WINDOWS\system32\7ADC2AB1.dll
C:\WINDOWS\system32\3474A8C2.dll
C:\WINDOWS\system32\58FF3024.dll
C:\WINDOWS\system32\D91BC61E.dll
C:\WINDOWS\system32\xsgotxsy.dll
C:\WINDOWS\system32\svztotcx.dll
C:\WINDOWS\system32\naswahvn.dll
C:\WINDOWS\system32\kalrwdhv.dll
C:\WINDOWS\system32\efeniyil.dll
C:\WINDOWS\system32\yswiumbb.dll
C:\WINDOWS\system32\ksuserfy.dll
C:\WINDOWS\system32\sypegivy.dll
C:\WINDOWS\system32\8566F82E.dll
C:\WINDOWS\system32\08223B03.dll
C:\WINDOWS\system32\9CA963CA.dll
C:\WINDOWS\system32\E0D39066.dll
C:\WINDOWS\system32\DFEC5CB7.dll
C:\WINDOWS\system32\2EF0D734.dll
C:\WINDOWS\system32\F65BDEC7.dll
C:\WINDOWS\system32\66AFCB56.dll
C:\WINDOWS\system32\F8E07BB2.dll
C:\WINDOWS\system32\E5D39975.dll
C:\WINDOWS\system32\BA7EDF54.dll
C:\WINDOWS\system32\F2CBFAC4.dll
C:\WINDOWS\system32\C8FFD223.dll
C:\WINDOWS\system32\3F21AA0C.dll
C:\WINDOWS\system32\alalin.dll
C:\WINDOWS\system32\wicheck081025.dll
C:\WINDOWS\system32\mwiszcyys32_081027.dll
C:\WINDOWS\system32\HBmhly.dll
C:\WINDOWS\system32\HBJTLQ.dll
D:\Personal\Temp\WowInitcode.dat
C:\WINDOWS\system32\HBDNF.dll
C:\WINDOWS\system32\HBASKTAO.dll
C:\WINDOWS\system32\HBWOW.dll
C:\WINDOWS\system32\HBZHUXIAN.dll
C:\WINDOWS\system32\HBQQFFO.dll
C:\WINDOWS\system32\HBBO.dll
C:\WINDOWS\system32\HBQQXX.dll
C:\WINDOWS\system32\HBWD.dll
C:\WINDOWS\system32\HBTL.dll
C:\Autorun.inf
C:\weiai.exe
D:\Autorun.inf
D:\weiai.exe
E:\Autorun.inf
E:\weiai.exe
F:\Autorun.inf
F:\weiai.exe
不管删除结果如何,继续下面的操作:
————————————————————————————————————
去找相同系统里的userinit.exe和ctfmon.exe文件。仍然在PE系统里继续操作替换掉下面文件夹里的相同文件
先复制到C:\WINDOWS\system32\dllcache文件夹里替换。
再复制到C:\WINDOWS\system32文件夹里替换。
可以这贴里找相关文件下载。
http://bbs.ikaka.com/showtopic-8417665.aspx————————————————————————————————————
去这贴找rpcss.dll文件,仍然在PE系统里继续操作替换
http://bbs.ikaka.com/showtopic-8561436.aspx先复制到C:\WINDOWS\system32\dllcache文件夹里替换。
再复制到C:\WINDOWS\system32文件夹里替换。
————————————————————————————————
文件替换成功后就可以重启电脑,维持断网状态下进入正常系统里继续下面操作:
————————————————————————————————————————
运行下载的删除映像劫持工具,清除检测到的所有映像劫持项。
http://bbs.ikaka.com/attachment.aspx?attachmentid=429561————————————————————————————————————
在扫日志的SRENG工具》启动项目》注册表》里将<AppInit_DLLs>项目置空(就是选择“编辑”)这必须关闭杀毒软件的监控,否则改不了可能。
启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><zesttns.dll lenyuns.dll,HBmhly.dll meyotme.dll xsisco.dll qanhllao.dll rexljeh.dll kandoftt.dll,HBJTLQ.dll cenbezn.dll jonzyan.dll batteo.dll jolends.dll,HBDNF.dll,HBASKTAO.dll,HBWOW.dll,HBZHUXIAN.dll,HBQQFFO.dll,HBBO.dll,HBQQXX.dll,HBWD.dll,HBTL.dll,HBQQSG.dll> [N/A]
就是将 <AppInit_DLLs> 的“值”项编辑置空
你可以选择其中一个红色项,然后编辑时你可能看不到什么,只需要在值项里输入任意一个字母或数字即可。
————————————————————————————————————
在扫日志的SRENG工具》启动项目》注册表》里面找下面项目删除:
启动项目
注册表
<msacheck><rundll32.exe "C:\WINDOWS\system32\wicheck081025.dll" myjkl> [File is missing]
<ctfmon.exe><C:\WINDOWS\SYSTEM\ctfmon.exe> [微软中国]
<weiai><C:\WINDOWS\system32\weiai.exe> []
<HBService32><System.exe> []
<nwiz><alalin.exe> []
<zuoyue><C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lwizyy16_081027.dll zyd1_6> [File is missing]
<{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}><C:\WINDOWS\system32\xsgotxsy.dll> []
<{D91BC61E-7D78-4A2A-A336-7B97E8E52F0B}><D91BC61E.dll> []
<{71A78CD4-E470-4a18-8457-E0E0283DD507}><C:\WINDOWS\system32\brmvyjqz.dll> [File is missing]
<{58FF3024-8A83-4B1A-88E9-302F47646EEE}><58FF3024.dll> []
<{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}><C:\WINDOWS\system32\yhzxcxba.dll> [File is missing]
<{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}><C:\WINDOWS\system32\ibmivvgl.dll> [File is missing]
<{F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC}><C:\WINDOWS\system32\svztotcx.dll> []
<{3474A8C2-BEF9-46C8-983A-A26A0030EC30}><3474A8C2.dll> []
<{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}><C:\WINDOWS\system32\naswahvn.dll> []
<{7ADC2AB1-5C6A-4178-82DA-94863354AF7C}><7ADC2AB1.dll> []
<{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}><C:\WINDOWS\system32\yrxqufba.dll> [File is missing]
<{D3112B69-A745-4805-874E-ABD480EA1299}><C:\WINDOWS\system32\idlandym.dll> [File is missing]
<{22D75360-199D-4F79-880D-82E766675F06}><22D75360.dll> []
<{F0930A2F-D971-4828-8209-B7DFD266ED44}><C:\WINDOWS\system32\cqdwhqzb.dll> [File is missing]
<{C56BCC10-503E-43AB-B208-3CD37FCFCE40}><C56BCC10.dll> []
<{DA56B183-A731-402b-9235-2CB8803E212D}><C:\WINDOWS\system32\agygdnlk.dll> [File is missing]
<{BA4B5EBD-AB43-4c2b-84F5-F1AD85E79E4A}><C:\WINDOWS\system32\kalrwdhv.dll> []
<{432BDC7C-DE5B-43f4-AA81-E7F8AFB0182D}><C:\WINDOWS\system32\efeniyil.dll> []
<{EA4D8F95-8F2E-4658-A234-E8F4C9AC21C5}><C:\WINDOWS\system32\yswiumbb.dll> []
<{C4C78494-4D05-4614-8CF2-03F1C4276C8A}><C:\WINDOWS\system32\ksuserfy.dll> []
<{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}><C:\WINDOWS\system32\sypegivy.dll> []
<{D1CC9DC6-F0BC-40fc-9552-E497B05E05B8}><C:\WINDOWS\system32\pwjgkwoy.dll> [File is missing]
<{E4814792-EFA3-4C20-93D0-8B130A59F9A8}><E4814792.dll> []
<{495271CA-D0C6-4052-ABE6-5B01C73CDFB0}><495271CA.dll> []
<{581C5299-BEA6-4619-8218-BE539A98812A}><C:\Program Files\Internet Explorer\7v54321t.321> []
<{AD862DC6-37FA-4D56-B7EA-59C2522A5FC4}><C:\Program Files\Internet Explorer\Explo2eMt.456> []
<{16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54}><C:\Program Files\Internet Explorer\Vv54321t.321> []
<{CABA599D-5089-4865-9420-E41FA3C1F55F}><CABA599D.dll> []
<{3D144530-43DA-47CC-B7C7-A3A9F3B9A6B2}><3D144530.dll> []
<{DE02F764-C51A-4788-9597-D78ECC2AC08F}><DE02F764.dll> []
<{43ACDCC5-9009-4AF4-B80A-93BC656EF298}><43ACDCC5.dll> []
<{E3367679-4775-4244-A62E-4CFE58FC850B}><E3367679.dll> []
<{D7C79813-9233-4AE0-832C-99B2E8019673}><D7C79813.dll> []
<{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}><122B901E.dll> []
<{12B02216-AC3F-42A7-8313-449771237061}><12B02216.dll> []
<{9F684DE8-3E87-4174-9033-E02A3DFD8B61}><9F684DE8.dll> []
<{4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F}><4BF9CBA3.dll> []
<{DA63E650-537C-4042-87BB-9D19D844680B}><DA63E650.dll> []
<{B3721C07-62B3-411A-9DC7-F5F27E3E21FF}><B3721C07.dll> []
<{8566F82E-03A4-416E-AEAC-66600D8881F1}><8566F82E.dll> []
<{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}><08223B03.dll> []
<{9CA963CA-107C-4089-B0AB-31380F90D7E3}><9CA963CA.dll> []
<{E0D39066-96D7-4891-8527-488ADAFCD60F}><E0D39066.dll> []
<{DFEC5CB7-E2AA-4B0A-BEB3-D140E59ED53A}><DFEC5CB7.dll> []
<{2EF0D734-21FD-4225-A1A2-BCD296182AAF}><2EF0D734.dll> []
<{F65BDEC7-4BF3-4512-840F-68B166B6D7AC}><F65BDEC7.dll> []
<{66AFCB56-FAA9-42D2-8C72-2767A46C7FA8}><66AFCB56.dll> []
<{F8E07BB2-7A19-4057-80F1-E14646E630B4}><F8E07BB2.dll> []
<{E5D39975-A103-4A21-9EE9-A638E9DD9EB4}><E5D39975.dll> []
<{BA7EDF54-8408-4B21-B351-7B447B344BA4}><BA7EDF54.dll> []
<{F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C}><F2CBFAC4.dll> []
<{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}><C8FFD223.dll> []
<{E59C8BDA-489C-47EC-8967-A33C6A730B10}><C:\Program Files\Internet Explorer\Explo2eMt.456> []
<{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01}><3F21AA0C.dll> []
<xsgotxsy.dll><C:\WINDOWS\system32\xsgotxsy.dll> []
<brmvyjqz.dll><C:\WINDOWS\system32\brmvyjqz.dll> [File is missing]
<yhzxcxba.dll><C:\WINDOWS\system32\yhzxcxba.dll> [File is missing]
<ibmivvgl.dll><C:\WINDOWS\system32\ibmivvgl.dll> [File is missing]
<svztotcx.dll><C:\WINDOWS\system32\svztotcx.dll> []
<naswahvn.dll><C:\WINDOWS\system32\naswahvn.dll> []
<yrxqufba.dll><C:\WINDOWS\system32\yrxqufba.dll> [File is missing]
<idlandym.dll><C:\WINDOWS\system32\idlandym.dll> [File is missing]
<cqdwhqzb.dll><C:\WINDOWS\system32\cqdwhqzb.dll> [File is missing]
<agygdnlk.dll><C:\WINDOWS\system32\agygdnlk.dll> [File is missing]
<kalrwdhv.dll><C:\WINDOWS\system32\kalrwdhv.dll> []
<efeniyil.dll><C:\WINDOWS\system32\efeniyil.dll> []
<yswiumbb.dll><C:\WINDOWS\system32\yswiumbb.dll> []
<ksuserfy.dll><C:\WINDOWS\system32\ksuserfy.dll> []
<sypegivy.dll><C:\WINDOWS\system32\sypegivy.dll> []
<pwjgkwoy.dll><C:\WINDOWS\system32\pwjgkwoy.dll> [File is missing]
—————————————————————————————————————
在扫日志的SRENG工具》启动项目》服务》Win32服务应用程序》里面找下面项删除,
==================================
服务
[64DB7 / 64DB7][Stopped/Auto Start]
<C:\WINDOWS\system32\64DB7.exe><N/A>
[dasd1s2d2 / dd3133sdd2][Stopped/Manual Start]
<C:\WINDOWS\system32\test3.exe -r><N/A>
[RXEKRX / IOUAGMKPXDIPU][Running/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k AGMSZFLRXCIOT-->C:\Windows\system32\wbem\AFKQXBHNTYE.DLL><N/A>
[Servicelivehelp / Servicelivehelp][Stopped/Auto Start]
<C:\WINDOWS\system32\liveplay.exe><(File is missing)>
[Windows Time / W32Time][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\wins\auevhirey.dll><Microsoft LTD.>
————————————————————————————————————
在扫日志的SRENG工具》启动项目》服务》驱动程序》里面找下面项删除,
==================================
驱动程序
[19b5406 / 19b5406][Running/Manual Start]
<\??\C:\WINDOWS\system32\19b5406.sys><N/A>
[4901228 / 4901228][Running/Manual Start]
<\??\C:\WINDOWS\system32\4901228.sys><N/A>
[4c70249 / 4c70249][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\4c70249.sys><N/A>
[5102a80 / 5102a80][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\5102a80.sys><N/A>
[97ad809c2839e84f / 97ad809c2839e84f][Stopped/Manual Start]
<\??\C:\97ad809c2839e84f.dat><N/A>
[9fd8db / 9fd8db][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\9fd8db.sys><N/A>
[aecff9 / aecff9][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\aecff9.sys><N/A>
[aliimz / aliimz][Stopped/Manual Start]
<System32\Drivers\aliimz.sys><N/A>
[c551839 / c551839][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\c551839.sys><N/A>
[ca99d57 / ca99d57][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\ca99d57.sys><N/A>
[d4f876 / d4f876][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\d4f876.sys><N/A>
[riwmq / riwmq][Stopped/Boot Start]
<\SystemRoot\system32\drivers\riwmq.sys><N/A>
[taqka / taqka][Running/Boot Start]
<\SystemRoot\system32\drivers\taqka.sys><N/A>
[xuikl / xuikl][Stopped/Boot Start]
<\SystemRoot\system32\drivers\xuikl.sys><N/A>
[ytntc / ytntc][Stopped/Boot Start]
<\SystemRoot\system32\drivers\ytntc.sys><N/A>
[HBKernel32 Driver / HBKernel32][Stopped/Boot Start]
<\SystemRoot\system32\drivers\HBKernel32.sys><N/A>
[d7b49fa / d7b49fa][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\d7b49fa.sys><N/A>
—————————————————————————————
在扫日志的SRENG工具》系统修复》浏览器加载项》里面找下面删除
==================================
浏览器加载项
[]
{09EB15FA-17D8-4D60-8598-3F549A848DF2} <C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho, N/A>
[CAdLogic Object]
{11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\PushWare\cpush0.dll, >
[]
{16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54} <C:\Program Files\Internet Explorer\Vv54321t.321, N/A>
[Info cache]
{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\WINDOWS\Poss\pctools_2004111_7847.dll, Polls>
[]
{581C5299-BEA6-4619-8218-BE539A98812A} <C:\Program Files\Internet Explorer\7v54321t.321, N/A>
[]
{AD862DC6-37FA-4D56-B7EA-59C2522A5FC4} <C:\Program Files\Internet Explorer\Explo2eMt.456, N/A>
[]
{E59C8BDA-489C-47EC-8967-A33C6A730B10} <C:\Program Files\Internet Explorer\Explo2eMt.456, N/A>
[]
{09EB15FA-17D8-4D60-8598-3F549A848DF2} <C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho, N/A>
[CAdLogic Object]
{11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\PushWare\cpush0.dll, >
[]
{16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54} <C:\Program Files\Internet Explorer\Vv54321t.321, N/A>
[Info cache]
{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\WINDOWS\Poss\pctools_2004111_7847.dll, Polls>
[]
{581C5299-BEA6-4619-8218-BE539A98812A} <C:\Program Files\Internet Explorer\7v54321t.321, N/A>
[]
{AD862DC6-37FA-4D56-B7EA-59C2522A5FC4} <C:\Program Files\Internet Explorer\Explo2eMt.456, N/A>
[]
{E59C8BDA-489C-47EC-8967-A33C6A730B10} <C:\Program Files\Internet Explorer\Explo2eMt.456, N/A>
—————————————————————————————————————
用下载的“清理临时文件工具ATF-Cleaner-cn”,全选所有项目,点击“立即清理”
下载:
http://bbs.ikaka.com/attachment.aspx?attachmentid=447126用W i n d o w s 清理助手 ,清理你那系统。
W i n d o w s 清理助手 下载:
http://www.arswp.com/————————————————————————————————————
再重启电脑,反复检查,操作的结果,
杀毒软件如果有异常,可能需要卸载重装,升级至最新版本全盘杀。
记得打打系统漏洞补丁
SRENG工具的各项操作看这里:
http://bbs.ikaka.com/showtopic-8545446.aspx
