The signs are fairly clear: the machine is infected with the ms_2fax rogue software...
--------------------
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(stup.exe)(; ) [N/A]
Services
[ms_2fax / ms_2fax][Running/Auto Start]
(C:\WINDOWS\system32\a57d1.exe)(Microsoft Corporation)
[Windows psfg RunThem / psfg][Running/Auto Start]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)C:\PROGRA~1\knab\uxkl.dll)()
Drivers
[rnwutq6 / rnwutq65][Stopped/Boot Start]
(\SystemRoot\System32\DRIVERS\rnwutq65.sys)(N/A)
Browser add-ons
[Invoke Class]
{3AA0903B-1E13-4865-B114-15792D413C41} (C:\WINDOWS\system32\9a51.dll, )
[]
{2F429BA5-3EF4-40BD-AE4B-5561C8AF3E72} (C:\WINDOWS\system32\weegkxnslvkcc.dll, )
[Invoke Class]
{3AA0903B-1E13-4865-B114-15792D413C41} (C:\WINDOWS\system32\9a51.dll, )
Running processes
[PID: 1000 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4162]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 1568 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4162]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 1864 / may][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\WINDOWS\system32\9a51.dll] [, 1, 0, 0, 2]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 1980 / may][C:\Program Files\Eset\nod32kui.exe] [Eset , 2, 70, 39 ]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 1988 / may][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 252 / SYSTEM][C:\Program Files\Eset\nod32krn.exe] [Eset , 2, 70, 39 ]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 456 / may][C:\Program Files\TENCENT\TT\TTraveler.exe] [Tencent, 3, 8, 308, 201]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 504 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\knab\uxkl.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\zcpq.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\qtgh.dll] [, 5, 0, 1, 1]
[PID: 3760 / may][C:\Program Files\Eset\nod32.exe] [Eset , 2, 70, 39 ]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 216 / SYSTEM][C:\WINDOWS\system32\a57d1.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 720 / may][C:\WINDOWS\system32\rundll32.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\691.dll] [ , 1, 0, 0, 3]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
[PID: 3912 / may][D:\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[c:\progra~1\knab\xano.dll] [, 5, 0, 1, 1]
[c:\progra~1\knab\cfst.dll] [, 5, 0, 1, 1]
------------------------------
Delete the following with XDelBox (the method is in the pinned post):
C:\WINDOWS\system32\a57d1.exe
C:\WINDOWS\system32\9a51.dll
C:\WINDOWS\system32\weegkxnslvkcc.dll
C:\PROGRA~1\knab\uxkl.dll
c:\progra~1\knab\xano.dll
c:\progra~1\knab\cfst.dll
c:\progra~1\knab\zcpq.dll
c:\progra~1\knab\qtgh.dll
(The c:\progra~1\knab\ folder looks very suspicious; delete that whole folder!)
Boot into Safe Mode and remove the related service, driver, registry and browser add-on entries:
[ms_2fax / ms_2fax][Running/Auto Start]
(C:\WINDOWS\system32\a57d1.exe)(Microsoft Corporation)
[Windows psfg RunThem / psfg][Running/Auto Start]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)C:\PROGRA~1\knab\uxkl.dll)()
[rnwutq6 / rnwutq65][Stopped/Boot Start]
(\SystemRoot\System32\DRIVERS\rnwutq65.sys)(N/A)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(stup.exe)(; ) [N/A]
[Invoke Class]
{3AA0903B-1E13-4865-B114-15792D413C41} (C:\WINDOWS\system32\9a51.dll, )
[]
{2F429BA5-3EF4-40BD-AE4B-5561C8AF3E72} (C:\WINDOWS\system32\weegkxnslvkcc.dll, )
[Invoke Class]
{3AA0903B-1E13-4865-B114-15792D413C41} (C:\WINDOWS\system32\9a51.dll, )