Rising Kaka Security Forum, Technical Exchange: Anti-virus / Anti-rogue-software board

[Original] Infected with a trojan, scanned a log, please take a look, thanks!

In the Current Viruses board I saw the pinned [Original] thread "Beware of fake 'Windows Automatic Updates'", and I think I may have caught the same thing: yesterday, when I picked up the trojan, a Windows automatic update also appeared, and it looked like a system update for Explorer (资源管理器). This is the log I scanned; please take a look, thanks! My original thread is: http://bbs.ikaka.com/showtopic-8519659.aspx

Attachment: SREngLOG.log (2008-7-2 11:09:20, 55.23 K)

Reply: Infected with a trojan, scanned a log, please take a look, thanks!



Quote:
Original post by ayin267 on 2008-7-2 11:09:00
In the Current Viruses board I saw the pinned [Original] [url=http:


1. It is recommended to use XDelBox to delete the following files (XDelBox 1.7 supports the Olympic edition; download address: www.dodudou.com).
Usage: copy the paths of all the files to be deleted, right-click in the "files to delete" list and choose "Import from clipboard"; after importing, right-click a file to delete and choose "Reboot and delete now". The computer will restart into a DOS screen to carry out the deletion. Before running XDelBox, it is best to remove all removable storage media (USB drives, MP3 players, phone memory cards, etc.).

c:\windows\system32\cliconfgzx.dll
c:\windows\system32\dispexcb.dll
c:\windows\system32\ksuserfy.dll
c:\windows\system32\mstimewd.dll
c:\windows\system32\oaimgpom.dll
c:\windows\system32\adsntzt.dll
c:\windows\system32\midimappt.dll
c:\windows\system32\ypdjgbmp.dll
c:\windows\system32\mnmhgsrv.dll
c:\windows\system32\ptjhehlp.dll
c:\windows\system32\apsggjba.dll
c:\windows\system32\mndhfdwd.dll
c:\windows\system32\opshcbty.dll
c:\windows\system32\portmap.exe
c:\windows\system32\drivers\xinstall.sys
c:\documents and settings\lvqiuying\桌面\p2pzzz\p2pfilter.sys
c:\windows\system32\drivers\xinstall.sys
c:\documents and settings\lvqiuying\桌面\p2pzzz\p2pfilter.sys
c:\docume~1\lvqiuy~1\locals~1\temp\1.tmp
c:\windows\system32\d32dx9.sys
c:\windows\system32\drivers\ds1410d.sys
res://d:\adobe\acrobat 7.0\acrobat\acroiefavclient.dll/acroieappend.html
res://d:\adobe\acrobat 7.0\acrobat\acroiefavclient.dll/acroiecapture.html
res://d:\adobe\acrobat 7.0\acrobat\acroiefavclient.dll/acroieappendsellinks.html
res://d:\adobe\acrobat 7.0\acrobat\acroiefavclient.dll/acroiecapturesellinks.html
c:\program files\yahoo!\assistant\assist\yphtb.dll
c:\program files\yahoo!\assistant\assist\yangling.dll
c:\progra~1\alisoft\toolbar\assist\yangling.dll
c:\program files\yahoo!\assistant\assist\yasbar.dll
c:\program files\tencent\qqtoolbar\iebar.dll

2. After deleting and rebooting, use SREng to repair the following items:

    Startup items -- Registry: delete the following entries:
[cliconfgzx.dll]    <C:\WINDOWS\system32\cliconfgzx.dll>
[dispexcb.dll]    <C:\WINDOWS\system32\dispexcb.dll>
[ksuserfy.dll]    <C:\WINDOWS\system32\ksuserfy.dll>
[mstimewd.dll]    <C:\WINDOWS\system32\mstimewd.dll>
[oaimgpom.dll]    <C:\WINDOWS\system32\oaimgpom.dll>
[adsntzt.dll]    <C:\WINDOWS\system32\adsntzt.dll>
[midimappt]    <C:\WINDOWS\system32\midimappt.dll>
[{91954FAC-1023-154F-895A-1458258AD819}]    <C:\WINDOWS\system32\ypdjgbmp.dll>
[{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]    <C:\WINDOWS\system32\mnmhgsrv.dll>
[{528DF602-9541-A985-210A-984A698C6F25}]    <C:\WINDOWS\system32\ptjhehlp.dll>
[{7FD45A54-9875-698F-E56E-65102358FDF7}]    <C:\WINDOWS\system32\apsggjba.dll>
[{6C648541-1025-9650-9057-6541258720C6}]    <C:\WINDOWS\system32\mndhfdwd.dll>
[{32596546-2036-9451-6058-658402589723}]    <C:\WINDOWS\system32\opshcbty.dll>
[{4F4F0064-71E0-4f0d-0021-708476C7815F}]    <C:\WINDOWS\system32\midimappt.dll>
[{00010001-0001-0001-0001-00010001BB15}]    <C:\WINDOWS\system32\adsntzt.dll>
[{00150015-0015-0015-0015-00150015BB15}]    <C:\WINDOWS\system32\oaimgpom.dll>
[{00180018-0018-0018-0018-00180018BB15}]    <C:\WINDOWS\system32\mstimewd.dll>
[{00130013-0013-0013-0013-00130013BB15}]    <C:\WINDOWS\system32\ksuserfy.dll>
[{00060006-0006-0006-0006-00060006BB15}]    <C:\WINDOWS\system32\dispexcb.dll>
[{00050005-0005-0005-0005-00050005BB15}]    <C:\WINDOWS\system32\cliconfgzx.dll>
Note: edit the [AppInit_DLLs] entry: change <toolbo.dll wocronce.dll pocolieov.dll qqtmd.dll womsoy.dll zipyqld.dll jelens.dll wcpome.dll verptw.dll qananp.dll> to <>, i.e. clear it
[cliconfgzx.dll]    <C:\WINDOWS\system32\cliconfgzx.dll>
[dispexcb.dll]    <C:\WINDOWS\system32\dispexcb.dll>
[ksuserfy.dll]    <C:\WINDOWS\system32\ksuserfy.dll>
[mstimewd.dll]    <C:\WINDOWS\system32\mstimewd.dll>
[oaimgpom.dll]    <C:\WINDOWS\system32\oaimgpom.dll>
[adsntzt.dll]    <C:\WINDOWS\system32\adsntzt.dll>
[midimappt]    <C:\WINDOWS\system32\midimappt.dll>
[{91954FAC-1023-154F-895A-1458258AD819}]    <C:\WINDOWS\system32\ypdjgbmp.dll>
[{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]    <C:\WINDOWS\system32\mnmhgsrv.dll>
[{528DF602-9541-A985-210A-984A698C6F25}]    <C:\WINDOWS\system32\ptjhehlp.dll>
[{7FD45A54-9875-698F-E56E-65102358FDF7}]    <C:\WINDOWS\system32\apsggjba.dll>
[{6C648541-1025-9650-9057-6541258720C6}]    <C:\WINDOWS\system32\mndhfdwd.dll>
[{32596546-2036-9451-6058-658402589723}]    <C:\WINDOWS\system32\opshcbty.dll>
[{4F4F0064-71E0-4f0d-0021-708476C7815F}]    <C:\WINDOWS\system32\midimappt.dll>
[{00010001-0001-0001-0001-00010001BB15}]    <C:\WINDOWS\system32\adsntzt.dll>
[{00150015-0015-0015-0015-00150015BB15}]    <C:\WINDOWS\system32\oaimgpom.dll>
[{00180018-0018-0018-0018-00180018BB15}]    <C:\WINDOWS\system32\mstimewd.dll>
[{00130013-0013-0013-0013-00130013BB15}]    <C:\WINDOWS\system32\ksuserfy.dll>
[{00060006-0006-0006-0006-00060006BB15}]    <C:\WINDOWS\system32\dispexcb.dll>
[{00050005-0005-0005-0005-00050005BB15}]    <C:\WINDOWS\system32\cliconfgzx.dll>

[IFEO[QQDoctor.exe]]    <TASKMAN.EXE>
[IFEO[QQDoctorMain.exe]]    <TASKMAN.EXE>
[IFEO[SelfUpdate.exe]]    <TASKMAN.EXE>

    Startup items -- Services -- Win32 service applications: delete the following entries:
[ONC Portmapper / Portmapper]    <C:\WINDOWS\system32\portmap.exe>

    Startup items -- Services -- Drivers: delete the following entries:
[xinstall / xinstall]    <\??\C:\WINDOWS\system32\drivers\xinstall.sys>
[p2pfilter / p2pfilter]    <\??\C:\Documents and Settings\lvqiuying\桌面\P2Pzzz\p2pfilter.sys>
[xinstall / xinstall]    <\??\C:\WINDOWS\system32\drivers\xinstall.sys>
[p2pfilter / p2pfilter]    <\??\C:\Documents and Settings\lvqiuying\桌面\P2Pzzz\p2pfilter.sys>
[IIS Manager  / IIS Manager ]    <\??\C:\DOCUME~1\LVQIUY~1\LOCALS~1\Temp\1.tmp>
[HiddFldy / HiddFldy]    <\??\C:\WINDOWS\system32\d32dx9.sys>
[DS1410D / DS1410D]    <\??\C:\WINDOWS\system32\drivers\ds1410d.sys>

    System repair -- Browser add-ons: delete the following entries:
[Convert link target to existing PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html>
[Convert link target to Adobe PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html>
[Convert selection to existing PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html>
[Convert selection to Adobe PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html>
[Convert selected links to existing PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html>
[Convert selected links to Adobe PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html>
[Convert to existing PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html>
[Convert to Adobe PDF]    <res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html>
[Yahoo!Photo]    <C:\Program Files\Yahoo!\Assistant\Assist\yphtb.dll>
[AntiFish Class]    <C:\Program Files\Yahoo!\Assistant\Assist\yAngling.dll>
[AliAntiFish Class]    <C:\PROGRA~1\Alisoft\Toolbar\assist\yangling.dll>
[Yahoo! Assistant]    <C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll>
[QQToolbar]    <C:\Program Files\Tencent\QQToolbar\IEBar.dll>
Last edited by 小九的寒 on 2008-07-02 11:21:49

Reply: Infected with a trojan, scanned a log, please take a look, thanks!

1. Download the Filseclab (费尔) Trojan Power Removal Assistant from its official site, tick "Delete and suppress regeneration of the file", and delete the following files:
(Whether or not a file exists, deleting it once does no harm; if it reports that a file does not exist, ignore that and go straight on with the repairs below.)

c:\program files\internet explorer\plugins\windows64.sys
c:\progra~1\tencent\ssplus\splus1.dll
c:\program files\tencent\ssplus\saddr.dll
c:\windows\system32\adsntzt.dll
c:\windows\system32\apsggjba.dll
c:\windows\system32\cliconfgzx.dll
c:\windows\system32\dispexcb.dll
c:\windows\system32\ksuserfy.dll
c:\windows\system32\midimappt.dll
c:\windows\system32\mndhfdwd.dll
c:\windows\system32\mnmhgsrv.dll
c:\windows\system32\mstimewd.dll
c:\windows\system32\oaimgpom.dll
c:\windows\system32\opshcbty.dll
c:\windows\system32\ptjhehlp.dll
c:\windows\system32\ypdjgbmp.dll
c:\progra~1\tencent\ssplus\splus1.dll
c:\windows\system32\portmap.exe
c:\ads2005a\licenses\bin\lmgrd.exe
c:\windows\system32\drivers\xinstall.sys
c:\docume~1\lvqiuy~1\locals~1\temp\1.tmp
c:\windows\system32\d32dx9.sys
c:\windows\system32\drivers\ds1410d.sys
c:\windows\system32\drivers\adprot.sys
c:\windows\system32\nrewcjwrwtync.dll
c:\windows\system32\ssup.dll

2. After deleting and rebooting, use SREng to repair the following items:

    Startup items -- Registry: delete the following entries:
[cliconfgzx.dll]
[dispexcb.dll] 
[ksuserfy.dll] 
[mstimewd.dll] 
[oaimgpom.dll] 
[adsntzt.dll] 
[midimappt]   
[{91954FAC-1023-154F-895A-1458258AD819}]
[{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
[{528DF602-9541-A985-210A-984A698C6F25}]
[{7FD45A54-9875-698F-E56E-65102358FDF7}]
[{6C648541-1025-9650-9057-6541258720C6}]
[{32596546-2036-9451-6058-658402589723}]
[{4372FE4D-E2C2-45FE-A893-E2B1691A7DD0}]
[{4F4F0064-71E0-4f0d-0021-708476C7815F}]
[{00010001-0001-0001-0001-00010001BB15}]
[{00150015-0015-0015-0015-00150015BB15}]
[{00180018-0018-0018-0018-00180018BB15}]
[{00130013-0013-0013-0013-00130013BB15}]
[{00060006-0006-0006-0006-00060006BB15}]
[{00050005-0005-0005-0005-00050005BB15}]
Note: edit the [AppInit_DLLs] entry: change <toolbo.dll wocronce.dll pocolieov.dll qqtmd.dll womsoy.dll zipyqld.dll jelens.dll wcpome.dll verptw.dll qananp.dll> to <>, i.e. clear it
[stup.exe] 
[IFEO[QQDoctor.exe]]   
[IFEO[QQDoctorMain.exe]] 
[IFEO[SelfUpdate.exe]]   

    Startup items -- Services -- Win32 service applications: delete the following entries:
[ONC Portmapper / Portmapper]
[ADS2005A / ADS2005A]       

    Startup items -- Services -- Drivers: delete the following entries:
[xinstall / xinstall]   
[IIS Manager  / IIS Manager ]   
[HiddFldy / HiddFldy]
[DS1410D / DS1410D] 
[ADProt / ADProt]   

    System repair -- Browser add-ons: delete the following entries:
[]    <C:\WINDOWS\system32\ypdjgbmp.dll>
[]    <C:\WINDOWS\system32\apsggjba.dll>
[]    <C:\WINDOWS\system32\mnmhgsrv.dll>
[]    <C:\WINDOWS\system32\mndhfdwd.dll>
[]    <C:\WINDOWS\system32\ptjhehlp.dll>
[]    <C:\WINDOWS\system32\nrewcjwrwtync.dll>
[]    <C:\Program Files\Internet Explorer\PLUGINS\Windows64.Sys>
[]    <C:\WINDOWS\system32\opshcbty.dll>
[]    <C:\WINDOWS\system32\ypdjgbmp.dll>
[]    <C:\WINDOWS\system32\apsggjba.dll>
[]    <C:\WINDOWS\system32\mnmhgsrv.dll>
[]    <C:\WINDOWS\system32\mndhfdwd.dll>
[]    <C:\WINDOWS\system32\ptjhehlp.dll>
[]    <C:\WINDOWS\system32\opshcbty.dll>
[]    <C:\WINDOWS\system32\SSup.dll>

When that is done, download the following tools and run a cleanup with each, then update your antivirus to the latest signatures and do one full-disk scan:

Clean the system temporary files and the IE temporary folder:
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Use Kingsoft System Cleanup Expert (金山清理专家) to clean malicious software:
http://www.duba.net/zt/ksc/down.shtml
Download Windows Cleanup Assistant (Windows清理助手) and run a cleanup:
http://www.arswp.com/download/arswp2/arswp2.zip
It doesn't matter if you don't know me, because I don't know you either.
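Both replies above work from the same SREng line shape, "[name]    <path>", and apply the same kinds of judgement: a debugger hijack under IFEO, a populated AppInit_DLLs value, drivers loaded from a Desktop or Temp directory, a service image with a .tmp extension, nameless browser add-ons, and the run of look-alike CLSIDs ({00050005-0005-0005-0005-00050005BB15} and friends). The following Python is an added example, written for this page and not taken from either reply or from SREng, that parses lines in that shape and applies those rules mechanically. The SAMPLE text is constructed from entries quoted in the replies, with the section headings translated into English; the heading keywords that classify_section() looks for are therefore an assumption, and a real SREng log would need the tool's own Chinese headings matched instead.

```python
"""Rule-based triage of SREng-style startup entries (added example, not SREng code).

SAMPLE is constructed from entries quoted in the thread; section headings are
translated, and the keywords used to recognise them are an assumption.
"""
import os
import re
from collections import Counter, defaultdict

# "[name]    <value>" is the line shape SREng uses for startup entries.
ENTRY_RE = re.compile(r"^\[(.*)\]\s*<(.*)>\s*$")

# Directories an administrator-installed service or driver should never run from.
USER_WRITABLE_RE = re.compile(
    r"\\(temp|documents and settings|docume~1|users|desktop|桌面)\\", re.I)

# Hand-made CLSIDs such as {00010001-0001-0001-0001-00010001BB15}: the same
# 4-hex-digit chunk repeated through the first 24 hex digits.
FAKE_CLSID_RE = re.compile(r"^\{([0-9a-f]{4})\1-\1-\1-\1-\1\1[0-9a-f]{4}\}$", re.I)

SAMPLE = """\
Startup items -- Registry
[cliconfgzx.dll]    <C:\\WINDOWS\\system32\\cliconfgzx.dll>
[{91954FAC-1023-154F-895A-1458258AD819}]    <C:\\WINDOWS\\system32\\ypdjgbmp.dll>
[{00050005-0005-0005-0005-00050005BB15}]    <C:\\WINDOWS\\system32\\cliconfgzx.dll>
[AppInit_DLLs]    <toolbo.dll wocronce.dll qqtmd.dll>
[IFEO[QQDoctor.exe]]    <TASKMAN.EXE>
Startup items -- Services -- Win32 service applications
[ONC Portmapper / Portmapper]    <C:\\WINDOWS\\system32\\portmap.exe>
Startup items -- Services -- Drivers
[p2pfilter / p2pfilter]    <\\??\\C:\\Documents and Settings\\lvqiuying\\桌面\\P2Pzzz\\p2pfilter.sys>
[IIS Manager  / IIS Manager ]    <\\??\\C:\\DOCUME~1\\LVQIUY~1\\LOCALS~1\\Temp\\1.tmp>
System repair -- Browser add-ons
[]    <C:\\WINDOWS\\system32\\ypdjgbmp.dll>
[QQToolbar]    <C:\\Program Files\\Tencent\\QQToolbar\\IEBar.dll>
"""

# Assumed heading keywords; "driver" is tested before "service" because the
# driver heading contains both words.
SECTION_KEYWORDS = (("driver", "driver"), ("service", "service"),
                    ("browser", "bho"), ("registry", "registry"))

def classify_section(heading):
    """Map a section heading to the kind of entries it lists."""
    h = heading.lower()
    return next((kind for kw, kind in SECTION_KEYWORDS if kw in h), "other")

def normalize(value):
    """Drop the \\??\\ object-manager prefix kernel drivers carry; lower-case the path."""
    v = value.strip()
    if v.startswith("\\??\\"):
        v = v[4:]
    return v.lower()

def triage(text):
    """Return {key: [reasons]} for every entry that trips at least one rule."""
    reasons = defaultdict(list)
    refs = Counter()  # how many startup entries point at each image
    section = "other"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            section = classify_section(line)
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name.upper().startswith("IFEO["):
            # Image File Execution Options: launching the named program starts
            # the "debugger" instead, a classic way to neuter a security tool.
            target = name[5:-1]
            reasons["ifeo:" + target.lower()].append(
                f"IFEO debugger hijack: {target} is redirected to {value}")
            continue
        if name.lower() == "appinit_dlls":
            if value:  # every process that loads user32.dll also loads these
                reasons["appinit_dlls"].append(
                    f"AppInit_DLLs injects {len(value.split())} DLL(s) into every user32 process")
            continue
        path = normalize(value)
        base = os.path.basename(path.replace("\\", "/"))
        refs[path] += 1
        if section in ("service", "driver") and USER_WRITABLE_RE.search(path):
            reasons[path].append(f"{section} image under a user-writable or temporary directory")
        if base.endswith(".tmp"):
            reasons[path].append("executable image with a .tmp extension")
        if section == "bho" and not name:
            reasons[path].append("browser add-on with an empty display name")
        if section == "registry" and name.lower() == base:
            reasons[path].append("Run entry named after its own DLL")
        if FAKE_CLSID_RE.match(name):
            reasons[path].append(f"entry keyed by the hand-made CLSID {name}")
    for path, n in refs.items():
        if n > 1:  # the same DLL registered under several startup locations
            reasons[path].append(f"referenced by {n} separate startup entries")
    return dict(reasons)

if __name__ == "__main__":
    for key, why in sorted(triage(SAMPLE).items()):
        print(key, *why, sep="\n  - ")
```

On the constructed sample this flags the IFEO entry, the AppInit_DLLs value, the two drivers living under the user profile (one of them a .tmp), and the two system32 DLLs that are each registered twice, while leaving portmap.exe and IEBar.dll alone; portmap.exe only fell to the human reviewers because they recognised it, which is the limit of any rule list like this one.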
 

Reply: Infected with a trojan, scanned a log, please take a look, thanks!

Note: edit the [AppInit_DLLs] entry: change <toolbo.dll wocronce.dll pocolieov.dll qqtmd.dll womsoy.dll zipyqld.dll jelens.dll wcpome.dll verptw.dll qananp.dll> to <>, i.e. clear it
Can't find it.
[]    <C:\Program Files\Internet Explorer\PLUGINS\Windows64.Sys>: not found
[]    <C:\WINDOWS\system32\ypdjgbmp.dll>
[]    <C:\WINDOWS\system32\apsggjba.dll>
[]    <C:\WINDOWS\system32\mnmhgsrv.dll>
[]    <C:\WINDOWS\system32\mndhfdwd.dll>
[]    <C:\WINDOWS\system32\ptjhehlp.dll>
Why are these duplicated?