==================================
The abnormal items in the log are as follows:
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<gsyjdvwj.dll><> [N/A]
<ilwglifh.dll><> [N/A]
<oysrokqc.dll><> [N/A]
<vlpkrlby.dll><> [N/A]
<bglucfmt.dll><> [N/A]
<ishnggxx.dll><> [N/A]
<rqylbisd.dll><> [N/A]
<ycuvmkdy.dll><> [N/A]
<lknztfzp.dll><> [N/A]
<vhlxohud.dll><> [N/A]
<lzyfvcif.dll><> [N/A]
<yzrikfew.dll><> [N/A]
<lhcmqasv.dll><> [N/A]
<veakmcvb.dll><> [N/A]
<ktiwhijm.dll><> [N/A]
<qgehsjup.dll><> [N/A]
<tqymccma.dll><> [N/A]
<kaldjfsb.dll><> [N/A]
<yjibbnwe.dll><> [N/A]
<yxeoziyc.dll><> [N/A]
<vycdgbqf.dll><> [N/A]
<zbfqycip.dll><> [N/A]
<fsqozznq.dll><> [N/A]
<jkvhmypr.dll><> [N/A]
<mmpneyhc.dll><> [N/A]
<fnngguet.dll><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acasp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrogAgent.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\katmain.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvprescan.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo1_.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnipeSword.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe]
==================================
Services
[MSECom / MSECom][Running/Auto Start]
<C:\WINDOWS\system32\ejfc.exe><Microsoft Corporation>
[Protected Storage Manager / Protectedstori][Stopped/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\config\sam2.log><N/A>
[sraqok / sraqok][Stopped/Auto Start]
<C:\WINDOWS\system32\svchoSt.exe -k sraqok-->%SystemRoot%\System32\.zsjxtm><N/A>
==================================
Drivers
[IIS Manager / IIS Manager ][Stopped/Manual Start]
<\??\C:\DOCUME~1\new\LOCALS~1\Temp\1.tmp><N/A>
==================================
Suggested steps, in order:
1. Unplug the network cable, then replace C:\WINDOWS\System32\userinit.exe with the userinit.exe from the c:\windows\system32\dllcache directory; at the same time, compress each of the following files separately with WinRAR and submit the archives to the "Suspicious File Exchange" section:
C:\WINDOWS\system32\ejfc.exe
C:\WINDOWS\System32\LeftPlug.dll
C:\WINDOWS\system32\MainCtrl.dll
C:\WINDOWS\System32\.zsjxtm
C:\WINDOWS\system32\config\sam2.log
2. Check for yourself whether the following files are normal:
C:\WINDOWS\System32\LeftPlug.dll
C:\WINDOWS\system32\MainCtrl.dll
3. If the check in the previous step found both files to be unsafe, use XDELBOX's "Import from clipboard without checking paths" together with "Suppress regeneration", then run "Reboot now and delete" to delete the following virus files in one pass under DOS (if the two files from the previous step were found to be normal, remove the corresponding entries from the list below):
C:\MMM.exe
C:\WINDOWS\System32\LeftPlug.dll
C:\WINDOWS\system32\MainCtrl.dll
C:\WINDOWS\system32\ejfc.exe
C:\WINDOWS\System32\.zsjxtm
C:\WINDOWS\system32\config\sam2.log
C:\DOCUME~1\new\LOCALS~1\Temp\1.tmp
4. Wait for XDELBOX to finish cleaning under DOS and restart the computer;
5. Delete all system temporary files and IE cache files that can be deleted;
6. Use the Registry Editor or the SREng scanning tool to delete all of the abnormal registry entries, services and drivers listed above.
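As an added example (not part of the original post), a small triage script that parses SREng-style log lines like those above and flags the patterns this infection shows: IFEO keys shadowing security-product executables, random-named ShellServiceObjectDelayLoad DLLs with no description, svchost.exe with spoofed casing, a -k group whose target is not a .dll, and a driver image running from a Temp directory. The sample log and the AV image-name list are constructed from the entries quoted in the post.

```python
import re

# Constructed sample in SREng log format, reduced from the entries quoted in the post above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<gsyjdvwj.dll><> [N/A]
<ilwglifh.dll><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe]
[MSECom / MSECom][Running/Auto Start]
<C:\WINDOWS\system32\ejfc.exe><Microsoft Corporation>
[sraqok / sraqok][Stopped/Auto Start]
<C:\WINDOWS\system32\svchoSt.exe -k sraqok-->%SystemRoot%\System32\.zsjxtm><N/A>
[IIS Manager / IIS Manager ][Stopped/Manual Start]
<\??\C:\DOCUME~1\new\LOCALS~1\Temp\1.tmp><N/A>
"""

# Security-product image names that the post's log shows hijacked through IFEO (taken from the post).
AV_IMAGES = {"acasp.exe", "ahnsd.exe", "frogagent.exe", "katmain.exe", "kav.exe", "kvcenter.exe",
             "kvprescan.exe", "kvxp.exe", "logo1_.exe", "naprdmgr.exe", "shstat.exe",
             "snipesword.exe", "tbmon.exe", "trojdie.exe", "updaterui.exe", "vstskmgr.exe"}

# "<path or dll><company>"; greedy first group so a "-->" inside the path does not end it early.
ENTRY = re.compile(r"<(.*)><([^<>]*)>")


def triage(log):
    """Return (reason, item) pairs for entries matching the patterns this infection shows."""
    findings, in_ssodl = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("["):                      # registry key or service/driver header
            key = line.strip("[]")
            in_ssodl = key.endswith("\\ShellServiceObjectDelayLoad")
            if key.startswith("HKEY_") and "\\Image File Execution Options\\" in key:
                image = key.rsplit("\\", 1)[-1].lower()
                if image in AV_IMAGES:
                    findings.append(("IFEO key shadows a security product", image))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        path, company = m.groups()
        if in_ssodl:
            # Every SSODL entry in the post is 8 random lowercase letters with no description.
            if not company and re.fullmatch(r"[a-z]{8}\.dll", path):
                findings.append(("SSODL loads random-named DLL with no description", path))
            continue
        image = path.split(" -k ")[0].rsplit("\\", 1)[-1]
        if image.lower() == "svchost.exe" and image != "svchost.exe":
            findings.append(("svchost.exe spelled with unusual casing", image))
        if "-->" in path and not path.rsplit("-->", 1)[1].lower().endswith(".dll"):
            findings.append(("svchost group ServiceDll target is not a .dll", path.rsplit("-->", 1)[1]))
        if "\\temp\\" in path.lower():
            findings.append(("service/driver image runs from a Temp directory", path))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

The ejfc.exe service is deliberately not flagged: a plausible system32 path plus a "Microsoft Corporation" company string is exactly why the post sends that file for analysis instead of judging it from the log.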