Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogue-software Forum

(Moderators please read) Hacked by an intruder, experts please advise, help!!!

Our unit has a LAN of nine hosts; four of them have developed symptoms, starting around mid-March. The symptoms are:

1. While online, a countdown-to-shutdown prompt appears, and files on the hard disk get deleted or the disk gets formatted.
2. While offline, at around 08:00 or 13:00 the system cannot boot, reporting that the file c:\windows\system32\hal.dll is missing, and drives E and F are selectively formatted.
(Full scans with KV, KV-DOS, Rising, Kaspersky and Norton all reported no virus.)

After that we reflashed or upgraded the motherboard BIOS of these four hosts, used DM to zero-write the hard disk tracks, low-level formatted, repartitioned and reinstalled the system; the problem remained.
Monitoring processes with IceSword, c:\windows\system32\csrss.exe is flagged in red and is invoked by cmd. msmsgs.exe also shows a red warning.

One morning in early April the shutdown countdown prompt appeared again with an extra message: we were told to remit 200 yuan to a specified account, otherwise the hard disks would be formatted every day. Only then did we realise we had been hacked. We remitted the money as demanded, and the hacker sent two registry files, which he called decryption files.

He instructed us: "Use ZZH-01 on ZZH-01 (host name) and EWW on EWW (host name). Reinstall the system before using these two files; after using them, install Rising antivirus and keep the network connection up. The daily update content needs to be checked; updating every day is not required, but you must update at least once a week. Do not reuse the decryption files, doing so will burn out the motherboard, at your own risk. ZZH-02, 03 and 04 require a further remittance; the other 3 get a 200 discount, notify us after remitting."

On an infected host we opened the registry file, and it showed the following content:

<!-- CoreMail Version 2.5 Copyright (c) 2002-2003  www.tebie.com -->
<!-- warning.htm -->
<!-- IP:16, ServerInfo:bjapp3.mail.tom.com -->
<!-- GroupId:0, IP:16, HostID:bjapp34
     ServerID:16, Weight:10, ServerInfo:bjapp3.mail.tom.com
     GroupId:3, IP:16, HostID:bjapp34
     ServerID:16, Weight:10, ServerInfo:bjapp3.mail.tom.com
-->
<head>
<title>warning!警告!</title>
<script src="/script/util.js"></script>
<link rel="stylesheet" href="http://mail.tom.com/script/mail_style_01.css">
<script src="/style.js"></script>
<script language="JavaScript">
<!--
var sid='OAJnfKFTuwQAydgE';
//-->
</script>
</head>

<body id="htmlbody" bgcolor="#59B806" topmargin="0" leftmargin="5" marginwidth="5">
<table width="99%" border="0" cellspacing="0" cellpadding="0" height="100%" bgcolor="#FFFFFF">
  <tr valign="top">
    <td>
      <table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#5AB907" height="10">
        <tr>
          <td><img src="http://mail.tom.com/images/mail/050328/shim.gif" width="575" height="1"><nobr></td>
        </tr>
      </table>
      <!-- Navigation -->
      <script language="JavaScript"  src="http://mail.tom.com/script/contnav_01.js"></script>
      <!-- Navigation -->
      <table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#5AB907" height="5">
        <tr>
          <td><nobr></td>
        </tr>
      </table>
      <table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#FFFFFF">
        <tr>
          <td width="9" valign="top"><img src="http://mail.tom.com/images/mail/050328/l_1_1.gif" width="9" height="10"></td>
          <td align="center" valign="top">
            <table width="627" border="0" cellspacing="0" cellpadding="0" style="margin-top:4">
              <tr>
                <td width="36" align="right"><img src="http://mail.tom.com/images/mail/050328/c_biao.gif" width="36" height="31"></td>
                <td width="150" class="tit"><font color="#205C06">警告</font></td>
                <td valign="bottom"><script language="javascript" src="http://news.tom.com/script/scroll20030612.js"></script></td>
              </tr>
            </table>
            <table width="627" border="0" cellspacing="0" cellpadding="0" style="margin-top:5">
              <tr>
                <td>
                  <p> </p>
                  <p> </p>
                  <p align="center">非法请求。 </p>
                  <p> </p>
                  <p> </p>
                  <p align="center">
                    <input type="image" src="http://mail.tom.com/images/mail/050328/an_qd.gif" value="确定" onclick="javascript:document.location='/';">
                  </p>
                </td>
              </tr>
            </table>
            <center>
            <br><br><br><br>
            <a target=_blank href="http://adfarm.mediaplex.com/ad/ck/4080-34465-9520-19?cn=tom;pimpai060327wl;lp;20&mpro=http://pages.ebay.com.cn/im/landing/top/brand.html"><img border=0 width=468 height=60 src="http://ad.tom.com/jd/ebay/0327-fc468.gif"></a><!--jd/ebay/b-->
            </center>
          </td>
          <td valign="top" align="right" width="9"><img src="http://mail.tom.com/images/mail/050328/l_1_2.gif" width="9" height="10"></td>
        </tr>
      </table>
    </td>
  </tr>
  <tr valign="bottom">
    <td>
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td><img src="http://mail.tom.com/images/mail/050328/l_1_3.gif" width="9" height="10"></td>
          <td align="right"><img src="http://mail.tom.com/images/mail/050328/l_1_4.gif" width="9" height="10"></td>
        </tr>
      </table>
      <table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#5AB907">
        <tr>
          <td> </td>
        </tr>
      </table>
    </td>
  </tr>
</table>

</body>
</html>


On a normal host, the registry file shows the following content:

REGEDIT4

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>]
"Rebar"=hex:03,00,00,00,64,00,00,00,00,02,00,00,00,00,00,00,65,00,00,00,01,02,\
  00,00,00,00,00,00,66,00,00,00,01,00,00,00,00,00,00,00
"ControlBarState-103"=hex:c8,00,00,00,64,00,00,00,f6,00,00,00,c0,00,00,00,c8,\
  00,00,00,64,00,00,00
"ControlBarState-104"=hex:c8,00,00,00,64,00,00,00,f6,00,00,00,c4,00,00,00,c8,\
  00,00,00,64,00,00,00
"ControlBarState-105"=hex:24,03,00,00,64,00,00,00,d0,01,00,00,82,01,00,00,90,\
  01,00,00,64,00,00,00
"ControlBarState-102"=hex:24,03,00,00,36,00,00,00,c8,00,00,00,c8,00,00,00,c8,\
  00,00,00,c8,00,00,00
"ControlBarState-107"=hex:1d,03,00,00,64,00,00,00,d0,01,00,00,82,01,00,00,c8,\
  00,00,00,64,00,00,00
"Version"=dword:00000002
"PaneVisibility"=hex:01,01,01,01,01,01,01,00,00,00
"ButtonLabels"=dword:00000002
"zzh-01"=dword:00000001  (this is the information that differs from the normal file; on a normal host this line reads "CEButtonLabels"=dword:00000001)

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar0]
"BarID"=dword:0000e801

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar1]
"BarID"=dword:0000e800

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar10]
"BarID"=dword:00000066
"Visible"=dword:00000000
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000322
"MRUDockBottomPos"=dword:00000034
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:000003e0

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar11]
"BarID"=dword:0000006b
"Visible"=dword:00000000
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81d
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000001ce
"MRUDockBottomPos"=dword:00000180
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar12]
"BarID"=dword:0000006a
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000326
"MRUDockBottomPos"=dword:00000049
"MRUFloatStyle"=dword:00001000
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar2]
"BarID"=dword:0000e7ff

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar3]
"BarID"=dword:0000e804

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar4]
"BarID"=dword:0000e81e
"Bars"=dword:00000005
"Bar#0"=dword:00000000
"Bar#1"=dword:00000066
"Bar#2"=dword:00000000
"Bar#3"=dword:0000006a
"Bar#4"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar5]
"BarID"=dword:0000e81c
"Bars"=dword:00000004
"Bar#0"=dword:00000000
"Bar#1"=dword:00000067
"Bar#2"=dword:00000068
"Bar#3"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar6]
"BarID"=dword:0000e81d
"Bars"=dword:00000004
"Bar#0"=dword:00000000
"Bar#1"=dword:0000006b
"Bar#2"=dword:00000069
"Bar#3"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar7]
"BarID"=dword:00000067
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000000f4
"MRUDockBottomPos"=dword:000000be
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar8]
"BarID"=dword:00000068
"XPos"=dword:fffffffe
"YPos"=dword:000000bc
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81c
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:000001a2
"MRUDockRightPos"=dword:000000f4
"MRUDockBottomPos"=dword:00000348
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Bar9]
"BarID"=dword:00000069
"Visible"=dword:00000000
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81d
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000001ce
"MRUDockBottomPos"=dword:00000180
"MRUFloatStyle"=dword:00000004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000

[HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>\BarState-Summary]
"Bars"=dword:0000000d
"ScreenCX"=dword:00000500
"ScreenCY"=dword:00000400


I am puzzled: how can this "decryption file" be the registration information of the ACDSee image viewer, and why does the same file show different content on a normal host and on an infected one?

Experts, please advise and help!!!
Last edited 2006-04-10 09:57:18
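As an added example (not code from the thread or from any tool named in it): the check a responder would make on a so-called decryption file before importing it. It refuses anything that lacks a REGEDIT header, so a saved web page like the one above is rejected up front, and it diffs a genuine export against a baseline so that an unexpected value such as "zzh-01" stands out. The inputs are constructed from the thread's excerpts, not the real files.

```python
import re
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
def looks_like_reg(text):
    """True if the first non-blank line is a .reg header (a saved web page fails here)."""
    for line in text.splitlines():
        if line.strip():
            return line.strip() in REG_HEADERS
    return False

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; joins wrapped hex data."""
    if not looks_like_reg(text):
        raise ValueError("not a registry export (no REGEDIT header)")
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in REG_HEADERS:
            continue
        if line.endswith("\\"):  # hex data continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def diff_reg(baseline, sample):
    """Values only in sample, only in baseline, and changed between the two."""
    only_sample, only_base, changed = [], [], []
    for key in set(baseline) | set(sample):
        b, s = baseline.get(key, {}), sample.get(key, {})
        for name in set(b) | set(s):
            if name not in b:
                only_sample.append((key, name, s[name]))
            elif name not in s:
                only_base.append((key, name, b[name]))
            elif b[name] != s[name]:
                changed.append((key, name, b[name], s[name]))
    return sorted(only_sample), sorted(only_base), sorted(changed)
# Constructed samples modelled on the thread's excerpts, not the real files.
KEY = r"HKEY_CURRENT_USER\Software\ACD Systems\ACDSeeCS\PaneLayouts\<Default>"
BASELINE = 'REGEDIT4\n\n[%s]\n"Version"=dword:00000002\n"CEButtonLabels"=dword:00000001\n' % KEY
SUSPECT = ('REGEDIT4\n\n[%s]\n"Version"=dword:00000002\n"zzh-01"=dword:00000001\n'
           '"Rebar"=hex:03,00,00,00,64,\\\n  00,00,00\n') % KEY
HTML_FILE = "<!-- CoreMail Version 2.5 -->\n<head><title>warning!</title></head>\n"
```

Running `diff_reg(parse_reg(BASELINE), parse_reg(SUSPECT))` lists "zzh-01" and "Rebar" as present only in the suspect file and "CEButtonLabels" as present only in the baseline, while `parse_reg(HTML_FILE)` raises before anything is interpreted as registry data.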

[Reply to smart001's post]

Search the machine for suspicious .js and .gif files;
once they are confirmed suspicious,
delete them.

Clearly the machine has had malicious code implanted.

===============
Also:

http://forum.ikaka.com/topic.asp?board=28&artid=6979213
Download System Repair Engineer 2.0.12.350
and export the full log.
 

That is extreme: reinstalling the system and reflashing the motherboard BIOS didn't work either????? What malicious code is this????? Bumping this.
 

Many thanks, brother "不言放弃". Does anyone have any other methods?
 

[Reply to smart001's post]
Just do as he says. Do you have a firewall?