类似AV终结者
appinit_dlls启动加载N多dll,类似jzijj.dll,sehhter.dll===
则所有进程都被加载这些dll..
无法卸除,一旦在进程中卸除这些dll,马上会重新加载
破坏安全模式和隐藏文件模式
用改名sreng2.5无法删除appinit_dlls中项目,
IFEO,
用改名ICESWORD找不到可疑进程,估计被隐藏,
如果要卸除这些dll,应该要结束一些关键进程,可是进程找不到,ICESWORD下也发现不了
安全模式也一样,没办法找出那些进程,现在的问题是,sreng无法删除appinit_dlls中的项目,则进入安全模式也是一样的,还是会被加载这些dll,各位有什么办法?
这些DLL是找的到的,都在system32下面,但是appinit_dlls加载项目会被所有进程加载~所以你基本上没办法删除他们
除非先把appinit_dlls项目清空,才能删除dll们,现在appinit_dlls被隐藏进程控制,无法清空,隐藏进程找不到,就是这么个问题~
[用户系统信息]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MAXTHON 2.0)启动项目:
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<WINSvr32><C:\WINDOWS\WINSvr32.exE> [] <SoundMan><SoundMan.exe> [1]
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> [] <Acrobat Assistant 7.0><; "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"> [Adobe Systems Inc.]
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<PTSShell><C:\WINDOWS\PTSShell.exe> []
<LotusHlp><C:\WINDOWS\LotusHlp.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [][HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,frntrn.dll,dnteh.dll,chmfcmh.dll,jwlah.dll,crugd.dll,lariytrz.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,gmnait.dll,hfjg.dll,xdndn.dll,rgfjj.dll,dscef.dll,xfng.dll,njritc.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,rhs.dll,atehhz.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,hkfgh.dll,drghszd.dll,fngn.dll,xdhdg.dll,zdbfbd.dll,fjyjy.dll,awef.dll,msepbe.dll,> [N/A][HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [(Verified)Beijing Rising Science and Technology Corporation Limited]
<{50632D5C-B71B-4ba0-B012-3DC6F15C011B}><C:\WINDOWS\system32\msosiocp.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Loader.exe]
<IFEO[360Loader.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
<IFEO[ctfmon.exe]><SoundMan.exe> [1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword]
<IFEO[IceSword]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras]
<IFEO[ras]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep]
<IFEO[runiep]><svchost.exe> [(Verified)Microsoft Windows Publisher][font_color=#0][font_color=#0][font_color=#0]
可疑驱动程序
[Atixeve2296 / Atixeve2296][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.126.tmp><N/A>
[cqit / cqit][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp111.tmp><N/A>
[dohs / dohs][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp10D.tmp><N/A>
[fmsq / fmsq][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp135.tmp><N/A>
[jtio / jtio][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp131.tmp><N/A>
[LT Modem Driver / ltmodem5][Running/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp8.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp123.tmp><N/A>
