
Trojan virus


Manual removal procedure for the trojan Trojan.Agent.awa:

1. Disconnect from the network. Close the Rising antivirus and the Rising firewall (the trojan process has already injected into them).
2. Terminate the trojan process C:\windows\LSASS.EXE.
3. Delete the trojan files (see the attached image).
4. Reboot. Clean the registry:
First rename RegFix or SREng to a .com or .bat extension, then run it (this restores the value of HKEY_CLASSES_ROOT\.exe).
Expand: HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\ftp\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" %1" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" %1"
Expand: HKEY_CLASSES_ROOT\htmlfile\shell\open\command
Change @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.com\" -nohome" to @="\"C:\\Program Files\\Internet Explorer\\INTEXPLORE.exe\" -nohome"
Expand: HKEY_CLASSES_ROOT\.exe
Delete WindowFiles
Expand: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
Delete "GUID"="{BI5AP8-6K55T9-8LJY6K-64M1EC-LTW624}"
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Top
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Delete wextract_cleanup0
————————————————————
[The trojan files to delete are shown in the image below]




This post was edited by baohe on 2006-2-27 11:05:03




"Prohibit process/thread creation": I couldn't find this option.

"First rename RegFix or SREng to a .com or .bat extension": where do I change that? I can't find it.

"4. Reboot. Clean the registry": how do I clean the registry? Where do I clean it? Do I use IceSword?

Several of the trojan files in the attached image can't be found; they don't exist. What should I do?
Last edited 2006-05-30 19:15:48

My log
HijackThis_zww汉化版扫描日志 V1.99.1
保存于      19:14:04, 日期 2006-05-30
操作系统:  Windows XP SP2 (WinNT 5.01.2600)
浏览器:    Unable to get Internet Explorer version!

当前运行的进程:         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\瑞星\Rising\Rav\RavTask.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Tencent\TT\TTraveler.exe
D:\反病毒常用工具\HijackThis1991zww.exe

R3 - URLSearchHook: (no name) - {1F30F974-CE03-4F2D-A8FE-0B744F1137D1} - C:\WINDOWS\system32\Zsfxcg.dll
F2 - REG:system.ini: Shell=explorer.exe 1
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v13.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: (no name) - {1C26C495-0820-4330-87EC-21D8BD4F61FE} - C:\WINDOWS\system32\Sxtcj.dll (file missing)
O2 - BHO: (no name) - {1F30F974-CE03-4F2D-A8FE-0B744F1137D1} - C:\WINDOWS\system32\Zsfxcg.dll
O2 - BHO: (no name) - {2D0DC722-9A17-4A73-9A15-EA1E55E4B034} - C:\WINDOWS\system32\Zcxxz.dll
O2 - BHO: (no name) - {31F56AF9-3D07-42D8-9234-9A4CBEBF07DE} - C:\WINDOWS\system32\Nihtj.dll
O2 - BHO: (no name) - {376DCF54-895F-4A5B-A1B9-ACFEA46F26EF} - C:\WINDOWS\system32\Kduuf.dll
O2 - BHO: (no name) - {380A4205-F317-4781-856C-2DEBD0228944} - C:\WINDOWS\system32\Imduo.dll
O2 - BHO: (no name) - {3B0978B7-B13F-4A62-AD69-6C87E9893B4D} - C:\WINDOWS\system32\Pvfzzi.dll
O2 - BHO: (no name) - {41FFBD87-9AAD-4A88-A9AD-D4DF55B0B3F5} - C:\WINDOWS\system32\Tkxqev.dll
O2 - BHO: (no name) - {436B93E8-8C38-43C3-8AF1-F6BB8B7BC3A1} - C:\WINDOWS\system32\Ylrr.dll (file missing)
O2 - BHO: (no name) - {4947F68C-B249-43A6-AD0F-1B525B7656C4} - C:\WINDOWS\system32\Gpfmuf.dll
O2 - BHO: (no name) - {512BCA20-E269-41B6-9174-8E9A18AAB518} - C:\WINDOWS\system32\Gosir.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: (no name) - {68E34D7E-8D8D-43B2-9797-CAC1EE01D0EA} - C:\WINDOWS\system32\Cliq.dll
O2 - BHO: (no name) - {6EBE433A-655B-48CB-8306-9218D5CCE703} - C:\WINDOWS\system32\Gaup.dll
O2 - BHO: (no name) - {71D91700-D759-4DE0-A01D-11C99999BF97} - C:\WINDOWS\system32\Ufre.dll (file missing)
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: (no name) - {79159DA6-045D-4EDD-9CEF-FD14EFCE69A5} - C:\WINDOWS\system32\Tyfncx.dll
O2 - BHO: (no name) - {847E64E9-ED18-4A83-945D-6081CEE497B7} - C:\WINDOWS\system32\Cyajn.dll (file missing)
O2 - BHO: (no name) - {A29D055F-3649-43DC-892F-8C29F7798264} - C:\WINDOWS\system32\Ewbtn.dll
O2 - BHO: (no name) - {B957CF2A-A9EE-4433-B973-91055C151B90} - C:\WINDOWS\system32\Mcrcck.dll
O2 - BHO: (no name) - {C8CB3080-0615-4957-9FA7-BCA7E0081405} - C:\WINDOWS\system32\Xtpsv.dll (file missing)
O2 - BHO: BDHlprObj Class - {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} - C:\WINDOWS\DOWNLO~1\BDHelper.dll
O2 - BHO: (no name) - {E24C20A6-C73A-49A6-BE11-564FE9A4AA31} - C:\WINDOWS\system32\Hhpxu.dll
O2 - BHO: (no name) - {E7753257-246B-4FA7-A792-6E69B4AAD71E} - C:\WINDOWS\system32\Awsyfe.dll
O2 - BHO: (no name) - {E8D5DA3D-4DB4-4E74-853A-F42102176D0F} - C:\WINDOWS\system32\Essf.dll
O2 - BHO: (no name) - {F26267E1-AAF9-4F43-975A-13975EC102AC} - C:\WINDOWS\system32\Smpmw.dll
O3 - IE工具栏增项: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - IE工具栏增项: BitComet工具栏 - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - F:\马柏松\软件\BitComet\BitCometBar\BitCometBar0.5.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - 启动项HKLM\\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [RavTask] "D:\瑞星\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKLM\\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - 启动项HKLM\\Run: [BIE] Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32
O4 - 启动项HKLM\\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - 启动项HKLM\\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - 启动项HKLM\\Run: [KAVPersonal50] "D:\新建文件夹 (3)\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SDO2005] C:\Program Files\盛大圈圈\SDOClient.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - F:\迅雷\迅雷\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - F:\迅雷\迅雷\getallurl.htm
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 加入POCO网摘(&K) - http://my.poco.cn/fav/rightClick.php
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - IE右键菜单中的新增项目: 我的POCO网摘(&O) - http://my.poco.cn/fav/open_myfav.php
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\Tencent\QQ\SendMMS.htm
O8 - IE右键菜单中的新增项目: 百度--MP3搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUMP3.HTM
O8 - IE右键菜单中的新增项目: 百度--图片搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUIMG.HTM
O8 - IE右键菜单中的新增项目: 百度--新闻搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUNEWS.HTM
O8 - IE右键菜单中的新增项目: 百度--歌词搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDULYRIC.HTM
O8 - IE右键菜单中的新增项目: 百度--网页搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUSEARCH.HTM
O8 - IE右键菜单中的新增项目: 百度--词典搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDU_DIC.HTM
O8 - IE右键菜单中的新增项目: 百度--贴吧搜索 - RES://C:\PROGRA~1\baidu\bar\baidubar.dll/BAIDUPOST.HTM
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH]  搜搜地址栏搜索
O23 - NT 服务: kavsvc - Unknown owner - D:\新建文件夹 (3)\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - D:\瑞星\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\瑞星\Rising\Rav\Ravmond.exe
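A small triage script for HijackThis output like the log above, added here as an example and not part of the original thread: it parses the O4 (startup) and O2 (BHO) lines, flags a core system process name such as LSASS.exe that is registered to run from outside system32 (the masquerade the removal steps in the first post deal with), and lists nameless BHOs for manual review. The sample lines are copied from the log above; the SYSTEM_NAMES set and the "masquerade"/"unnamed-bho" labels are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Process names that Windows only ever runs from %SystemRoot%\system32.
# A copy elsewhere (C:\WINDOWS\LSASS.EXE in the post above) is a name masquerade.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "svchost.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

# O4: any Run/startup entry; take the first drive-letter path after the [name].
O4_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\].*?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)
# O2: browser helper objects; a trailing "(file missing)" is stripped from the path.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*?)(?: \(file missing\))?$', re.I)

def triage(lines):
    """Return (label, name_or_clsid, path) tuples for entries that need review."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            path = PureWindowsPath(m["path"])
            in_system32 = str(path.parent).lower() == str(SYSTEM32).lower()
            if path.name.lower() in SYSTEM_NAMES and not in_system32:
                findings.append(("masquerade", m["name"], m["path"]))
            continue
        m = O2_RE.match(line.strip())
        if m and m["name"] == "(no name)":
            # Legitimate BHOs normally register a display name; nameless ones with
            # random-looking DLL names deserve a look, not automatic deletion.
            findings.append(("unnamed-bho", m["clsid"], m["path"]))
    return findings

# Sample lines copied from the HijackThis log above (a constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v13.dll
O2 - BHO: (no name) - {1F30F974-CE03-4F2D-A8FE-0B744F1137D1} - C:\WINDOWS\system32\Zsfxcg.dll
O2 - BHO: (no name) - {436B93E8-8C38-43C3-8AF1-F6BB8B7BC3A1} - C:\WINDOWS\system32\Ylrr.dll (file missing)
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for label, ident, path in triage(SAMPLE_LOG.splitlines()):
        print(f"{label:12} {ident:40} {path}")
```

Entries without a drive-letter path (such as [SoundMan] SOUNDMAN.EXE) are skipped, since their real location cannot be judged from the log line alone.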