vhho8ssh.dll 驱动级木马 高手来帮忙!

C:\WINDOWS\system32\drivers\0dpv93t.sys
C:\WINDOWS\system32\vhho8ssh.dll

Trojan.Win32.Agent.vnx

小弟在安全模式下杀毒也不能清除

由于 C:\WINDOWS\system32\drivers\0dpv93t.sys 是一个驱动文件，看来是驱动程序级别的木马，高手来指点一下!


程序关联项

HKEY_CLASSES_ROOT chm.file\shell\open\command ----> "hh.exe" %1


自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
RavTask = "C:\Program Files\Rising\Rav\RavTask.exe" -system
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
Picasa Media Detector = C:\Program Files\Picasa2\PicasaMediaDetector.exe
HControl = C:\WINDOWS\ATK0100\HControl.exe
Power_Gear = C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
Microsoft Pinyin IME Migration= C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
DAEMON Tools-2052 = "C:\Program Files\D-Tools\daemon.exe" -lang 2052
Storm2Set = C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
360Safetray = D:\software工具\360safeXP\safemon\360Tray.exe /start

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
C:\WINDOWS\system32\RavExt.dll= Rising Execute File Exts hook
shell32.dll = Rising Execute File Exts hook

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\system32\webcheck.dll
SysTray = C:\WINDOWS\system32\stobject.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\system32\browseui.dll= Browseui 预加载程序
%SystemRoot%\system32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe
SYSTEM.INI BOOT SCRNSAVE.EXE C:\WINDOWS\system32\logon.scr


其他相关项
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer\Main start page ----> http://www.google.cn/
HKEY_LOCAL_MACHINE Software\Microsoft\Internet Explorer\Main default_search_url ----> http://www.google.com/ie
HKEY_CURRENT_USER Software\Microsoft\internet explorer\search searchassistant ----> http://www.google.com/ie
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> wolves
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> wolves
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,


Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


诊断信息


1 RTHDCPL.EXE 39% 未知木马 C:\WINDOWS\RTHDCPL.EXE

进程列表

[System Process]
System
C:\WINDOWS\system32\Ati2evxx.exe (Made by ATI Technologies Inc.)
CCenter.exe
RavMonD.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE (Made by Macrovision)
C:\WINDOWS\system32\Ati2evxx.exe (Made by ATI Technologies Inc.)
RavTask.exe
RavMon.exe
C:\WINDOWS\RTHDCPL.EXE (Made by Realtek Semiconductor Corp.)
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\D-Tools\daemon.exe (Made by DAEMON'S HOME)
C:\WINDOWS\ATK0100\ATKOSD.exe
Rav.exe

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\software工具\360safeXP\safemon\360Tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera\Opera.exe
D:\software工具\瑞星听诊器.exe

进程详细信息
