The exact content of the "tail" being sent was:
ㄣ緑嗏ジ崧 "Jisu Network Company needs staff who can stay online for long hours. Simple work, monthly pay from 1,000 to 5,000 yuan, 3-day trial period, contact QQ 714220" |
I asked that friend to send me the scan log; my analysis of the report is as follows.
Virus startup entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><avzxdmn.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{66650011-3344-6688-4899-345FABCD1566}><C:\WINDOWS\system32\ratbfpi.dll> [N/A]
<{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\WINDOWS\system32\rsztcpm.dll> [N/A]
<{57D81718-1314-5200-2597-587901018075}><C:\WINDOWS\system32\kaqhezy.dll> [N/A]
<{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\WINDOWS\system32\dh3vpw0.dll> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\WINDOWS\system32\avzxdmn.dll> []
<{28907901-1416-3389-9981-372178569982}><C:\WINDOWS\system32\kawdbzy.dll> [N/A]
<{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\WINDOWS\system32\kvdxcma.dll> [N/A]
<{2960356A-458E-DE24-BD50-268F589A56A2}><C:\WINDOWS\system32\avwlbmn.dll> [N/A]
<{18847374-8323-FADC-B443-4732ABCD3781}><C:\WINDOWS\system32\sidjazy.dll> [N/A]
<{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\WINDOWS\system32\rarjbpi.dll> [N/A]
Drivers:
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
File associations to repair:
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
Virus modules, injected into every process:
[PID: 696 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 744 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 756 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 920 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 992 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1124 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\avzxdmn.dll] [N/A, ]
[PID: 1204 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1272 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1636 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1860 / SYSTEM][C:\WINDOWS\ATKKBService.exe] [ASUSTeK COMPUTER INC., 1, 0, 0, 0]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1444 / SYSTEM][c:\program files\rising\rfw\rfwsrv.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 35]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 1860 / SYSTEM][C:\WINDOWS\ATKKBService.exe] [ASUSTeK COMPUTER INC., 1, 0, 0, 0]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 2000 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 880 / new][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 1876 / new][c:\program files\rising\rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 280 / new][C:\Program Files\Rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 304 / new][C:\Program Files\360safe\safemon\360Tray.exe] [奇虎网, 3, 6, 3, 1001]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[PID: 1704 / new][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 3756 / new][F:\qq\QQ.exe] [TENCENT, 7,0,431,1723]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 3792 / new][F:\qq\TIMPlatform.exe] [TENCENT, 7,0,431,1723]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[F:\qq\TIMProxy.dll] [tencent, 0, 3, 2, 4]
[PID: 932 / new][G:\新建文件夹 (3)\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
I gave the following cleanup procedure:
Open IceSword and SREng (download sreng2.zip and IceSword120_cn.zip from down.45its.com; 冰刃 is IceSword).
In IceSword, enable "Forbid process creation", as in Figure 1.
Right-click EXPLORER.EXE → Module Info; once open it looks like Figure 2.
Find C:\WINDOWS\system32\avzxdmn.dll
C:\Program Files\Internet Explorer\Info_Ms.Sys
C:\WINDOWS\system32\dh3vpw0.dll
and unload all of them. Check the DLLs inside every process carefully to make sure no virus remnants are left, then open the File view in IceSword, locate the virus paths and delete them. That should take care of it.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><avzxdmn.dll> []
Use SREng to clear this value so it reads <AppInit_DLLs><> []
Delete the following registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{66650011-3344-6688-4899-345FABCD1566}><C:\WINDOWS\system32\ratbfpi.dll> [N/A]
<{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\WINDOWS\system32\rsztcpm.dll> [N/A]
<{57D81718-1314-5200-2597-587901018075}><C:\WINDOWS\system32\kaqhezy.dll> [N/A]
<{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\WINDOWS\system32\dh3vpw0.dll> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\WINDOWS\system32\avzxdmn.dll> []
<{28907901-1416-3389-9981-372178569982}><C:\WINDOWS\system32\kawdbzy.dll> [N/A]
<{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\WINDOWS\system32\kvdxcma.dll> [N/A]
<{2960356A-458E-DE24-BD50-268F589A56A2}><C:\WINDOWS\system32\avwlbmn.dll> [N/A]
<{18847374-8323-FADC-B443-4732ABCD3781}><C:\WINDOWS\system32\sidjazy.dll> [N/A]
<{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\WINDOWS\system32\rarjbpi.dll> [N/A]
Repair the file associations:
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
I hear the batch script I wrote does not run properly... so just handle it manually.
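As an added example (not code from this post, from SREng or from IceSword), here is a small Python triage script that parses the three kinds of SREng log line shown above and produces the list the manual steps act on: the AppInit_DLLs value, the ShellExecuteHooks entries, and the modules with no vendor information that are loaded into several processes, which is the "injected into every process" pattern the analysis points at. The embedded sample log is a subset of the lines quoted in this post; the `MIN_HOSTS` threshold, the regular expressions and the function names are my own choices, not SREng's.

```python
"""Triage helper for SREng-style scan logs (added example, not SREng code)."""
import re
from collections import defaultdict

MIN_HOSTS = 3  # flag a vendor-less module loaded into at least this many processes (example threshold)

RE_APPINIT = re.compile(r"^<AppInit_DLLs><(?P<value>[^>]*)>")
RE_HOOK = re.compile(r"^<(?P<clsid>\{[0-9A-Fa-f-]+\})><(?P<path>[^>]+)> \[(?P<vendor>[^\]]*)\]")
RE_PROC = re.compile(r"^\[PID: (?P<pid>\d+) / (?P<user>[^\]]+)\]\[(?P<exe>[^\]]+)\] \[(?P<info>[^\]]*)\]")
RE_MOD = re.compile(r"^\[(?P<path>[A-Za-z]:\\[^\]]+)\] \[(?P<info>[^\]]*)\]")


def parse_log(text):
    """Return (appinit_values, hooks, modules, vendorless).

    modules maps a lower-cased module path to the set of PIDs that load it
    (lower-casing merges the System32/system32 spellings seen in the log);
    vendorless records whether the module's version field starts with N/A.
    """
    appinit, hooks = [], []
    modules, vendorless = defaultdict(set), {}
    pid = None  # PID of the process block currently being read
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := RE_APPINIT.match(line)):
            if m.group("value"):          # an empty value means AppInit_DLLs is clear
                appinit.append(m.group("value"))
        elif (m := RE_HOOK.match(line)):
            hooks.append((m.group("clsid"), m.group("path"), m.group("vendor")))
        elif (m := RE_PROC.match(line)):
            pid = int(m.group("pid"))     # module lines that follow belong to this process
        elif (m := RE_MOD.match(line)) and pid is not None:
            path = m.group("path").lower()
            modules[path].add(pid)
            vendorless[path] = m.group("info").startswith("N/A")
    return appinit, hooks, modules, vendorless


def suspicious_modules(modules, vendorless, min_hosts=MIN_HOSTS):
    """Vendor-less modules present in at least min_hosts distinct processes."""
    return sorted(p for p, pids in modules.items() if vendorless[p] and len(pids) >= min_hosts)


def triage(text, min_hosts=MIN_HOSTS):
    """Collect everything the manual cleanup has to touch, keyed by category."""
    appinit, hooks, modules, vendorless = parse_log(text)
    flagged = suspicious_modules(modules, vendorless, min_hosts)
    hook_hits = [(clsid, path) for clsid, path, _ in hooks if path.lower() in flagged]
    return {"appinit": appinit, "flagged": flagged, "hooks": hooks,
            "hook_hits": hook_hits, "hosts": {p: sorted(modules[p]) for p in flagged}}


# Sample input: a subset of the SREng log lines quoted in the post above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><avzxdmn.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{66650011-3344-6688-4899-345FABCD1566}><C:\WINDOWS\system32\ratbfpi.dll> [N/A]
<{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\WINDOWS\system32\dh3vpw0.dll> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\WINDOWS\system32\avzxdmn.dll> []
[PID: 696 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[PID: 880 / new][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 280 / new][C:\Program Files\Rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
[PID: 304 / new][C:\Program Files\360safe\safemon\360Tray.exe] [奇虎网, 3, 6, 3, 1001]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[PID: 3792 / new][F:\qq\TIMPlatform.exe] [TENCENT, 7,0,431,1723]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[F:\qq\TIMProxy.dll] [tencent, 0, 3, 2, 4]
[PID: 1704 / new][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avzxdmn.dll] [N/A, ]
[C:\Program Files\Internet Explorer\Info_Ms.Sys] [N/A, ]
[C:\WINDOWS\system32\dh3vpw0.dll] [N/A, ]
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("AppInit_DLLs to clear :", report["appinit"])
    for path in report["flagged"]:
        print("unload from PIDs", report["hosts"][path], ":", path)
    print("ShellExecuteHooks pointing at flagged modules:", report["hook_hits"])
```

Run it against a full SREng log saved as text and the three lists map directly onto the steps above: clear `AppInit_DLLs`, unload the flagged modules from each listed PID in IceSword, then delete the hook CLSIDs. The vendor-less check only uses SREng's own version field, so a legitimate module with missing version info will show up too; it is a worklist to verify by hand, not a verdict.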