QQ尾巴病毒(极速网络公司)分析及解决参考

　　具体尾巴发的内容是

ㄣ緑嗏ジ崧
极速网络公司因业务需要现招聘可长时间在线上网的工作人员操作简单月工资1千到5千元不等试用3日联系QQ714220

　　我让那朋友发扫描日志,报告我分析如下

　　病毒的启动....

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
         <AppInit_DLLs><avzxdmn.dll>       []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
         <{66650011-3344-6688-4899-345FABCD1566}><C:\WINDOWS\system32\ratbfpi.dll>       [N/A]
         <{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\WINDOWS\system32\rsztcpm.dll>       [N/A]
         <{57D81718-1314-5200-2597-587901018075}><C:\WINDOWS\system32\kaqhezy.dll>       [N/A]
         <{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\WINDOWS\system32\dh3vpw0.dll>       []
         <{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys>       []
         <{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\WINDOWS\system32\avzxdmn.dll>       []
         <{28907901-1416-3389-9981-372178569982}><C:\WINDOWS\system32\kawdbzy.dll>       [N/A]
         <{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\WINDOWS\system32\kvdxcma.dll>       [N/A]
         <{2960356A-458E-DE24-BD50-268F589A56A2}><C:\WINDOWS\system32\avwlbmn.dll>       [N/A]
         <{18847374-8323-FADC-B443-4732ABCD3781}><C:\WINDOWS\system32\sidjazy.dll>       [N/A]
         <{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\WINDOWS\system32\rarjbpi.dll>       [N/A]
　　驱动
[Secdrv / Secdrv][Stopped/Manual Start]
       <system32\DRIVERS\secdrv.sys><N/A>
文件关联修复
.CHM       Error. ["hh.exe" %1]
.HLP       Error. [winhlp32.exe %1]
.INI       Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]

　　病毒进程--插入所有进程.....
[PID: 696 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 744 / SYSTEM][C:\WINDOWS\system32\services.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 756 / SYSTEM][C:\WINDOWS\system32\lsass.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 920 / SYSTEM][C:\WINDOWS\system32\svchost.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 992 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1124 / SYSTEM][C:\WINDOWS\System32\svchost.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\System32\avzxdmn.dll]       [N/A, ]
[PID: 1204 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1272 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1636 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]       [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1860 / SYSTEM][C:\WINDOWS\ATKKBService.exe]       [ASUSTeK COMPUTER INC., 1, 0, 0, 0]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1444 / SYSTEM][c:\program files\rising\rfw\rfwsrv.exe]       [Beijing Rising Technology Co., Ltd., 5, 0, 0, 35]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 1860 / SYSTEM][C:\WINDOWS\ATKKBService.exe]       [ASUSTeK COMPUTER INC., 1, 0, 0, 0]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 2000 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe]       [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
[PID: 880 / new][C:\WINDOWS\Explorer.EXE]       [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]
[PID: 1876 / new][c:\program files\rising\rfw\RfwMain.exe]       [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]
[PID: 280 / new][C:\Program Files\Rising\Rav\Ravmon.exe]       [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\Program Files\Internet Explorer\Info_Ms.Sys]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]
[PID: 304 / new][C:\Program Files\360safe\safemon\360Tray.exe]       [奇虎网, 3, 6, 3, 1001]
         [C:\Program Files\Internet Explorer\Info_Ms.Sys]       [N/A, ]
[PID: 1704 / new][C:\WINDOWS\system32\ctfmon.exe]       [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\Program Files\Internet Explorer\Info_Ms.Sys]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]
[PID: 3756 / new][F:\qq\QQ.exe]       [TENCENT, 7,0,431,1723]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]
[PID: 3792 / new][F:\qq\TIMPlatform.exe]       [TENCENT, 7,0,431,1723]
         [C:\Program Files\Internet Explorer\Info_Ms.Sys]       [N/A, ]
         [F:\qq\TIMProxy.dll]       [tencent, 0, 3, 2, 4]
[PID: 932 / new][G:\新建文件夹 (3)\SREngPS.EXE]       [Smallfrogs Studio, 2.5.16.900]
         [C:\WINDOWS\system32\avzxdmn.dll]       [N/A, ]
         [C:\Program Files\Internet Explorer\Info_Ms.Sys]       [N/A, ]
         [C:\WINDOWS\system32\dh3vpw0.dll]       [N/A, ]

　　我给出以下的处理方法

　　打开冰刃和SRENG(down.45it.com下载sreng2.zip和IceSword120_cn.zip(以下简称冰刃)),

　　将冰刃设置为禁止进程创建,如图1

　　右键EXPLORER.EXE--模块信息打开后如图2

　　找到 C:\WINDOWS\system32\avzxdmn.dll
C:\Program Files\Internet Explorer\Info_Ms.Sys
C:\WINDOWS\system32\dh3vpw0.dll

　　全部卸除,请仔细检查每一个进程里面的DLL,确保无病毒残留,然后打开冰刃里面的文件,找到那病毒路径,删除...应该可以解决掉那家伙...

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><avzxdmn.dll> []

　　用SRENG置空为<AppInit_DLLs><> []

　　把以下注册表删除掉!~

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
         <{66650011-3344-6688-4899-345FABCD1566}><C:\WINDOWS\system32\ratbfpi.dll>       [N/A]
         <{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\WINDOWS\system32\rsztcpm.dll>       [N/A]
         <{57D81718-1314-5200-2597-587901018075}><C:\WINDOWS\system32\kaqhezy.dll>       [N/A]
         <{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\WINDOWS\system32\dh3vpw0.dll>       []
         <{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys>       []
         <{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\WINDOWS\system32\avzxdmn.dll>       []
         <{28907901-1416-3389-9981-372178569982}><C:\WINDOWS\system32\kawdbzy.dll>       [N/A]
         <{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\WINDOWS\system32\kvdxcma.dll>       [N/A]
         <{2960356A-458E-DE24-BD50-268F589A56A2}><C:\WINDOWS\system32\avwlbmn.dll>       [N/A]
         <{18847374-8323-FADC-B443-4732ABCD3781}><C:\WINDOWS\system32\sidjazy.dll>       [N/A]
         <{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\WINDOWS\system32\rarjbpi.dll>       [N/A]

　　文件关联修复好
.CHM       Error. ["hh.exe" %1]
.HLP       Error. [winhlp32.exe %1]
.INI       Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]

　　据说我写的P处理无法正常运行......就手动处理下那家伙吧!~

搜索

QQ尾巴病毒(极速网络公司)分析及解决参考