都是高手我来学习 - 2007-4-18 16:44:00
︶ㄣ┇奇迹┇ I followed your method and killed all of them; only this one I couldn't find:
G:\winio.sys. Everything else was killed, using IceSword (冰刃) and SREng2.
But after I rebooted and ran Kaspersky, it still detected this virus:
已删除: 木马程序 Trojan.Win32.Qhost.kn 文件: C:\WINDOWS\system32\drivers\etc\hosts_SREBACK_20070418151951
已删除: 木马程序 Trojan.Win32.Qhost.kn 文件: C:\WINDOWS\system32\drivers\etc\hosts_SREBACK_20070418161203
已删除: 木马程序 Trojan.Win32.Qhost.kn 文件: C:\Documents and Settings\zhangyuzhi\Local Settings\Temporary Internet Files\Content.IE5\4G6SHLTN\image8[2].gif
已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.es 文件: C:\Documents and Settings\zhangyuzhi\Local Settings\Temporary Internet Files\Content.IE5\VXAPFL3N\image7[1].gif
Could you experts take another look at my log? I've been working on this virus for 3 days now. Some people say just repartition everything and be done with it, but in my view, if you repartition every time you get a virus, what's the point!
都是高手我来学习 - 2007-4-18 16:45:00
My log, just scanned:
[CODE]
2007-04-18,16:25:42
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<High Definition Audio Property Page Shortcut><HDAShCut.exe> [(Verified)Microsoft Windows XP Publisher]
<SoundMAXPnP><C:\Program Files\Analog Devices\Core\smax4pnp.exe> [Analog Devices, Inc.]
<SoundMAX><"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray> [Analog Devices, Inc.]
<PRONoMgrWired><C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe> [Intel(R) Corporation]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]
==================================
启动文件夹
N/A
==================================
服务
[卡巴斯基反病毒6.0 / AVP][Stopped/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Intel NCS NetService / NetSvc][Stopped/Manual Start]
<C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe><Intel(R) Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
都是高手我来学习 - 2007-4-18 16:47:00
==================================
驱动程序
[ADI UAA Function Driver for High Definition Audio Service / ADIHdAudAddService][Running/Manual Start]
<system32\drivers\ADIHdAud.sys><Analog Devices, Inc.>
[AEAudio Service / AEAudioService][Running/Manual Start]
<system32\drivers\AEAudio.sys><Andrea Electronics Corporation>
[Intel(R) PRO/1000 Network Connection Driver / E1000][Running/Manual Start]
<system32\DRIVERS\e1000325.sys><Intel Corporation>
[Microsoft UAA Function Driver for High Definition Audio Service / HdAudAddService][Stopped/Manual Start]
<system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SenFilt Service / SenFiltService][Running/Manual Start]
<system32\drivers\Senfilt.sys><Sensaura>
都是高手我来学习 - 2007-4-18 16:47:00
==================================
浏览器加载项
[Web反病毒保护]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, Macromedia, Inc.>
==================================
正在运行的进程
[PID: 668][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 732][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1768][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.8040]
[C:\WINDOWS\system32\nvshell.dll] [NVIDIA Corporation, 6.14.10.10525]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 1880][C:\Program Files\Analog Devices\Core\smax4pnp.exe] [Analog Devices, Inc., 6, 0, 0, 20]
[C:\Program Files\Analog Devices\Core\SMWDMIF.dll] [Analog Devices, Inc., 6, 0, 0, 012]
[PID: 1888][C:\Program Files\Analog Devices\SoundMAX\Smax4.exe] [Analog Devices, Inc., 5, 2, 0, 9]
[PID: 1904][C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\CHSPGUIR.dll] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\8023\PNC802_3.dll] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\8023\CHSPCMRs.dll] [Intel(R) Corporation, 7.2.3.2]
[PID: 1936][C:\WINDOWS\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.8040]
[PID: 1952][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2272][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3824][E:\病毒专用软件\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
RVA 错误: LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AB25)
RVA 错误: LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AD67)
RVA 错误: LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AF0B)
RVA 错误: LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AC49)
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0xF4D3AE8F)
==================================
隐藏进程
N/A
==================================
[/CODE]
孤独更可靠 - 2007-4-18 16:52:00
The log looks fine.
天月来了 - 2007-4-18 17:33:00
Does this mean your hosts file is abnormal???? But SREng didn't show anything.
Check the hosts file with SREng and post a screenshot.
木马程序 Trojan.Win32.Qhost.kn 文件: C:\WINDOWS\system32\drivers\etc\hosts_SREBACK_20070418151951
木马程序 Trojan.Win32.Qhost.kn 文件: C:\WINDOWS\system32\drivers\etc\hosts_SREBACK_20070418161203
These were downloaded while browsing; no need to worry about them.
木马程序 Trojan.Win32.Qhost.kn 文件: C:\Documents and Settings\zhangyuzhi\Local Settings\Temporary Internet Files\Content.IE5\4G6SHLTN\image8[2].gif
木马程序 Trojan-PSW.Win32.OnLineGames.es 文件: C:\Documents and Settings\zhangyuzhi\Local Settings\Temporary Internet Files\Content.IE5\VXAPFL3N\image7[1].gif
Open drive G: in IceSword; can't you see G:\winio.sys???
Open the folder C:\Documents and Settings\zhangyuzhi\Local Settings\Temporary Internet Files\Content.IE5 in IceSword and delete all the subfolders. Don't delete the two files outside the folders.
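An added example, not from this thread or any of its posters: a small hosts-file audit in Python of the kind a defender would run to answer the question above (whether the hosts file has been tampered with, which is what a Qhost detection name points at). The hosts contents below are constructed samples, and the vendor keywords are an assumed watch-list, not something SREng or Kaspersky ship.

```python
import ipaddress
from dataclasses import dataclass

# Constructed samples: the single line SREng reported on this machine, and a
# hijacked file of the kind hosts-file trojans leave behind (placeholder names).
CLEAN_HOSTS = "127.0.0.1 localhost\n"
HIJACKED_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       downloads1.kaspersky-labs.com   # sinkholes AV updates
127.0.0.1       www.rising.com.cn
192.0.2.10      www.example-bank.test            # pins a site to another host
"""

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}
# Assumed watch-list: security and update vendors a trojan typically blocks.
WATCH_KEYWORDS = ("kaspersky", "rising", "symantec", "mcafee", "microsoft", "windowsupdate")

@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments/blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield n, fields[0], name.lower()

def audit_hosts(text):
    """Return the entries a reviewer should look at; an untouched file yields []."""
    findings = []
    for n, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(n, ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue  # the normal localhost line
        if addr.is_loopback and any(k in name for k in WATCH_KEYWORDS):
            findings.append(Finding(n, ip, name, "security/update site sinkholed to loopback"))
        elif addr.is_loopback:
            findings.append(Finding(n, ip, name, "non-local name mapped to loopback"))
        else:
            findings.append(Finding(n, ip, name, "name pinned to a non-loopback address"))
    return findings

if __name__ == "__main__":
    for f in audit_hosts(HIJACKED_HOSTS):
        print(f"line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
```

Intranet or ad-blocking hosts entries will also be reported; the output is a review list, not a verdict.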