HELP~~~~~~~~我电脑中毒了,谁知道怎么彻底清除吗?!谢谢!【原创】 bbs.ikaka.com

走路很飘 - 2007-5-18 21:57:00

映像名称 5263.EXE 用户名 SYSTEM 大小3,032K
本来任务管理器还有一个RUNDLL32,我到安全模式下用卡巴斯基扫描杀了病毒,可是重启后进入系统每次打开网页或者硬盘都会出现一个对话框"加载时出错,找不到指定的模块"对话框的文件名叫RUNDLL,谁知道怎么解决这二个问题呀?!小妹先在这里说声谢谢了!

agee - 2007-5-18 22:18:00

借花献佛
下载 System Repair Engineer，
http://www.kztechs.com/sreng/download.html
1 解压缩sreng2.zip
2 运行SREng.exe
3 智能扫描=》扫描=》保存报告
4 把日志中的报告完整拷贝贴上来，不要修改
日志一次发不完，请分次发上来

走路很飘 - 2007-5-18 22:25:00

[CODE]

2007-05-18,22:12:14

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<SKYNET Personal FireWall><D:\PROGRA~1\SkyNet\Firewall\pfw.exe> [N/A]
<UUCallMini><"D:\UUCall3.exe" -autorun> [N/A]
<tfjicec><C:\Program Files\Uninstall Information\tfjicec.exe> []
<AVP><"D:\Program Files\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<Register D:\Program Files\CPHelper.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\CPHelper.dll",DllRegisterServer> []
<Register D:\Program Files\Timwp.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\Timwp.dll",DllRegisterServer> [(Verified)Tencent Technology (ShenZhen) Company Limited]
<Register D:\Program Files\TIMProxy.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\TIMProxy.dll",DllRegisterServer> [tencent]
<Register D:\Program Files\qdshm.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\qdshm.dll",DllRegisterServer> []
<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{D157330A-9EF3-49F8-9A67-4141AC41ADD4}><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]

==================================
启动文件夹
[Microsoft Office]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
[yceflf]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yceflf.lnk --> C:\PROGRA~1\AvRack\yceflff.exe [N/A]><N>

==================================
服务
[卡巴斯基反病毒6.0个人版 / AVP][Running/Auto Start]
<"D:\Program Files\avp.exe" -r><Kaspersky Lab>
[Google Updater Service / gusvc][Stopped/Manual Start]
<"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Fax Client / ms_fax][Running/Auto Start]
<C:\WINDOWS\system32\5263.exe><N/A>

==================================
驱动程序
[ADProt / ADProt][Stopped/System Start]
<\SystemRoot\system32\drivers\ADProt.sys><N/A>
[Service for Avance AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[front / front][Stopped/Boot Start]
<2 - 系统找不到指定的文件。
><N/A>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[roreg / roreg][Stopped/System Start]
<2 - 系统找不到指定的文件。
><N/A>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[SiS PCI Fast Ethernet Adapter Driver / SISNIC][Running/Manual Start]
<system32\DRIVERS\sisnic.sys><SiS Corporation>
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>

==================================
浏览器加载项
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} <D:\Program Files\WebThunderBHO_016.dll, Thunder Networking Technologies,LTD>
[Abho Class]
{1238F6B9-C123-4049-B07E-7A71AF320032} <C:\WINDOWS\system32\052.dll, TODO: <公司名>>
[Google Toolbar Helper]
{AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Web反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <D:\Program Files\scieplugin.dll, Kaspersky Lab>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Rising Web Scan Object]
{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} <D:\Program Files\WebThunderBHO_016.dll, Thunder Networking Technologies,LTD>
[Abho Class]
{1238F6B9-C123-4049-B07E-7A71AF320032} <C:\WINDOWS\system32\052.dll, TODO: <公司名>>
[&Google]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Active Desktop Mover]
{72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[Google Toolbar Helper]
{AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[CPPIE Class]
{C6844939-C324-41E0-84D0-D42F8DA5EBAD} <, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[Rising Web Scan Object]
{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[上传到QQ网络硬盘]
<D:\Program Files\AddToNetDisk.htm, N/A>
[使用Web迅雷下载]
<D:\Program Files\GetUrl.htm, N/A>
[使用Web迅雷下载全部链接]
<D:\Program Files\GetAllUrl.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\SendMMS.htm, N/A>

走路很飘 - 2007-5-18 22:26:00

正在运行的进程
[PID: 488][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 564][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 588][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 632][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 644][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 796][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 856][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 940][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1396][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\WINDOWS\system32\icm32.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\WebThunderBHO_016.dll] [Thunder Networking Technologies,LTD, 6, 0, 0, 5]
[C:\WINDOWS\system32\052.dll] [TODO: <公司名>, 1.0.0.1]
[D:\Program Files\rarext.dll] [N/A, ]
[D:\Program Files\ShellEx.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[PID: 1584][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1872][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3544][C:\Program Files\Rising\AntiSpyware\Ras.exe] [Beijing Rising Technology Co., Ltd., 1, 0, 6, 1]
[C:\Program Files\Rising\AntiSpyware\RasGui.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 19]
[D:\Program Files\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[PID: 412][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[c:\program files\google\googletoolbar2.dll] [Google Inc., 4, 0, 1601, 4978]
[D:\Program Files\WebThunderBHO_016.dll] [Thunder Networking Technologies,LTD, 6, 0, 0, 5]
[C:\WINDOWS\system32\052.dll] [TODO: <公司名>, 1.0.0.1]
[D:\Program Files\klscav.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\prremote.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\prloader.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\prkernel.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\params.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\pxstub.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\tempfile.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\nfio.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\fsdrvplgn.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\basegui.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\thpimpl.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\FSSync.dll] [Kaspersky Lab, 6.0.5.621]
[d:\program files\winreg.ppl] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 2172][D:\xz\TTPlayer.exe] [Alen Soft, 4, 6, 9, 0]
[D:\xz\ttpcomm.dll] [N/A, ]
[D:\xz\ttpres.dll] [Alen Soft, 4, 6, 9, 0]
[D:\xz\msdmo.dll] [Microsoft Corporation, 6.03.01.0400]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\xz\AddIn\ttp_asf.dll] [N/A, ]
[D:\xz\AddIn\ttp_aac.dll] [N/A, ]
[D:\xz\AddIn\ttp_ac3dts.dll] [N/A, ]
[D:\xz\wmadmod.dll] [Microsoft Corporation, 10.00.00.3646]
[PID: 3380][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[c:\program files\google\googletoolbar2.dll] [Google Inc., 4, 0, 1601, 4978]
[D:\Program Files\taskmanage.dll] [Thunder Networking Technologies,LTD, 1, 7, 2, 107]
[D:\Program Files\download_interface.dll] [Thunder Networking Technologies,LTD, 2, 14, 2, 79]
[D:\Program Files\stlport_vc646.dll] [STLport Consulting, Inc., 4.6.2003.1031]
[D:\Program Files\asyn_dns.dll] [Thunder Networking Technologies,LTD, 2, 14, 2, 79]
[D:\Program Files\RegisterDll.dll] [Thunder Networking Technologies,LTD, 2, 13, 4, 58]
[D:\Program Files\historyinfo_manage.dll] [Thunder Networking Technologies,LTD, 5, 3, 0, 228]
[D:\Program Files\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\iEmbedShell.dll] [　, 1, 0, 0, 17]
[D:\Program Files\iEmbed09.dll] [　, 3, 3, 0, 78]
[D:\Program Files\klscav.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\prremote.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\prloader.dll] [Kaspersky Lab, 6.0.2.621]
[D:\Program Files\prkernel.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\params.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\pxstub.ppl] [Kaspersky Lab, 6.0.2.621]
[d:\program files\tempfile.ppl] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1972][D:\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. [C:\WINDOWS\hh.exe %1]
.HLP Error. [C:\WINDOWS\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.INF Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 about-blank.cc
127.0.0.1 kzxf.com
127.0.0.1 vod.mmdy.org
127.0.0.1 www.4199.com
127.0.0.1 www.71791.com
127.0.0.1 www.7939.com
127.0.0.1 www.9505.com
127.0.0.1 www.feixue.net
127.0.0.1 www.kzxf.com
127.0.0.1 www.piaoxue.com
127.0.0.1 www.xfkz.com
127.0.0.1 xfkz.com

==================================
API HOOK
RVA 错误： LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBAE35AF0)
RVA 错误： LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBAE35CD0)
RVA 错误： LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBAE35E30)
RVA 错误： LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBAE35BE0)
RVA 错误： GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0xBAE35DE0)

==================================
隐藏进程
N/A

==================================

[/CODE]

agee - 2007-5-19 0:51:00

以下启动项可疑
<tfjicec><C:\Program Files\Uninstall Information\tfjicec.exe> []
以下服务可疑
[Fax Client / ms_fax][Running/Auto Start]
<C:\WINDOWS\system32\5263.exe><N/A>
进程中调用的以下文件可疑
[C:\WINDOWS\system32\052.dll] [TODO: <公司名>, 1.0.0.1]
修复host文件

loveperday - 2007-5-19 0:58:00

我想问一下，你现在QQ能用么？
机器里的RUNDLL.EXE文件还在么？

注册表的这三个<Register D:\Program Files\CPHelper.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\CPHelper.dll",DllRegisterServer> []
<Register D:\Program Files\Timwp.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\Timwp.dll",DllRegisterServer> [(Verified)Tencent Technology (ShenZhen) Company Limited]
<Register D:\Program Files\TIMProxy.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\TIMProxy.dll",DllRegisterServer> [tencent]
<Register D:\Program Files\qdshm.dll><"C:\WINDOWS\system32\rundll32.exe" "D:\Program Files\qdshm.dll",DllRegisterServer> []

最好删除掉吧。
重新装下QQ

走路很飘 - 2007-5-21 7:46:00

QQ不能用,我卸载了QQ,然后重新安装,结果卡巴说程序有病毒不允许再继续安装,安装QQ的时候有个中文搜,勾怎么点也去不掉,真郁闷,结果我就不装了,把原来的QQ程序删了,在网上下载了还是一样的结果

loveperday - 2007-5-21 9:23:00

把四楼和五楼的东西都删除掉，删不掉用冰刃，在华君软件园能下到。再

瑞星卡卡安全论坛