orz.exe bbs.ikaka.com

赤脚大仙2 - 2008-12-17 23:32:00

今天别人用我的机器上了网，一会儿我发现开始菜单－》程序－》里面的内容打不开了，用鼠标点击，没有反应，就像是一张纸一样。
检查进程，发现有orz.exe和三个数字命名的exe文件，还有几个怪的文件在进程里运行。
意识到是中了病毒。
这时发现：
瑞星杀毒和瑞星防火墙停止工作了，进程被终止。
regedit不能运行。
开始菜单——》程序——》内的内容无法点击。
双击我的电脑，要好长时间才能看到硬盘和光驱。双击我的文档能顺利打开。
不能完全卸载瑞星。
不能安装卡巴斯基。

网上说是orz.exe 是 Flash特务（Orz.exe病毒）

但是我不知道要怎么解决。

向高手求教，谢谢！！！

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727)

古梦潭 - 2008-12-18 7:17:00

回复：困扰大虾救命啊
扫SRENG日志发这论坛来

下载最新版本的SRENG工具：http://www.kztechs.com/sreng/download.html
操作方法可以看这贴2楼：http://bbs.ikaka.com/showtopic-8442813.aspx

1 下载的是压缩包，必须解压缩后再运行。
2 运行SREng***.EXE
3 选择主界面左边的：智能扫描=》扫描=》保存报告，勾选验证数字签名
4 把报告保存后，将日志文件发这论坛来。

建议日志文件以附件形式发来
点击我这贴右下角的“引用”或最右下角的那个较大的“回复”然后就应该知道怎么发了。
请不要开新贴发日志，就原贴接贴发日志即可

赤脚大仙2 - 2008-12-18 10:16:00

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Component Publisher]
<msnmsgr><"C:\Program Files\MSN Messenger\msnmsgr.exe" /background> [(Verified)Microsoft Corporation]
<WMPNSCFG><C:\Program Files\Windows Media Player\WMPNSCFG.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TPKMAPHELPER><C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper> [IBM Corp.]
<TPHOTKEY><C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe> []
<SoundMAXPnP><C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe> [Analog Devices, Inc.]
<SoundMAX><C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray> [Analog Devices, Inc.]
<ATIPTA><C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe> [ATI Technologies, Inc.]
<IBMPRC><C:\IBMTOOLS\UTILS\ibmprc.exe> [IBM Corp.]
<QCWLICON><C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE> [IBM Corp.]
<PWRMGRTR><rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor> [IBM Corp.]
<UsbCipHelper><C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe> [Rockwell Automation, Inc.]
<BluetoothAuthenticationAgent><rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent> [(Verified)Microsoft Windows Component Publisher]
<Adobe Reader Speed Launcher><"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"> [(Verified)"Adobe Systems, Incorporated"]
<HBService32><System.exe> [HB Software]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<nwiz><aliba32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Infected) Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><HBmhly.dll,HBWOW.dll,HBDNF.dll,HBQQSG.dll,HBTL.dll,HBZHUXIAN.dll,HBWD.dll,HBASKTAO.dll,HBJTLQ.dll,HBQQXX.dll,HBJXSJ.dll,HBLYFX.dll,HBYY.dll,HBCHIBI.dll,HBSHQ.dll xsisco.dll qanhllao.dll kodens.dll jolinen.dll kandoftt.dll rexljeh.dll,HBTW2.dll> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<GinaDLL><Ginastub.dll> []
<UIHost><logonui.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}><5934EA2B.dll> []
<{B6E23E89-C925-4BF7-92EB-77EFDF8C58A6}><B6E23E89.dll> []
<{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}><08223B03.dll> []
<{D7C79813-9233-4AE0-832C-99B2E8019673}><D7C79813.dll> []
<{2EF0D734-21FD-4225-A1A2-BCD296182AAF}><2EF0D734.dll> []
<{93DEE065-EC9B-4505-ADD3-19880AD3C38F}><93DEE065.dll> []
<{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}><56BC86C7.dll> []
<{DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA}><DFB3DAC5.dll> []
<{D9C002DD-EA51-43A2-9009-54EAAAF031A4}><D9C002DD.dll> []
<{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}><4FBFD5A4.dll> []
<{4D023DE9-F4B5-4BE0-99C6-7C7AD0CF5426}><4D023DE9.dll> []
<{DA63E650-537C-4042-87BB-9D19D844680B}><DA63E650.dll> []
<{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}><122B901E.dll> []
<{201476D0-2B18-462E-AB9F-3E2B0CC8732B}><201476D0.dll> []
<{E783C505-FA27-48BD-9B35-C84E5CEA523F}><E783C505.dll> []
<{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738}><755D0ED0.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Windows Component Publisher]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
<WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
<WinlogonNotify: psfus><C:\Program Files\IBM fingerprint software\psfus.dll> [UPEK Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
<WinlogonNotify: QConGina><QConGina.dll> [IBM Corp.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
<WinlogonNotify: tphotkey><tphklock.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
<浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP> [(Verified)Microsoft Windows Component Publisher]

小日来了 - 2008-12-18 10:17:00

把日志从附件上传！

赤脚大仙2 - 2008-12-18 10:18:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
<IFEO[360safe.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
<IFEO[360safebox.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
<IFEO[360tray.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.exe]
<IFEO[ACKWIN32.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe]
<IFEO[ANTI-TROJAN.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe]
<IFEO[anti.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe]
<IFEO[antivir.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe]
<IFEO[atrack.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.exe]
<IFEO[AUTODOWN.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe]
<IFEO[AVCONSOL.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.exe]
<IFEO[AVE32.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe]
<IFEO[AVGCTRL.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avk.exe]
<IFEO[avk.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.exe]
<IFEO[AVKSERV.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
<IFEO[avp.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.exe]
<IFEO[AVPUPD.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe]
<IFEO[AVSCHED32.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe]
<IFEO[avsynmgr.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe]
<IFEO[AVWIN95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe]
<IFEO[avxonsol.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe]
<IFEO[BLACKD.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe]
<IFEO[BLACKICE.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
<IFEO[CCenter.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe]
<IFEO[CFIADMIN.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.exe]
<IFEO[CFIAUDIT.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIND.exe]
<IFEO[CFIND.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe]
<IFEO[cfinet.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe]
<IFEO[cfinet32.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.exe]
<IFEO[CLAW95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CT.exe]
<IFEO[CLAW95CT.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe]
<IFEO[CLEANER.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe]
<IFEO[CLEANER3.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DAVPFW.exe]
<IFEO[DAVPFW.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbg.exe]
<IFEO[dbg.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe]
<IFEO[debu.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95.exe]
<IFEO[DV95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95_O.exe]
<IFEO[DV95_O.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe]
<IFEO[DVP95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.exe]
<IFEO[ECENGINE.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe]
<IFEO[EFINET32.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe]
<IFEO[ESAFE.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESPWATCH.exe]
<IFEO[ESPWATCH.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorewclass.exe]
<IFEO[explorewclass.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.exe]
<IFEO[F-AGNT95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.exe]
<IFEO[F-PROT.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe]
<IFEO[f-prot95.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe]
<IFEO[f-stopw.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.exe]
<IFEO[FINDVIRU.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fir.exe]
<IFEO[fir.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe]
<IFEO[fp-win.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe]
<IFEO[FRW.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe]
<IFEO[IAMAPP.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe]
<IFEO[IAMSERV.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.exe]
<IFEO[IBMASN.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe]
<IFEO[IBMAVSP.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ice.exe]
<IFEO[ice.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]

赤脚大仙2 - 2008-12-18 10:32:00

辉煌

附件: SREngLOG.log

赤脚大仙2 - 2008-12-18 10:35:00

Worm.Win32.NSDownloader.p

古梦潭 - 2008-12-18 13:05:00

http://bbs.ikaka.com/showtopic-8565484.aspx参看天月版主关于木马群的处理

清除下面的
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<nwiz><aliba32.exe> []
C:\WINDOWS\system32\userinit.exe这个文件被替换了
下面的值编辑惟空
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs
清楚下面的
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}><5934EA2B.dll> []
<{B6E23E89-C925-4BF7-92EB-77EFDF8C58A6}><B6E23E89.dll> []
<{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}><08223B03.dll> []
<{D7C79813-9233-4AE0-832C-99B2E8019673}><D7C79813.dll> []
<{2EF0D734-21FD-4225-A1A2-BCD296182AAF}><2EF0D734.dll> []
<{93DEE065-EC9B-4505-ADD3-19880AD3C38F}><93DEE065.dll> []
<{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}><56BC86C7.dll> []
<{DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA}><DFB3DAC5.dll> []
<{D9C002DD-EA51-43A2-9009-54EAAAF031A4}><D9C002DD.dll> []
<{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}><4FBFD5A4.dll> []
<{4D023DE9-F4B5-4BE0-99C6-7C7AD0CF5426}><4D023DE9.dll> []
<{DA63E650-537C-4042-87BB-9D19D844680B}><DA63E650.dll> []
<{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}><122B901E.dll> []
<{201476D0-2B18-462E-AB9F-3E2B0CC8732B}><201476D0.dll> []
<{E783C505-FA27-48BD-9B35-C84E5CEA523F}><E783C505.dll> []
<{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738}><755D0ED0.dll> []
一下驱动都清除
C:\WINDOWS\system32\b1a18a3e.sys
C:\WINDOWS\system32\b71fe93.sys
C:\WINDOWS\system32\b770ca2.sys
C:\WINDOWS\system32\f28907d.sys
SystemRoot\system32\drivers\HBKernel32.sys
<\??\C:\WINDOWS\system32\Nskhelper2.sys><N/A>

<\??\C:\WINDOWS\system32\NsPass0.sys><N/A>

<\??\C:\WINDOWS\system32\NsPass1.sys><N/A>

<\??\C:\WINDOWS\system32\NsPass2.sys><N/A>

<\??\C:\WINDOWS\system32\NsPass3.sys><N/A>

<\??\C:\WINDOWS\system32\NsPass4.sys><N/A>
C:\WINDOWS\system32\Drivers\SUPERNT.SYS

上边我写的东西不全，先参看那个帖子，
然后可以把我写的能找到的删除

赤脚大仙2 - 2008-12-18 19:33:00

好的谢谢！！

瑞星卡卡安全论坛