瑞星卡卡安全论坛

附件: 101985120083795408[2].txt (2009-1-15 23:37:55, 38.66 K)
该附件被下载次数 305

中了毒删不掉，附上日志

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)

你安装了vnc viewer这款监控软件了么?

没有，安装了ArSwp

可以确定你机流氓软件和病毒共存，由于对一些监控软件不熟悉，将一些嫌疑比较大的问题项目罗列下：
=================================
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Firewall auto setup><C:\DOCUME~1\USER\LOCALS~1\Temp\winlogon.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <z3iyc7b><rundll32 "C:\WINDOWS\Downlo~1\z3iyc7b.dll",start>  [Microsoft Corporation]
    <ln0d8no><rundll32 "C:\WINDOWS\Downlo~1\ln0d8no.dll",Run>  [Microsoft Corporation]
==================================
服务
[COM+ Service Process Manager / COMLoader32][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->c:\windows\inf\camdrvs.inf><Microsoft Corporation>
[DCOM Service Process Manager / COMROMLoader64][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->c:\windows\inf\dvdromdrvs.inf><Microsoft Corporation>
[FCI / FCI][Stopped/Auto Start]
  <C:\WINDOWS\system32\svchost.exe:ext.exe><N/A>
[ICF / ICF][Stopped/Auto Start]
  <C:\WINDOWS\system32\svchost.exe:exe.exe><N/A>
[ms_2fax / ms_2fax][Running/Auto Start]
  <C:\WINDOWS\system32\f10c1.exe><Microsoft Corporation>
[Secondary Logon / seclogon][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->c:\windows\system32\com\pmmdqcgci.dll><N/A>
[System Event loader / sysloader][Stopped/Auto Start]
  <"C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe"><Microsoft>
[Portable Media Serial Number Services / WmdmPmSNs][Stopped/Auto Start]
  <C:\WINDOWS\system32\rxjh_2.exe><N/A>
==================================
驱动程序
[apcdli / apcdli][Running/Auto Start]
  <\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><>
[Test Info / bkckrtdl][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\bkckrtdl.sys><N/A>
[x63 / x63q][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\x63q.sys><N/A>
==================================
浏览器加载项
[Invoke Class]
  {0EAF6278-BD19-4153-BA3B-9B850F31E67B} <C:\WINDOWS\system32\7f11.dll, >
[CAdLogic Object]
  {11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush.dll, N/A>
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, N/A>
[BHOobj Class]
  {3CF67E17-3AF1-4813-88B9-F3B2490D2216} <C:\WINDOWS\system32\KIE.dll, N/A>
[]
  {4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3} <C:\WINDOWS\system32\hdnodmzhjt.dll, N/A>
[e404mgr Class]
  {A3D76B96-30B9-4DCC-9B3D-D12E31280D29} <C:\Program Files\Helper\1204089417.dll, >
[Adobe Common Objects]
  {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} <C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3105.dll, N/A>
[Invoke Class]
  {0EAF6278-BD19-4153-BA3B-9B850F31E67B} <C:\WINDOWS\system32\7f11.dll, >
[CAdLogic Object]
  {11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush.dll, N/A>
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, N/A>
[BHOobj Class]
  {3CF67E17-3AF1-4813-88B9-F3B2490D2216} <C:\WINDOWS\system32\KIE.dll, N/A>
[]
  {4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3} <C:\WINDOWS\system32\hdnodmzhjt.dll, N/A>
[e404mgr Class]
  {A3D76B96-30B9-4DCC-9B3D-D12E31280D29} <C:\Program Files\Helper\1204089417.dll, >
[Adobe Common Objects]
  {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} <C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3105.dll, N/A>
==================================
正在运行的进程
    [c:\windows\system32\com\pmmdqcgci.dll]  [N/A, ]
    [c:\windows\system32\usmt\jjfavxbnl.dll]  [Microsoft Crop., 6.0.3.425]
    [c:\windows\inf\msdvdload.exe]  [N/A, ]
    [C:\WINDOWS\Downlo~1\ln0d8no.dll]  [Microsoft Corporation, 5, 3, 2600, 2180]
    [C:\WINDOWS\Downlo~1\z3iyc7b.dll]  [Microsoft Corporation, 5, 3, 2600, 2180]
    [c:\windows\inf\dvdromdrvs.inf]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [c:\windows\inf\camdrvs.inf]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\7f11.dll]  [, 1, 0, 0, 2]
    [C:\WINDOWS\system32\7f11.dll]  [, 1, 0, 0, 2]
    [C:\Program Files\Helper\1204089417.dll]  [, 1, 0, 0, 1]
==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 20248, C:\WINDOWS\SYSTEM32\USMT\7895\SVCHOST.EXE]
==================================
隐藏进程
    [3132] C:\DOCUME~1\USER\LOCALS~1\Temp\winlogon.exe
==================================
【注】个人以为C:\Program Files\wrkwn60\windlwork.dll这个进程是VNC软件释放的监控软件核心组件，请确认是否是网络管理员安装的监控进程软件先……:default7:

选出这些以后呢？该怎么操作

明天等天月回复吧，俺有事先走了……:default7:

天月是谁

用附件里的wsyscheck如下操作（软件设置——选择“禁止进程与文件创建”与“删除文件后锁定”）：

服务管理，右击以下服务选择“删除选中的服务与文件”

[CcEvtSvc / CcEvtSvc][Running/Auto Start]
  <C:\WINDOWS\System32\CcEvtSvc.exe -k netsvcs><N/A>
[FCI / FCI][Stopped/Auto Start]
  <C:\WINDOWS\system32\svchost.exe:ext.exe><N/A>
[ICF / ICF][Stopped/Auto Start]
<C:\WINDOWS\system32\svchost.exe:exe.exe><N/A>
[Machine Debug Manager / MDM][Running/Auto Start]
  <"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"><Microsoft Corporation>
[ms_2fax / ms_2fax][Running/Auto Start]
  <C:\WINDOWS\system32\f10c1.exe><Microsoft Corporation>
[Secondary Logon / seclogon][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->c:\windows\system32\com\pmmdqcgci.dll><N/A>
[Secondary Logon / seclogon][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->c:\windows\system32\com\pmmdqcgci.dll><N/A>
[System Event loader / sysloader][Stopped/Auto Start]
  <"C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe"><Microsoft>
[Windows Live Setup Service / WLSetupSvc][Stopped/Manual Start]
  <"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"><Microsoft Corporation>
[Portable Media Serial Number Services / WmdmPmSNs][Stopped/Auto Start]
  <C:\WINDOWS\system32\rxjh_2.exe><N/A>
[apcdli / apcdli][Running/Auto Start]
  <\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><>
[Test Info / bkckrtdl][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\bkckrtdl.sys><N/A>
[x63 / x63q][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\x63q.sys><N/A>


安全检查——活动文件，找到以下红色部分，选择“修复并删除文件”：

<Firewall auto setup><C:\DOCUME~1\USER\LOCALS~1\Temp\winlogon.exe>  [N/A]
    <z3iyc7b><rundll32 "C:\WINDOWS\Downlo~1\z3iyc7b.dll",start>  [Microsoft Corporation]
    <ln0d8no><rundll32 "C:\WINDOWS\Downlo~1\ln0d8no.dll",Run>  [Microsoft Corporation]

用sreng处理以下部分：
系统修复——浏览器加载项之如下项删除：


[Invoke Class]
  {0EAF6278-BD19-4153-BA3B-9B850F31E67B} <C:\WINDOWS\system32\7f11.dll, >
[CAdLogic Object]
  {11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush.dll, N/A>
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, N/A>
[BHOobj Class]
  {3CF67E17-3AF1-4813-88B9-F3B2490D2216} <C:\WINDOWS\system32\KIE.dll, N/A>
[]
  {4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3} <C:\WINDOWS\system32\hdnodmzhjt.dll, N/A>
[e404mgr Class]
  {A3D76B96-30B9-4DCC-9B3D-D12E31280D29} <C:\Program Files\Helper\1204089417.dll, >



用附件里的360粉碎器删除如下文件（先复制如下文件，然后“导入文件列表”——粘贴）：

c:\windows\system32\com\pmmdqcgci.dll
c:\windows\system32\usmt\jjfavxbnl.dll
c:\windows\inf\msdvdload.exe
C:\WINDOWS\Downlo~1\ln0d8no.dll
C:\WINDOWS\Downlo~1\z3iyc7b.dll
c:\windows\inf\dvdromdrvs.inf
c:\windows\inf\camdrvs.inf
C:\WINDOWS\system32\7f11.dll
C:\Program Files\Helper\1204089417.dll
C:\WINDOWS\SYSTEM32\USMT\7895\SVCHOST.EXE
C:\WINDOWS\system32\hdnodmzhjt.dll
C:\Program Files\Helper\1204089417.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

用下载的“清理临时文件工具ATF-Cleaner-cn”，全选所有项目，点击“立即清理”
下载：http://bbs.ikaka.com/attachment.aspx?attachmentid=447126
用W i n d o w s 清理助手 ，清理系统。
W i n d o w s 清理助手 下载：http://www.arswp.com/（先更新）

附件: wsyscheck.rar