From the log, the following problem items can be seen:
Startup items
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> [N/A]
<AVPSrv><C:\WINDOWS\AVPSrv.exE> [N/A]
<LotusHlp><C:\WINDOWS\LotusHlp.exe> [N/A]
<SHAProc><C:\WINDOWS\SHAProc.exe> [N/A]
<vrhhytkn><C:\WINDOWS\rhtnmrkg.exe> []
<WINSvr32><C:\WINDOWS\WINSvr32.exE> []
<PTSShell><C:\WINDOWS\PTSShell.exe> []
<upxdnd><C:\WINDOWS\upxdnd.exe> [N/A]
<WinSysM><C:\WINDOWS\684745M.exe> [N/A]
<shell><Explorer.exe> [(Verified)]
Explorer.exe has been replaced/modified by the virus.
<AppInit_DLLs><mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,frntrn.dll,dnteh.dll,chmfcmh.dll,jwlah.dll,crugd.dll,lariytrz.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,gmnait.dll,hfjg.dll,xdndn.dll,rgfjj.dll,dscef.dll,xfng.dll,njritc.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,rhs.dll,rdthr.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,hkfgh.dll,drghszd.dll,fngn.dll,xdhdg.dll,zdbfbd.dll,fjyjy.dll,awef.dll,msepbe.dll,> [N/A]
Driver services
[apcdli / apcdli][Running/Auto Start]
<\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><N/A>
[Atixeve2122 / Atixeve2122][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.961.tmp><N/A>
[Atixeve2758 / Atixeve2758][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.598.tmp><N/A>
[fpids32 / fpids32][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosfpids32.sys><N/A>
[mnsf / mnsf][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp56.tmp><N/A>
[msfpfis64 / msfpfis64][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A>
[ntptdb / ntptdb][Running/Auto Start]
<\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys><N/A>
[ping / ping][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp54.tmp><N/A>
Browser add-ons
[]
{1629FF4F-ACDB-5C90-A098-FACB3456A261} <C:\WINDOWS\system32\mpmyaapi.dll, N/A>
[]
{228DF602-9541-A985-210A-984A698C6F22} <C:\WINDOWS\system32\ptjhbhlp.dll, N/A>
[]
{6167F471-EF2B-41DD-A5E5-C26ACDB5C096} <C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys, N/A>
WinSys8v.Sys is injected into some processes
The following files are injected into some system processes
C:\WINDOWS\system32\kduy.dll
C:\WINDOWS\system32\dnteh.dll
C:\WINDOWS\system32\lariytrz.dll
C:\WINDOWS\system32\xfgnxfn.dll
C:\WINDOWS\system32\sehhter.dll
C:\WINDOWS\system32\fjyjy.dll
C:\WINDOWS\system32\msepbe.dll
Solution:
Since multiple virus files are injected into system processes, xdelbox is needed to handle them
xdelbox:
http://bbs.ikaka.com/showtopic-8442813.aspx (can be downloaded from the third post)
How to use xdelbox:
http://forum.ikaka.com/topic.asp?board=28&artid=8381032
After downloading xdelbox, disconnect from the network, open xdelbox and add the following file paths
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\rhtnmrkg.exe
C:\WINDOWS\WINSvr32.exE
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\684745M.exe
C:\WINDOWS\system32\kduy.dll
C:\WINDOWS\system32\dnteh.dll
C:\WINDOWS\system32\lariytrz.dll
C:\WINDOWS\system32\xfgnxfn.dll
C:\WINDOWS\system32\sehhter.dll
C:\WINDOWS\system32\fjyjy.dll
C:\WINDOWS\system32\msepbe.dll
C:\WINDOWS\system32\mpmyaapi.dll
C:\WINDOWS\system32\ptjhbhlp.dll
C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.961.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.598.tmp
C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp56.tmp
C:\WINDOWS\system32\drivers\msosmsfpfis64.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp54.tmp
After adding them, do not close the xdelbox window. Open the folder C:\WINDOWS\system32\dllcache, find Explorer.exe, copy this file and overwrite the one in C:\Windows\
Then immediately choose "restart now and delete" in the xdelbox window. Wait for the system to restart
After the restart completes and you are back in Windows,
Open SREng - Startup Items - Registry - edit the following entry
<AppInit_DLLs> set its value to empty
Open SREng - Startup Items - Registry - delete the following entries
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> [N/A]
<AVPSrv><C:\WINDOWS\AVPSrv.exE> [N/A]
<LotusHlp><C:\WINDOWS\LotusHlp.exe> [N/A]
<SHAProc><C:\WINDOWS\SHAProc.exe> [N/A]
<vrhhytkn><C:\WINDOWS\rhtnmrkg.exe> []
<WINSvr32><C:\WINDOWS\WINSvr32.exE> []
<PTSShell><C:\WINDOWS\PTSShell.exe> []
<upxdnd><C:\WINDOWS\upxdnd.exe> [N/A]
<WinSysM><C:\WINDOWS\684745M.exe> [N/A]
Open SREng - Startup Items - Driver Services - delete the following entries
[apcdli / apcdli][Running/Auto Start]
<\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><N/A>
[Atixeve2122 / Atixeve2122][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.961.tmp><N/A>
[Atixeve2758 / Atixeve2758][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~wxp2ins.598.tmp><N/A>
[fpids32 / fpids32][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosfpids32.sys><N/A>
[mnsf / mnsf][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp56.tmp><N/A>
[msfpfis64 / msfpfis64][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A>
[ntptdb / ntptdb][Running/Auto Start]
<\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys><N/A>
[ping / ping][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp54.tmp><N/A>
Open SREng - System Repair - Browser Add-ons - delete the following entries
[]
{1629FF4F-ACDB-5C90-A098-FACB3456A261} <C:\WINDOWS\system32\mpmyaapi.dll, N/A>
[]
{228DF602-9541-A985-210A-984A698C6F22} <C:\WINDOWS\system32\ptjhbhlp.dll, N/A>
[]
{6167F471-EF2B-41DD-A5E5-C26ACDB5C096} <C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys, N/A>
After all of the above is done, restart the computer
Open the folder C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ and empty it
Finally, check whether the system is working normally
User system info: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
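As an added example (not from the post above, and not part of SREng or xdelbox), a small Python triage parser for the SREng log format quoted in the reply; it applies the same checks the reply makes by hand: driver services whose image lives in Temp or is a *.tmp file or sits outside system32\drivers, a populated AppInit_DLLs value, and unverified startup items or browser add-ons. The sample log is a constructed subset of the entries above, and the heuristics are assumptions for triage, not a cleanup tool.

```python
import re

# Constructed sample in the SREng log format quoted in the post above
# (a subset of its entries, backslashes as in the log).
SAMPLE_LOG = r"""
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> [N/A]
<shell><Explorer.exe> [(Verified)]
<AppInit_DLLs><mrjhtjd.dll,qrhhb.dll,kduy.dll,> [N/A]
[apcdli / apcdli][Running/Auto Start]
<\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><N/A>
[mnsf / mnsf][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp56.tmp><N/A>
{6167F471-EF2B-41DD-A5E5-C26ACDB5C096} <C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys, N/A>
"""

STARTUP_RE = re.compile(r"^<([^>]*)><([^>]*)>\s*\[([^\]]*)\]$")       # <name><path> [verify]
SERVICE_RE = re.compile(r"^\[([^\]/]+) / [^\]]+\]\[[^\]]+\]$")        # [svc / display][state]
SVC_PATH_RE = re.compile(r"^<\\\?\?\\([^>]*)><([^>]*)>$")             # <\??\path><verify>
BHO_RE = re.compile(r"^\{([0-9A-Fa-f-]+)\}\s*<([^,>]*),\s*([^>]*)>$")  # {CLSID} <path, verify>
TEMP_RE = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)  # heuristic: Temp dir or *.tmp image


def triage(log):
    """Parse SREng startup/driver/BHO lines; return heuristic findings in log order."""
    findings, svc = [], None  # svc: service name waiting for its image-path line

    def flag(kind, name, path, why):
        findings.append({"kind": kind, "name": name, "path": path, "why": why})

    for line in (ln.strip() for ln in log.splitlines() if ln.strip()):
        if m := SVC_PATH_RE.match(line):            # image path of the preceding service
            path, name, svc = m.group(1), svc or "?", None
            if TEMP_RE.search(path):
                flag("driver", name, path, "driver image in Temp or a *.tmp file")
            elif "\\system32\\drivers\\" not in path.lower():
                flag("driver", name, path, "driver image outside system32\\drivers")
        elif m := SERVICE_RE.match(line):           # service header, remember the name
            svc = m.group(1)
        elif m := STARTUP_RE.match(line):           # Run/shell/AppInit_DLLs entries
            name, value, verify = m.groups()
            dlls = [d for d in value.split(",") if d]
            if name == "AppInit_DLLs" and dlls:
                flag("appinit", name, value, f"{len(dlls)} DLLs loaded via AppInit_DLLs")
            elif name != "AppInit_DLLs" and verify.strip() in ("", "N/A"):
                flag("startup", name, value, "unverified startup item")
        elif m := BHO_RE.match(line):               # browser helper objects
            clsid, path, verify = m.groups()
            if verify.strip() == "N/A" or not path.lower().endswith(".dll"):
                flag("bho", clsid, path, "unverified BHO or non-DLL image")
    return findings
```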