Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-malware Forum: Help!!! My computer is infected with the Backdoor.Win32.Rbot.cc virus....


Help!!! My computer is infected with the Backdoor.Win32.Rbot.cc virus....

Quote:
[post by xiaoyuwzc21] A lot of people say you catch this trojan just by visiting this forum. I'm scared. Is that really true?
...........................

Sweat! Speechless.
 

I've posted my log, please help me take a look.
 

Fix the hosts entries


O4 - HKLM\..\Run: [halohhd] C:\WINDOWS\System32\dzkjbr.exe
O4 - HKLM\..\Run: [RXJ] C:\WINDOWS\System32\qxsignukfc.exe
O4 - HKLM\..\Run: [Services] c:\sxe6.tmp
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\devldr.exe

Fix
Reboot
Delete the corresponding files



For
O20 - Winlogon Notify: awvsr - C:\WINDOWS\System32\awvsr.dll
O20 - Winlogon Notify: hggdb - C:\WINDOWS\SYSTEM32\hggdb.dll

1) Use Procexp to kill the Smss.exe process
2) Use Procexp to kill the Winlogon.exe process
3) Use Find DLL to see which processes are using hggdb.dll, and kill every process that uses it
4) Start CMD.exe from Procexp's File->Run... menu item by typing CMD into the dialog that pops up
5) In CMD type "del C:\windows\system32\hggdb.dll" and press Enter
6) In CMD type "del C:\WINDOWS\System32\awvsr.dll" and press Enter
7) Press the Reset button on the case to reboot

Mind the order of the steps
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ AddrPlus2Tencentc:\program files\tencent\addrplus\qahook.dll

+ AddrPlus3File not found: C:\PROGRA~1\TENCENT\AddrPlus\QAHook1.dll

+ CnsMin3721北京三七二一科技有限公司c:\windows\downloaded program files\cnsmin.dll

+ CnxDslTaskBarTaskBar ApplicationConexant Systems Inc.c:\program files\adsl\accessrunner adsl\cnxdsltb.exe

+ halohhdFile not found: C:\WINDOWS\System32\kzuyrxmow.exe

+ hbpassportPassport ApplicationShanghai Henbang Technology Co., Ltdc:\program files\hbclient\hbast.exe

+ RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmon.exe

+ RavTimerRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtimer.exe

+ RXJFile not found: C:\WINDOWS\System32\rfhyyxj.exe

+ yassistseAssistSettingYahoo!c:\program files\yahoo!\assistant\yassistse.exe

+ YLive.exeYLive c:\program files\yahoo!\assistant\ylive.exe

C:\Documents and Settings\All Users\「开始」菜单\程序\启动

+ Adobe Gamma Loader.lnkAdobe Gamma LoaderAdobe Systems, Inc.c:\program files\common files\adobe\calibration\adobe gamma loader.exe

C:\Documents and Settings\An Qiao\「开始」菜单\程序\启动

+ 腾讯TM.lnkTM腾讯公司c:\program files\tencent\tm\tmshell.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ KavPFWFile not found: C:\KAV2005\KavPFW.exe

HKLM\System\CurrentControlSet\Services

+ KPfwSvcFile not found: C:\KAV2005\KPfwSvc.EXE

+ KWatchSvc金山毒霸文件实时防毒服务程序File not found: C:\KAV2005\KWatch.EXE

+ LexBceSLexBce ServiceLexmark International, Inc.c:\windows\system32\lexbces.exe

+ lsassMicrosoft Path Finder Service Displays Internet Routing Paths.c:\windows\lsass.exe

+ netconf32Network Configurationc:\windows\netconf32.exe

+ RsCCenterCCenterrisingc:\program files\rising\rav\ccenter.exe

+ RsRavMonRavMonBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe

+ winarcManages compression on files.c:\windows\devldr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ cnshook.dll3721 CNS Module北京三七二一科技有限公司c:\windows\downloaded program files\cnshook.dll

+ hggdb.dllc:\windows\system32\hggdb.dll

+ hggdb.dllc:\windows\system32\hggdb.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

+ WinRAR shell extensionc:\program files\winrar\rarext.dll

+ 粉碎文件Wiper 动态链接库c:\program files\yahoo!\assistant\assist\ywiper.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Web 文件夹c:\program files\common files\microsoft shared\web folders\msonsext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ BrowserHAP ClassHapbast ModuleShanghai Henbang Technology Co., Ltdc:\program files\hbclient\hapast.dll

+ CnsHook Class3721 CNS Module北京三七二一科技有限公司c:\windows\downloaded program files\cnshook.dll

+ DragSearch BHODragSearchc:\program files\yahoo!\assistant\assist\ydragsearch.dll

+ DragSearch BHODragSearchc:\program files\yisou\yisoub.dll

+ IeCatch2 Classjccatch ModuleAmaze Softc:\program files\flashget\jccatch.dll

+ KAVIEHelper Class金山毒霸安全助手金山软件股份有限公司c:\program files\kos\kosiebar.dll

+ MSEvents Objectc:\windows\system32\awvsr.dll

+ MSEvents Objectc:\windows\system32\awvsr.dll

+ {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}c:\windows\system32\hggdb.dll

+ {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}c:\windows\system32\hggdb.dll

+ 雅虎助手ToolBarYahoo!c:\program files\yahoo!\assistant\assist\yasbar.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ FlashGet BarFlashGet IE BarAmaze Softc:\program files\flashget\fgiebar.dll

+ 金山毒霸安全助手金山毒霸安全助手金山软件股份有限公司c:\program files\kos\kosiebar.dll

+ 雅虎助手ToolBarYahoo!c:\program files\yahoo!\assistant\assist\yasbar.dll

+ 一搜YiSou ToolBar 3721c:\program files\yisou\yisou.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ &FlashGetFlashGetAmaze Softc:\program files\flashget\flashget.exe

+ @shdoclc.dll,-864c:\windows\web\related.htm

+ Yahoo 1G电邮File not found: http://cn.mail.yahoo.com/promo/rd1

+ 清理上网记录File not found: http://assistant.3721.com/clean1.htm?fb=Cns

+ 情景聊天File not found: http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/

+ 手机短信File not found: http://sms.3721.com/ie/index.htm?pid=54554_1006

+ 腾讯QQFile not found: C:\Program Files\Tencent\QQ\QQ.EXE

+ 修复浏览器File not found: http://assistant.3721.com/security1.htm?fb=Cns

+ 寻宝乐趣多File not found: http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138

+ 雅虎助手File not found: http://cn.zs.yahoo.com/?source=Cns

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ hggdbc:\windows\system32\hggdb.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ Lenovo Network PortLEXLMPM DLLLexmark International, Inc.c:\windows\system32\lexlmpm.dll

 

+ lsassMicrosoft Path Finder Service Displays Internet Routing Paths.c:\windows\lsass.exe
+ netconf32Network Configurationc:\windows\netconf32.exe
+ winarcManages compression on files.c:\windows\devldr.exe

First delete these three entries with Autoruns, and also delete the "File not found" entries
Reboot
Delete the three files

Then post another log
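The two replies above pick their targets by eye from the HijackThis and Autoruns listings: randomly named binaries in System32 with no publisher, a service whose image is c:\windows\lsass.exe (the real lsass.exe only ever runs from %SystemRoot%\System32), an O4 entry launching c:\sxe6.tmp, stale "File not found" entries, and hggdb.dll / awvsr.dll hooked in several autostart locations at once. The script below is an added example that encodes those same indicators as a triage pass over such a listing; it is not code from the thread, from Rising or from Sysinternals. The ENTRIES list is constructed from the logs quoted above, reduced to (location, name, publisher, path), with one known-good Winlogon Notify entry (crypt32chain) added as a control. The name heuristic is deliberately gated on a missing publisher, because vowel-free names like cnxdsltb.exe are legitimate.

```python
"""Triage an Autoruns-style listing for the indicators the responders
in this thread keyed on.  Added example, not code from the forum thread
or from Rising/Sysinternals.  ENTRIES is constructed from the HijackThis
and Autoruns output quoted above; crypt32chain is a known-good control."""
import ntpath
from collections import defaultdict

ENTRIES = [
    ("HKLM Run", "halohhd", "", r"C:\WINDOWS\System32\dzkjbr.exe"),
    ("HKLM Run", "RXJ", "", r"C:\WINDOWS\System32\qxsignukfc.exe"),
    ("HKLM Run", "Services", "", r"c:\sxe6.tmp"),
    ("HKLM Run", "RavMon", "Beijing Rising Technology Co., Ltd.",
     r"c:\program files\rising\rav\ravmon.exe"),
    ("HKLM Run", "CnxDslTaskBar", "Conexant Systems Inc.",
     r"c:\program files\adsl\accessrunner adsl\cnxdsltb.exe"),
    ("HKCU Run", "KavPFW", "", "File not found: C:\\KAV2005\\KavPFW.exe"),
    ("Services", "lsass", "", r"c:\windows\lsass.exe"),
    ("Services", "netconf32", "", r"c:\windows\netconf32.exe"),
    ("Services", "winarc", "", r"c:\windows\devldr.exe"),
    ("Services", "LexBceS", "Lexmark International, Inc.",
     r"c:\windows\system32\lexbces.exe"),
    ("ShellExecuteHooks", "hggdb.dll", "", r"c:\windows\system32\hggdb.dll"),
    ("BHO", "{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}", "",
     r"c:\windows\system32\hggdb.dll"),
    ("BHO", "MSEvents Object", "", r"c:\windows\system32\awvsr.dll"),
    ("Winlogon Notify", "hggdb", "", r"c:\windows\system32\hggdb.dll"),
    ("Winlogon Notify", "awvsr", "", r"c:\windows\system32\awvsr.dll"),
    ("Winlogon Notify", "crypt32chain", "Microsoft Corporation",
     r"c:\windows\system32\crypt32.dll"),
]

SYSTEM_ROOT = r"c:\windows"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
# Core processes that legitimately run only from %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe",
                        "winlogon.exe", "services.exe", "svchost.exe"}
VOWELS = set("aeiou")


def looks_random(basename):
    """Heuristic for bot-generated names: 5+ letters, no digits, fewer
    than one vowel per four letters.  Only trusted together with a
    missing publisher (cnxdsltb.exe is vowel-free but legitimate)."""
    stem = ntpath.splitext(basename)[0].lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) * 4 < len(stem)


def triage(entries):
    """Return {lower-cased path: set(reasons)} for entries to remove or check."""
    findings = defaultdict(set)
    locations_per_file = defaultdict(set)
    for location, name, publisher, path in entries:
        p = path.lower()
        if p.startswith("file not found"):
            findings[p].add("stale entry, target missing: delete the autostart entry")
            continue
        directory, base = ntpath.dirname(p), ntpath.basename(p)
        ext = ntpath.splitext(base)[1]
        locations_per_file[p].add(location)
        if base in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
            findings[p].add(f"{base} outside System32: masquerading as a core system process")
        if len(directory) <= 3 or ext not in (".exe", ".dll"):
            findings[p].add("launched from a drive root or with a non-executable extension")
        if not publisher:
            if location == "Winlogon Notify":
                findings[p].add("Winlogon Notify DLL with no publisher (loads into winlogon.exe)")
            if directory == SYSTEM_ROOT and ext == ".exe":
                findings[p].add("unknown executable sitting in %SystemRoot% itself")
            if looks_random(base):
                findings[p].add("random-looking file name with no publisher")
    # One file registered in several hook points is the Rbot/Vundo pattern
    # seen above (ShellExecuteHooks + BHO + Winlogon Notify for hggdb.dll).
    for p, locs in locations_per_file.items():
        if len(locs) >= 2:
            findings[p].add(
                f"referenced from {len(locs)} autostart locations ({', '.join(sorted(locs))})")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(ENTRIES).items():
        print(path)
        for reason in sorted(reasons):
            print("   -", reason)
```

Run as-is it lists every file the responders told the poster to remove and nothing from Rising, Conexant, Lexmark or Microsoft. The ordering the replies insist on still applies to whatever the script flags: remove the autostart entry first, reboot so nothing re-registers it, then delete the file.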
 