
猫哥!!! Come in and take a look!!!!!

【Reply to the post by "友情岁月£亮"】



Such a messy log, and with no startup items. First time I've seen this.

Below are the processes the virus has injected into (the line beginning with PID) and the virus modules inside each process.
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]

[PID: 1884][C:\WINDOWS\Explorer.EXE]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav30.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Wmzo0.dll] [N/A, ]


[PID: 520][C:\WINDOWS\system32\wscntfy.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]


[PID: 1664][C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]


[PID: 3048][G:\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Wmzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav30.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav20.dll] [N/A, ]

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <td7xm4mdllb4s><C:\DOCUME~1\se\LOCALS~1\Temp\rundl132.exe>  []
    <mwkxw8fruc2><C:\DOCUME~1\se\LOCALS~1\Temp\servicer.exe>  []
    <irrhxjs5mdf7r><C:\DOCUME~1\se\LOCALS~1\Temp\c0nime.exe>  []
    <ehvmyvkqwu67><C:\DOCUME~1\se\LOCALS~1\Temp\iexpl0re.exe>  []
    <1ld0035udfz6><C:\DOCUME~1\se\LOCALS~1\Temp\Servere.exe>  []
    <22gs><C:\DOCUME~1\se\LOCALS~1\Temp\crasos.exe>  []
    <4yx7><C:\DOCUME~1\se\LOCALS~1\Temp\winlog0n.exe>  []
    <69sqb94g><C:\DOCUME~1\se\LOCALS~1\Temp\cftmon.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <zzGBK><H:\setup.exe>  [N/A]
    <SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe>  [Beijing Rising Technology Co., Ltd.]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [(Verified)"RealNetworks, Inc."]
    <cmdbcs><C:\WINDOWS\cmdbcs.exe>  []
    <ROST><C:\DOCUME~1\se\LOCALS~1\Temp\update4.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <twin><C:\WINDOWS\system32\twunk32.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><75976M.BMP>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows XP Publisher]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll>  []
    <{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows XP Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows XP Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]

==================================

[C:\WINDOWS\system32\ntdll.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
Isn't this a virus?

[C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll] [N/A, ]
And this one too.

【Reply to the post by "友情岁月£亮"】


Remove it manually with IceSword.

1. Enable "Prohibit process creation". Forcibly unload the virus module from the C:\WINDOWS\system32\winlogon.exe process:
C:\WINDOWS\75976M.BMP

2. End the processes the virus has injected into:
[PID: 1884][C:\WINDOWS\Explorer.EXE]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav30.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Wmzo0.dll] [N/A, ]


[PID: 520][C:\WINDOWS\system32\wscntfy.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]


[PID: 1664][C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]


[PID: 3048][G:\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Wmzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav30.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav20.dll] [N/A, ]

Note that the IceSword process itself may also contain the following virus modules:
[C:\WINDOWS\75976M.BMP] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Wmzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav30.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[C:\DOCUME~1\se\LOCALS~1\Temp\Rav20.dll] [N/A, ]
Be sure to unload them.

3. Delete the following startup items:
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<td7xm4mdllb4s><C:\DOCUME~1\se\LOCALS~1\Temp\rundl132.exe> []
<mwkxw8fruc2><C:\DOCUME~1\se\LOCALS~1\Temp\servicer.exe> []
<irrhxjs5mdf7r><C:\DOCUME~1\se\LOCALS~1\Temp\c0nime.exe> []
<ehvmyvkqwu67><C:\DOCUME~1\se\LOCALS~1\Temp\iexpl0re.exe> []
<1ld0035udfz6><C:\DOCUME~1\se\LOCALS~1\Temp\Servere.exe> []
<22gs><C:\DOCUME~1\se\LOCALS~1\Temp\crasos.exe> []
<4yx7><C:\DOCUME~1\se\LOCALS~1\Temp\winlog0n.exe> []
<69sqb94g><C:\DOCUME~1\se\LOCALS~1\Temp\cftmon.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<zzGBK><H:\setup.exe> [N/A]

<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<ROST><C:\DOCUME~1\se\LOCALS~1\Temp\update4.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\twunk32.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><75976M.BMP> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll> []
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> []

4. Delete the corresponding files.

5. Turn off IceSword's "Prohibit process creation".
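As an added triage helper (not from this thread, SREng or IceSword), the Python script below parses the process-module and registry-startup blocks in the SREng log format quoted above and flags the same signs the reply keys on: an empty vendor/version field, a file under Temp, a non-library extension such as .BMP loaded as a module, and a populated AppInit_DLLs value. The sample log is assembled from lines in the thread; the heuristics and function names are the example's own.

```python
import re
# Constructed sample in the SREng log format quoted in the thread (not a full capture).
SAMPLE_LOG = r"""
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\WINDOWS\75976M.BMP] [N/A, ]
[PID: 1884][C:\WINDOWS\Explorer.EXE]
[C:\WINDOWS\system32\ntdll.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\DOCUME~1\se\LOCALS~1\Temp\Gjzo0.dll] [N/A, ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <4yx7><C:\DOCUME~1\se\LOCALS~1\Temp\winlog0n.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><75976M.BMP>  []
"""
PID_RE = re.compile(r"^\[PID: (\d+)\]\[([^\]]+)\]")        # [PID: n][image path]
MODULE_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]*)\]$")     # [module path] [company, version]
VALUE_RE = re.compile(r"^\s*<([^>]*)><(.*)>\s+\[(.*)\]$")  # <name><data>  [signer]


def reasons_for(path, info, loaded_as_module):
    """Heuristics the thread applies by eye: unsigned, from Temp, odd extension."""
    reasons = []
    if info.strip().rstrip(",").strip() in ("", "N/A"):  # '[]', '[N/A]' or '[N/A, ]'
        reasons.append("no vendor/version info")
    if "\\temp\\" in path.lower():
        reasons.append("runs from a Temp directory")
    if loaded_as_module and not path.lower().endswith((".dll", ".exe", ".ocx", ".drv")):
        reasons.append("non-library extension loaded as a module")
    return reasons


def triage(log):
    """Walk an SREng-style log; return suspicious entries with their context."""
    findings, context = [], ""
    for line in log.splitlines():
        if m := PID_RE.match(line):
            context = f"PID {m.group(1)} {m.group(2)}"
        elif line.startswith("[HKEY_"):
            context = line.strip("[]")
        elif m := MODULE_RE.match(line):
            path, info = m.groups()
            if reasons := reasons_for(path, info, True):
                findings.append({"where": context, "item": path, "why": "; ".join(reasons)})
        elif m := VALUE_RE.match(line):
            name, data, info = m.groups()
            reasons = reasons_for(data, info, False) if data else []
            if name.lower() == "appinit_dlls" and data.strip():
                reasons.insert(0, "AppInit_DLLs set: injected into every process that loads user32.dll")
            if reasons:
                findings.append({"where": context, "item": f"{name} = {data}", "why": "; ".join(reasons)})
    return findings
```

Signed system libraries with a vendor string, such as the ntdll.dll entry asked about earlier in the thread, pass through unflagged; only the four entries matching the reply's removal list are reported.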

Thank you, 猫哥!

It's best to run the 威金 (Viking) dedicated removal tool over the whole disk first, then remove the trojans.