
A rather troublesome trojan cluster


The samples came from this post: http://forum.ikaka.com/topic.asp?board=28&artid=8376865
SREng log after infection:


启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><sidjazy.dll>  []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{1AB09B3F-A6D0-4B55-B87D-264934EBEAED}><C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys>  []
    <{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\windows\system32\rarjbpi.dll>  []
    <{A393C2CF-1C26-4309-9765-13B7FDC0F200}><C:\windows\system32\mypern0.dll>  []
    <{2960356A-458E-DE24-BD50-268F589A56A2}><C:\windows\system32\avwlbmn.dll>  []
    <{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\windows\system32\rsztcpm.dll>  []
    <{57D81718-1314-5200-2597-587901018075}><C:\windows\system32\kaqhezy.dll>  []
    <{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\windows\system32\kvdxcma.dll>  []
    <{66650011-3344-6688-4899-345FABCD1566}><C:\windows\system32\ratbfpi.dll>  []
    <{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\windows\system32\avzxdmn.dll>  []
    <{18847374-8323-FADC-B443-4732ABCD3781}><C:\windows\system32\sidjazy.dll>  []
    <{28907901-1416-3389-9981-372178569982}><C:\windows\system32\kawdbzy.dll>  []
    <{444D7AB0-639D-445F-9143-3B3FFB2A7F39}><C:\windows\system32\dh3vpw0.dll>  []
    <{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}><C:\Program Files\Internet Explorer\Info_Ms.Sys>  []
==================================
正在运行的进程
[PID: 580][\??\C:\windows\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 628][C:\windows\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 640][C:\windows\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 816][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 868][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 952][C:\Program Files\Rising\Rav\CCenter.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 972][C:\windows\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\sidjazy.dll]  [N/A, ]
[PID: 1048][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1132][C:\Program Files\Rising\Rav\Ravmond.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 49]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1276][C:\windows\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1312][C:\Program Files\Common Files\PFShared\UmxCfg.exe]  [Computer Associates International, Inc., 6.0.1.48]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1332][C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe]  [Computer Associates International, Inc., 6.5.3.2]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1368][C:\Program Files\Common Files\PFShared\UmxPol.exe]  [Computer Associates International, Inc., 6, 0, 0, 5]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1524][C:\Program Files\Tiny Firewall Pro\UmxAgent.exe]  [Computer Associates International, Inc., 6.0.1.76]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1556][C:\Program Files\Tiny Firewall Pro\UmxTray.exe]  [Computer Associates International, Inc., 6.5.1.59]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1596][C:\Program Files\lenovo\GUA\GUA.exe]  [lenovo, 1.0.0.21]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1656][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE]  [Microsoft Corporation, 7.00.9466]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1692][C:\windows\System32\IgrsSvcs.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\sidjazy.dll]  [N/A, ]
[PID: 1716][C:\windows\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.8350]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1824][C:\windows\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 280][C:\windows\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\sidjazy.dll]  [N/A, ]
[PID: 1048][C:\windows\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\windows\system32\mypern0.dll]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\kvdxcma.dll]  [N/A, ]
    [C:\windows\system32\ratbfpi.dll]  [N/A, ]
    [C:\windows\system32\kaqhezy.dll]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
    [C:\windows\system32\dh3vpw0.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
    [C:\windows\system32\avzxdmn.dll]  [N/A, ]
    [C:\windows\system32\kawdbzy.dll]  [N/A, ]
[PID: 1128][C:\PROGRA~1\EzButton\EzButton.EXE]  [Dritek System Inc., 1, 0, 5, 804]   
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 1192][C:\Program Files\Apoint2K\Apoint.exe]  [Alps Electric Co., Ltd., 5.3.10.166] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 1000][C:\windows\AGRSMMSG.exe]  [Agere Systems, 2.1.63 2.1.63 12/12/2005 14:50:01]   
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 968][C:\Program Files\Lenovo\EnergyCut\utilty.exe]  [TODO: <Company name>, 1.0.0.1]   
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 1280][C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe]  [N/A, ] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 256][C:\Program Files\Apoint2K\Apntex.exe]  [Alps Electric Co., Ltd., 5.0.1.15] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 1796][C:\windows\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]   
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 2052][C:\Program Files\Rising\Rav\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 2124][C:\windows\system32\shadow\PowerRemind.exe]  [北京坚果比特科技有限公司, 1.0.0.1] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
[PID: 2176][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.0.3760] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 2252][C:\windows\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
[PID: 2292][C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe]  [Cyberlink, 5.00.1524] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
[PID: 2328][C:\Program Files\Tiny Firewall Pro\amon.exe]  [Computer Associates International, Inc., 6.5.3.2] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\windows\system32\mypern0.dll]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\kaqhezy.dll]  [N/A, ]
    [C:\windows\system32\kvdxcma.dll]  [N/A, ]
    [C:\windows\system32\ratbfpi.dll]  [N/A, ]
    [C:\windows\system32\avzxdmn.dll]  [N/A, ]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
    [C:\windows\system32\kawdbzy.dll]  [N/A, ]
    [C:\windows\system32\dh3vpw0.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
[PID: 2332][C:\PROGRA~1\EzButton\VolumeLED.exe]  [N/A, ] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]




Last edited 2008-02-28 17:27:11

[PID: 2336][C:\Program Files\Opera\Opera.exe]  [Opera Software, 8771] 
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\windows\system32\mypern0.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
    [C:\windows\system32\kawdbzy.dll]  [N/A, ]
    [C:\windows\system32\kvdxcma.dll]  [N/A, ]
    [C:\windows\system32\kaqhezy.dll]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\ratbfpi.dll]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
    [C:\windows\system32\avzxdmn.dll]  [N/A, ]
[PID: 3704][C:\windows\system32\rarjbtl.exe]  [N/A, ] 
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
[PID: 944][C:\windows\system32\avwlbst.exe]  [N/A, ] 
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
[PID: 2712][C:\windows\system32\rsztcsp.exe]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
[PID: 4044][C:\windows\system32\kaqheaz.exe]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\kaqhezy.dll]  [N/A, ]
[PID: 3492][C:\windows\system32\kvdxcis.exe]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\kvdxcma.dll]  [N/A, ]
[PID: 2604][C:\windows\system32\ratbftl.exe]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\ratbfpi.dll]  [N/A, ]
[PID: 3764][C:\windows\system32\avzxdst.exe]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\avzxdmn.dll]  [N/A, ]
[PID: 2560][C:\windows\system32\sidjaaz.exe]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 2928][C:\windows\system32\kawdbaz.exe]  [N/A, ]
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
    [C:\windows\system32\kawdbzy.dll]  [N/A, ]
[PID: 2564][C:\SRENG 2_5\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\windows\system32\kvdxcma.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\Info_Ms.Sys]  [N/A, ]
    [C:\Program Files\Internet Explorer\PLUGINS\WinSys84.Sys]  [N/A, ]
    [C:\windows\system32\avzxdmn.dll]  [N/A, ]
    [C:\windows\system32\kawdbzy.dll]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
    [C:\windows\system32\kaqhezy.dll]  [N/A, ]
    [C:\windows\system32\ratbfpi.dll]  [N/A, ]
    [C:\windows\system32\rsztcpm.dll]  [N/A, ]
    [C:\windows\system32\avwlbmn.dll]  [N/A, ]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
==================================
进程特权扫描
特殊特权被允许: SeDebugPrivilege [PID = 3704, C:\WINDOWS\SYSTEM32\RARJBTL.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3704, C:\WINDOWS\SYSTEM32\RARJBTL.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 944, C:\WINDOWS\SYSTEM32\AVWLBST.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 944, C:\WINDOWS\SYSTEM32\AVWLBST.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2712, C:\WINDOWS\SYSTEM32\RSZTCSP.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2712, C:\WINDOWS\SYSTEM32\RSZTCSP.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 4044, C:\WINDOWS\SYSTEM32\KAQHEAZ.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 4044, C:\WINDOWS\SYSTEM32\KAQHEAZ.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3492, C:\WINDOWS\SYSTEM32\KVDXCIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3492, C:\WINDOWS\SYSTEM32\KVDXCIS.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2604, C:\WINDOWS\SYSTEM32\RATBFTL.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2604, C:\WINDOWS\SYSTEM32\RATBFTL.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3764, C:\WINDOWS\SYSTEM32\AVZXDST.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3764, C:\WINDOWS\SYSTEM32\AVZXDST.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2560, C:\WINDOWS\SYSTEM32\SIDJAAZ.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2560, C:\WINDOWS\SYSTEM32\SIDJAAZ.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2928, C:\WINDOWS\SYSTEM32\KAWDBAZ.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2928, C:\WINDOWS\SYSTEM32\KAWDBAZ.EXE]

Since the virus modules are injected into every core system process and every application process, the only way to deal with it was the rename trick (strip the extension from the virus files, reboot, then delete the virus files; see the attached image).
After that, just delete the virus's startup entries.
The problem of Safe Mode having been deleted can be fixed by importing an earlier registry backup.

Attachment: image (image/pjpeg, 366 downloads, uploaded 2007-10-6 23:31:42)



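As an added example (not code from the thread or from SREng), here is a small Python triage script run over an SREng-style log excerpt constructed from the post above. It combines the three signals the log exposes, registration under ShellExecuteHooks or AppInit_DLLs, a missing version resource ("[N/A, ]"), and injection into many processes, and ranks the modules a responder should look at first; the kernel32.dll line is an assumed benign control, not from the post.

```python
import re
from collections import defaultdict

# Constructed excerpt in the SREng log layout used in the thread (paths taken from the post;
# the versioned kernel32.dll line is a benign control added here).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><sidjazy.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{18847374-8323-FADC-B443-4732ABCD3781}><C:\windows\system32\sidjazy.dll>  []
    <{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\windows\system32\rarjbpi.dll>  []
[PID: 580][\??\C:\windows\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
[PID: 1048][C:\windows\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.3156]
    [C:\windows\system32\kernel32.dll]  [Microsoft Corporation, 5.1.2600.2180]
    [C:\windows\system32\sidjazy.dll]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
[PID: 3704][C:\windows\system32\rarjbtl.exe]  [N/A, ]
    [C:\windows\system32\rarjbpi.dll]  [N/A, ]
"""
HOOK_RE = re.compile(r"^\s*<\{[0-9A-Fa-f-]+\}><([^>]+)>")            # ShellExecuteHooks entry
APPINIT_RE = re.compile(r"^\s*<AppInit_DLLs><([^>]*)>")              # AppInit_DLLs value
PROC_RE = re.compile(r"^\[PID: (\d+)\]\[([^\]]+)\]\s+\[([^\]]*)\]")  # process header line
MOD_RE = re.compile(r"^\s+\[([^\]]+)\]\s+\[([^\]]*)\]")              # indented loaded-module line
def parse_sreng(text):
    """Return (autostart basenames, {module path: {'procs': set(PID), 'versioned': bool}})."""
    autostart, modules, pid = set(), defaultdict(lambda: {"procs": set(), "versioned": True}), None
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            autostart.add(m.group(1).rsplit("\\", 1)[-1].lower())
        elif m := APPINIT_RE.match(line):
            autostart.update(n.lower() for n in re.split(r"[ ,]+", m.group(1)) if n)
        elif m := PROC_RE.match(line):
            pid = int(m.group(1))
        elif pid is not None and (m := MOD_RE.match(line)):
            entry = modules[m.group(1).lower()]
            entry["procs"].add(pid)
            # SREng prints "[N/A, ]" when a module carries no version resource
            entry["versioned"] &= not m.group(2).strip().startswith("N/A")
    return autostart, modules

def suspicious_modules(text, min_procs=2):
    """Rank modules: score = process count + 3 if autostart-registered + 2 if unversioned."""
    autostart, modules = parse_sreng(text)
    hits = []
    for path, e in modules.items():
        name, n = path.rsplit("\\", 1)[-1], len(e["procs"])
        if name in autostart or (not e["versioned"] and n >= min_procs):
            score = n + (3 if name in autostart else 0) + (2 if not e["versioned"] else 0)
            hits.append((score, path, sorted(e["procs"])))
    return sorted(hits, reverse=True)
```

Against the full log in the thread the same script would list the dozen DLLs the poster renamed, each tied to the processes it was found in, which is the list to check after the reboot.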

Renaming again... heh..!

Even Safe Mode got deleted~~~!~~~

Today's viruses really deserve respect!

Bookmarked the thread. With this much malware, might as well just format the drive.

Wow, scary, but still have to kill, kill, kill.

猫叔, no matter what kind of ***.dll gets injected into the processes, can the rename method currently be used to clean all of them?

I got hit too, and can't kill it even from Safe Mode.

Learned something.

[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\ratbfpi.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\avwlbmn.dll] [N/A, ]
[C:\windows\system32\sidjazy.dll] [N/A, ]

This kind of virus is the hardest to get rid of.

Quote:
[post by 孤独更可靠] Learned something.

[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\ratbfpi.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\avwlbmn.dll] [N/A, ]
[C:\windows\system32\sidjazy.dll] [N/A, ]

This kind of virus is the hardest to get rid of.
………………


孤独 comes here every day.