
jvxnypf.exe virus: removal method and download of the dedicated jvxnypf.exe removal tool

Posted by 棋子 on 2008-4-14 01:06:46

SREng log after infection by the jvxnypf.exe virus:
(Note: once infected with this virus, SREng must be renamed before it will run. The reason is explained below.)

启动项目
注册表

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<naxcehy><C:\windows\system32\kndncso.exe> [N/A]
<gvkfbrq><C:\windows\system32\jvxnypf.exe> [N/A]
<cmdbcs><C:\windows\cmdbcs.exe> [N/A]
<mppds><C:\windows\mppds.exe> [N/A]
<upxdnd><C:\windows\upxdnd.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{91B1E846-2BEF-4345-8848-7699C7C9935F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll> [N/A]
==================================
服务
[WinWLServiceNow / WinWLServiceNow][Stopped/Auto Start]
<C:\DOCUME~1\baohelin\LOCALS~1\Temp\RAVWL.EXE><N/A>
==================================
正在运行的进程
[PID: 812][C:\windows\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\RAVWL516.dll] [N/A, N/A]
[PID: 1816][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 992][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2148][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 4000][C:\WINDOWS\system32\shadow\ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2164][C:\Program Files\SREng2\SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2216][C:\Program Files\Opera\Opera.exe] [Opera Software, 8771]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2904][C:\Program Files\Tiny Firewall Pro\cfgtool.exe] [Computer Associates International, Inc., 6.0.0.52]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2580][C:\Program Files\Tiny Firewall Pro\tralogan.exe] [Computer Associates International, Inc., 6.0.0.17]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 3112][C:\windows\system32\jvxnypf.exe] [N/A, N/A]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2392][C:\windows\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 4020][C:\windows\system32\kndncso.exe] [N/A, N/A]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2740][C:\Autoruns\autorun.exe] [Sysinternals - www.sysinternals.com, 8.43]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 3208][C:\Program Files\HyperSnap-DX 5\HprSnap5.exe] [Hyperionics Technology LLC, 5, 3, 0, 0]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 2168][C:\windows\system32\111.exe] [N/A, N/A]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
==================================
Autorun.inf
[D:\]
[AutoRun]
open=gvkfbrq.exe
shellexecute=gvkfbrq.exe
shell\Auto\command=gvkfbrq.exe
Manual removal procedure for the jvxnypf.exe virus (mind the order of the steps):
As the SREng log above shows, jvxnypf.exe, kndncso.exe and the pile of trojans they download are quite hard to deal with, because:
1. The two virus processes jvxnypf.exe and kndncso.exe guard each other.
2. The C:\DOCUME~1\baohelin\LOCALS~1\Temp\RAVWL.EXE in the temp folder has an accomplice, RAVWL516.DLL, which is injected into the lsass.exe process. If you forcibly unload RAVWL516.DLL from lsass.exe, the system dies. At the next boot, RAVWL.EXE loads and injects RAVWL516.DLL into lsass.exe again.
3. The virus module SysWFGQQ2.dll is "not picky": it injects into every process it sees.
4. There is also a pile of downloaded trojans in the current user's profile folder. One careless step in the manual cleanup and all the work is lost.
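The pattern described above can be picked out of an SREng log mechanically rather than by eye. The following Python script is an added example, not part of the post or of SREng itself: it parses a constructed subset of the log quoted above (in SREng's own line format) and applies three signals the post relies on: autostart entries whose file carries no company/version information ([N/A]), running processes with none, and one such module loaded into many different processes at once (the "not picky" injection, as opposed to RAVWL516.dll, which sits only in lsass.exe). The threshold `min_hosts` and the names of the report fields are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the SREng log quoted in the post, kept in SREng's
# own line format (autostart entries, then running processes and their modules).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<naxcehy><C:\windows\system32\kndncso.exe> [N/A]
<gvkfbrq><C:\windows\system32\jvxnypf.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{91B1E846-2BEF-4345-8848-7699C7C9935F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll> [N/A]
==================================
[PID: 812][C:\windows\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\RAVWL516.dll] [N/A, N/A]
[PID: 1816][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 992][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
[PID: 3112][C:\windows\system32\jvxnypf.exe] [N/A, N/A]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll] [N/A, N/A]
"""

# Line shapes seen in the log: a registry key header, an autostart entry
# "<name><path> [vendor]", a process "[PID: n][exe] [vendor, version]" and,
# indented under it in the original, a loaded module "[dll] [vendor, version]".
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
AUTOSTART_RE = re.compile(r"^<([^>]*)><([^>]*)> \[(.*)\]$")
PROC_RE = re.compile(r"^\[PID: (\d+)\]\[([^\]]+)\] \[([^\]]*)\]$")
MODULE_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]*)\]$")


def parse_sreng(text):
    """Split an SREng log into autostart entries and processes with their modules."""
    autostarts, processes, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = AUTOSTART_RE.match(line)
        if m and key:
            autostarts.append({"key": key, "name": m.group(1),
                               "path": m.group(2), "vendor": m.group(3)})
            continue
        m = PROC_RE.match(line)
        if m:
            processes.append({"pid": int(m.group(1)), "path": m.group(2),
                              "vendor": m.group(3), "modules": []})
            continue
        m = MODULE_RE.match(line)
        if m and processes:
            # a module line belongs to the most recent process line
            processes[-1]["modules"].append({"path": m.group(1), "vendor": m.group(2)})
    return autostarts, processes


def triage(text, min_hosts=3):
    """Report files without version info ([N/A]) among autostarts and processes,
    every such module and the PIDs hosting it, and modules hosted by at least
    `min_hosts` different processes (indiscriminate injection)."""
    autostarts, processes = parse_sreng(text)
    report = {"noinfo_autostart": [], "noinfo_process": [],
              "noinfo_modules": {}, "widespread_module": []}
    for entry in autostarts:
        if entry["vendor"] == "N/A":
            report["noinfo_autostart"].append(entry["path"])
    hosts = defaultdict(list)
    for proc in processes:
        if proc["vendor"] == "N/A, N/A":
            report["noinfo_process"].append(proc["path"])
        for mod in proc["modules"]:
            if mod["vendor"] == "N/A, N/A":
                # case-insensitive path so the same DLL is counted once per process
                hosts[mod["path"].lower()].append(proc["pid"])
    report["noinfo_modules"] = dict(hosts)
    report["widespread_module"] = [p for p, pids in hosts.items() if len(pids) >= min_hosts]
    return report


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Run against the full log from the post, the "widespread" rule lights up SysWFGQQ2.dll in every listed process, while the module inside lsass.exe shows up only under `noinfo_modules`, which is exactly the distinction that decides whether a module may be unloaded or, as the post warns for RAVWL516.dll, must be left alone until its loader is removed.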
Given these characteristics, I suggest using IceSword and dealing with them in the following order:
1. Rename IceSword and run it (the virus has already hijacked IceSword via IFEO), then enable "Forbid process creation".
2. End the virus processes and the application processes the virus has injected into (do not end lsass.exe).
3. Force-delete the main virus files, chiefly the following:
jvxnypf.exe
RAVWL.exe
RAVWL516.dll (the last three digits are random)
the exe files with purely numeric names under system directory\Documents and Settings\<user name>\Local Settings\Temp\
all exe files with numeric names in the system32 directory, and so on.
4. Delete the startup entries and services the virus added (see the SREng log).
5. Turn off IceSword's "Forbid process creation".
6. Now the remaining virus files can be deleted with Explorer or WinRAR. Of course you can also delete these virus files with IceSword; I do it this way for safety. Files deleted by IceSword cannot be recovered, and a wrong deletion means trouble. My rule is: whatever need not be deleted with IceSword, I avoid deleting with IceSword.
7. Delete the IFEO hijack entries the virus added (Autoruns can find and delete them. Note: Autoruns has also been IFEO-hijacked by the virus and must be renamed to run.)
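Two of the persistence points in this procedure can be checked from files rather than by eye: the IFEO hijack entries that stop IceSword, Autoruns and SREng from running under their own names (the last step above), and the Autorun.inf on D: that relaunches gvkfbrq.exe (shown at the end of the SREng log). The Python below is an added example, not the post's code or any tool's: it reads a `reg export` of the IFEO key and an Autorun.inf as plain text, so it runs offline on any platform, and reports Debugger values and autorun commands. The Debugger target in the sample is a constructed placeholder, because the post does not show what the hijack pointed to; GlobalFlag is a legitimate IFEO setting included as a benign control entry. The tool list and the function names are the example's own.

```python
import configparser
import re

# Constructed sample of a `reg export` of the IFEO key. The Debugger target is a
# labelled placeholder (the post does not show the real hijack target); the
# GlobalFlag entry is a normal, non-malicious IFEO setting used as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\windows\\system32\\PLACEHOLDER_hijacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"GlobalFlag"=dword:00000100
"""

# Constructed sample copied from the Autorun.inf section of the post's SREng log.
SAMPLE_AUTORUN = r"""[AutoRun]
open=gvkfbrq.exe
shellexecute=gvkfbrq.exe
shell\Auto\command=gvkfbrq.exe
"""

# Tools the post says were hijacked; matched case-insensitively on the subkey name.
SECURITY_TOOLS = {"icesword.exe", "autoruns.exe", "sreng.exe"}

IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\]\\]+)\]$", re.IGNORECASE)
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def audit_ifeo(reg_text):
    """Return [(image_name, debugger_command)] for every IFEO subkey with a Debugger value.
    Any Debugger value means the named image is silently replaced by that command at launch."""
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = IFEO_KEY_RE.match(line)
        if m:
            image = m.group(1)
            continue
        if line.startswith("["):
            image = None  # some other key: stop attributing values to an IFEO image
            continue
        m = DEBUGGER_RE.match(line)
        if m and image:
            # .reg files escape backslashes and double quotes inside string values
            value = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            findings.append((image, value))
    return findings


def hijacked_tools(findings):
    """Subset of the findings that target the security tools named in the post."""
    return [image for image, _ in findings if image.lower() in SECURITY_TOOLS]


def autorun_commands(inf_text):
    """Return the (key, command) pairs in [AutoRun] that make a drive launch a program."""
    cp = configparser.ConfigParser(interpolation=None)  # option names are lower-cased
    cp.read_string(inf_text)
    if not cp.has_section("AutoRun"):
        return []
    wanted = ("open", "shellexecute", "shell\\auto\\command")
    return [(k, v) for k, v in cp.items("AutoRun") if k in wanted]


if __name__ == "__main__":
    hits = audit_ifeo(SAMPLE_REG)
    print("IFEO Debugger entries:", hits)
    print("security tools hijacked:", hijacked_tools(hits))
    print("Autorun.inf launch commands:", autorun_commands(SAMPLE_AUTORUN))
```

A Debugger value is not malicious on its own (developers set it to attach a debugger to a process at start), so a hit on one of the tool names is the strong signal; other entries are things to verify before deleting. This is also why the post's advice to rename the tools works: the hijack keys are named after the executable, so a renamed copy is not matched.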
Download address for the dedicated jvxnypf.exe removal tool: http://dl.360safe.com/killer_fksdy.exe
