Original by endurer
2006-09-08, 2nd edition: added the antivirus vendors' detections
2006-09-07, 1st edition
A netizen's computer kept reporting that Backdoor.Gpigeon.uql had been found.
So I helped out through QQ remote assistance.
Downloaded HijackThis from http://endurer.ys168.com and scanned; the log showed the following suspicious items:
/-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:22:51, on 2006-9-7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/Program Files/Microsoft/svhost32.exe
C:/Program Files/LetsCool/LetsCool.exe
C:/Program Files/Zcom/ZComService.exe
C:/Program Files/Zcom/skin.dll
C:/Program Files/Internet Explorer/7Sy.exe
R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
F3 - REG:win.ini: load=C:/WINDOWS/rundl132.exe
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:/PROGRA~1/Yahoo!/ASSIST~1/Assist/yasbar.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:/WINDOWS/system32/ssup.dll
O2 - BHO: MAngle Class - {9A556B8F-FD02-420E-A1FD-9DB33808254E} - C:/Program Files/MySec/secmouseaan.dll
O3 - Toolbar: My 网蜜(&M) - {102293E4-758B-4483-946B-714EBCEC91B8} - C:/Program Files/MySec/secbaraan.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - F:/音乐/KuGoo3/KuGoo3DownXControl.ocx
O2 - BHO: Letscool System Helper - {F0C15012-7DBD-4068-95A2-0A82DB03AC35} - C:/WINDOWS/system32/CoolBho.dll
O4 - HKLM/../Run: [ms] C:/Program Files/Microsoft/svhost32.exe
O4 - HKLM/../Run: [LetsCool] C:/Program Files/LetsCool/LetsCool.exe
O4 - HKLM/../Run: [stup.exe] C:/PROGRA~1/TENCENT/Adplus/stup.exe
O4 - HKLM/../Run: [_rx] C:/WINDOWS/rundll32.exe
O23 - Service: systen - Unknown owner - C:/WINDOWS/Hacker.com.cn.exe
-------------------------/
(For the repair steps below, refer to: [System Repair Series] Basic Operations Index
http://endurer.blogchina.com/2591241.html)
Stop and disable the service: systen
Download ProcView from http://endurer.ys168.com and terminate the following processes:
/-------------------------
C:/Program Files/Microsoft/svhost32.exe
C:/Program Files/LetsCool/LetsCool.exe
C:/Program Files/Zcom/ZComService.exe
C:/Program Files/Zcom/skin.dll
C:/Program Files/Internet Explorer/7Sy.exe
-------------------------/
Checked the following folders with WinRAR and found:
c:/
=====================================
internt.hta (Kaspersky reports it as Trojan-PSW.Win32.QQPass.hn)
rar.hta (Kaspersky reports it as Trojan-Downloader.JS.Small.cq)
vidll.dll (Kaspersky reports it as Worm.Win32.Viking.r, Rising as Worm.Viking.aa)
C:/Documents and Settings/user/Local Settings/temp
=====================================
g0ld.com (Kaspersky reports it as Worm.Win32.Viking.r, DrWeb as Win32.HLLW.Gavir.8, Rising as Worm.Viking.aa)
qq4[1].exe (Kaspersky reports it as Trojan.Win32.Delf.rf, DrWeb as Trojan.PWS.Spywoool)
C:/Program Files
=====================================
svhost32.exe (DrWeb reports it as Trojan.PWS.Lineage)
C:/Program Files/Internet Explorer
=====================================
0Sy.exe (Kaspersky reports it as Trojan.Win32.Delf.rf, DrWeb as Trojan.PWS.Spywoool)
3Sy.exe (Kaspersky reports it as Trojan-PSW.Win32.Lineage.aih, DrWeb as Trojan.PWS.Lineage)
4Sy.exe (Kaspersky reports it as Trojan.PSW.Win32.Lineage.pj, DrWeb as Trojan.PWS.Lineage)
5Sy.exe (Kaspersky reports it as Trojan-PSW.Win32.Agent.ic)
6Sy.exe (Kaspersky reports it as Trojan-PSW.Win32.Agent.ic)
7Sy.exe (Kaspersky reports it as Trojan-PSW.Win32.Lineage.acw, DrWeb as Trojan.PWS.Lineage)
C:/Program Files/LetsCool
=====================================
LetsCool.exe (DrWeb reports it as Adware.Letscool)
Picdown.exe (DrWeb reports it as Trojan.DownLoader.12193)
C:/Program Files/Microsoft
=====================================
svhost32.exe (DrWeb reports it as Trojan.PWS.Lineage)
c:/windows
=====================================
rundll32.exe (its icon looks like Notepad's; Kaspersky reports it as Trojan-PSW.Win32.Lineage.aih)
rundl132.exe (Kaspersky reports it as Worm.Win32.Viking.r, Rising as Worm.Viking.aa, DrWeb as Win32.HLLW.Gavir.8)
c:/windows/system32
=====================================
a.exe (DrWeb reports it as Tool.DialupPass.243)
dllwm.dll (Kaspersky reports it as Trojan-PSW.Win32.Lineage.acw, DrWeb as Trojan.PWS.Lineage)
dllz.dll (Kaspersky reports it as Trojan-PSW.Win32.Lineage.aih)
Hacker.com.cn.exe (Kaspersky reports it as Backdoor.Win32.Hupigon.cgw, DrWeb as BackDoor.Pigeon.36)
msdll.dll (Kaspersky reports it as Trojan-PSW.Win32.Lineage.agl, DrWeb as Trojan.PWS.Lineage)
nt.exe (Kaspersky reports it as Trojan-Downloader.Win32.Small.dgc)
nt.dll (Kaspersky reports it as Trojan-Downloader.Win32.Agent.apt)
svhost32.exe (DrWeb reports it as Trojan.PWS.Lineage)
Upzgy.exe
Pack them into an archive as a backup, then delete them.
Close all folder windows, then scan with HijackThis and fix the items listed above.
Uninstall: Yahoo! Assistant (雅虎助手), LetsCool, Zcom
Empty the IE temporary files folder
Empty the C:/Windows/temp folder
Empty the C:/Documents and Settings/user/Local Settings/temp folder
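As an added example (not part of endurer's post or of HijackThis itself), a small Python triage script that applies the same judgements the cleanup above made by hand to HijackThis log text: process and autostart paths whose filenames mimic system binaries, the <digit>Sy.exe naming pattern, entries pointing at a missing file, a win.ini load= autostart, unnamed BHOs and services with an unknown owner. The sample log is constructed from the entries quoted above; the lookalike-name list and the assumption that the genuine rundll32.exe lives only in system32 are mine.

```python
import re
# Constructed sample: a subset of the HijackThis entries quoted in the post above.
SAMPLE_LOG = """\
Running processes:
C:/Program Files/Microsoft/svhost32.exe
C:/Program Files/Internet Explorer/7Sy.exe
R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
F3 - REG:win.ini: load=C:/WINDOWS/rundl132.exe
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:/WINDOWS/system32/ssup.dll
O4 - HKLM/../Run: [ms] C:/Program Files/Microsoft/svhost32.exe
O4 - HKLM/../Run: [_rx] C:/WINDOWS/rundll32.exe
O23 - Service: systen - Unknown owner - C:/WINDOWS/Hacker.com.cn.exe
"""
LOOKALIKE_NAMES = {"svhost32.exe", "rundl132.exe"}  # one character off svchost.exe / rundll32.exe
SY_PATTERN = re.compile(r"^\dSy\.exe$", re.I)       # the 0Sy.exe .. 7Sy.exe droppers
SYSTEM32 = "c:/windows/system32/"                   # assumed home of the genuine rundll32.exe on XP
ENTRY = re.compile(r"^([A-Z]\d+) - ")               # "O4 - ", "O23 - ", ...
# Where the executable sits inside an autostart entry: after "] " for O4, after "load=" for F3.
PATH_IN = {"O4": re.compile(r"\] (.*?\.exe)", re.I), "F3": re.compile(r"load=(.*?\.exe)", re.I)}
# (entry kind, or "" for any kind; marker text; reason) for entries flagged on sight.
RULES = [("", "(no file)", "entry points at a missing file"),
         ("F3", "load=", "legacy win.ini load= autostart"),
         ("O2", "(no name)", "BHO with no name"),
         ("O23", "Unknown owner", "service with unknown owner")]
def suspicious_name(path):
    # Reason string if the executable's name or location looks wrong, else None.
    folder, _, name = path.replace("\\", "/").lower().rpartition("/")
    if name in LOOKALIKE_NAMES:
        return "filename mimics a Windows system binary"
    if SY_PATTERN.match(name):
        return "matches the <digit>Sy.exe dropper naming pattern"
    if name == "rundll32.exe" and folder + "/" != SYSTEM32:
        return "rundll32.exe outside system32"
def triage(log_text):
    # Return (reason, line) pairs for the entry classes the cleanup above acted on.
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        entry = ENTRY.match(line)
        if not entry:  # header text or a bare path from the "Running processes" section
            reason = suspicious_name(line) if re.match(r"^[A-Za-z]:[\\/]", line) else None
        else:
            kind = entry.group(1)
            m = PATH_IN[kind].search(line) if kind in PATH_IN else None
            target = m.group(1) if m else line.rsplit(" - ", 1)[-1]
            reason = next((r for k, mark, r in RULES if k in ("", kind) and mark in line), None)
            reason = reason or suspicious_name(target)
        if reason:
            findings.append((reason, line))
    return findings
```

A hit only means the entry matches a pattern seen in this case; as the post does, confirm each file with a scanner before deleting it.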