无忧启动论坛
[Tip] Notes on my approach to manually cleaning the mppds.dll trojan
Posted 2007-9-12 17:09:07
A few days ago a friend asked me for help: his machine was infected with the mppds.dll trojan and the Kingsoft Antivirus (金山毒霸) he uses could not remove it. I had him send me a system run log produced by an SREng scan, and I analysed the log file. I am posting the annotated log below for everyone's reference. The dangerous items are marked in red bold; the cleanup plan follows the log, so if you don't want to read the log, just scroll down :)
Log begins:
2007-09-09,12:34:02
Windows XP Professional Service Pack 2 (Build 2600) - Administrator user - full functionality
The following were selected:
All startup items (including registry, startup folders, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Winsock providers
Autorun.inf
HOSTS file
Process privilege scan
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>
[(Verified)Microsoft Windows Publisher]
<KavPFW><"C:\KAV2007\KPFW32.EXE">[Kingsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<w><%SystemRoot%\WinRaR.exe>[]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>[N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<KavStart><"C:\KAV2007\KAVStart.exe" -startup>[Kingsoft Corporation]
<mppds><C:\WINDOWS\mppds.exe>[]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\Userinit.exe>
[(Verified)Microsoft Windows Publisher]
<UIHost><logonui.exe>
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{798977F1-34FC-4DDD-AF6D-1B5C196B4EB4}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins>[]
<{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}><C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys>[]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll>
[(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>[N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<bgswitch><; C:\WINDOWS\system32\bgswitch.exe>[]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; >[N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
<Load><; ?粓?? >[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<HIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[(Verified)Microsoft Windows Publisher]
  (Normal program, but it does not need to start at boot; treat disabling it as an optimization.)

<HIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[(Verified)Microsoft Windows Publisher]
  (Normal program, but it does not need to start at boot; treat disabling it as an optimization.)

<SoundMan><; SOUNDMAN.EXE>
[(Verified)Microsoft Windows Publisher]
  (Normal program, but it does not need to start at boot; treat disabling it as an optimization.)
==================================
Services
...............(omitted here, otherwise it would be too long)

==================================
Drivers
...............(omitted here, otherwise it would be too long)
==================================
Browser add-ons
...............(omitted here, otherwise it would be too long)
==================================
Running processes
[PID: 544 / SYSTEM][\SystemRoot\System32\smss.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 616 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 640 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\WgaLogon.dll]
[Microsoft Corporation, 1.7.0018.5]
[C:\WINDOWS\system32\msacm32.drv]
[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 684 / SYSTEM][C:\WINDOWS\system32\services.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 696 / SYSTEM][C:\WINDOWS\system32\lsass.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 840 / SYSTEM][C:\WINDOWS\system32\svchost.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 908 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 944 / SYSTEM][C:\WINDOWS\System32\svchost.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\wups2.dll]
[Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[C:\KAV2007\KAScript.DLL]
[Kingsoft Corporation, 2007, 3, 6, 75]
[PID: 992 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1064 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1352 / SYSTEM][C:\KAV2007\KWatch.EXE]
[Kingsoft Corporation, 2007, 8, 13, 78]
[C:\KAV2007\KAVIPC2.DLL]
[Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\KAEPlat.DLL]
[Kingsoft Corp., 2007, 6, 19, 64]
[C:\KAV2007\KAEMem.DAT]
[Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT]
[Kingsoft Corp., 2007, 8, 30, 130]
[C:\KAV2007\KAVQuara.DLL]
[Kingsoft Corporation, 2007, 6, 15, 4]
[PID: 1360 / Administrator][C:\WINDOWS\Explorer.EXE]
[Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\msacm32.drv]
[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]
[Microsoft Corporation, 11.0.5510]
[PID: 1504 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]
[Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 1668 / SYSTEM][C:\KAV2007\KPfwSvc.EXE]
[Kingsoft Corporation, 2007, 2, 2, 31]
[PID: 192 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 316 / Administrator][C:\KAV2007\KAVStart.exe]
[Kingsoft Corporation, 2007, 8, 15, 289]
[C:\WINDOWS\system32\MFC71.DLL]
[Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KAVIPC2.DLL]
[Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\SvcTimer.DLL]
[Kingsoft Corporation, 2006.12.22.84]
[C:\KAV2007\KAVPassp.dll]
[Kingsoft Corporation, 2006, 12, 30, 271]
[C:\KAV2007\PopSprt3.dll]
[Kingsoft Corporation, 2007, 3, 20, 48]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 468 / Administrator][C:\WINDOWS\system32\ctfmon.exe]
[Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 376 / Administrator][C:\KAV2007\KPFW32.EXE]
[Kingsoft Corporation, 2007, 8, 9, 724]
[C:\WINDOWS\system32\MFC71.DLL]
[Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71CHS.DLL]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KAVIPC2.DLL]
[Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\KAConfig.DLL]
[Kingsoft Corporation, 2007, 1, 11, 41]
[C:\KAV2007\FiltList.dll][N/A, ]
[C:\KAV2007\KAVPassp.DLL]
[Kingsoft Corporation, 2006, 12, 30, 271]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 1024 / Administrator][C:\KAV2007\KMailMon.EXE]
[Kingsoft Corporation, 2007, 8, 16, 967]
[C:\KAV2007\KAntiSpm.dll]
[Kingsoft Corporation, 2007, 2, 25, 129]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KAVIPC2.DLL]
[Kingsoft Corporation, 2007, 1, 15, 30]
[C:\KAV2007\KAECall2.DLL]
[Kingsoft Corporation, 2004, 12, 28, 7]
[C:\KAV2007\KAEPlat.DLL]
[Kingsoft Corp., 2007, 6, 19, 64]
[C:\KAV2007\KAEMem.DAT]
[Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT]
[Kingsoft Corp., 2007, 8, 30, 130]
[C:\KAV2007\KAConfig.DLL]
[Kingsoft Corporation, 2007, 1, 11, 41]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 3908 / Administrator][C:\Program Files\Internet Explorer\iexplore.exe]
[Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\Program Files\Kingsoft Antispy\IEBuddy.DLL]
[Kingsoft Corporation, 2007,08,16,41]
[C:\Program Files\Kingsoft Antispy\IEBuddyExt.DLL]
[Kingsoft Corporation, 2007,09,07,137]
[C:\Program Files\Kingsoft Antispy\dump.dll]
[Kingsoft Corporation, 2006, 2, 16, 8]
[C:\Program Files\Kingsoft Antispy\KANTray.dll]
[Kingsoft Corporation, 2007,09,05,133]
[C:\KAV2007\KAVAFish.DLL]
[Kingsoft Corporation, 2006, 10, 25, 27]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]
[Microsoft Corporation, 11.0.5510]
[C:\KAV2007\KAScript.DLL]
[Kingsoft Corporation, 2007, 3, 6, 75]
[C:\KAV2007\KAEPlat.DLL]
[Kingsoft Corp., 2007, 6, 19, 64]
[C:\KAV2007\KAEMem.DAT]
[Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT]
[Kingsoft Corp., 2007, 8, 30, 130]
[C:\WINDOWS\system32\msacm32.drv]
[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1136 / Administrator][C:\Program Files\Internet Explorer\iexplore.exe]
[Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\Program Files\Kingsoft Antispy\IEBuddy.DLL]
[Kingsoft Corporation, 2007,08,16,41]
[C:\Program Files\Kingsoft Antispy\IEBuddyExt.DLL]
[Kingsoft Corporation, 2007,09,07,137]
[C:\Program Files\Kingsoft Antispy\dump.dll]
[Kingsoft Corporation, 2006, 2, 16, 8]
[C:\Program Files\Kingsoft Antispy\KANTray.dll]
[Kingsoft Corporation, 2007,09,05,133]
[C:\KAV2007\KAVAFish.DLL]
[Kingsoft Corporation, 2006, 10, 25, 27]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]
[Microsoft Corporation, 11.0.5510]
[C:\KAV2007\KAScript.DLL]
[Kingsoft Corporation, 2007, 3, 6, 75]
[C:\KAV2007\KAEPlat.DLL]
[Kingsoft Corp., 2007, 6, 19, 64]
[C:\KAV2007\KAEMem.DAT]
[Kingsoft, 2006, 9, 25, 16]
[C:\KAV2007\KAEUnpack.DAT]
[Kingsoft Corp., 2007, 8, 30, 130]
[C:\WINDOWS\system32\msacm32.drv]
[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx]
[Adobe Systems, Inc., 9,0,45,0]
[C:\WINDOWS\system32\UNISPIM6.IME]
[北京紫光华宇软件股份有限公司, 6.0.0.6117]
[PID: 2132 / Administrator][C:\Program Files\TTPlayer\TTPlayer.exe][, 4, 6, 7, 0]
[C:\Program Files\TTPlayer\ttpcomm.dll][N/A, ]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\Program Files\TTPlayer\ttpres.dll][, 4, 6, 7, 0]
[C:\Program Files\TTPlayer\msdmo.dll]
[Microsoft Corporation, 6.03.01.0400]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\Program Files\TTPlayer\AddIn\ttp_asf.dll][N/A, ]
[C:\Program Files\TTPlayer\AddIn\ttp_aac.dll][N/A, ]
[C:\Program Files\TTPlayer\AddIn\ttp_ac3dts.dll][N/A, ]
[C:\Program Files\TTPlayer\wmadmod.dll]
[Microsoft Corporation, 10.00.00.3646]
[C:\WINDOWS\system32\msacm32.drv]
[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\TTPlayer\AddIn\ttp_lrcsh.dll][N/A, ]
[C:\Program Files\TTPlayer\mp3PRO.dll]
[Coding Technologies GmbH, 1, 1, 0, 0]
[PID: 2724 / Administrator][D:\Tencent\QQ\TIMPlatform.exe][TENCENT, 7,0,365,1701]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[D:\Tencent\QQ\TIMProxy.dll]
[tencent, 0, 3, 2, 4]
[PID: 2788 / Administrator][D:\Tencent\QQ\QQ.exe]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQBaseClassInDll.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQHelperDll.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\BasicCtrlDll.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\MFC42.DLL]
[Microsoft Corporation, 6.00.8665.0]
[C:\KAV2007\KMailOEBand.dll]
[Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll]
[Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll]
[Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll]
[Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[D:\Tencent\QQ\RICHED32.DLL]
[Microsoft Corporation, 5.00.2134.1]
[D:\Tencent\QQ\RICHED20.dll]
[Microsoft Corporation, 5.31.23.1218]
[D:\Tencent\QQ\QQAPI.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\TIMProxy.dll]
[tencent, 0, 3, 2, 4]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[D:\Tencent\QQ\LoginCtrl.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\LoginCtrlRes.dll]
[TENCENT, 7,0,365,1701]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[D:\Tencent\QQ\QQRes.dll]
[TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQMainFrame.dll][N/A, ]
[D:\Tencent\QQ\gdiplus.dll]
[Microsoft Corporation, 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Tencent\QQ\CQQApplication.dll][N/A, ]
[D:\Tencent\QQ\FlashAvatarDll.dll][, 1, 4, 0, 1]
[D:\Tencent\QQ\NewSkin.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\HostingMgr.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\CameraDll.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\MailSummary.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQKnowledgeSearch.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQAllInOne.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\SCCore.dll][TENCENT, 1, 6, 0, 2]
[D:\Tencent\QQ\QQSpace.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\vbscript.dll][Microsoft Corporation, 5.6.0.7426]
[C:\WINDOWS\system32\msdmo.dll][, ]
[D:\Tencent\QQ\QQGroupMng.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQSysMsgMng.dll][N/A, ]
[D:\Tencent\QQ\UserDefinedHead.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQPlugin.dll][N/A, ]
[D:\Tencent\QQ\QQConfigPlugin.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQAvatar.dll][N/A, ]
[D:\Tencent\QQ\QQCustomFace.dll][N/A, ]
[D:\Tencent\QQ\QRingMng.dll][N/A, ]
[D:\Tencent\QQ\ImageOle.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQLiveQMng.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\QQSceneMng.dll][N/A, ]
[D:\Tencent\QQ\QQPet.dll][TENCENT, 7,0,365,1701]
[C:\WINDOWS\system32\msacm32.drv][Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\Tencent\QQ\LongConnection.dll] [TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\PhoneAPI.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\DialerAllinOne.dll][tencent, 1, 4, 0, 0]
[C:\WINDOWS\system32\UNISPIM6.IME][北京紫光华宇软件股份有限公司, 6.0.0.6117]
[D:\Tencent\QQ\BQQApplication.dll][N/A, ]
[D:\Tencent\QQ\CommercesMng.dll][TENCENT, 7,0,365,1701]
[D:\Tencent\QQ\PersonalDesktop.dll][深圳市腾讯计算机系统公司QQ工作小组, 1, 0, 0, 2]
[D:\Tencent\QQ\QQAddr.dll][深圳市腾讯计算机系统有限公司, 5, 0, 101, 320]
[D:\Tencent\QQ\AddrSearch.dll][腾讯科技(深圳)有限公司, 2, 1, 9, 95]
[D:\Tencent\QQ\GroupConnection.dll][TENCENT, 7,0,365,1701]
[PID: 2912 / Administrator][F:\金山殺毒客服提供\sreng2\SREngPS.EXE][Smallfrogs Studio, 2.5.16.900]
[C:\KAV2007\KMailOEBand.dll][Kingsoft Corporation, 2006, 12, 1, 139]
[C:\WINDOWS\system32\MSVCR71.dll][Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll][Microsoft Corporation, 7.10.3077.0]
[C:\KAV2007\KASocket.dll][Kingsoft Corporation, 2007, 3, 18, 241]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[F:\金山殺毒客服提供\sreng2\Upload\3rdUpd.DLL][Smallfrogs Studio, 2, 1, 0, 15]
==================================
File associations
.TXT
OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE
OK. ["%1" %*]
.COM
OK. ["%1" %*]
.PIF
OK. ["%1" %*]
.REG
OK. [regedit.exe "%1"]
.BAT
OK. ["%1" %*]
.SCR
OK. ["%1" /S]
.CHM
Error. ["hh.exe" %1]
.HLP
Error. [winhlp32.exe %1]
.INI
OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF
OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS
OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS
OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK
OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Autorun.inf
[E:\]
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\打开(&O)\command=AutoRun.exe
=================================
HOSTS file
127.0.0.1 localhost
==================================
Process privilege scan
Special privilege enabled: SeLoadDriverPrivilege [PID = 316, C:\KAV2007\KAVSTART.EXE]
Special privilege enabled: SeLoadDriverPrivilege [PID = 376, C:\KAV2007\KPFW32.EXE]
Special privilege enabled: SeDebugPrivilege [PID = 1024, C:\KAV2007\KMAILMON.EXE]
Special privilege enabled: SeLoadDriverPrivilege [PID = 1024, C:\KAV2007\KMAILMON.EXE]
Special privilege enabled: SeLoadDriverPrivilege [PID = 2132, C:\PROGRAM FILES\TTPLAYER\TTPLAYER.EXE]
==================================
Log ends
To be continued.................
The cleanup plan continues in the next post......


[ Last edited by safe119 on 2007-9-16 05:53 PM ]
2#
OP | Posted 2007-9-12 17:09:55
What follows is the original text of the cleanup plan I wrote for the friend who asked for help. I have not edited it and am posting it as it was, so please bear with me!

  Overall, I spent nearly an hour last night analysing your machine's run log. I am now sending the annotated log back to you; please read it patiently. I have marked the problematic or abnormal programs and registry startup entries in red bold. This is the basis, or the flowchart (plan), for our virus cleanup.

  From the analysis we can see that many malicious entries were added to the registry's startup keys; I have marked them. You can open the registry with the regedit command and clean them by hand, or use a third-party tool (for example SREng) to clean them.

  Further analysis shows that almost all of the application processes and some of the common system processes on the system have had the virus embedded into them by thread injection. That is why, when we find the virus files and try to delete them in the normal way, the system tells us the file is in use and cannot be deleted. It is also the crux of why Kingsoft Antivirus can detect them but cannot remove them completely! And your system also seems to have a USB-drive virus!

  You also told me that when you open the folder where the virus files are you cannot see them, even though you have enabled "show hidden files". Why is that? Because today's viruses use very advanced self-protection techniques: they use driver-level hiding, so normally you cannot see them in the folder. But you can use the other tool I gave you to deal with them!

That is my overall description of the analysis of your machine's run log.

Now let's deal with them step by step:
1. From the log file we find that the virus files injected into normal processes are three:
   [C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys]
   [C:\WINDOWS\system32\mppds.dll]
   [C:\WINDOWS\dbhelp.dll]

  The key is handling these three virus files. As mentioned above, they use thread injection, so there is no way to delete them by ordinary means; you can use Unlocker, the file-unlocking tool I told you about last time, to deal with them!
  Once it is installed, it adds a shortcut command to the system's context menu. Find each file, right-click it and choose "Unlocker..." to carry out the operation. The Security China (安全中国) blog has a detailed help article on how to use this tool; go and read it. If Unlocker cannot deal with them, use the other dedicated cleaning tool I gave you!

2. Once these three files are dealt with, use SREng to clean the startup-related registry entries. The Security China blog also has a detailed tutorial on how to use it.

On your machine, delete everything except the normal application entries:

C:\WINDOWS\system32\ctfmon.exe
C:\KAV2007\KPFW32.EXE
"C:\KAV2007\KAVStart.exe" -startup

All the registry entries I marked in red in the log must be deleted!

3. Since your machine also has a USB-drive virus, download the tool for cleaning that kind of virus from my website; it is available there, and there is an article specifically about how to clean USB-drive viruses, so look for it. The tool is called USBKiller.

4. When all of the above is done, remember to go to the pinned article on this site called "useful batch files download", download the batch file that cleans system junk files, and run it. The reason is that some virus bodies take root in the system temporary directories, so pull them out by the root!

5. With all that done, reboot the machine, then run a full-disk scan with antivirus software (I recommend Kaspersky 6.0)!

PS: I am only giving a cleanup method based on analysing the log file. Since the virus itself keeps being updated, I cannot guarantee it will work; this is only one way of thinking about, and one method for, manual virus cleanup (I am not responsible for any adverse consequences)!

Related software downloads:
Unlocker and SREng can be downloaded at http://blog.safe119.cn/article.asp?id=5

Another tool, specifically for cleaning files that cannot be seen:


[ Last edited by safe119 on 2007-9-12 05:11 PM ]
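Added example, not code from the original posts and not part of SREng or of any tool named above: a Python script that applies to an SREng-style log the two tests the first post makes by eye and the second post turns into steps 1 and 2 of the plan. It parses the startup-item and running-process sections, flags modules printed with "[N/A, ]" (no version information) that appear in several distinct processes as injection candidates, lists autostart entries whose publisher field is empty or which launch one of those modules (skipping a keep list taken from the post), and reports autorun.inf handlers on removable drives. Assumptions: the reading of "[N/A, ]" as "no version resource", the threshold of three processes, basename matching for the keep list, and the log excerpt, which is constructed to mirror the post's log rather than copied from a real machine.

```python
"""Triage an SREng log: flag DLL-injection candidates and autostart entries to remove.
Heuristics are assumptions, not SREng rules: a module printed "[path][N/A, ]" has no version
resource; one loaded in several unrelated processes is probably injected; an autostart entry
with an empty publisher "[]" or launching such a module is removed unless on the keep list."""
import re
from collections import defaultdict

PROC_RE = re.compile(r"^\[PID: (\d+) / [^\]]*\]\[([^\]]+)\]")
KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\[^\]]*)\]$")
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>(?:\[([^\]]*)\])?")
DRIVE_RE = re.compile(r"^\[([A-Za-z]:\\)\]$")
MODULE_RE = re.compile(r"^\[([A-Za-z]:\\[^\]]*)\](?:\[([^\]]*)\])?$")
AUTORUN_RE = re.compile(r"^(open|shellexecute)=(.+)$", re.I)
FILE_RE = re.compile(r'([^\\/"<>\s]+\.[A-Za-z0-9]{2,4})')
KEEP = {"ctfmon.exe", "kpfw32.exe", "kavstart.exe"}  # the three entries the post says to keep

# Constructed excerpt in SREng's layout; values mirror the log in the post, not a real scan.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>
[(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<w><%SystemRoot%\WinRaR.exe>[]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<KavStart><"C:\KAV2007\KAVStart.exe" -startup>[Kingsoft Corporation]
<mppds><C:\WINDOWS\mppds.exe>[]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}><C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys>[]
[PID: 1360 / Administrator][C:\WINDOWS\Explorer.EXE]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 468 / Administrator][C:\WINDOWS\system32\ctfmon.exe]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[PID: 2788 / Administrator][D:\Tencent\QQ\QQ.exe]
[C:\WINDOWS\system32\mppds.dll][N/A, ]
[C:\WINDOWS\dbhelp.dll][N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys][N/A, ]
[D:\Tencent\QQ\QQMainFrame.dll][N/A, ]
[E:\]
open=AutoRun.exe
"""

def first_file(command):
    """Lower-cased basename of the first file-like token in a command line (heuristic)."""
    m = FILE_RE.search(command or "")
    return m.group(1).lower() if m else ""

def parse_log(text):
    """Return (startup entries, {pid: [(module path, inline info)]}, autorun handlers)."""
    startup, procs, autorun = [], {}, []
    key = pid = drive = pending = None
    for line in (l.strip() for l in text.splitlines()):
        # SREng prints the publisher of a <name><command> entry on its own line when it is signed.
        if pending and line.startswith("[") and not (KEY_RE.match(line) or PROC_RE.match(line)):
            pending["publisher"] = line[1:-1]
            pending = None
            continue
        pending = None
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := ENTRY_RE.match(line):
            startup.append({"key": key, "name": m.group(1), "command": m.group(2), "publisher": m.group(3)})
            pending = startup[-1] if m.group(3) is None else None
        elif m := PROC_RE.match(line):
            pid = int(m.group(1))
            procs[pid] = []
        elif m := DRIVE_RE.match(line):
            drive = m.group(1)
        elif (m := MODULE_RE.match(line)) and pid is not None:
            procs[pid].append((m.group(1), m.group(2)))
        elif m := AUTORUN_RE.match(line):
            autorun.append((drive, m.group(1).lower(), m.group(2)))
    return startup, procs, autorun

def injected_modules(procs, min_processes=3):
    """Unversioned modules loaded into at least min_processes distinct processes."""
    seen = defaultdict(set)
    for pid, modules in procs.items():
        for path, info in modules:
            if info and info.strip().upper().startswith("N/A"):
                seen[path].add(pid)
    return {p: len(s) for p, s in seen.items() if len(s) >= min_processes}

def startup_to_remove(startup, injected):
    """Entries to delete: empty publisher field and not on KEEP, or launching an injected module."""
    injected_names = {first_file(p) for p in injected}
    hits = []
    for e in startup:
        exe = first_file(e["command"])
        if exe and exe not in KEEP and (exe in injected_names or e["publisher"] == ""):
            hits.append((e["key"], e["name"], e["command"]))
    return hits

def triage(text, min_processes=3):
    """Cleanup plan: injected modules, registry entries to delete, autorun.inf program handlers."""
    startup, procs, autorun = parse_log(text)
    injected = injected_modules(procs, min_processes)
    runs = [a for a in autorun if first_file(a[2]).endswith((".exe", ".com", ".bat", ".pif"))]
    return {"injected": injected, "registry": startup_to_remove(startup, injected), "autorun": runs}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run as-is to print the plan for the embedded excerpt, or pass it the text of a real SREng log. The process-count threshold is what keeps legitimate unversioned DLLs (QQMainFrame.dll in the excerpt, which only QQ loads) off the list; a module that Explorer, ctfmon and QQ all load, with no version resource and no publisher, is the pattern the post is pointing at. The output is a plan, not an action: the files still have to be unlocked and deleted and the keys removed by hand, as the post describes.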

3#
Posted 2007-9-13 00:02:51
Wow... a dense wall of text... makes my head spin..
But thanks for sharing your experience...

4#
Posted 2007-9-13 14:08:22
The poster above made it too complicated. I removed the plug-ins listed above with the rogue-software removal tool released by Windows优化大师 (Windows Optimizer).

Download address: http://www.wopti.net/download.htm

But I still support original work!

5#
Posted 2007-9-20 14:14:29
Bump, +1~~~~~~~~

6#
Posted 2007-9-20 15:13:10
Heh
I support posts like this
Very useful for newbies like me

7#
Posted 2007-9-20 16:01:31
Too complicated, I can't understand it. I'm too much of a newbie, can't help it.