Encountering my.exe, svch0st.exe, iexpl0re.exe, rundl13a.exe, LgSym.dll and others
Source: Internet | Editor: 程序博客网 | Time: 2024/05/22 06:41
Original work by endurer
2007-02-06, 1st edition
On a netizen's computer, Rising has recently been reporting the following over and over:
/---
病毒名称 处理结果 扫描方式 路径 文件 病毒来源
Trojan.DL.Getou.a 清除成功 手动扫描 IEXPLORE.EXE>>C:/program files/internet explorer/IEXPLORE.EXE 本机
---/
The netizen asked me to help take a look.
A scan with pe_xscan turned up the following suspicious items:
/---
pe_xscan by Purple Endurer
2007-3-6 10:50:43
Windows XP Service Pack 1(5.1.2600)
管理员用户组
[System Process] * 0
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/Program Files/LLJAgent/KXAgentS.exe * 1980 | 2005-3-10 10:59:52 | KXAgentService | 1, 2, 0, 0 | KXAgentService | Copyright (C) 2005 SmartDove | 1, 2, 0, 0 | SmartDove | | KXAgentService | KXAgentS.exe
C:/Program Files/LLJAgent/KXAgentS.exe | 2005-3-10 10:59:52 | KXAgentService | 1, 2, 0, 0 | KXAgentService | Copyright (C) 2005 SmartDove | 1, 2, 0, 0 | SmartDove | | KXAgentService | KXAgentS.exe
C:/Program Files/LLJAgent/zlib1.dll | 2003-11-18 1:29:4 | zlib | 1.2.1 | zlib data compression library | (C) 1995-2003 Jean-loup Gailly & Mark Adler | 1.2.1| ?| ? | zlib1.dll | zlib1.dll
C:/WINDOWS/Explorer.EXE * 424 | 2003-3-15 0:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/WINDOWS/iexpl0re.exe * 1312 | 2007-3-6 7:53:42
C:/WINDOWS/iexpl0re.exe | 2007-3-6 7:53:42
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe * 388 | 2007-3-6 7:53:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe | 2007-3-6 7:53:48
C:/Program Files/Internet Explorer/iexplore.exe * 1644 | 2003-3-15 8:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
O4 - HKCR/../Run: [kavshell] C:/WINDOWS/System32/svch0st.exe
O4 - HKCR/../Run: [lch9ku087gfj] C:/WINDOWS/iexpl0re.exe
O4 - HKCR/../Run: [1xbi5t4lx] C:/WINDOWS/rundl13a.exe
O4 - HKLM/../Run: [KissKOBaby] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wl.exe
O4 - HKLM/../Run: [WhereOU] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe
O23 - 服务: IE_WinServerName (Windows CreaterIE) - C:/WINDOWS/winlllgon.exe(自动启动)
---/
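The listing above shows three patterns worth recognising in any such scan: file names that imitate system binaries by swapping digits for letters or by near spelling (svch0st, iexpl0re, rundl13a, winlllgon), Run-key and service entries that launch from a Temp directory, and one DLL with no version information (LgSym.dll) loaded into every process listed. The following Python script is an added example, not part of the original post and not the code of pe_xscan or HijackThis: it reads a constructed, abridged listing modelled on the one above and flags those three patterns. The allow-list of genuine binary names, the edit-distance threshold of 2 and the "loaded in at least 3 processes" threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed, abridged sample modelled on the pe_xscan listing in the post (not the tool's own output).
PE_XSCAN_SAMPLE = """\
[System Process] * 0
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/WINDOWS/Explorer.EXE * 424 | 2003-3-15 0:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/WINDOWS/iexpl0re.exe * 1312 | 2007-3-6 7:53:42
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe * 388 | 2007-3-6 7:53:48
C:/Program Files/Internet Explorer/iexplore.exe * 1644 | 2003-3-15 8:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106
C:/WINDOWS/System32/LgSym.dll | 2003-3-15 0:0:0
O4 - HKCR/../Run: [kavshell] C:/WINDOWS/System32/svch0st.exe
O4 - HKCR/../Run: [lch9ku087gfj] C:/WINDOWS/iexpl0re.exe
O4 - HKCR/../Run: [1xbi5t4lx] C:/WINDOWS/rundl13a.exe
O4 - HKLM/../Run: [KissKOBaby] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wl.exe
O4 - HKLM/../Run: [WhereOU] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe
O23 - Service: IE_WinServerName (Windows CreaterIE) - C:/WINDOWS/winlllgon.exe (auto start)
"""

# Assumption: a small allow-list of genuine Windows binaries that malware likes to imitate.
KNOWN_BINARIES = {"svchost.exe", "iexplore.exe", "rundll32.exe", "winlogon.exe", "explorer.exe",
                  "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
# Digit-for-letter swaps seen in the post's file names (svch0st, iexpl0re, rundl13a).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PROCESS_RE = re.compile(r"^(?P<path>.+?) \* (?P<pid>\d+)(?: \| .*)?$")
AUTORUN_RE = re.compile(r"^O(?P<kind>4|23) - .*?(?P<path>[A-Za-z]:/.+?)(?:\s*\(|$)")


def levenshtein(a, b):
    """Plain edit distance; the name lists are tiny, so no optimisation is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, max_distance=2):
    """Return the genuine binary a file name imitates, or None.
    An exact match is genuine by definition, so the real iexplore.exe is not
    reported as a lookalike of explorer.exe (their stems are only 2 edits apart)."""
    name = filename.lower()
    if name in KNOWN_BINARIES or not name.endswith(".exe"):
        return None
    stem, best = name[:-4], None
    for known in sorted(KNOWN_BINARIES):
        d = min(levenshtein(stem, known[:-4]), levenshtein(stem.translate(HOMOGLYPHS), known[:-4]))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, known)
    return best[1] if best else None


def parse_pe_xscan(text):
    """Split a pe_xscan-style listing into processes (each with its module lines) and autorun entries."""
    processes, autoruns, current = [], [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append({"kind": "O" + m.group("kind"), "path": m.group("path")})
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = {"path": m.group("path"), "pid": int(m.group("pid")), "modules": []}
            processes.append(current)
        elif current is not None:
            fields = [f.strip() for f in line.split("|")]
            # Version/company fields follow the timestamp only when the file carries version info.
            current["modules"].append({"path": fields[0], "has_version_info": len(fields) > 2})
    return processes, autoruns


def triage(text, shared_threshold=3):
    """Return (rule, path, detail) findings for the three patterns visible in the post's listing."""
    processes, autoruns = parse_pe_xscan(text)
    findings = []
    # 1. Process images and autorun targets whose names imitate system binaries.
    for path in [p["path"] for p in processes] + [a["path"] for a in autoruns]:
        legit = lookalike_of(path.rsplit("/", 1)[-1])
        if legit:
            findings.append(("lookalike-name", path, f"imitates {legit}"))
    # 2. Autorun entries (Run keys, services) that launch from a Temp directory.
    for a in autoruns:
        if "/temp/" in a["path"].lower():
            findings.append(("autorun-from-temp", a["path"], a["kind"]))
    # 3. A DLL with no version info loaded into many unrelated processes: the LgSym.dll pattern.
    hosts, versioned = defaultdict(set), {}
    for p in processes:
        for mod in p["modules"]:
            if mod["path"].lower().endswith(".dll"):
                hosts[mod["path"]].add(p["pid"])
                versioned[mod["path"]] = mod["has_version_info"]
    for mod, pids in hosts.items():
        if len(pids) >= shared_threshold and not versioned[mod]:
            findings.append(("dll-in-many-processes", mod, f"loaded in {len(pids)} processes"))
    return list(dict.fromkeys(findings))  # drop duplicates, keep order


if __name__ == "__main__":
    for rule, path, detail in triage(PE_XSCAN_SAMPLE):
        print(f"{rule:22} {path}  ({detail})")
```

Run against the sample, the script reports the four lookalike names, the two Temp-directory autoruns and LgSym.dll as loaded into four processes. The exact-match exemption in lookalike_of matters: without it the genuine iexplore.exe would be flagged as a near spelling of explorer.exe, which is exactly the kind of false positive that makes a triage list useless.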
Download HijackThis from http://endurer.ys168.com, download bat_do from http://purpleendurer.ys168.com, and download Dr.Web CureIt so that it is ready to use.
(For the repair steps below, see the index of basic operations in the "System Repair Series": http://endurer.blogchina.com/2591241.html)
Restart the computer into Safe Mode.
Use bat_do to pack the suspicious files into an archive as a backup.
Scan with Dr.Web CureIt; the results are as follows:
=============================================================================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-03-06, 11:35:35 [HCNYBGS2][Administrator]
Command-line: "C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/RarSFX0/cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 1
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01
[Scan path] c:/documents and settings/administrator/local settings/temp/my.exe
>c:/documents and settings/administrator/local settings/temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] c:/windows/winlllgon.exe
c:/windows/winlllgon.exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/xin[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/11[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[2].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/EHTNR4CA/12[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/xi[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/1[1].exe infected with BackDoor.WebDor - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] C:/WINDOWS
C:/WINDOWS/winllgon.exe infected with BackDoor.WebDor - deleted
C:/WINDOWS/rundl132.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/rundl13a.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/system32/Rav26.dll infected with Trojan.PWS.Soul - deleted
Unfortunately it did not react to C:/WINDOWS/System32/LgSym.dll at all, so LgSym.dll had to be deleted by hand.
Use HijackThis to fix the O4 and O23 items listed in the pe_xscan output.
Run Disk Cleanup from Accessories > System Tools.
Empty c:/windows/prefetch.
Checked the Rising version and found that its last update was still dated March 2. Ugh!
Restarted the computer and updated Rising...