遭遇 my.exe,svch0st.exe,iexpl0re.exe,rundl13a.exe,LgSym.dll 等

来源：互联网发布：伊丽莎白女王知乎编辑：程序博客网时间：2024/05/22 06:41

endurer 原创

2007-02-06 第1版

一位网友的电脑，最近瑞星经常报告：

/---
病毒名称处理结果扫描方式路径文件病毒来源
Trojan.DL.Getou.a 清除成功手动扫描 IEXPLORE.EXE>>C:/program files/internet explorer/IEXPLORE.EXE 本机
---/

让偶帮忙检查一下。

用 pe_xscan 扫描，发现可疑项：

/---
pe_xscan by Purple Endurer
2007-3-6 10:50:43
Windows XP Service Pack 1(5.1.2600)
管理员用户组

O4 - HKCR/../Run: [kavshell] C:/WINDOWS/System32/svch0st.exe
O4 - HKCR/../Run: [lch9ku087gfj] C:/WINDOWS/iexpl0re.exe
O4 - HKCR/../Run: [1xbi5t4lx] C:/WINDOWS/rundl13a.exe
O4 - HKLM/../Run: [KissKOBaby] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wl.exe
O4 - HKLM/../Run: [WhereOU] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe

O23 - 服务: IE_WinServerName (Windows CreaterIE) - C:/WINDOWS/winlllgon.exe(自动启动)
---/

到 http://endurer.ys168.com 下载 HijackThis，到 http://purpleendurer.ys168.com 下载 bat_do，下载 Dr.Web CureIt备用。

（下列修复操作可参考：
【系统修复系列之】基本操作索引　
http://endurer.blogchina.com/2591241.html）

重启电脑到安全模式。

用bat_do 把可疑文件打包备份。

用Dr.Web CureIt 扫描，结果如下：

=============================================================================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-03-06, 11:35:35 [HCNYBGS2][Administrator]
Command-line: "C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/RarSFX0/cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 1
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01

[Scan path] c:/documents and settings/administrator/local settings/temp/my.exe
>c:/documents and settings/administrator/local settings/temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] c:/windows/winlllgon.exe
c:/windows/winlllgon.exe infected with BackDoor.WebDor - deleted

C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/xin[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/11[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[2].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/EHTNR4CA/12[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/xi[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/1[1].exe infected with BackDoor.WebDor - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] C:/WINDOWS
C:/WINDOWS/winllgon.exe infected with BackDoor.WebDor - deleted
C:/WINDOWS/rundl132.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/rundl13a.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/system32/Rav26.dll infected with Trojan.PWS.Soul - deleted

可惜对 C:/WINDOWS/System32/LgSym.dll 没有反应，只能手工删除 LgSym.dll。

用HijackThis 修复 pe_xscan 中的 O4 和 O23 项。

运行附件中的系统工具：磁盘清理。

清空 c:/windows/prefetch

检查瑞星版本，发现还是最后升级日期是3月2日，晕！

重启电脑，升级瑞星……