Last night a net friend told me his computer had caught a virus: ad windows popped up at irregular intervals, and sometimes a countdown to shutdown started. He asked me to check it over QQ remote assistance.
I downloaded pe_xscan, scanned, and analyzed the log, and found the following suspicious items:
/--- pe_xscan 07-08-30 by Purple Endurer 2007-11-20 21:07:25
Windows XP Service Pack 1(5.1.2600) Administrators group
[System Process] * 0
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/WINDOWS/system32/svchost.exe * 796 | 2002-10-7 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.0 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/System32/svchost.exe * 1156 | 2002-10-7 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.0 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/System32/ctfmon.exe * 532 | 2002-10-7 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.1106 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/Program Files/Tencent/qq/QQ.exe * 3244 | 2007-10-11 18:26:42 | QQ | 7,1,518,1751 | QQ | Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved | 7,1,518,1751 | TENCENT | | COMQQD | QQ.exe
C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/Program Files/Tencent/QQ/TIMPlatform.exe * 3272 | 2007-10-11 17:43:48 | QQ | 7,1,518,1751 | TIMPlatform | Copyright © 2005 - 2007 TENCENT Inc. All Rights Reserved | 7,1,518,1751 | TENCENT | | TIMPlatform | TIMPlatform.exe
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/WINDOWS/System32/rundll32.exe * 1376 | 2002-10-7 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.0 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/Program Files/Internet Explorer/iexplore.exe * 2268 | 2002-10-7 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/Program Files/TENCENT/SSPlus/SAddr.dll | 2007-11-6 9:22:28 | SAddr Module | 5, 0, 2, 10 | | | 5, 0, 2, 10 | Tencent | | SAddr.dll |
C:/Program Files/DeskAdTop/deskipn.dll | 2006-6-13 14:22:34 | bho Module | 1, 0, 0, 1 | bho Module | Copyright 2006 | 1, 0, 0, 1 | | ? | bho | bho.DLL
C:/WINDOWS/System32/nsp.dll | 2003-9-19 9:33:24
C:/WINDOWS/explorer.exe * 3788 | 2002-10-7 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2800.1106 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2800.1106 (xpsp1.020828-1920) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-9-29 10:9:20 | SPlus Module | 5, 0, 1, 25 | | Tencent Technology (Shenzhen) Co., Ltd. All rights reserved (C) 2007 | 5, 0, 1, 25 | TENCENT | | SPlus.dll | SPlus.dll
C:/Program Files/TENCENT/SSPlus/SAddr.dll | 2007-11-6 9:22:28 | SAddr Module | 5, 0, 2, 10 | | | 5, 0, 2, 10 | Tencent | | SAddr.dll |
O2 - BHO IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:/Program Files/DeskAdTop/deskipn.dll
O2 - BHO Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:/Program Files/TENCENT/SSPlus/SAddr.dll
O2 - BHO CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:/WINDOWS/System32/NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:/WINDOWS/System32/IEHelper.dll
O2 - BHO - {F6CD3E64-61D4-4cb1-982C-DAE3271B6D85} -
O3 - IE Toolbar: whatever.. - {40987A5C-6AB8-4977-8BE9-A8889DE2EDCC} - C:/Program Files/Copyso/CopysoIE.dll
O4 - HKLM/../Run: [NMGameX_AutoRun] C:/WINDOWS/System32/Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM/../Run: [CdnCtr]
O4 - HKLM/../Run: [Desktop] "C:/WINDOWS/System32/internet.exe"
O4 - HKLM/../Run: [Internet] "C:/WINDOWS/system32/internet.exe"
O4 - HKLM/../Run: [stup.exe] Rundll32.exe C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll,Rundll32 R
O9 - IE toolbar extension button HKLM: Chinese Domain Name (中文域名) - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O9 - IE Tools menu extension HKLM: Chinese Domain Name (中文域名) - {35980F6E-A137-4E50-953D-813BB8556899} - C:/WINDOWS/System32/CdnIEHlp.dll
O9 - IE toolbar extension button HKLM: eBay Shopping (易趣购物) - {DE60714F-AC17-427e-861A-FD60CBDF119A} - hxxp://adfarm.mediaplex.com/ad/ck/4080-23171-9517-195?cn=song;icon;hp&mpro=hxxp://www.ebay.com.cn
O9 - IE Tools menu extension HKLM: eBay Shopping (易趣购物) - {DE60714F-AC17-427e-861A-FD60CBDF119A} - hxxp://adfarm.mediaplex.com/ad/ck/4080-23171-9517-195?cn=song;icon;hp&mpro=hxxp://www.e
O11 - IE extension options group: TBH (Chinese SOSO / 中文搜搜) =
O23 - Service: abhcop (abhcop) - system32/drivers/abhcop.sys(System)
O23 - Service: AHOOK (AHOOK) - C:/WINDOWS/System32/drivers/ahook.sys(Auto)
O23 - Service: CdnHook (CDNHOOK) - System32/drivers/cdnhook.sys(System)
O23 - Service: hcalway (hcalway) - System32/DRIVERS/hcalway.sys(System)
O23 - Service: Internet Connection Manager (Internet Connection Manager) - "C:/WINDOWS/System32/internet.exe"(Auto)
O23 - Service: mspcidrv (mspcidrv) - system32/DRIVERS/mspcidrv.sys(System)
O23 - Service: msprosys (msprosys) - System32/DRIVERS/msprosys.sys(System)
O23 - Service: New0 (New0) - C:/WINDOWS/System32/new.sys | 2004-12-4 11:17:36(Auto)
O26 - IFEO: cdnup.exe -> C:/WINDOWS/system32/rundll32.exe
---/
It's still Win XP SP1... no wonder it picked up so much rogue software and malware.
Download and install 卡卡安全助手 (Kaka Security Assistant). First, in [Basic Functions] -> [Scan and Remove Malicious and Rogue Software], scan and clean out the rogue software.
Then in [Advanced Functions] -> [System Startup Items Management], click [Logon Items] on the left, find the entries on the right that correspond to the O4 items, right-click, and choose Delete from the pop-up menu.
Next, in [Advanced Functions] -> [System Startup Items Management], click [Service Items] and [Drivers] on the left, find the entries on the right that correspond to the O23 items, right-click, and choose Delete from the pop-up menu; then click [Application Hijack Items] on the left, find the entry on the right that corresponds to the O26 item, right-click, and choose Delete from the pop-up menu.
Next, the files to deal with:
C:/WINDOWS/System32/internet.exe
C:/WINDOWS/System32/new.sys
C:/WINDOWS/system32/drivers/abhcop.sys
C:/WINDOWS/System32/drivers/ahook.sys
C:/WINDOWS/System32/drivers/cdnhook.sys
C:/WINDOWS/System32/DRIVERS/hcalway.sys
C:/WINDOWS/system32/DRIVERS/mspcidrv.sys
C:/WINDOWS/System32/DRIVERS/msprosys.sys
Go to http://purpleendurer.ys168.com and download bat_do and FileInfo.
Use FileInfo to extract the file information, then use bat_do to pack a backup and set up delayed deletion: generate the commands to strip attributes, delete, and rename, to be executed at the next startup.
Use WinRAR to delete whatever can be deleted from the Windows temporary folder, the IE temporary folder, and d:/windows/prefetch.
Reboot the computer~
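The steps above (read the pe_xscan O-items, remove the O4 Run entries, the O23 services and drivers and the O26 IFEO hijack, then deal with the files they point to) can be scripted instead of clicked through. The following Python script is an added example written for this page; it is not part of the original post and not code from pe_xscan, 卡卡安全助手 or bat_do. It parses O2/O4/O23/O26 lines in the shape of the log above (the sample lines are a constructed subset of that log), deduplicates the file targets, refuses to list real Windows binaries such as rundll32.exe as files to delete (the IFEO entry's target), and emits an XP batch file of sc/reg/attrib/del commands. The full registry keys behind pe_xscan's abbreviated labels (HKLM/../Run, BHO, IFEO) and C:/WINDOWS as the system root are assumptions.

```python
"""Turn pe_xscan O2/O4/O23/O26 lines into a Windows XP cleanup plan (added example)."""
import re

SYSTEM_ROOT = "C:/WINDOWS"   # assumption: where the XP install in the log lives
# Full registry keys behind pe_xscan's abbreviated labels (assumed mapping).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IFEO_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Windows binaries an entry may reference (IFEO target, Run host) but that must never be deleted.
PROTECTED = {"rundll32.exe", "svchost.exe", "explorer.exe", "iexplore.exe"}

# Constructed sample in the shape of the log above (a subset, not the full log).
SAMPLE_LOG = """\
O2 - BHO IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:/Program Files/DeskAdTop/deskipn.dll
O4 - HKLM/../Run: [Desktop] "C:/WINDOWS/System32/internet.exe"
O4 - HKLM/../Run: [Internet] "C:/WINDOWS/system32/internet.exe"
O23 - Service: abhcop (abhcop) - system32/drivers/abhcop.sys(System)
O23 - Service: Internet Connection Manager (Internet Connection Manager) - "C:/WINDOWS/System32/internet.exe"(Auto)
O23 - Service: New0 (New0) - C:/WINDOWS/System32/new.sys | 2004-12-4 11:17:36(Auto)
O26 - IFEO: cdnup.exe -> C:/WINDOWS/system32/rundll32.exe
"""

O2_RE = re.compile(r"^O2 - BHO .*?(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - HKLM/\.\./Run: \[([^\]]+)\]\s*(.*)$")
O23_RE = re.compile(r"^O23 - Service: .*\(([^()]+)\) - (.*)$")
O26_RE = re.compile(r"^O26 - IFEO: (\S+) -> (.*)$")


def normalize_path(raw):
    """Strip pe_xscan decorations (quotes, '| timestamp', '(Auto)') and make the path absolute."""
    path = raw.strip().split(" | ")[0]
    path = re.sub(r"\([^()]*\)\s*$", "", path).strip().strip('"')
    if not path:
        return None
    if re.match(r"^[A-Za-z]:/", path):
        return path
    return SYSTEM_ROOT + "/" + path.lstrip("/")   # service paths are relative to %SystemRoot%


def executable_of(command):
    """First program of a Run-key command line, quoted or bare."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else None


def build_plan(log_text):
    """Return registry deletions, services to remove and files to delete, deduplicated."""
    registry, services, files = [], [], {}

    def add_file(raw):
        path = normalize_path(raw) if raw else None
        if path is None or path.rsplit("/", 1)[-1].lower() in PROTECTED:
            return
        files.setdefault(path.lower(), path)   # XP paths are case-insensitive: one entry per file

    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            registry.append(f'reg delete "{BHO_KEY}\\{m.group(1)}" /f')
            add_file(m.group(2))
        elif m := O4_RE.match(line):
            registry.append(f'reg delete "{RUN_KEY}" /v "{m.group(1)}" /f')
            add_file(executable_of(m.group(2)))
        elif m := O23_RE.match(line):
            services.append(m.group(1))
            add_file(m.group(2))
        elif m := O26_RE.match(line):
            # The IFEO key is the hijack; its target (rundll32.exe) is a real Windows file and stays.
            registry.append(f'reg delete "{IFEO_KEY}\\{m.group(1)}" /f')
    return {"registry": registry, "services": services, "files": list(files.values())}


def render_batch(plan):
    """Emit the plan as an XP batch file: services first, then registry, then files."""
    lines = ["@echo off"]
    for svc in plan["services"]:
        lines += [f'sc stop "{svc}"', f'sc delete "{svc}"']
    lines += plan["registry"]
    for path in plan["files"]:
        win = path.replace("/", "\\")
        lines += [f'attrib -r -s -h "{win}"', f'del /f /q "{win}"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_batch(build_plan(SAMPLE_LOG)))
```

Two things the generated batch cannot do by itself, which is why the post defers the file removal with bat_do: a driver started at boot (the "(System)" entries) and a process that is already running hold their files open, so `del` fails until the next startup or until the service is stopped and the process killed. Review each target against its version information before running the batch; the same log shows Tencent's SPlus.dll loaded through a Rundll32 Run entry, which is legitimate QQ software and must not be treated like internet.exe just because it uses the same loading mechanism.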