遭遇 my.exe,svch0st.exe,iexpl0re.exe,rundl13a.exe,LgSym.dll 等

最新推荐文章于 2025-12-05 15:36:57 发布

最新推荐文章于 2025-12-05 15:36:57 发布 · 95 阅读

文章标签：

本文记录了一次帮助网友清除电脑中顽固恶意软件的过程。通过使用多种工具如pe_xscan、Dr.Web CureIt! 和 HijackThis等，作者详细描述了如何检测、隔离并最终移除包括Trojan.PWS.Lineage和BackDoor.WebDor在内的恶意软件。

endurer 原创

2007-02-06 第1版

一位网友的电脑，最近瑞星经常报告：

/---
病毒名称处理结果扫描方式路径文件病毒来源
Trojan.DL.Getou.a 清除成功手动扫描 IEXPLORE.EXE>>C:/program files/internet explorer/IEXPLORE.EXE本机
---/

让偶帮忙检查一下。

用 pe_xscan 扫描，发现可疑项：

/---
pe_xscan by Purple Endurer
2007-3-6 10:50:43
Windows XP Service Pack 1(5.1.2600)
管理员用户组

O4 - HKCR/../Run: [kavshell] C:/WINDOWS/System32/svch0st.exe
O4 - HKCR/../Run: [lch9ku087gfj] C:/WINDOWS/iexpl0re.exe
O4 - HKCR/../Run: [1xbi5t4lx] C:/WINDOWS/rundl13a.exe
O4 - HKLM/../Run: [KissKOBaby] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wl.exe
O4 - HKLM/../Run: [WhereOU] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/my.exe

O23 - 服务: IE_WinServerName (Windows CreaterIE) - C:/WINDOWS/winlllgon.exe(自动启动)
---/

到 http://endurer.ys168.com下载 HijackThis，到 http://purpleendurer.ys168.com 下载 bat_do，下载 Dr.Web CureIt备用。

（下列修复操作可参考：
【系统修复系列之】基本操作索引　
http://endurer.blogchina.com/2591241.html）

重启电脑到安全模式。

用bat_do 把可疑文件打包备份。

用Dr.Web CureIt 扫描，结果如下：

=============================================================================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-03-06, 11:35:35 [HCNYBGS2][Administrator]
Command-line: "C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/RarSFX0/cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 1
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01

[Scan path] c:/documents and settings/administrator/local settings/temp/my.exe
>c:/documents and settings/administrator/local settings/temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] c:/windows/winlllgon.exe
c:/windows/winlllgon.exe infected with BackDoor.WebDor - deleted

C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/xin[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/11[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/8HAPGZKV/1[2].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/EHTNR4CA/12[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/xi[1].exe infected with BackDoor.WebDor - deleted
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/TM4YTSRS/1[1].exe infected with BackDoor.WebDor - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/my.exe infected with Trojan.PWS.Lineage - will be cured after reboot
[Scan path] C:/WINDOWS
C:/WINDOWS/winllgon.exe infected with BackDoor.WebDor - deleted
C:/WINDOWS/rundl132.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/rundl13a.exe infected with Trojan.PWS.Wsgame - deleted
C:/WINDOWS/system32/Rav26.dll infected with Trojan.PWS.Soul - deleted