这几个文件是干什么的??

显示全部楼层 · 发表于 2007-5-27 19:46:51

计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: C:\WINDOWS\system32\qzazyj.dll
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: c:\windows\system32\drivers\qzazyj.sys
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: C:\WINDOWS\system32\hxsehn.dll
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: C:\WINDOWS\system32\idecxc.dll
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: C:\WINDOWS\system32\nkfpbe.dll
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: c:\windows\system32\drivers\hxsehn.sys
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: c:\windows\system32\drivers\idecxc.sys
计算机重启后删除: 木马程序 Trojan-Downloader.Win32.Agent.bbb 文件: c:\windows\system32\drivers\nkfpbe.sys

咔吧老是报...删又删不掉....用unlock也不行的说....

显示全部楼层 · 发表于 2007-5-27 19:49:49

用这个按照路径删除选择抑制生成
要是还出这个问题用SRENG扫描个报告来！

显示全部楼层 · 发表于 2007-5-27 20:23:04

不行啊.....给个报告.....
========================================

2007-05-26,20:21:52
System Repair Engineer 2.4.12.806
Smallfrogs ([url]http://www.KZTechs.com[/url])
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AVP><"D:\kbsj\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><c:\windows\system32\userinit.exe,,C:\WINDOWS\system32\windowsupdate.exe,> [N/A]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{90BC520C-9175-470E-94B8-10FD869D170B}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd> []
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.dll> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\System64.sys> [N/A]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<AVP><; "D:\kbsj\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<cmdbcs><; C:\WINDOWS\WINLOGON.EXE> [N/A]
<IMJPMIG8.1><; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<Load><; C:\WINDOWS\uninstall\rundl132.exe> [N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<MSMSGS><; "C:\Program Files\Messenger\msmsgs.exe" /background> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<nqwindl><; C:\WINDOWS\RUNDLL32.exe> [N/A]
<nwnslop><; C:\WINDOWS\SVCHOST.EXE> [N/A]
<nzttlln><; C:\WINDOWS\SERVICES.EXE> [N/A]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<sx8k><; C:\DOCUME~1\HDPC\LOCALS~1\Temp\iexpl0re.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<System><; C:\Program Files\Common Files\system\Updaterun.exe> []
<upxdnd><; C:\WINDOWS\upxdnd.exe> [N/A]
==================================
启动文件夹
N/A
==================================
服务
[Management Instrumentation Driver Extensions / 6to4][Stopped/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\winmide32.dll><N/A>
[Kaspersky Anti-Virus 6.0 / AVP][Running/Auto Start]
<D:\kbsj\avp.exe -r><Kaspersky Lab>
[ewido anti-spyware 4.0 guard / ewido anti-spyware 4.0 guard][Stopped/Disabled]
<D:\Program Files\ewido anti-spyware 4.0\guard.exe><N/A>
[Macromedia Licensing Service / Macromedia Licensing Service][Stopped/Manual Start]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><>
[NVIDIA Display Driver Service / NVSvc][Stopped/Disabled]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[PsShutdown / PsShutdownSvc][Stopped/Disabled]
<C:\WINDOWS\System32\PSSDNSVC.EXE><N/A>
[Windows rkeb RunThem / rkeb][Others/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\mfzw\wpjg.dll>< >
[Distributed Link Tracking Clientbjh / ServiceBJH][Stopped/Disabled]
<><N/A>
[VKTServ / VKTServ][Stopped/Disabled]
<><N/A>
[TrueVector Internet Monitor / vsmon][Stopped/Manual Start]
<C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service><Zone Labs, LLC>
==================================
驱动程序
[alymad / alymad][Stopped/Boot Start]
<\SystemRoot\system32\drivers\alymad.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
<\??\D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[3Com EtherLink XL 90XB/C Adapter Driver / EL90XBC][Stopped/Manual Start]
<System32\DRIVERS\el90xbc5.sys><3Com Corporation>
[hxseh / hxsehn][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\hxsehn.sys><N/A>
[idecx / idecxc][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\idecxc.sys><N/A>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[kmsinput / kmsinput][Stopped/Manual Start]
<\??\C:\WINDOWS\System32\drivers\kmsinput.sys><N/A>
[KRegEx / KRegEx][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\KRegEx.sys><N/A>
[KWatch3 / KWatch3][Running/System Start]
<\??\C:\WINDOWS\System32\drivers\KWatch3.SYS><Kingsoft Corporation>
[nkfpb / nkfpbe][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\nkfpbe.sys><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\D:\Program Files\Tencent\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[qzazy / qzazyj][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\qzazyj.sys><N/A>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[ViaIde / ViaIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
[VIA AC'97 Enhanced Audio Controller (WDM) / VIAudio][Running/Manual Start]
<system32\drivers\viaudio.sys><VIA Technologies, Inc.>
[vsdatant / vsdatant][Running/System Start]
<System32\vsdatant.sys><Zone Labs, LLC>
[wrghmx / wrghmx][Stopped/Boot Start]
<\SystemRoot\system32\drivers\wrghmx.sys><N/A>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[xinstall / xinstall][Running/Auto Start]
<\??\C:\WINDOWS\System32\drivers\xinstall.sys><N/A>
[XPROTECTOR / XPROTECTOR][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\Xprotector.sys><N/A>
[VIMICRO USB PC Camera / ZSMC302][Stopped/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
==================================
浏览器加载项
[PingSo]
{669695BC-A811-4A9D-8CDF-BA8C795F261C} <C:\WINDOWS\system32\PingBar.dll, N/A>
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\7da1.dll, N/A>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <D:\Program Files\Tencent\QQ.EXE, N/A>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <D:\Program Files\Tencent\QQIEHelper.dll, N/A>
[PingSo]
{669695BC-A811-4A9D-8CDF-BA8C795F261C} <C:\WINDOWS\system32\PingBar.dll, N/A>
[Downloader Class]
{5932517A-3326-4439-A708-1C98EDB5C549} <C:\WINDOWS\System32\iMopDl.dll, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[BoBoControl Class]
{EC0978ED-24E3-403C-AB7A-060E388553E6} <C:\WINDOWS\Downloaded Program Files\CONFLICT.1\BoBo_ActiveX_V3.ocx, 广州易播信息科技有限公司>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <D:\Program Files\Tencent\QQIEHelper.dll, N/A>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[QvcXumpt Class]
{643E11DF-B7BC-CD57-021D-A49E34F9795A} <C:\WINDOWS\DOWNLO~1\zmqrnryi.dll, N/A>
[PingSo]
{669695BC-A811-4A9D-8CDF-BA8C795F261C} <C:\WINDOWS\system32\PingBar.dll, N/A>
[UmhVjytw Class]
{6A76E819-DDFC-8A02-1457-9E380CC5C1CF} <C:\WINDOWS\DOWNLO~1\xuvz.dll, N/A>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder\ComDlls\XunLeiBHO_002.dll, Thunder Networking Technologies,LTD>
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <C:\PROGRA~1\KuGoo2\KUGOO3~1.OCX, N/A>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\7da1.dll, N/A>
[&使用迅雷下载]
<D:\Program Files\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<D:\Program Files\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\SendMMS.htm, N/A>
==================================
正在运行的进程
[PID: 660][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 732][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 756][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 800][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 812][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1004][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1108][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1460][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\qzazyj.dll] [N/A, ]
[C:\WINDOWS\system32\nkfpbe.dll] [N/A, ]
[C:\WINDOWS\system32\idecxc.dll] [N/A, ]
[C:\WINDOWS\system32\hxsehn.dll] [N/A, ]
[D:\Program Files\pdf\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[C:\Program Files\Unlocker\UnlockerCOM.dll] [N/A, ]
[D:\kbsj\ShellEx.dll] [Kaspersky Lab, 6.0.1.377]
[D:\Program Files\WinRAR\rarext.dll] [N/A, ]
[D:\Program Files\AVG\AVG Anti-Spyware 7.5\context.dll] [Anti-Malware Development a.s., 7, 5, 0, 49]
[PID: 1936][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1300][D:\Program Files\Maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 6, 0, 30]
[D:\Program Files\Maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
[D:\Program Files\Thunder\ComDlls\XunLeiBHO_002.dll] [Thunder Networking Technologies,LTD, 5, 0, 0, 2]
[C:\WINDOWS\system32\odbcbcp.dll] [Microsoft Corporation, 2000.085.1117.00 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\Maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
[D:\kbsj\scrchpg.dll] [Kaspersky Lab, 1.0.6.377]
[D:\kbsj\klscav.dll] [Kaspersky Lab, 6.0.1.377]
[D:\kbsj\prremote.dll] [Kaspersky Lab, 6.0.1.377]
[D:\kbsj\prloader.dll] [Kaspersky Lab, 6.0.1.377]
[D:\kbsj\prkernel.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\params.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\pxstub.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\tempfile.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\nfio.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\fsdrvplgn.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\basegui.ppl] [Kaspersky Lab, 6.0.1.377]
[d:\kbsj\winreg.ppl] [Kaspersky Lab, 6.0.1.377]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 456][D:\Program Files\sreng2\sreng2\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
RVA 错误： LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF8136B25)
RVA 错误： LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF8136D67)
RVA 错误： LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF8136F0B)
RVA 错误： LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF8136C49)
RVA 错误： GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0xF8136E8F)
==================================
隐藏进程
N/A
==================================

复制代码

显示全部楼层 · 发表于 2007-5-27 20:35:10

c:\windows\system32\qzazyj.dll
c:\windows\system32\nkfpbe.dll
c:\windows\system32\idecxc.dll
c:\windows\system32\hxsehn.dll
; c:\windows\upxdnd.exe
; c:\docume~1\hdpc\locals~1\temp\iexpl0re.exe
; c:\program files\common files\system\updaterun.exe
; c:\windows\services.exe
; c:\windows\svchost.exe
; c:\windows\rundll32.exe
; c:\windows\uninstall\rundl132.exe
; c:\windows\winlogon.exe
c:\windows\system32\msacn.dll
c:\program files\internet explorer\plugins\system64.sys
c:\program files\internet explorer\infoms.dll
c:\program files\common files\microsoft shared\msinfo\sysinfo.vxd
c:\windows\system32\windowsupdate.exe,
c:\windows\system32\pingbar.dll

2.删除重启后使用SREng修复下面各项：

启动项目－－注册表之如下项删除：
[upxdnd] <; C:\WINDOWS\upxdnd.exe>
[sx8k] <; C:\DOCUME~1\HDPC\LOCALS~1\Temp\iexpl0re.exe>
[System] <; C:\Program Files\Common Files\system\Updaterun.exe>
[nzttlln] <; C:\WINDOWS\SERVICES.EXE>
[nwnslop] <; C:\WINDOWS\SVCHOST.EXE>
[nqwindl] <; C:\WINDOWS\RUNDLL32.exe>
[Load] <; C:\WINDOWS\uninstall\rundl132.exe>
[cmdbcs] <; C:\WINDOWS\WINLOGON.EXE>
[{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}] <C:\WINDOWS\system32\msacn.dll>
[{754FB7D8-B8FE-4810-B363-A788CD060F1F}] <C:\Program Files\Internet Explorer\PLUGINS\System64.sys>
[{DD7D4640-4464-48C0-82FD-21338366D2D2}] <C:\Program Files\Internet Explorer\InfoMs.dll>
[{90BC520C-9175-470E-94B8-10FD869D170B}] <C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd>
注意该项[Userinit]修改[\color]：把<c:\windows\system32\userinit.exe,,C:\WINDOWS\system32\windowsupdate.exe,>修改为<C:\WINDOWS\system32\userinit.exe,>逗号不可省略

删除并且注意最后那个要修改！！

显示全部楼层 · 发表于 2007-5-27 20:47:50

你的浏览器加载项有多项可疑的加载项，务必请清理下。

**************以下分析报告由SREngLog分析助手提供******************

根据SREng扫描日志请按照如下步骤，尝试删除和修复

1.建议使用XDelBox删除以下文件：(XDelBox下载)
使用说明：删除时复制所有要删除文件的路径，在待删除文件列表里点击右键选择从剪贴板导入，导入后在要删除文件上点击右键，选择立刻重启删除，电脑会重启进入DOS界面进行删除操作。运行xdelbox前最好卸载所有可移动存储介质（包括U盘，MP3，手机存储卡等）。

c:\windows\system32\hxsehn.dll
c:\windows\system32\idecxc.dll
c:\windows\system32\nkfpbe.dll
c:\windows\system32\qzazyj.dll
c:\windows\upxdnd.exe
c:\program files\common files\system\updaterun.exe
c:\docume~1\hdpc\locals~1\temp\iexpl0re.exe
c:\windows\services.exe
c:\windows\svchost.exe
c:\windows\rundll32.exe
c:\windows\uninstall\rundl132.exe
c:\windows\winlogon.exe
c:\program files\internet explorer\plugins\system64.sys
c:\program files\internet explorer\infoms.dll
c:\program files\common files\microsoft shared\msinfo\sysinfo.vxd
c:\windows\system32\windowsupdate.exe,
c:\windows\system32\winmide32.dll
c:\progra~1\mfzw\wpjg.dll
c:\windows\system32\drivers\alymad.sys
c:\windows\system32\drivers\wrghmx.sys
c:\windows\system32\drivers\qzazyj.sys
c:\windows\system32\drivers\nkfpbe.sys
c:\windows\system32\drivers\idecxc.sys
c:\windows\system32\drivers\hxsehn.sys
c:\windows\system32\drivers\xinstall.sys

2.删除重启后使用SREng修复下面各项：

启动项目－－注册表之如下项删除：
[upxdnd] <; C:\WINDOWS\upxdnd.exe>
[System] <; C:\Program Files\Common Files\system\Updaterun.exe>
[sx8k] <; C:\DOCUME~1\HDPC\LOCALS~1\Temp\iexpl0re.exe>
[nzttlln] <; C:\WINDOWS\SERVICES.EXE>
[nwnslop] <; C:\WINDOWS\SVCHOST.EXE>
[nqwindl] <; C:\WINDOWS\RUNDLL32.exe>
[Load] <; C:\WINDOWS\uninstall\rundl132.exe>
[cmdbcs] <; C:\WINDOWS\WINLOGON.EXE>
[{754FB7D8-B8FE-4810-B363-A788CD060F1F}] <C:\Program Files\Internet Explorer\PLUGINS\System64.sys>
[{DD7D4640-4464-48C0-82FD-21338366D2D2}] <C:\Program Files\Internet Explorer\InfoMs.dll>
[{90BC520C-9175-470E-94B8-10FD869D170B}] <C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd>
注意该项[Userinit]修改：把<c:\windows\system32\userinit.exe,,C:\WINDOWS\system32\windowsupdate.exe,>修改为<C:\WINDOWS\system32\userinit.exe,>逗号不可省略

启动项目－－服务－－ Win32服务应用程序之如下项删除：
[Management Instrumentation Driver Extensions / 6to4] <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\winmide32.dll>
[Windows rkeb RunThem / rkeb] <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\mfzw\wpjg.dll>

启动项目－－服务－－驱动程序之如下项删除：
[alymad / alymad] <\SystemRoot\system32\drivers\alymad.sys>
[wrghmx / wrghmx] <\SystemRoot\system32\drivers\wrghmx.sys>
[qzazy / qzazyj] <\SystemRoot\System32\DRIVERS\qzazyj.sys>
[nkfpb / nkfpbe] <\SystemRoot\System32\DRIVERS\nkfpbe.sys>
[idecx / idecxc] <\SystemRoot\System32\DRIVERS\idecxc.sys>
[hxseh / hxsehn] <\SystemRoot\System32\DRIVERS\hxsehn.sys>
[xinstall / xinstall] <\??\C:\WINDOWS\System32\drivers\xinstall.sys>

3.下载windows清理助手清理恶意软件
http://www.arswp.com/download/arswp/arswp.rar

**************以上分析报告由SREngLog分析助手提供******************
分析：shuipao
时间：2007-5-27
SREngLog分析助手 1.2 (20070420 更新 BY 草莽书生)

显示全部楼层 · 发表于 2007-5-27 20:51:17

c:\windows\system32\qzazyj.dll
c:\windows\system32\nkfpbe.dll
c:\windows\system32\idecxc.dll
c:\windows\system32\hxsehn.dll
这几个删不掉...后面的有用吗...

显示全部楼层 · 发表于 2007-5-27 20:55:38

用360那个文件粉碎工具！不行就冰刃
还有最好在安全模式删除！！

显示全部楼层 · 发表于 2007-5-27 21:40:40

最后是用冰刃把他们给删了....
在这谢谢俩位的热心帮助..

显示全部楼层 · 发表于 2007-5-28 10:50:34

冰刃是王道啊！！

显示全部楼层 · 发表于 2007-5-28 11:05:57

我跟你一样中过
根本么他们说的那么麻烦
因为这个木马和一个程序绑定在一起
那个程序好象事不能禁止的
就算安全模式也不可以的
你去下载个UNLOCK这个软件才几K
然后找到他们说木马的这个文件
运行我说的软件
直接删除
然后把你的注册表用超级兔子清理一边
重新启动
就没了
就这么简单
不明白可以加我

[已解决] 这几个文件是干什么的??

本帖子中包含更多资源