wuaucll.exe,logsony.exe,pmnnlmn.dll,ojcjoctc.dll等熊猫烧香遗

发布时间：2012-04-15 01:19:44作者：知识屋

一、问题的提出：http://hi.baidu.com/aisibo/blog(日志)

二、分析

1. 杀毒前关闭系统还原(Win2000系统可以忽略）：右键我的电脑，属性，系统还原，在所有驱动器上关闭系统还原打勾即可。
清除IE的临时文件：打开IE 点工具-->Internet选项 : Internet临时文件，点“删除文件”按钮，将删除所有脱机内容打勾，点确定删除。

2.用强制删除工具 PowerRMV 下载地址: http://post.baidu.com/f?kz=158203765
分别填入下面的文件（包括完整的路径），勾选“抑止杀灭对象再次生成”，点杀灭【有找不到提示的请忽略错误继续】

C:WINDOWSsystem32internet.exe
c:program filesrisingantispywareojcjoctc.dll
C:Program FilesInternet ExplorerPLUGINSSystemKb.sys
C:Program FilesInternet ExplorerIEXPLORE.Sys
C:Program FilesInternet ExplorerIEXPLORE.Dat
C:Program FilesInternet ExplorerIEXPLORE.win
C:WINDOWSSystem32Fast.exe
C:WINDOWSsystem32spoolvc.exe
C:WINDOWSSYSTEM32WBEMSMTPCONFS.DLL
C:WINDOWSsystem32ntfscrypt.exe
C:WINDOWSSystem32Rpcs.exe
C:WINDOWSSystem32Rpcsi.exe
C:WINDOWSSystem32Rpcsk.exe
C:WINDOWSSystem32Rpcsp.exe
C:WINDOWSSystem32Rpcsu.exe
C:WINDOWSSystem32Rpcsx.exe
C:WINDOWSSystem32windds32.dll
C:WINDOWSSystem32windhcp.ocx
C:WINDOWSSystem32wmids.exe
C:WINDOWSpmnnlmn.dll
C:WINDOWSSystem32ssqrp.dll
C:WINDOWSwuaucll.exe
C:WINDOWSSystem32NTDLL32.dll
C:WINDOWSiexpl0re.exe
C:WINDOWSwinlog0n.exe
C:WINDOWSsystem.exe
C:WINDOWSSystem32hrgecouc.dll
C:Progra~1Esetrund1132.exe
C:DOCUME~1NIGHTM~1LOCALS~1Templogsony.exe
C:WINDOWSSystem32nqqup.dll
C:WINDOWSsynu.exe
C:DOCUME~1NIGHTM~1LOCALS~1Tempsyre.exe
C:WINDOWSSystem32ldhync.exe
C:DOCUME~1NIGHTM~1LOCALS~1Tempupx1.exe
C:DOCUME~1NIGHTM~1LOCALS~1Temp1.exe
C:WINDOWSwsttrs.exe
C:WINDOWSalga.exe
C:WINDOWSzaq5.exe
C:WINDOWSzaq3.exe
C:WINDOWSzaq4.exe
C:WINDOWSzaq10.exe
C:WINDOWSmppds.exe
C:WINDOWSzaq2.exe
C:WINDOWSsye.exe
C:Program FilesCommon FilesSystemUpdaterun.exe
C:WINDOWSG_Server2006.exe
C:WINDOWSG_Server2006.dll
C:WINDOWSG_Server2006key.dll
C:WINDOWSG_Server2006_hook.dll
C:WINDOWSG_Server2006.log

重启计算机然后再进入安全模式执行如下的操作
--------------------------------------------------------------
以下的操作都要求安全模式下进行。
[安全模式？重启电脑时按住F8 选择进入安全模式]
--------------------------------------------------------------
3. 用工具 SREng 删除如下各项
下载及其使用方法看下面的链接【有图解】，看懂再下手操作！
SREng常用操作说明（2.0 RC2）www.45it.com/Article/pcedu/soft/200608/10405.htm
【如下操作有风险，必须看懂上面的方法再操作。】
【打开SREng后提醒“函数的内容与预期值不符他们可能被一些恶意的软件所修改”的错误请忽略，装杀软后的正常修改。】
==================================
启动项目 -->注册表的如下项删除
    <0x6j7k6fuqze><; C:WINDOWSiexpl0re.exe>  [N/A]
    <2d><; C:WINDOWSiexpl0re.exe>  [N/A]
    <3jds14ibg4td6h><; C:WINDOWSwinlog0n.exe>  [N/A]
    <757vbfseudrtzf><; C:WINDOWSsystem.exe>  [N/A]
    <8g018wxczd3><; C:WINDOWSiexpl0re.exe>  [N/A]
    <8ium8t39igx6><; C:WINDOWSwinlog0n.exe>  [N/A]
    <937lezs2qc7mx><; C:WINDOWSiexpl0re.exe>  [N/A]
    <gutje980sxs3cj8><; C:WINDOWSsystem.exe>  [N/A]
    <i1qwgyy3fwv3h><; C:WINDOWSwinlog0n.exe>  [N/A]
    <j8182rq1y><; C:WINDOWSwinlog0n.exe>  [N/A]
    <mf><; C:WINDOWSwinlog0n.exe>  [N/A]
    <qf9dchz4dege><; C:WINDOWSsystem.exe>  [N/A]
    <ravtask><; C:Progra~1Esetrund1132.exe>  [N/A]
    <svc><; C:DOCUME~1NIGHTM~1LOCALS~1Templogsony.exe>  [N/A]
    <SymhMy><; C:WINDOWSSystem32iexpl0re.exe>  [N/A]
    <ul7vhxcmv2><; C:WINDOWSsystem.exe>  [N/A]
    <vdeq89lte><; C:WINDOWSsystem.exe>  [N/A]
    <xswq><; C:WINDOWSsystem.exe>  [N/A]
    <y4w><; C:WINDOWSiexpl0re.exe>  [N/A]
    <yg><; C:WINDOWSiexpl0re.exe>  [N/A]
    <z4ij03biy7l><; C:WINDOWSwinlog0n.exe>  [N/A]
    <Internet><"C:WINDOWSsystem32internet.exe">  [Microsoft Corporation]
    <5zxl><; C:WINDOWSalga.exe>  [N/A]
    <91cast><; >  [N/A]
    <CdnCtr><; C:Program FilesCNNICCdncdnup.exe>  [CNNIC]
    <cmdbcs><; C:WINDOWSzaq10.exe>  [N/A]
    <d10yvzicsu1><; C:WINDOWSwinlog0n.exe>  [N/A]
    <dew><; C:WINDOWSnewzt.exe>  [N/A]
    <DllRunning><; rundll32.exe "C:WINDOWSSystem32hrgecouc.dll",setvm>  [N/A]
    <Fast><; fast.exe>  [Microsoft Corporation]
    <load><; C:WINDOWSuninstallrundl132.exe>  [N/A]
    <m01bwk><; C:WINDOWSiexp1ore.exe>  [N/A]
    <mppds><; C:WINDOWSmppds.exe>  [N/A]
    <msccr><; C:WINDOWSzaq2.exe>  [N/A]
    <msci><; C:WINDOWSzaq2.exe>  [N/A]
    <msvcc25><; svcchost.exe>  [N/A]
    <NOPNewHelp><; C:WINDOWSzaq5.exe>  [N/A]
    <Speek><; C:WINDOWSzaq5.exe>  [N/A]
    <sye><; C:WINDOWSsye.exe>  [N/A]
    <synu><; C:WINDOWSsynu.exe>  [N/A]
    <syre><; C:DOCUME~1NIGHTM~1LOCALS~1Tempsyre.exe>  [N/A]
    <System><; C:Program FilesCommon FilesSystemUpdaterun.exe>  [N/A]
    <SYSTEMS><; C:Program FilesCommon Filesrundll32.exe>  [N/A]
    <taskswitch><; taskswitch.exe>  [N/A]
    <upsy><; C:DOCUME~1NIGHTM~1LOCALS~1Temp1.exe>  [N/A]
    <upx1><; C:DOCUME~1NIGHTM~1LOCALS~1Tempupx1.exe>  [N/A]
    <verbvf><; C:WINDOWSSystem32ldhync.exe>  [N/A]
    <wsttrs><; C:WINDOWSwsttrs.exe>  [N/A]
    <wsvbs><; C:WINDOWSzaq4.exe>  [N/A]
    <{1A404685-7563-4d02-B0F6-58B308A406A9}><c:program filesrisingantispywareojcjoctc.dll>  [N/A]
    <{2D49692C-A5FD-4E29-A3CD-37E9B182FCC6}><C:Program FilesInternet ExplorerPLUGINSSystemKb.sys>  [N/A]
    <{99F1D023-7CEB-4586-80F7-BB1A98DB7602}><C:Program FilesInternet ExplorerIEXPLORE.Sys>  [N/A]
    <{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}><C:Program FilesInternet ExplorerIEXPLORE.Dat>  [N/A]
    <{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}><C:Program FilesInternet ExplorerIEXPLORE.win>  [N/A]
    <{481E7983-1F2B-4250-951A-44E0902DF978}><C:WINDOWSSystem32pmnnlmn.dll>  [N/A]
    <WinlogonNotify: pmnnlmn><pmnnlmn.dll>  [N/A]
    <WinlogonNotify: ssqrp><C:WINDOWSSystem32ssqrp.dll>  [N/A]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon]
<shell><Explorer.exe wuaucll.exe> [N/A]
修改为默认
<shell><Explorer.exe>

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows]
<AppInit_DLLs><C:WINDOWSSystem32NTDLL32.dll> [Microsoft Corporation]
修改为默认
<AppInit_DLLs><>

=================================
启动项目 -->服务-->Win32服务应用程序的如下项删除

[760BE840 / 760BE840][Stopped/Auto Start]
  <C:WINDOWSSystem32760BE840.EXE -service><N/A>
[906DE2BC / 906DE2BC][Stopped/Auto Start]
  <C:WINDOWSSystem32906DE2BC.EXE -service><N/A>
[95E990D8 / 95E990D8][Stopped/Auto Start]
  <C:WINDOWSSystem3295E990D8.EXE -service><N/A>
[System Distribution Controller / distribcontrol][Stopped/Auto Start]
  <"C:WINDOWSsystem32disctrl.exe"><N/A>
[E982C258 / E982C258][Stopped/Auto Start]
  <C:WINDOWSSystem32E982C258.EXE -service><N/A>
[Indexing Manager / Framework][Running/Auto Start]
  <C:WINDOWSSystem32svchost.exe -k netsvcs-->C:WINDOWSSystem32nqqup.dll><Microsoft Corporation>
[GrayPigeonServer / GrayPigeonServer][Stopped/Auto Start]
  <C:WINDOWSG_Server2006.exe><N/A>

[Internet Connection Manager / Internet Connection Manager][Stopped/Auto Start]
  <"C:WINDOWSSystem32internet.exe"><Microsoft Corporation>
[Local Debug Manager / Local Debug Manager][Stopped/Auto Start]
  <"C:WINDOWSsystem32spoolvc.exe"><N/A>
[Fast / NewServiceInstall1][Stopped/Auto Start]
  <C:WINDOWSSystem32Fast.exe><Microsoft Corporation>

[Intranet Messenger / NHLscA][Stopped/Auto Start]
<C:WINDOWSSYSTEM32RUNDLL32.EXE C:WINDOWSSYSTEM32WBEMSMTPCONFS.DLL,Export 1087><N/A>
[NTFS Crypto Technology / NTFSCrypt][Stopped/Auto Start]
<"C:WINDOWSsystem32ntfscrypt.exe"><N/A>

[Remote Managements Instrumenta / Remss_Ser][Stopped/Auto Start]
  <><N/A>
[Remote Procedure Call System(RPCS) / RpcS][Running/Auto Start]
  <C:WINDOWSSystem32Rpcs.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSI) / RpcSI][Running/Auto Start]
  <C:WINDOWSSystem32Rpcsi.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSk) / RpcSk][Running/Auto Start]
  <C:WINDOWSSystem32Rpcsk.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSP) / RpcSP][Running/Auto Start]
  <C:WINDOWSSystem32Rpcsp.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSU) / RpcSu][Stopped/Auto Start]
  <C:WINDOWSSystem32Rpcsu.exe><Microsoft Corporation>
[Remote Procedure Call System(RPCSx) / RpcSx][Running/Auto Start]
  <C:WINDOWSSystem32Rpcsx.exe><Microsoft Corporation>
[Win32 Display Driver / Win32DDS][Stopped/Auto Start]
  <C:WINDOWSSystem32rundll32.exe windds32.dll,input><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
  <C:WINDOWSSystem32rundll32.exe windhcp.ocx,input><Microsoft Corporation>
[Windows Management Instrumentation Driver System。 / WMIDS][Stopped/Auto Start]
  <C:WINDOWSSystem32wmids.exe><Microsoft Corporation>