今天不曉得中什麼毒 www.google.com/search 全都變成百度
用 firefox gmail 無法連接登入(IE可以)
www.google.com 可上，但托曳搜尋會變成百度搜尋結果
毒殺完，問題還沒解決，而最後發現hosts被修改過
但 \system32\drivers\etc\hosts 刪完後連上網又被修改回

hosts 檔案如下
**************************************
127.0.0.1 localhost
61.152.244.167 search.114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
222.73.126.115 dnl-cn2.kaspersky-labs.com
222.73.126.115 dnl-cn3.kaspersky-labs.com
222.73.126.115 dnl-cn4.kaspersky-labs.com
222.73.126.115 dnl-cn5.kaspersky-labs.com
222.73.126.115 dnl-cn6.kaspersky-labs.com
222.73.126.115 dnl-cn7.kaspersky-labs.com
222.73.126.115 dnl-cn8.kaspersky-labs.com
222.73.126.115 dnl-cn9.kaspersky-labs.com
222.73.126.115 dnl-cn10.kaspersky-labs.com
222.73.126.115 dnl-cn11.kaspersky-labs.com
222.73.126.115 dnl-cn12.kaspersky-labs.com
222.73.126.115 dnl-cn13.kaspersky-labs.com
222.73.126.115 dnl-cn14.kaspersky-labs.com
222.73.126.115 dnl-cn15.kaspersky-labs.com
222.73.126.115 dnl-eu1.kaspersky-labs.com
222.73.126.115 dnl-eu2.kaspersky-labs.com
222.73.126.115 dnl-eu3.kaspersky-labs.com
222.73.126.115 dnl-eu4.kaspersky-labs.com
222.73.126.115 dnl-eu5.kaspersky-labs.com
222.73.126.115 dnl-eu6.kaspersky-labs.com
222.73.126.115 dnl-eu7.kaspersky-labs.com
222.73.126.115 dnl-eu8.kaspersky-labs.com
222.73.126.115 dnl-eu9.kaspersky-labs.com
222.73.126.115 dnl-eu10.kaspersky-labs.com
222.73.126.115 dnl-eu11.kaspersky-labs.com
222.73.126.115 dnl-eu12.kaspersky-labs.com
222.73.126.115 dnl-eu13.kaspersky-labs.com
222.73.126.115 dnl-eu14.kaspersky-labs.com
222.73.126.115 dnl-eu15.kaspersky-labs.com
222.73.126.115 dnl-us1.kaspersky-labs.com
222.73.126.115 dnl-us2.kaspersky-labs.com
222.73.126.115 dnl-us3.kaspersky-labs.com
222.73.126.115 dnl-us4.kaspersky-labs.com
222.73.126.115 dnl-us5.kaspersky-labs.com
222.73.126.115 dnl-us6.kaspersky-labs.com
222.73.126.115 dnl-us7.kaspersky-labs.com
222.73.126.115 dnl-us8.kaspersky-labs.com
222.73.126.115 dnl-us9.kaspersky-labs.com
222.73.126.115 dnl-us10.kaspersky-labs.com
222.73.126.115 dnl-us11.kaspersky-labs.com
222.73.126.115 dnl-us12.kaspersky-labs.com
222.73.126.115 dnl-us13.kaspersky-labs.com
222.73.126.115 dnl-us14.kaspersky-labs.com
222.73.126.115 dnl-us15.kaspersky-labs.com
222.73.126.115 dnl-ru1.kaspersky-labs.com
222.73.126.115 dnl-ru2.kaspersky-labs.com
222.73.126.115 dnl-ru3.kaspersky-labs.com
222.73.126.115 dnl-ru4.kaspersky-labs.com
222.73.126.115 dnl-ru5.kaspersky-labs.com
222.73.126.115 dnl-ru6.kaspersky-labs.com
222.73.126.115 dnl-ru7.kaspersky-labs.com
222.73.126.115 dnl-ru8.kaspersky-labs.com
222.73.126.115 dnl-ru9.kaspersky-labs.com
222.73.126.115 dnl-ru10.kaspersky-labs.com
222.73.126.115 dnl-ru11.kaspersky-labs.com
222.73.126.115 dnl-ru12.kaspersky-labs.com
222.73.126.115 dnl-ru13.kaspersky-labs.com
222.73.126.115 dnl-ru14.kaspersky-labs.com
222.73.126.115 dnl-ru15.kaspersky-labs.com
222.73.126.115 dnl-jp1.kaspersky-labs.com
222.73.126.115 dnl-jp2.kaspersky-labs.com
222.73.126.115 dnl-jp3.kaspersky-labs.com
222.73.126.115 dnl-jp4.kaspersky-labs.com
222.73.126.115 dnl-jp5.kaspersky-labs.com
222.73.126.115 dnl-jp6.kaspersky-labs.com
222.73.126.115 dnl-jp7.kaspersky-labs.com
222.73.126.115 dnl-jp8.kaspersky-labs.com
222.73.126.115 dnl-jp9.kaspersky-labs.com
222.73.126.115 dnl-jp10.kaspersky-labs.com
222.73.126.115 dnl-jp11.kaspersky-labs.com
222.73.126.115 dnl-jp12.kaspersky-labs.com
222.73.126.115 dnl-jp13.kaspersky-labs.com
222.73.126.115 dnl-jp14.kaspersky-labs.com
222.73.126.115 dnl-jp15.kaspersky-labs.com
222.73.126.115 dnl-kr1.kaspersky-labs.com
222.73.126.115 dnl-kr2.kaspersky-labs.com
222.73.126.115 dnl-kr3.kaspersky-labs.com
222.73.126.115 dnl-kr4.kaspersky-labs.com
222.73.126.115 dnl-kr5.kaspersky-labs.com
222.73.126.115 dnl-kr6.kaspersky-labs.com
222.73.126.115 dnl-kr7.kaspersky-labs.com
222.73.126.115 dnl-kr8.kaspersky-labs.com
222.73.126.115 dnl-kr9.kaspersky-labs.com
222.73.126.115 dnl-kr10.kaspersky-labs.com
222.73.126.115 dnl-kr11.kaspersky-labs.com
222.73.126.115 dnl-kr12.kaspersky-labs.com
222.73.126.115 dnl-kr13.kaspersky-labs.com
222.73.126.115 dnl-kr14.kaspersky-labs.com
222.73.126.115 dnl-kr15.kaspersky-labs.com
222.73.126.115 dnl-cd1.kaspersky-labs.com
222.73.126.115 dnl-cd2.kaspersky-labs.com
222.73.126.115 dnl-cd3.kaspersky-labs.com
222.73.126.115 dnl-cd4.kaspersky-labs.com
222.73.126.115 dnl-cd5.kaspersky-labs.com
222.73.126.115 dnl-cd6.kaspersky-labs.com
222.73.126.115 dnl-cd7.kaspersky-labs.com
222.73.126.115 dnl-cd8.kaspersky-labs.com
222.73.126.115 dnl-cd9.kaspersky-labs.com
222.73.126.115 dnl-cd10.kaspersky-labs.com
222.73.126.115 dnl-cd11.kaspersky-labs.com
222.73.126.115 dnl-cd12.kaspersky-labs.com
222.73.126.115 dnl-cd13.kaspersky-labs.com
222.73.126.115 dnl-cd14.kaspersky-labs.com
222.73.126.115 dnl-cd15.kaspersky-labs.com
61.152.244.167 ishare.sina.com.cn
61.152.244.167 search.cn.yahoo.com
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 www.iask.com
61.152.244.167 iask.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
**************************************

會找 hosts 的話，如果要你處理 msconfig 的話，我想應該也沒問題吧。

看你應該是用 WinXP 的，那在「開始 → 執行」，打「 msconfig 」，找最右邊那一頁「啟動」，裡面的東西，除了防毒、防火牆軟體以外，全都取消勾選看看。（可以的話，先拍張照下來。）

然後把 hosts 刪掉，重開機看看還有沒有問題。（當然了，你有使用系統還原的話，要關掉才不會重建回去。）

如果還是有問題，你可能要重開機，在 Windows 商標出來前，按按 F8 鍵，進安全模式，手動啟動防毒軟體掃一掃了。（從 hosts 上看來， AntiVir 並沒有被改掉，也許找 AntiVir 來掃也不錯。）

如果防毒軟體沒用，可以試試 Spybot 或 Ad aware 。

到這裡還是處理不了，我個人是建議直接格式化重灌，因為中毒（雖然這不是病毒的樣子）太重要治好很麻煩。

_________________
【Firefox 有問題請先看這裡】
回覆文章的建議
萬用自我檢測除錯大法 for Firefox
完全備份大法 for Firefox
重建 Firefox 的設定
乾淨升級 Firefox
（本帳號停用中）

防毒軟體試過Avira AntiVir，Kaspersky
Spy Sweeper等等試了都沒用
再弄看看不行的話，只好...

我不知道你怎麼處理的，不過現在廣為流傳的惡意程式，也是要作業系統啟動後才會作用的，你應該先想辦法關掉惡意程式不讓它繼續更新，或是在安全模式下掃看看。（不過這八成要用中國大陸出的防毒軟體掃吧）

我認為你處理這麼多天還是一樣的話，還是備份一下重要文件，重灌比較快一點。可以的話，也加裝個軟體防火牆。

另外雖然把 hosts 裡的那些 ip 數字，拿去搜尋，也可以得到有用情報（全是簡中的），不過你現在應該也沒辦法搜尋吧……

_________________
【Firefox 有問題請先看這裡】
回覆文章的建議
萬用自我檢測除錯大法 for Firefox
完全備份大法 for Firefox
重建 Firefox 的設定
乾淨升級 Firefox
（本帳號停用中）

AutoRun, SysAuto.exe, kvmxbis.exe, ravcqmon.exe, ravsons.exe 病毒

"C:\WINNT\system32\Regsvr32.exe" /s "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\scrchpg.dll"
運行病毒以後
瑞星關了，下載了一些木馬

日誌不正常項目如下：

啟動項目
註冊表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\may\LOCALS~1\Temp\ravsons.exe> []
<ravcqmon><C:\Program Files\NetMeeting\ravcqmon.exe> []
<ravmsmon><C:\Program Files\NetMeeting\ravmsmon.exe> []
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> []
<ravqjmon><C:\Program Files\NetMeeting\ravqjmon.exe> []
<MsIMMs32><C:\WINDOWS\MsIMMs32.exe> []
<ravzxmon><C:\Program Files\NetMeeting\ravzxmon.exe> []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><rsmyapm.dll> []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellE xecuteHooks]
<{90BC520C-9175-470E-94B8-10FD869D170B}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.yer> []
<{1E32FA58-3453-FA2D-BC49-F340348ACCE1}><C:\WINDOWS\system32\rsmyapm.dll> []
<{40117B96-998D-4D80-8F89-5E9DBD9F3460}><C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys> []
<{134345F1-DACF-3452-CB7D-4620F34A1531}><C:\WINDOWS\system32\rsztapm.dll> []
<{B12BC423-3713-224D-3F55-32B35C62B11B}><C:\WINDOWS\system32\tlvpri.dll> []
<{959AFD5B-159F-ACD8-954C-ACD545FA6589}><C:\WINDOWS\system32\jzipri.dll> []

進程：
[C:\WINDOWS\system32\DbgHlp32.dll] [N/A, ]
[C:\WINDOWS\system32\tlvpri.dll] [N/A, ]
[C:\WINDOWS\system32\rsmyapm.dll] [N/A, ]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A, ]
[C:\WINDOWS\system32\rsztapm.dll] [N/A, ]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A, ]
[C:\WINDOWS\system32\jzipri.dll] [N/A, ]
[C:\Program Files\NetMeeting\ravzxmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravqjmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravmsmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravcqmon.dat] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys] [N/A, ]

Autorun.inf
[D:\]
[AutoRun]
open=SysAuto.exe
shellexecute=SysAuto.exe
shell\打開(&O)\command=SysAuto.exe
[E:\]
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\打開(&O)\command=AutoRun.exe


處理方法：
[C:\WINDOWS\system32\DbgHlp32.dll] [N/A, ]
[C:\WINDOWS\system32\tlvpri.dll] [N/A, ]
[C:\WINDOWS\system32\rsmyapm.dll] [N/A, ]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A, ]
[C:\WINDOWS\system32\rsztapm.dll] [N/A, ]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A, ]
[C:\WINDOWS\system32\jzipri.dll] [N/A, ]
[C:\Program Files\NetMeeting\ravzxmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravqjmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravmsmon.dat] [N/A, ]
[C:\Program Files\NetMeeting\ravcqmon.dat] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys]
除了這些需要改名重起刪除

其他就是正常的刪除，再清除註冊表就行了
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><rsmyapm.dll> []
這個重起後清空


AUTOEXEC.BAT
del "C:\DOCUME~1\Usersxxx\LOCALS~1\Temp\*.*"
del "C:\DOCUME~1\Usersxxx\LOCALS~1\Temp\Tempor~1\*.*"
del "C:\WINDOWS\system32\DbgHlp32.dll"
del "C:\WINDOWS\system32\tlvpri.dll"
del "C:\WINDOWS\system32\rsmyapm.dll"
del "C:\WINDOWS\system32\MsIMMs32.dll"
del "C:\WINDOWS\system32\rsztapm.dll"
del "C:\WINDOWS\system32\MsIMMs32.dll"
del "C:\WINDOWS\system32\jzipri.dll"
del "C:\WINNT\system32\DbgHlp32.dll"
del "C:\WINNT\system32\tlvpri.dll"
del "C:\WINNT\system32\rsmyapm.dll"
del "C:\WINNT\system32\MsIMMs32.dll"
del "C:\WINNT\system32\rsztapm.dll"
del "C:\WINNT\system32\MsIMMs32.dll"
del "C:\WINNT\system32\jzipri.dll"
del "C:\Progra~1\NetMee~1\ravzxmon.dat"
del "C:\Progra~1\NetMee~1\ravqjmon.dat"
del "C:\Progra~1\NetMee~1\ravmsmon.dat"
del "C:\Progra~1\NetMee~1\ravcqmon.dat"
del "C:\Progra~1\Intern~1\PLUGINS\SysWin64.Sys"

病毒來源：某網友提供；自己虛擬機裡木馬下載器也曾下載到，最近的求救已經呈現逐漸增多趨勢
詳細分析：
File: 1.1
Size: 43543 bytes
MD5: 9139FD02F496B0F8205E13F55D6814A0
SHA1: 2F1DE9E0B851FDB9B7FC8EA368B7A87B38A13E4C
CRC32: F564476E
1.1是個dll 用rundll32.exe加載後
生成如下文件
C:\WINDOWS\system32\1.1
C:\WINDOWS\system32\718.50（隨機文件名）
病毒採用獨佔技術 無法刪除 複製或者重命名
刪除鍵
HKLM\SYSTEM\ControlSet001\Control\SafeBoot 破壞安全模式
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下面 添加
鍵值C:\WINDOWS\system32\rundll32.exe 1.1 s
達到開機啟動的目的
在
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System下面添加
鍵值項Disabecmd 數據為0x00000001 屏蔽cmd
監控如下進程或者阻止如下dll加載，如果發現立即結束並將其刪除
mmskskin.dll
kkclean.dll
VirUnk.def
AntiActi.dll
Rsaupd.exe
Iereset.dll
Libclsid.dat
KnetWch.sys
CleanHis.dll
WoptiClean.sys
kakaliv.def
libdll.dat
kkinst.ini
Ras.exe
ishelp.exe
trojandetector.exe
KAConfig.dll
KAVPassp.dll
hsfw.dll
wopticlean.exe
360safe.exe
並且通過監控子窗口查找如下字符，如果找到則將其進程結束並刪除文件
Smallfrogs
Kingsoft
Antivirus
Antispyware
TrojanDetector
Micropoint
後來研究發現文件並未被完全刪除而是被移到了%temp%文件夾下 並且命名為_*.TMP
*代表數字


修改hosts文件屏蔽常見殺毒軟件的升級
61.152.244.167 114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
...(卡巴斯基升級網站幾乎都被屏蔽）
61.152.244.167 ishare.sina.com.cn
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 www.iask.com
61.152.244.167 iask.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
61.152.244.167 m2126.com
連接網絡下載木馬
並生成如下文件
C:\WINDOWS\system32\VOHATM.dll
C:\WINDOWS\system32\56789a.lmn
C:\WINDOWS\system32\hijklmn.123

解決方法：
1.使用Icesword（冰刃）找到C:\WINDOWS\system32\1.1
C:\WINDOWS\system32\718.50（隨機文件名）
文件
右鍵 強制刪除

2.打開sreng
啟動項目 註冊表 刪除如下項目
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{B852FC96-B852-30DA-1EB8-FC9630DA741E}> []
重啟計算機 刪除
C:\WINDOWS\system32\VOHATM.dll
C:\WINDOWS\system32\56789a.lmn
C:\WINDOWS\system32\hijklmn.123

3.開始 運行 輸入regedit 展開
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
將Disabecmd 的鍵值項刪除

該病毒是一個惡性的類似AV終結者的病毒 由於他常由一些木馬下載器下載，下載後他主要執行破壞計算機安全軟件的作用，之後其他一些木馬和病毒會紛至踏來，所以及時升級殺毒軟件和防火牆，hotfix，提防此類病毒的入侵

不過我殺的病毒和以上的AV終結者病毒不太一樣
有抓中國的 廣告/間諜程式移除程式
"windows清理助手清理惡意軟體"
目前暫時用 NetLimiter 禁止explorer,防止連線hosts被偷改

但問題還是在...
安全模式無法進入
命令提示字元被禁止(Disabecmd) 改了又被改回來。
真他xx的難搞...