AVG查出并删除Downloader.Agent.clq这个木马病毒,但再上网后又能查出,请教如何才能撤底删除?谢谢
---------------------------------------------------------
AVG Anti-Spyware - 扫描报告
---------------------------------------------------------

+ 创建时间:        17:18:32 2008-9-12

+ 扫描结果:       



C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\I9CB61I5\stat[1].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).


::报告结束

[ 本帖最后由 大拇哥 于 2008-9-16 08:16 编辑 ]

扫描日志,如下:

日志文件 Trend Micro HijackThis v 2.0.2
日志保存时间: 12:55:08,2008-9-13
操作系统: Windows XP SP2 (WinNT 5.01.2600)
IE版本: Internet Explorer v7.00 (7.00.6000.16705)
启动模式: 正常

正在运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
c:\program files\rising\rfw\rfwproxy.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\rfwstub.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\360safe\safemon\360Tray.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\北京城市热点资讯有限公司\Dr.COM 宽带客户端\ishare_user.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MS\My Documents\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: TuoTuHelper.LDown - {0BECAB3A-E1F8-45E6-8332-38DD750EBA01} - D:\fengchi\TuoTuHelper_v8.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360safe\safemon\safemon.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" /minimized
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Tuotu] D:\fengchi\Tuotu.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - 扩展右键菜单项: 使用脱兔下载 - D:\fengchi\TT_one.htm
O8 - 扩展右键菜单项: 使用脱兔下载全部链接 - D:\fengchi\TT_all.htm
O9 - 额外的按钮: (未命名) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - 额外的“工具”菜单项目: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - 额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 额外的“工具”菜单项目: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O23 - NT 服务:   AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - NT 服务:   Rising Proxy  Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - NT 服务:   Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务:   Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务:   Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
文件结束 - 4960 字节

先卸载脱兔，修复以下红色的部分，再用windows清理助手扫描一次。

O2 - BHO: TuoTuHelper.LDown - {0BECAB3A-E1F8-45E6-8332-38DD750EBA01} - D:\fengchi\TuoTuHelper_v8.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360safe\safemon\safemon.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" /minimized
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Tuotu] D:\fengchi\Tuotu.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - 扩展右键菜单项: 使用脱兔下载 - D:\fengchi\TT_one.htm
O8 - 扩展右键菜单项: 使用脱兔下载全部链接 - D:\fengchi\TT_all.htm
O9 - 额外的按钮: (未命名) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - 额外的“工具”菜单项目: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - 额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 额外的“工具”菜单项目: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O23 - NT 服务:   AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - NT 服务:   Rising Proxy  Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - NT 服务:   Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务:   Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务:   Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

谢谢阿顺版主的指点,以按您的指点做了一便,还是有问题,该木马病毒还在出现.我把2次扫描
贴上您再给看看,十分感谢.
日志文件 Trend Micro HijackThis v 2.0.2
日志保存时间: 23:12:31,2008-9-13
操作系统: Windows XP SP2 (WinNT 5.01.2600)
IE版本: Internet Explorer v7.00 (7.00.6000.16705)
启动模式: 正常

正在运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
c:\program files\rising\rfw\rfwproxy.exe
c:\program files\rising\rfw\rfwstub.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\360safe\safemon\360Tray.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\北京城市热点资讯有限公司\Dr.COM 宽带客户端\ishare_user.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\MS\My Documents\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - 额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 额外的“工具”菜单项目: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - NT 服务:   AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - NT 服务:   Rising Proxy  Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - NT 服务:   Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务:   Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务:   Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
文件结束 - 2673 字节

单从日志看已经没有问题了。用windows清理助手扫描一次看看。

windows清理助手下载地址：
http://www.xdowns.com/soft/6/12/2007/Soft_37062.html

还是不行呀!!这可恶的病毒真难办!!!.目前电脑未见异常,可是很担心呀!!
AVG Anti-Spyware - 扫描报告
---------------------------------------------------------

+ 创建时间:        9:55:07 2008-9-14

+ 扫描结果:       



C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\17CZH7YI\c[1].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).
C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\6EZB22GW\stat[5].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).
C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\6EZB22GW\stat[7].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).
C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\AYY9ZE1E\stat[3].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).
C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\AYY9ZE1E\stat[4].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).
C:\Documents and Settings\MS\Local Settings\Temporary Internet Files\Content.IE5\QI7XLP27\stat[5].htm -> Downloader.Agent.clq : 已清除并备份(已隔离).


::报告结束

[ 本帖最后由 大拇哥 于 2008-9-14 15:04 编辑 ]

清空IE缓存和临时文件再看。

谢谢阿顺版主!!祝您中秋节快乐!这个问题搞的我头痛,我以用清理助手清了三遍,都没有问题,可是一登录M等论坛(登咱论坛没事),就能查出很多木马病毒,真是怪了?!我现在登录一个网站就用AVG查一遍,逐个排查!可这也不是事呀!!看来须重装系统了.再次感谢您的指导.

[ 本帖最后由 大拇哥 于 2008-9-14 21:54 编辑 ]

百度一下发现：
关于“Downloader.Agent.clq”病毒的求助帖可谓漫天飞，发现全部是AVG所报，而其他工具则没任何动作
据此，不少高手认为是AVG误报

本人也同意这种观点

谢谢浪者版主,我在百度也看到了.但愿是误报!只有先观查一段时间再说了.

终于发现了问题的根源，问题的根源主要是由系统中Adobe Flash Player这个软件的漏洞造成的。

引用:

原帖由 大拇哥 于 2008-9-16 08:18 发表
终于发现了问题的根源，问题的根源主要是由系统中Adobe Flash Player这个软件的漏洞造成的。

来晚了!
这是个利用Adobe Flash Player这个软件的漏洞的网马,所以;当Adobe Flash Player有漏洞,再登录放有这种网马的网站时木马就在本地自动生成了。