What kind of virus is Trojan.PSW.QQPass.rvy?

秋梵彦杉Jy
2007-04-21
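Trojan.PSW.QQPass is a virus known as "QQ Passport". You can try Rising's free dedicated removal tool, the "'Orange August' dedicated extraction and removal tool".

The tool can remove "QQ Passport (Trojan.PSW.QQPass)", "Legend Terminator (Trojan.PSW.Lmir)", "Mixi Trojan (Trojan.psw.misc)" and other viruses and their variants.

Any user who has no antivirus software installed, or who uses other antivirus software but has been infected, can download and use the tool free of charge from http://it.rising.com.cn/Channels/Service/2006-08/1154786729d36873.shtml (Rising's website).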

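Trojan.PSW.QQpass.pqg is a QQ password-stealing trojan!
You can run an antivirus scan in Safe Mode, then uninstall QQ and delete the QQ folder!
In the antivirus history log, find the paths and files infected by Trojan.PSW.QQpass.pqg and clean them up!
Then clear the IE browsing cache and browsing history (preferably clean out junk files as well).
Above all, the files autorun.inf and sxs.exe on the D:\ drive and svohost.exe and winscok.dll on the C:\ drive must be deleted completely!

Remember: if the root directories of the other drives contain the same files, they must be deleted completely too!

Only then reinstall your QQ!

Otherwise, the next time you double-click drive D, it will automatically start the trojan service program SXS.EXE and load svohost.exe and winscok.dll, and you will be infected with the trojan again!

Take care to tell them apart: svohost.exe is the QQ trojan, whereas Windows itself only has the file svchost.exe; the difference is the third letter, "o" versus "c"!!!
Use search to find the files svohost.exe and winscok.dll, and be sure to delete them completely!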

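Fixing the problem of Rising's monitors failing to open after removing Trojan.PSW.QQPass-type trojans
So I found the normal values of the Rising-related registry entries in a backed-up copy of the registry and made them into a .reg file. After removing the virus by hand (see the attached picture for the trojan files), I imported this Rising.reg into the registry and watched what happened after restarting the system. Result: all of Rising's monitors loaded normally.
The contents of Rising.reg are as follows: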

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTask"="\"C:\\Program Files\\Rising\\Rav\\RavTask.exe\" -system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,45,78,70,53,63,61,6e,2e,73,79,\
73,00
"DisplayName"="ExpScaner"
"Group"="TDI"
"DependOnService"=hex(7):42,61,73,65,54,44,49,00,00
"DependOnGroup"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner\Enum]
"0"="Root\\LEGACY_EXPSCANER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,4f,4f,4b,43,4f,4e,54,2e,73,\
79,73,00
"DisplayName"="HookCont"
"Group"="TDI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont\Enum]
"0"="Root\\LEGACY_HOOKCONT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,6f,6f,6b,52,65,67,2e,73,79,\
73,00
"DisplayName"="HookReg"
"Group"="TDI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg\Enum]
"0"="Root\\LEGACY_HOOKREG\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,6f,6f,6b,53,79,73,2e,73,79,\
73,00
"DisplayName"="HookSys"
"Group"="TDI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys\Enum]
"0"="Root\\LEGACY_HOOKSYS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,52,69,73,\
69,6e,67,5c,52,61,76,5c,43,43,65,6e,74,65,72,2e,65,78,65,22,00
"DisplayName"="Rising Process Communication Center"
"Group"="COM Infrastructure"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter\Enum]
"0"="Root\\LEGACY_RSCCENTER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,52,69,73,\
69,6e,67,5c,52,61,76,5c,52,61,76,6d,6f,6e,64,2e,65,78,65,22,00
"DisplayName"="RsRavMon Service"
"Group"="TDI"
"DependOnService"=hex(7):52,73,43,43,65,6e,74,65,72,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon\Enum]
"0"="Root\\LEGACY_RSRAVMON\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

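If, after removing a Trojan.PSW.QQPass-type trojan, your Rising monitors will not load, and your system and Rising are both on drive C as mine are, you can paste this section (the text in blue) into Notepad and save it as Rising.reg (another file name is fine, but the extension must be .reg). Then double-click it to import it into the registry. Give it a try.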
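A way to read what a .reg file like the one above would write before importing it, as an added example that is not part of the original answer: it decodes the `hex(2)` and `hex(7)` values into text and lists every `ImagePath` that does not sit under an expected install directory. The function names and the `cp1252` code page are assumptions of this example; the sample holds three values copied from the listing above.

```python
import re

# Constructed sample: three values copied from the Rising.reg above (REGEDIT4, so ANSI bytes).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys]
"Start"=dword:00000002
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,6f,6f,6b,53,79,73,2e,73,79,\
73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon]
"ImagePath"=hex(2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,52,69,73,\
69,6e,67,5c,52,61,76,5c,52,61,76,6d,6f,6e,64,2e,65,78,65,22,00
"DependOnService"=hex(7):52,73,43,43,65,6e,74,65,72,00,00
'''

def decode_reg(text):
    """Map (key, value name) -> text for every hex(2)/hex(7) value in a REGEDIT4 export."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)          # join "\"-continued hex lines
    decoded, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex\(([27])\):([0-9a-fA-F,]*)$', line)
        if m:
            raw = bytes(int(b, 16) for b in m.group(3).split(",") if b)
            parts = [p.decode("cp1252", "replace") for p in raw.split(b"\x00") if p]
            # hex(7) is a list of strings (REG_MULTI_SZ); hex(2) is one string (REG_EXPAND_SZ)
            decoded[(key, m.group(1))] = parts if m.group(2) == "7" else "".join(parts[:1])
    return decoded

def outside_dir(decoded, expected_dir=r"C:\Program Files\Rising\Rav"):
    """ImagePath entries that do not point under expected_dir (case-insensitive)."""
    flagged = {}
    for (key, name), value in decoded.items():
        if name.lower() == "imagepath":
            path = value.strip('"')
            path = path[4:] if path.startswith("\\??\\") else path
            if not path.lower().startswith(expected_dir.lower() + "\\"):
                flagged[key] = value
    return flagged

if __name__ == "__main__":
    for item in decode_reg(SAMPLE).items():
        print(item)
```

Calling `outside_dir` with the directory where Rising is actually installed shows which entries would point at the wrong place on a machine that does not use drive C.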
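The drive-root check from the cleanup steps in this answer, as an added example that is not part of the original answer: it reports the file names the answer lists, any program an autorun.inf would launch, and names that differ from svchost.exe by a single character. The function names, the sample directory, its autorun.inf content and the name svch0st.exe are constructed for illustration.

```python
import os, tempfile

NAMED_IN_ANSWER = {"sxs.exe", "svohost.exe", "winscok.dll"}  # file names from the answer
GENUINE = "svchost.exe"                                      # real Windows name it cites

def one_char_off(name, genuine=GENUINE):
    """Same length as the genuine name, exactly one character substituted."""
    return len(name) == len(genuine) and sum(a != b for a, b in zip(name, genuine)) == 1

def autorun_targets(inf_text):
    """Programs an autorun.inf would start: open=, shellexecute=, shell\\<verb>\\command=."""
    targets = []
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and value.strip() and (key in ("open", "shellexecute") or key.endswith("\\command")):
            targets.append(value.split()[0].lower())
    return targets

def scan_root(root):
    """Sorted (finding, file name) pairs for one drive root, or a directory standing in for it."""
    findings = []
    for entry in os.listdir(root):
        low = entry.lower()
        if low == "autorun.inf":
            with open(os.path.join(root, entry), errors="replace") as fh:
                findings += [("autorun-launches", t) for t in autorun_targets(fh.read())]
        if low in NAMED_IN_ANSWER:
            findings.append(("named-in-answer", low))
        if one_char_off(low):
            findings.append(("one-char-off-svchost", low))
    return sorted(findings)

def build_sample_root():
    """Constructed test data: an empty-file layout like the one the answer describes."""
    root = tempfile.mkdtemp()
    for name in ("sxs.exe", "svohost.exe", "svch0st.exe", "notes.txt"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=sxs.exe\n")   # constructed content
    return root

if __name__ == "__main__":
    for finding in scan_root(build_sample_root()):
        print(finding)
```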
Baidu user 7d1682147
2007-04-06
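It's a Trojan horse. I caught this one a few days ago too, and only got rid of it completely after scanning with Kaspersky several times.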