Rising Kaka Security Forum

Technical Exchange » Anti-virus / Anti-rogue-software Forum » My Rising got killed by a virus
jrsjrs - 2005-7-22 11:55:00
I got infected with the QQ Tail virus.
Then Task Manager got locked and the registry can't be modified any more.
Rising Antivirus closes itself as soon as it opens, and other antivirus programs also close themselves when opened.
And what I bought is the genuine 2005 edition, 198 RMB!
钝愚山人 - 2005-7-22 12:19:00
I suggest booting from the CD and trying a scan under DOS.
花落花又开 - 2005-7-22 12:20:00
Use HijackThis version 1.99.1, run a scan, and paste the generated log into this thread.
王大灭火器 - 2005-7-22 12:45:00
Outrageous, simply outrageous.
jrsjrs - 2005-7-22 15:48:00
Logfile of HijackThis v1.99.0
Scan saved at 13:54:51, on 2005-7-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\3721\Dlaccel\YDownloader.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINNT\system32\ctfmon.exe
E:\Program Files\Nikon\PictureProject\NkbMonitor.exe
E:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\SVOHOST.exe
E:\BAK\工具\HIJACKTHIS\HIJACKTHIS\HijackThis.exe

C:\WINNT\SVOHOST.exe

F2 - REG:system.ini: Shell=Explorer.exe a1g.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - (no file)
O2 - BHO: AntiFish Class - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\3721\Assist\Angling.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINNT\System32\aclayer.dll
O2 - BHO: ShowBarObject Class - {850B69E4-90DB-4F45-8621-891BF35A5B53} - c:\winnt\system32\alitb\__new\bar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: T2BHO Class - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.1\barhelp22.0.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O2 - BHO: (no name) - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: bho Class - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O2 - BHO: DragSearch BHO - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:\PROGRA~1\yisou\yisoub.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O3 - Toolbar: CopySo拷贝搜 - {40987A5C-6AB8-4977-8BE9-A8889DE2EDCC} - C:\Program Files\Copyso\CopysoIE.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RfwMain] C:\Program Files\Rising\Rfw\rfwmain.exe
O4 - HKLM\..\Run: [HPRestartApp] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\applch.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [dl_accel] C:\Program Files\3721\Dlaccel\YDownloader.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [] regedit -s C:\$NtUninstallQ5926809$\sp4custom.dll
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: 腾讯TM.lnk = C:\Program Files\Tencent\QQ\TMShell.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Microtek 扫描仪探测器.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = E:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用下载加速专家下载 - C:\Program Files\3721\Dlaccel\geturl.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用搜狗直通车下载 - C:\PROGRA~1\P4P\dl.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_verycd_25102 (file missing)
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O9 - Extra button: 商机直通车 - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - c:\winnt\system32\alitb\__new\bar.dll
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://adfarm.mediaplex.com/ad/c ... p://www.ebay.com.cn (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://adfarm.mediaplex.com/ad/c ... p://www.ebay.com.cn (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/mess ... essenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra button: 百万图库 - {6713E8D2-850A-101B-AFC0-4210102A8DA7} - http://www.26-3.com/p (file missing) (HKCU)
O9 - Extra button: 铃声图片下载 - {7713E8D2-850A-101B-AFC0-4210102A8DA7} - http://www.26-3.com/sms/index.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdnns.dll
O11 - Options group: [!CNS]  上网助手-地址栏搜索
O11 - Options group: [CDNCLIENT]  中文上网
O16 - DPF: {115074A0-83F0-42C0-B694-A5320628AEDE} (MeChatA Class) - http://www.51.com:6000/audio/MeChatAudio.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} - http://client.jogo.cn/cdnClient/cab/cdn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55136F3A-C0FB-4515-BDF3-10A6FE87F790}: NameServer = 202.96.209.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{55136F3A-C0FB-4515-BDF3-10A6FE87F790}: NameServer = 202.96.209.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{55136F3A-C0FB-4515-BDF3-10A6FE87F790}: NameServer = 202.96.209.133
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Rising Process Communication Center - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
kaka23 - 2005-7-22 15:54:00
C:\WINNT\SVOHOST.exe is suspicious; it is not a system file. Find it and delete it, preferably in Safe Mode. The normal one looks like this: C:\WINNT\system32\svchost.exe. The registry also has O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe, which you can fix with HijackThis.
木马将军 - 2005-7-23 20:14:00
I suggest you use Rising's dedicated QQ Tail removal tool to scan and clean.
baohe - 2005-7-23 20:24:00
[Reply to "jrsjrs"'s post] O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe
This entry is fishy. Please zip C:\WINNT\SVOHOST.exe and upload it (if you can find it).
≮大头仔≯ - 2005-7-23 20:26:00
Do it in Safe Mode. Done.
艾玛 - 2005-7-23 20:33:00
http://kvirus.blogchina.com/2351287.html

See whether it is a variant of this one:

Worm.Youda.d (Rising version 17.36.31 can detect and remove it) - -
Worm.Youda.d
Damage method: the virus is written in Delphi.

After it runs, the virus does the following:
  Copies itself into the %WINDIR% directory under the file name "svchost.exe".

Modifies the following registry values so that it starts automatically:

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%WINDIR%\SVCHOST.EXE "%1" %*"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
"Microsoft" = "%WINDIR%\SVCHOST.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt" = 0X00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = 0X00000002

Searches for and terminates the following processes:
pfw.exe
kvfw.exe
iamapp.exe
nmain.exe
freepp.EXE
freekav.EXE
freesys.EXE
Iparmor.exe
trojan_hunter.exe
Rfw.exe
KVMonXP.kxp
KVCenter.kxp
KvXP.kxp
KAVPFW.EXE
KWatch.EXE
KPfwSvc.EXE
KAVStart.exe
KMailMon.EXE
KAV32.EXE
Closes any window whose title contains the strings "瑞星" (Rising), "病毒" (virus), "杀毒" (antivirus), "木马" (Trojan) or "金山毒霸" (Kingsoft AntiVirus), and deletes the auto-start registry entries of the named antivirus and firewall programs.

The virus deletes every file in the Rising directory, infects executable files, enumerates writable shared directories on the network and tries to copy itself into them, and provides a remote-control service for its remote controller.

Original: http://it.rising.com.cn/newSite/Channels/Anti_Virus/Upgrade_Report/Upgrade_Report/200507/21-115020042.htm
艾玛 - 2005-7-23 20:36:00
Is the OP here to spread the latest QQ virus?

Attachment: 2460222005723204428.jpg
baohe - 2005-7-23 20:40:00
Quote:
[艾玛's post] Is the OP here to spread the latest QQ virus?
...........................

The URL in the original post has been removed.
艾玛 - 2005-7-23 20:41:00
scanning the file "520.exe" file.

Antivirus Version Update Result

AntiVir 6.31.1.0 07.22.2005 Worm/Lewor.F
AVG 718 07.22.2005 no virus found
Avira 6.31.1.0 07.22.2005 Worm/Lewor.F
BitDefender 7.0 07.22.2005 BehavesLike:Trojan.ShellStartup
CAT-QuickHeal 7.03 07.23.2005 (Suspicious) - DNAScan
ClamAV devel-20050712 07.22.2005 no virus found
DrWeb 4.32b 07.23.2005 no virus found
eTrust-Iris 7.1.194.0 07.23.2005 no virus found
eTrust-Vet 11.9.1.0 07.22.2005 no virus found
Fortinet 2.36.0.0 07.23.2005 suspicious
F-Prot 3.16c 07.22.2005 no virus found
Ikarus 2.32 07.22.2005 suspicious program sequence found
Kaspersky 4.0.2.24 07.23.2005 Trojan-Downloader.Win32.Delf.qv
McAfee 4541 07.22.2005 W32/Lewor.gen
NOD32v2 1.1176 07.22.2005 a variant of Win32/Lewor
Norman 5.70.10 07.21.2005 W32/Malware
Panda 8.02.00 07.23.2005 no virus found
Sybari 7.5.1314 07.23.2005 no virus found
Symantec 8.0 07.22.2005 no virus found
TheHacker 5.8.2.075 07.22.2005 no virus found
VBA32 3.10.4 07.22.2005 no virus found

bobo无极限 - 2005-7-23 21:59:00
Spreading the virus?
I have already been hit by it this way.
Friends, please don't upload virus attachments, okay? It really harms people. Thanks.
艾玛 - 2005-7-25 19:46:00
520.exe

Real icon file

FSG

AVP

trojan program Trojan-Downloader.Win32.Delf.qv

%system%\SVOHOST.exe
%system32%\commamd.exe
%system32%\lsasa.exe
%system32%\he1p.exe
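kaka23 points out above that C:\WINNT\SVOHOST.exe only imitates the genuine C:\WINNT\system32\svchost.exe, the Rising write-up says Worm.Youda.d drops a correctly spelt svchost.exe into the wrong folder (%WINDIR%), and the drop names listed just above (commamd.exe, lsasa.exe, he1p.exe) are the same one-character trick. The Python script below is an added example, not part of this thread or of HijackThis: it applies those two checks (a system-binary name with one or two substituted characters, and a genuine name outside its home folder) to HijackThis log lines, plus the F2 Shell= check for extra components such as a1g.exe. The folder table is an assumption based on the Windows 2000 layout in the log (%WINDIR% = C:\WINNT).

```python
import ntpath
import re

# Genuine Windows 2000 binaries and their home folders (%WINDIR% = C:\WINNT, as in the log above).
SYS32 = r"c:\winnt\system32"
KNOWN = {"svchost.exe": SYS32, "lsass.exe": SYS32, "ctfmon.exe": SYS32, "smss.exe": SYS32,
         "services.exe": SYS32, "help.exe": SYS32, "command.com": SYS32, "explorer.exe": r"c:\winnt"}

def lookalike_of(name):
    """Genuine name whose stem `name` imitates by 1-2 substituted characters, else None."""
    stem = ntpath.splitext(name.lower())[0]
    for known in KNOWN:
        kstem = ntpath.splitext(known)[0]
        if len(kstem) == len(stem) and 0 < sum(a != b for a, b in zip(stem, kstem)) <= 2:
            return known
    return None

def check_path(path):
    """Flag a misspelt system name, or a genuine one outside its home folder."""
    folder, name = ntpath.split(path.lower())
    mimic = lookalike_of(name)
    if mimic:
        return f"lookalike of {mimic}: {path}"
    if name in KNOWN and folder and folder != KNOWN[name]:   # bare name: resolved via PATH
        return f"{name} outside {KNOWN[name]}: {path}"
    return None

def classify(line):
    """Judge one HijackThis line: a process path, an F2 Shell= entry or an O4 Run entry."""
    if re.match(r"[a-z]:\\", line, re.I):                         # running-process line
        return check_path(line)
    if line.startswith("F2 - ") and "shell=" in line.lower():
        parts = line.split("=", 1)[1].split()                      # explorer.exe alone is normal
        return f"extra shell component: {parts[1:]}" if len(parts) > 1 else None
    m = re.match(r'O4 - .*\\Run: \[([^\]]*)\] (?:"([^"]+)"|(\S+))', line)
    if not m:
        return None
    label, target = m.group(1), m.group(2) or m.group(3)
    mimic = lookalike_of(label)
    return f"Run label mimics {mimic}: {line}" if mimic else check_path(target)

def scan_hijackthis(text):
    """All findings for a log, in order; clean lines contribute nothing."""
    return [h for h in (classify(ln.strip()) for ln in text.splitlines()) if h]

# Constructed sample: four lines taken from the log posted above.
SAMPLE = r"""C:\WINNT\system32\svchost.exe
C:\WINNT\SVOHOST.exe
F2 - REG:system.ini: Shell=Explorer.exe a1g.exe
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe"""
```

Substitution-only matching keeps names such as 3721's helper.dll from being confused with help.exe; names that differ in length are left to the folder check alone.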