瑞星卡卡安全论坛

我的机器只要一拨号 过一会儿就会弹出一个网页 网址是
http://217.170.4.137/_vti_bin/index.html
弹出来还不要紧 可恶的是它一出来就会自己创建
一个拨号连接 然后我就会吊线 还会在C盘出一个EXE的文件 文件名一天和不一样
删不掉的 删了又会出 还原系统都没有用啊！
就在我发贴这段时间就掉了N次
已经几天了 真的快崩溃了！~
请高人相助！小弟先谢谢了

附件: 562465200581420155.BMP

弹出来拨号的图

附件: 562465200581415210.BMP

哪位好心的人告诉我解决的办法啊？
以身相许也可以啊！~

http://forum.ikaka.com/topic.asp?board=28&artid=6979213 看来你需要到这个帖子1楼,下附件里的工具,扫个日志上来

请大大看看
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Rpcmon.exe
D:\Tencent\qq\QQ.exe
C:\WINDOWS\sounddv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\155847200541134207\HijackThis.exe

O1 - Hosts: 141.225.152.142 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 141.225.152.142 www3.aibgbonline.co.uk
O1 - Hosts: 141.225.152.142 www.bank.alliance-leicester.co.uk
O1 - Hosts: 141.225.152.142 login.iblogin.com
O1 - Hosts: 141.225.152.142 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.cahoot.com
O1 - Hosts: 141.225.152.142 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 - Hosts: 141.225.152.142 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 141.225.152.142 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ob2.nationet.com
O1 - Hosts: 141.225.152.142 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 141.225.152.142 ww1.nwolb.com
O1 - Hosts: 141.225.152.142 ww1.onlinebanking.iombank.com
O1 - Hosts: 141.225.152.142 ww1.www.rbsdigital.com
O1 - Hosts: 141.225.152.142 welcome.smile.co.uk
O1 - Hosts: 141.225.152.142 login.365online.com
O1 - Hosts: 141.225.152.142 wvw.citizensbankonline.com
O1 - Hosts: 141.225.152.142 esecure.regionsnet.com
O1 - Hosts: 141.225.152.142 rollb.associatedbank.com
O1 - Hosts: 141.225.152.142 upb.unionplanters.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.huntington.com
O1 - Hosts: 141.225.152.142 inet.southtrustonlinebanking.com
O1 - Hosts: 141.225.152.142 logon.personal.wamu.com
O1 - Hosts: 141.225.152.142 login.compassweb.com
O1 - Hosts: 141.225.152.142 logon.firstmeritib.com
O1 - Hosts: 141.225.152.142 login.ccfcuonline.org
O1 - Hosts: 141.225.152.142 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 141.225.152.142 ww2.onlinebanking.lasallebank.com
O1 - Hosts: 141.225.152.142 wvw.totallyfreebanking.com
O1 - Hosts: 141.225.152.142 www.online.wellsfargo.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.bankofoklahoma.com
O1 - Hosts: 141.225.152.142 accounts4.keybank.com
O1 - Hosts: 141.225.152.142 logon.bankone.com
O1 - Hosts: 141.225.152.142 www.secure.tdbanknorth.com
O1 - Hosts: 141.225.152.142 www.secure.mvnt4.com
O1 - Hosts: 141.225.152.142 ww.mynfbonline.com
O1 - Hosts: 141.225.152.142 login.forumcuonline.com
O1 - Hosts: 141.225.152.142 www.eds.usersonlnet.com
O1 - Hosts: 141.225.152.142 www.onlineid.bankofamerica.com
O1 - Hosts: 141.225.152.142 wvw.e-gold.com
O1 - Hosts: 141.225.152.142 pcbs.peoples.com
O1 - Hosts: 141.225.152.142 www.global1.onlinebank.com
O1 - Hosts: 141.225.152.142 ww2.mybranch.lafcu.com
O1 - Hosts: 141.225.152.142 login.webbanking.comerica.com
O1 - Hosts: 141.225.152.142 web.banking.firsttennessee.com
O1 - Hosts: 141.225.152.142 logon.members1st.org
O1 - Hosts: 141.225.152.142 www.cib.ibanking-services.com
O1 - Hosts: 141.225.152.142 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 141.225.152.142 wvw.paypal.com
O1 - Hosts: 141.225.152.142 www.signin.ebay.com
O1 - Hosts: 141.225.152.142 wvw.etrade.com
O1 - Hosts: 141.225.152.142 ww4.fleethomelink.fleet.com
O1 - Hosts: 141.225.152.142 ww3.connect.skyfi.com
O1 - Hosts: 141.225.152.142 www6.usbank.com
O1 - Hosts: 141.225.152.142 www.bvi.bancodevalencia.es
O1 - Hosts: 141.225.152.142 extrant.banesto.es
O1 - Hosts: 141.225.152.142 banesnt.banesto.es
O1 - Hosts: 141.225.152.142 activia.caixagalicia.es
O1 - Hosts: 141.225.152.142 www.bancae.caixapenedes.com
O1 - Hosts: 141.225.152.142 login.caixasabadell.net
O1 - Hosts: 141.225.152.142 oii.cajamadrid.es
O1 - Hosts: 141.225.152.142 login.cajamar.es
O1 - Hosts: 141.225.152.142 login.ccm.es
O1 - Hosts: 141.225.152.142 ww.unicaja.es
O1 - Hosts: 141.225.152.142 www5.bancopopular.es
O1 - Hosts: 141.225.152.142 ww3.bbvanet.com
O1 - Hosts: 141.225.152.142 ww.bayernlb.de
O1 - Hosts: 141.225.152.142 ww2.berliner-volksbank.de
O1 - Hosts: 141.225.152.142 ww7.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 portal09.commerzbanking.de
O1 - Hosts: 141.225.152.142 www.meine.deutsche-bank.de
O1 - Hosts: 141.225.152.142 ww2.dresdner-privat.de
O1 - Hosts: 141.225.152.142 ww.e-banking.helaba.de
O1 - Hosts: 141.225.152.142 ww.hsh-nordbank.de
O1 - Hosts: 141.225.152.142 www.my.hypovereinsbank.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 www.banking.lbbw.de
O1 - Hosts: 141.225.152.142 lrp.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-niedersachsen.de
O1 - Hosts: 141.225.152.142 www.onlinebanking.norisbank.de
O1 - Hosts: 141.225.152.142 www.banking.postbank.de
O1 - Hosts: 141.225.152.142 wvw.internetbanking.gad.de
O1 - Hosts: 141.225.152.142 ww1.portal.izb.de
O1 - Hosts: 141.225.152.142 wvw.kunden-service.lbs.de
O1 - Hosts: 141.225.152.142 ibanking.seb.de
O1 - Hosts: 141.225.152.142 bw7.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww2.homebanking-sparkasse.de
O1 - Hosts: 141.225.152.142 ww2.vr-networld-ebanking.de
O1 - Hosts: 141.225.152.142 ww.bics.fr
O1 - Hosts: 141.225.152.142 www.co.caixabank.fr
O1 - Hosts: 141.225.152.142 ww.creditmutuel.fr
O1 - Hosts: 141.225.152.142 internetbank.intesabci.it
O1 - Hosts: 141.225.152.142 ww.extensive.bancalombarda.it
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v4.dll
O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINDOWS\System32\aclayer.dll
O2 - BHO: Microsoft Javascript Class - {6E28339B-7A2A-47B6-AEB2-46BA53782373} - C:\WINDOWS\System32\dllcache\javascript.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows File System Checkd] ntfsckd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\hfgame3\GameClient.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: 易趣购物 - {DE607141-AC19-421e-862A-2D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE607141-AC19-421e-862A-2D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe
O23 - Service: WIN32Sound - Unknown owner - C:\WINDOWS\sounddv.exe

O1 - Hosts: 141.225.152.142 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 141.225.152.142 www3.aibgbonline.co.uk
O1 - Hosts: 141.225.152.142 www.bank.alliance-leicester.co.uk
O1 - Hosts: 141.225.152.142 login.iblogin.com
O1 - Hosts: 141.225.152.142 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.cahoot.com
O1 - Hosts: 141.225.152.142 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 - Hosts: 141.225.152.142 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 141.225.152.142 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ob2.nationet.com
O1 - Hosts: 141.225.152.142 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 141.225.152.142 ww1.nwolb.com
O1 - Hosts: 141.225.152.142 ww1.onlinebanking.iombank.com
O1 - Hosts: 141.225.152.142 ww1.www.rbsdigital.com
O1 - Hosts: 141.225.152.142 welcome.smile.co.uk
O1 - Hosts: 141.225.152.142 login.365online.com
O1 - Hosts: 141.225.152.142 wvw.citizensbankonline.com
O1 - Hosts: 141.225.152.142 esecure.regionsnet.com
O1 - Hosts: 141.225.152.142 rollb.associatedbank.com
O1 - Hosts: 141.225.152.142 upb.unionplanters.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.huntington.com
O1 - Hosts: 141.225.152.142 inet.southtrustonlinebanking.com
O1 - Hosts: 141.225.152.142 logon.personal.wamu.com
O1 - Hosts: 141.225.152.142 login.compassweb.com
O1 - Hosts: 141.225.152.142 logon.firstmeritib.com
O1 - Hosts: 141.225.152.142 login.ccfcuonline.org
O1 - Hosts: 141.225.152.142 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 141.225.152.142 ww2.onlinebanking.lasallebank.com
O1 - Hosts: 141.225.152.142 wvw.totallyfreebanking.com
O1 - Hosts: 141.225.152.142 www.online.wellsfargo.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.bankofoklahoma.com
O1 - Hosts: 141.225.152.142 accounts4.keybank.com
O1 - Hosts: 141.225.152.142 logon.bankone.com
O1 - Hosts: 141.225.152.142 www.secure.tdbanknorth.com
O1 - Hosts: 141.225.152.142 www.secure.mvnt4.com
O1 - Hosts: 141.225.152.142 ww.mynfbonline.com
O1 - Hosts: 141.225.152.142 login.forumcuonline.com
O1 - Hosts: 141.225.152.142 www.eds.usersonlnet.com
O1 - Hosts: 141.225.152.142 www.onlineid.bankofamerica.com
O1 - Hosts: 141.225.152.142 wvw.e-gold.com
O1 - Hosts: 141.225.152.142 pcbs.peoples.com
O1 - Hosts: 141.225.152.142 www.global1.onlinebank.com
O1 - Hosts: 141.225.152.142 ww2.mybranch.lafcu.com
O1 - Hosts: 141.225.152.142 login.webbanking.comerica.com
O1 - Hosts: 141.225.152.142 web.banking.firsttennessee.com
O1 - Hosts: 141.225.152.142 logon.members1st.org
O1 - Hosts: 141.225.152.142 www.cib.ibanking-services.com
O1 - Hosts: 141.225.152.142 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 141.225.152.142 wvw.paypal.com
O1 - Hosts: 141.225.152.142 www.signin.ebay.com
O1 - Hosts: 141.225.152.142 wvw.etrade.com
O1 - Hosts: 141.225.152.142 ww4.fleethomelink.fleet.com
O1 - Hosts: 141.225.152.142 ww3.connect.skyfi.com
O1 - Hosts: 141.225.152.142 www6.usbank.com
O1 - Hosts: 141.225.152.142 www.bvi.bancodevalencia.es
O1 - Hosts: 141.225.152.142 extrant.banesto.es
O1 - Hosts: 141.225.152.142 banesnt.banesto.es
O1 - Hosts: 141.225.152.142 activia.caixagalicia.es
O1 - Hosts: 141.225.152.142 www.bancae.caixapenedes.com
O1 - Hosts: 141.225.152.142 login.caixasabadell.net
O1 - Hosts: 141.225.152.142 oii.cajamadrid.es
O1 - Hosts: 141.225.152.142 login.cajamar.es
O1 - Hosts: 141.225.152.142 login.ccm.es
O1 - Hosts: 141.225.152.142 ww.unicaja.es
O1 - Hosts: 141.225.152.142 www5.bancopopular.es
O1 - Hosts: 141.225.152.142 ww3.bbvanet.com
O1 - Hosts: 141.225.152.142 ww.bayernlb.de
O1 - Hosts: 141.225.152.142 ww2.berliner-volksbank.de
O1 - Hosts: 141.225.152.142 ww7.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 portal09.commerzbanking.de
O1 - Hosts: 141.225.152.142 www.meine.deutsche-bank.de
O1 - Hosts: 141.225.152.142 ww2.dresdner-privat.de
O1 - Hosts: 141.225.152.142 ww.e-banking.helaba.de
O1 - Hosts: 141.225.152.142 ww.hsh-nordbank.de
O1 - Hosts: 141.225.152.142 www.my.hypovereinsbank.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 www.banking.lbbw.de
O1 - Hosts: 141.225.152.142 lrp.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-niedersachsen.de
O1 - Hosts: 141.225.152.142 www.onlinebanking.norisbank.de
O1 - Hosts: 141.225.152.142 www.banking.postbank.de
O1 - Hosts: 141.225.152.142 wvw.internetbanking.gad.de
O1 - Hosts: 141.225.152.142 ww1.portal.izb.de
O1 - Hosts: 141.225.152.142 wvw.kunden-service.lbs.de
O1 - Hosts: 141.225.152.142 ibanking.seb.de
O1 - Hosts: 141.225.152.142 bw7.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww2.homebanking-sparkasse.de
O1 - Hosts: 141.225.152.142 ww2.vr-networld-ebanking.de
O1 - Hosts: 141.225.152.142 ww.bics.fr
O1 - Hosts: 141.225.152.142 www.co.caixabank.fr
O1 - Hosts: 141.225.152.142 ww.creditmutuel.fr
O1 - Hosts: 141.225.152.142 internetbank.intesabci.it
O1 - Hosts: 141.225.152.142 ww.extensive.bancalombarda.it
这都是一些什么东东啊,我也不知道,帮顶,

结束这两个进程C:\WINDOWS\System32\Rpcmon.exe C:\WINDOWS\sounddv.exe

在注册表里删掉这两个服务O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe
O23 - Service: WIN32Sound - Unknown owner - C:\WINDOWS\sounddv.exe
应该是这样

你的机子连杀软也不装,厉害

IP ： 141.225.152.142
地址： 美国 孟菲斯大学

更厉害

都是HijackThis扫描出来的日志啊

不然你在忍受一晚,明天版主还给你看看,他可是高手

晓肚肚非常谢谢你！我现在就去试试看
IP ： 141.225.152.142
地址： 美国 孟菲斯大学

更厉害
为什么这样说啊？

O2 - BHO: Router Layer - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINDOWS\System32\aclayer.dll
这个应该也有问题吧,你可以找一下这个文件,创建时间要是是你大概中毒的时间,就一定是有问题了

C:\WINDOWS\System32\Rpcmon.exe C:\WINDOWS\sounddv.exe
这两个结束不了啊 一结束马上又出来了
你怎么知道
IP ： 141.225.152.142
地址： 美国 孟菲斯大学
这个是孟菲斯大学 怎么知道我没装杀软啊？

IP是用查IP数据的查的,你的日志里都没有杀软的内容嘛

aclayer.dll这个文件删不了 是怎么回事啊？

【回复“一发”的帖子】
请把C:\WINDOWS\System32\Rpcmon.exe和 C:\WINDOWS\sounddv.exe打包，作为回帖附件发上来。帮你看看是怎么回事。

版主终于出现了 太好了
这两个文件找不到 不知道怎么回事
我开始也觉得这两个不对 就是找不到

引用:

【一发的贴子】版主终于出现了 太好了 这两个文件找不到 不知道怎么回事 我开始也觉得这两个不对 就是找不到 ...........................

在“文件夹选项”的“查看”面板中勾选下列复选框（见图），然后再找。如果WINDOWS模式下找不到，可以在安全模式下找找看。

附件: 155847200581425918.jpg

谢谢热心的版竹！
好的 我去安全模式下找

找到了 如果是这两个文件的问题
我可以直接删除吗？

附件: 562465200581430737.rar

引用:

【一发的贴子】找到了 如果是这两个文件的问题 我可以直接删除吗？ ...........................

附件已经下载。我去分析。有结果后再通报。

好的
版主我刚才用你说的办法把灰鸽子删了
你说我现在中的这个病毒和它有关系吗？

【回复“一发”的帖子】
Rpcmon.exe的查杀
一、结束病毒进程Rpcmon.exe。
二、删除C:\windows\system32\下的病毒文件Rpcmon.exe。
三、清理注册表：

1、展开HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
删除：Rpcmon
2、展开HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
删除：Rpcmon
3、展开HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
删除：Rpcmon
四、运行windows update，去微软打齐系统补丁。

____________

另一个样本还没分析。先解决这个吧。那个——一会儿通报结果。

非常谢谢！我马上去弄！~

版主我已经照你说的做了 可是还是会弹出来啊

【回复“一发”的帖子】
第二个略麻烦一点儿。要用IceSword。看图：

图1

附件: 155847200581440511.jpg

图2

附件: 155847200581440604.jpg

清理注册表：

1、展开HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
删除："bootstall"="08/14/2005, 03:37 AM"
2、展开HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
删除："DoNotAllowXPSP2"=dword:00000001

另提醒一下：用HijackThis修复所有O1项、

版主可以告诉我这个病毒是什么病毒吗？
他和灰鸽子有关系吗？