瑞星卡卡安全论坛

HijackThis_815汉化版扫描日志 V1.99.1
保存于      21:24:48, 日期 2005-10-18
操作系统：  Windows XP SP2 (WinNT 5.01.2600)
浏览器：    Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程：         
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
d:\program files\rising\rfw\rfwsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
D:\Program Files\Rising\Rfw\rfwmain.exe
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
D:\Program Files\D-Tools\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\WINDOWS\system32\drivers\CDAC11BA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\DOCUME~1\zh\LOCALS~1\Temp\Rar$EX00.515\HijackThis1991zww.exe
G:\WinRAR\WinRAR.exe
D:\DOCUME~1\zh\LOCALS~1\Temp\Rar$EX00.781\HijackThis1991zww.exe

R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - D:\Program Files\3721\Assist\asbar.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - D:\Program Files\3721\Assist\asbar.dll
O3 - IE工具栏增项: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - D:\Program Files\3721\Assist\asbar.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RfwMain] "D:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O8 - IE右键菜单中的新增项目: 使用超级解霸播放 - C:\Herosoft\HeroV9\MPURLGET.HTM
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_3721home (file missing)
O9 - 浏览器额外的按钮: 豪杰超级解霸V9 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV9\STHSDVD.EXE
O9 - 浏览器额外的“工具”菜单项: 豪杰超级解霸V9 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV9\STHSDVD.EXE
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9F8D774-9A82-49DD-93AC-CD563F8B3229}: NameServer = 202.102.192.68 202.102.199.68
O20 - Winlogon Notify: WB - F:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - NT 服务: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - E:\Maya 5.0\docs\Wrapper.exe" -s "E:\Maya 5.0\docs/Wrapper.conf (file missing)
O23 - NT 服务: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - NT 服务: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - NT 服务: Pigeon_Server (PigeonServer) - Unknown owner - D:\WINDOWS\scvhostn.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe

日志正常

建议将(file missing)项修复

O23 - NT 服务: Pigeon_Server (PigeonServer) - Unknown owner - D:\WINDOWS\scvhostn.exe

楼上说的对,诊断失误

O23 - NT 服务: Pigeon_Server (PigeonServer) - Unknown owner - D:\WINDOWS\scvhostn.exe

将此项修复,搜索scvhostn.exe,删!
注册表中搜索相关键值,删!

【回复“bobo无极限”的帖子】请教一下，我说的那个正常吗？

thank

引用:

【猎鹰渔民的贴子】【回复“bobo无极限”的帖子】请教一下，我说的那个正常吗？ ...........................

这个是AGOBOT病毒的变种

病毒在运行时，这种驻留内存的病毒在 Windows 系统文件夹中生成名为 winctr32.exe 的自己的拷贝。并附带生成有scvhostn.exe的拷贝

具体目录(假设用户为xp系统,默认安装为c:\windows)

c:\windows\system32\winctr32.exe

c:\windows\system32\scvhostn.exe

同时病毒存在系统进程中,进程名为

winctr32.exe

scvhostn.exe

为了保证在每次 Windows 启动的时候病毒能够运行，它增加了下面的注册表键：


HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>a5

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
ConfiggLoader = "winctrl32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ConfiggLoader = "scvhostn.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
ConfiggLoader = "winctrl32.exe"

估计就是这么个情况

转自:http://www.zz-bzsh.com/shangdu/ReadNews.asp?NewsID=1665&BigClassName=%B0%B2%C8%AB%D0%C2%CE%C5&SmallClassName=%D7%DB%BA%CF%D0%C2%CE%C5&SpecialID=0

c:\windows\system32\winctr32.exe

再找一下,看能不能找到这个文件

打开进程查看有没有下面这两个进程,有的话估计就是这个病毒了!

winctr32.exe

scvhostn.exe