瑞星卡卡安全论坛

也是瑞星杀出来的可是重起后又发现了啊

附件: 56956420051025221517.JPG

也是重起有进程自动起动啊

附件: 56956420051025221822.JPG

文件名是这样的啊请大家多多帮忙啊谢了啊

附件: 56956420051025221952.JPG

这是个存档文件啊但偶的报高上也没木马进程啊
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD716A51-3C1C-48AB-B477-DC3C8B33E30B}: NameServer = 220.189.127.108 220.189.127.107
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe

请把这个100K的TavStub.exe压缩发送至fangrensong@yahoo.com.cn,另外把HijackThis日志完整的贴出来

偶的可疑样本上传了偶的完整报告在这
HijackThis_815汉化版扫描日志 V1.99.1
保存于      23:17:45, 日期 2005-10-25
操作系统：  Windows XP SP1 (WinNT 5.01.2600)
浏览器：    Unable to get Internet Explorer version!

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\RISING\RAV\Ravmond.exe
D:\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\System Volume Information\logonui.exe
D:\RISING\RAV\RAVTIMER.EXE
D:\RISING\RAV\RAVMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\RISING\RAV\CCENTER.EXE
D:\游戏\软件更新\HijackThis_815汉化版\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v5.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\3721\Assist\Angling.dll (file missing)
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - d:\Tencent\QQ\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [IgfxTray] rem C:\WINDOWS\System32\igfxtray.exe
O4 - 启动项HKLM\\Run: [HotKeysCmds] rem C:\WINDOWS\System32\hkcmd.exe
O4 - 启动项HKLM\\Run: [SoundMan] rem ; SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [NvCplDaemon] rem ; RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] rem ; nwiz.exe /install
O4 - 启动项HKLM\\Run: [DAEMON Tools-1033] rem ; "D:\D-Tools\daemon.exe"  -lang 1033
O4 - 启动项HKLM\\Run: [RavTimer] D:\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] D:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - 启动项HKLM\\Run: [yassistse] rem "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] rem ; RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] rem ; "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - D:\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - D:\Thunder Network\Thunder\getAllurl.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\Tencent\QQ\SendMMS.htm
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - 浏览器额外的按钮: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - E:\HFGAMES\HFGame3\GameClient.exe
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://cn.download.zs.yahoo.com/partner/kavwebscan_unicode.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A} (Kingsoft DUBA OnlineScan) - http://zs.kingsoft.com/duba/OCX/KAVClean.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD716A51-3C1C-48AB-B477-DC3C8B33E30B}: NameServer = 220.189.127.108 220.189.127.107
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe

咋没看见楼主那个病毒文件啊？E:\System Volume Information\logonui.exe是个啥东东？楼主可试着关闭系统还原试试。

系统还原没关过

D盘的杀了E盘又来了个啊

附件: 5695642005102660321.JPG

错了系统还原是没开过默认就是关的

这个文件的属性啊大家帮忙看下到底是啥啊急啊

附件: 5695642005102660503.JPG

D盘的去掉了E盘又杀出个E:\System Volume Information\logonui.exe

附件: 5695642005102660725.JPG

看样子好象已经有人进去拜访过楼主

http://forum.ikaka.com/topic.asp?board=28&artid=7318038
慢慢把帖子看完

用procexp看看系统启动的进程的属性，若文件大小为100K左右，没有公司标志，则从进程中杀掉，再找到文件所在目录删除此文件。

没用啊删除了别的文件夹又会出来个不同的文件但同样是瑞星报错，病毒名也一样啊

关闭XP自动系统还原功能

用procexp的菜单File->save项保存一个日志贴上来，
再用autoruns保存一份也贴上来

楼上的看下

附件: 56956420051026100136.JPG

还有张

附件: 56956420051026100321.JPG

C:\Documents and Settings\fxzm\这下面有3个文件和那个瑞星报的病毒文件是同天同时改的啊

在菜单里File->Save保存一个文件，把内容贴上来

就这3个可咋去不掉啊，关掉进程也去不掉他啊

附件: 56956420051026100617.JPG

偶以把那进程关了啊可是还是去不掉这3个文件啊

附件: 56956420051026100917.JPG

ProcessPIDCPUDescriptionCompany Name
services.exe2276
System4
System Idle Process091.43
alg.exe464Application Layer Gateway ServiceMicrosoft Corporation
CCenter.exe632CCenterrising
csrss.exe640Client Server Runtime ProcessMicrosoft Corporation
conime.exe3600Console IMEMicrosoft Corporation
CTFMON.EXE440CTF LoaderMicrosoft Corporation
DPCsn/aDeferred Procedure Calls
svchost.exe884Generic Host Process for Win32 ServicesMicrosoft Corporation
svchost.exe1008Generic Host Process for Win32 ServicesMicrosoft Corporation
svchost.exe1100Generic Host Process for Win32 ServicesMicrosoft Corporation
svchost.exe1120Generic Host Process for Win32 ServicesMicrosoft Corporation
Interruptsn/a0.95Hardware Interrupts
lsass.exe720LSA Shell (Export Version)Microsoft Corporation
nvsvc32.exe608NVIDIA Driver Helper Service, Version 53.03NVIDIA Corporation
QQ.exe2296QQTENCENT
RavMonD.exe636RavMonBeijing Rising Technology Co., Ltd.
RavMon.exe2128RavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.
RavTimer.exe416RavTimerBeijing Rising Technology Co., Ltd.
realsched.exe432RealNetworks SchedulerRealNetworks, Inc.
RavStub.exe876Rising Rav StubBeijing Rising Technology Co., Ltd.
Rundll32.exe228Run a DLL as an AppMicrosoft Corporation
services.exe7083.81Services and Controller appMicrosoft Corporation
spoolsv.exe1432Spooler SubSystem AppMicrosoft Corporation
procexp.exe20441.90Sysinternals Process ExplorerSysinternals
TIMPlatform.exe2656TIMPlatformtencent
Explorer.EXE17881.90Windows ExplorerMicrosoft Corporation
winlogon.exe664Windows NT Logon ApplicationMicrosoft Corporation
smss.exe584Windows NT Session ManagerMicrosoft Corporation

Process: Procexp Pid: -2

TypeName

那三个文件是系统使用的文件，不用删除的

谢谢帮忙看下啊多谢了啊

楼上看下报告咋弄啊

进程中是正常的

难道没毒吗

那瑞星咋不断杀毒啊报错啊偶晕啊

HijackThis_815汉化版扫描日志 V1.99.1
保存于      9:25:44, 日期 2005-10-26
操作系统：  Windows XP SP1 (WinNT 5.01.2600)
浏览器：    Unable to get Internet Explorer version!

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\RISING\RAV\Ravmond.exe
D:\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\RISING\RAV\RAVTIMER.EXE
D:\RISING\RAV\RAVMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\RISING\RAV\CCENTER.EXE
E:\System Volume Information\logonui.exe
D:\游戏\软件更新\HijackThis_815汉化版\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v5.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\3721\Assist\Angling.dll (file missing)
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - d:\Tencent\QQ\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [IgfxTray] rem C:\WINDOWS\System32\igfxtray.exe
O4 - 启动项HKLM\\Run: [HotKeysCmds] rem C:\WINDOWS\System32\hkcmd.exe
O4 - 启动项HKLM\\Run: [SoundMan] rem ; SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [NvCplDaemon] rem ; RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] rem ; nwiz.exe /install
O4 - 启动项HKLM\\Run: [DAEMON Tools-1033] rem ; "D:\D-Tools\daemon.exe"  -lang 1033
O4 - 启动项HKLM\\Run: [RavTimer] D:\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] D:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - 启动项HKLM\\Run: [yassistse] rem "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] rem ; RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] rem ; "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - D:\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - D:\Thunder Network\Thunder\getAllurl.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\Tencent\QQ\SendMMS.htm
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - 浏览器额外的按钮: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - E:\HFGAMES\HFGame3\GameClient.exe
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://cn.download.zs.yahoo.com/partner/kavwebscan_unicode.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A} (Kingsoft DUBA OnlineScan) - http://zs.kingsoft.com/duba/OCX/KAVClean.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD716A51-3C1C-48AB-B477-DC3C8B33E30B}: NameServer = 220.189.127.108 220.189.127.107
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe