瑞星卡卡安全论坛

C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
d:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\联想个人数据专家及远程协助\个人数据专家\MntDsk.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Chinanet\VnetClient.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\QQexternal.exe
C:\WINNT\system32\crss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
F:\HijackThis1991汉化版\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v5.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O3 - IE工具栏增项: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - IE工具栏增项: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O4 - 启动项HKLM\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - 启动项HKLM\\Run: [mntdsk] C:\Program Files\联想个人数据专家及远程协助\个人数据专家\MntDsk.exe
O4 - 启动项HKLM\\Run: [SecuwayClient2000 Manager] C:\PROGRA~1\FOUND\SECUWA~1\SECUWA~1.EXE
O4 - 启动项HKLM\\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [迅雷4] C:\Program Files\Sandai Technologies Inc\Thunder\MediaIssue\TDUpdate.exe
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\Ctfmon.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Sandai Technologies Inc\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Sandai Technologies Inc\Thunder\getAllurl.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (BlueskyVideo Control) - http://images.5460.net/otherSiteImages/chat/software/v2_60.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {4C808628-A940-11D6-97A1-0010C60C4C5C} - file://D:\nsxt\publish\webns.CAB
O16 - DPF: {7A38130D-BEB7-4D60-BE7A-4C4AB6A85CD1} - http://bar.souhuu.com/vcbar1.cab
O16 - DPF: {88734439-46D0-42C0-A13F-7E881EE550CF} (Filetran Control) - http://www.bluesky.cn/download/filetran.cab
O16 - DPF: {991481A7-4669-4E15-8C24-100404E1F5CB} (Blueskyvoice Control) - http://images.5460.net/otherSiteImages/chat/software/blueskyvoice_60.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} - http://client.jogo.cn/download/cnnic/cdn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/QQ/QQkill/rsonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ECE0492-B3AA-4A8C-A6C0-3E9B56763B31}: NameServer = 61.187.98.3 202.103.96.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{91E9D37A-789F-4470-8705-82C8B20DD754}: NameServer = 61.187.98.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{3ECE0492-B3AA-4A8C-A6C0-3E9B56763B31}: NameServer = 61.187.98.3 202.103.96.68
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

【回复“再也不喝了”的帖子】
C:\WINNT\system32\crss.exe

木马。
如果杀不掉，请打包，发到我的邮箱（见签名档）。

发了，我先在安全模式下把他删了啊。不杀感觉速度好慢

该用户帖子内容已被屏蔽

好了，发了，忘记看有CN了

【回复“wangjm”的帖子】
是有点像，可惜不是的。老要改我的注册表，我拒绝了

帖子要沉了，快帮下我啊。我在等回信

引用:

【再也不喝了的贴子】帖子要沉了，快帮下我啊。我在等回信 ...........................

是个新的后门。卡巴斯基今天上午（2005－10－27 10：00）的病毒库不报毒。

查杀方法：

1、结束病毒进程crss.exe，删除SYSTEM32下的病毒文件crss.exe。
2、清理注册表：
展开：HKEY_CURRENT_USER\Software\Microsoft\OLE
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
删除："Microsoft CRSS"="crss.exe"

展开：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
删除："Microsoft CRSS"="crss.exe"

按方法做了后，重起还有这个东西，只要开了SSM阻止他了