pwbin - 2005-10-30 15:06:00
File name: G_ServerKey.DLL
File path: C:\WINDOWS
Virus name: Backdoor.Gpigeon.spm
I wanted to submit the suspicious file for analysis, but my computer skills aren't good enough and I don't know how to upload it. Asking the moderators for help!
asb - 2005-10-30 15:10:00
Version 17.50.42 can already detect this virus as Backdoor.Gpigeon.sxx; the one I got is Backdoor.GPigeon.syf.
sandyzam - 2005-10-30 15:11:00
Go read baohe's post!!!
http://forum.ikaka.com/topic.asp?board=28&artid=5666824
命运里の金色 - 2005-10-30 15:12:00
It's just the Pigeon backdoor: http://forum.ikaka.com/topic.asp?board=28&artid=6202404
asb - 2005-10-30 15:20:00
These articles don't seem to apply to this variant.
命运里の金色 - 2005-10-30 15:30:00
Scan with HijackThis and post the log here.
asb - 2005-10-30 15:35:00
Logfile of HijackThis v1.99.1
Scan saved at 14:58:39, on 2005-10-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\program files\rising\rfw\RfwMain.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\RISING\RAV\Rav.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v5.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130554272296
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
My system is XP + SP2.
命运里の金色 - 2005-10-30 15:41:00
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
The Pigeon should be this one. If you're going to delete it, delete it cleanly: Start -> Run, type regedit to open the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services branch, and delete the virus's service name, MySQL, in the left pane.
I'd also like to know: what path is the Pigeon currently being reported at?
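Before deleting a service on the strength of a "(file missing)" line, it is worth triaging the HijackThis log itself. The script below is an added example written for this thread, not code from the thread or from HijackThis: it parses the `Running processes` paths and the `O23` service lines, and for every service whose binary is reported missing it checks whether the path looks like an unquoted ImagePath cut off at its first space. HijackThis renders an unquoted service path such as `C:\Program Files\...` as `C:\Program.exe (file missing)`, and the log posted above does show `mysqld-nt.exe` running from `C:\Program Files\MySQL\MySQL Server 5.0\bin`, which is exactly the pattern a legitimate but unquoted MySQL service produces. The sample lines are copied from the log in this thread; the verdict labels (`unquoted-path`, `unquoted-path?`, `missing-binary`) are this example's own naming.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
"""

# O23 lines have the shape: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# A running-process line is just an absolute Windows path.
PROC_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hijackthis(text):
    """Return (running_process_paths, services) from a HijackThis log."""
    procs, services = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = O23_RE.match(line)
        if m:
            services.append({
                "name": m.group("name"),
                "owner": m.group("owner"),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
        elif PROC_RE.match(line):
            procs.append(line)
    return procs, services


def triage_services(procs, services):
    """Classify every '(file missing)' service.

    Returns {service_name: (verdict, evidence)} where verdict is one of
      unquoted-path   - a running process continues the truncated path and
                        contains the service name (e.g. C:\Program Files\MySQL\...)
      unquoted-path?  - a running process continues the truncated path but
                        does not mention the service name
      missing-binary  - nothing running matches; inspect the ImagePath value
                        under HKLM\SYSTEM\CurrentControlSet\Services manually
    """
    findings = {}
    for svc in services:
        if not svc["missing"]:
            continue
        path = svc["path"]
        # "C:\Program.exe" -> stem "C:\Program"; HijackThis appends ".exe"
        # to the first space-delimited token of an unquoted ImagePath.
        stem = path[:-4] if path.lower().endswith(".exe") else path
        candidates = [p for p in procs if p.lower().startswith(stem.lower() + " ")]
        named = [p for p in candidates if svc["name"].lower() in p.lower()]
        if named:
            findings[svc["name"]] = ("unquoted-path", named[0])
        elif candidates:
            findings[svc["name"]] = ("unquoted-path?", candidates[0])
        else:
            findings[svc["name"]] = ("missing-binary", path)
    return findings


if __name__ == "__main__":
    procs, services = parse_hijackthis(SAMPLE_LOG)
    for name, (verdict, evidence) in triage_services(procs, services).items():
        print(f"{name}: {verdict} -> {evidence}")
```

Run against the full log rather than the excerpt and every `(file missing)` service gets a verdict; `missing-binary` is the only one that justifies opening the Services key, and even then the ImagePath value should be read before the key is deleted.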
asb - 2005-10-30 15:56:00
I had the MySQL database installed. It's been deleted now, thanks!
命运里の金色 - 2005-10-30 16:09:00
[Replying to asb's post] Please, could you post the antivirus report so we can take a look? Otherwise it's hard to tell, because the Pigeon is very good at disguising its name.
asb - 2005-10-30 16:16:00
| 处理结果 | 发现日期 | 扫描方式 | 路径 | 文件 | 病毒来源 |
|---|---|---|---|---|---|
| 发现病毒 | 05-10-30 13:48 | 实时监控 | C:\Documents and Settings\yuanxq\Local Settings\Temporary Internet Files\Content.IE5\2LLAN69S | real%E9%9F%B3%E9%A2%91%E6%8F%92%E4%BB%B6[1].exe | 本机 |
| 发现病毒 | 05-10-30 13:48 | 实时监控 | C:\Documents and Settings\yuanxq\Local Settings\Temporary Internet Files\Content.IE5\2LLAN69S | real%E9%9F%B3%E9%A2%91%E6%8F%92%E4%BB%B6[1].exe | 本机 |
| 发现病毒 | 05-10-30 13:50 | 实时监控 | C:\Documents and Settings\yuanxq\Local Settings\Temporary Internet Files\Content.IE5\2LLAN69S | real%E9%9F%B3%E9%A2%91%E6%8F%92%E4%BB%B6[1].exe | 本机 |
I've already deleted everything in that directory.
命运里の金色 - 2005-10-30 17:26:00
Quote: [asb's post] (the antivirus report quoted in full above) ... I've already deleted everything in that directory.
This is simple to clean up; see the picture.
Attachment:
41475820051030172628.jpg
© 2000 - 2026 Rising Corp. Ltd.