Rising Kaka Security Forum (瑞星卡卡安全论坛)

How to detect and remove backdoor.sdbot.ve
lostcatwl - 2005-11-20 21:30:00
Rising keeps reporting that backdoor.sdbot.ve has been deleted,
and 木马克星 (Iparmor) reports a new file being created: C:\WINDOWS\eraseme_xxxxx.exe.
Could an expert please advise how to clean this up?
山田邪子 - 2005-11-20 21:33:00
Run a HijackThis scan and post the log.
神无 - 2005-11-20 21:33:00
http://forum.ikaka.com/topic.asp?board=28&artid=6979213 Use the scanning tool attached to the first post there, scan, and post the log so we can take a look.
lostcatwl - 2005-11-20 21:35:00
Logfile of HijackThis v1.99.1
Scan saved at 21:34:23, on 2005-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\绿鹰PC万能精灵\adam.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Iparmor\Iparmor.exe
C:\Program Files\Tencent\QQ2005\TIMPlatform.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Thunder Network\Thunder\Thunder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Tencent\QQ2005\QQ.exe
D:\pp\248783200522382732\HijackThis.exe

R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\QQ2005\QQIEHelper.dll (file missing)
O4 - HKLM\..\Run: [] ;
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Super Rabbit SRRestore] D:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave
O4 - HKLM\..\Run: [iparmor] D:\Program Files\Iparmor\Iparmor.exe mini
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ2005\QQ.exe
O4 - Global Startup: 绿鹰PC万能精灵.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ2005\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ2005\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ2005\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ2005\SendMMS.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2C8744-0668-4DB1-B8CF-F023DDC51048}: NameServer = 202.97.224.69 202.97.227.138
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe

lostcatwl - 2005-11-20 21:38:00
新建文件: C:\WINDOWS\eraseme_36366.exe  2005-11-20 21:01:46
C:\WINDOWS\eraseme_36366.exe 怀疑为灰鸽子木马.
扫描了 24个进程,
扫描结束.
没有发现木马,系统安全!

\\221.210.232.156\Admin$\eraseme_36366.exe 程序设置为系统服务
扫描了 24个进程,
扫描结束.
没有发现木马,系统安全!
神无 - 2005-11-20 21:41:00
Clear the IE temporary files folder.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Fix these two items.
神无 - 2005-11-20 21:43:00
Zip up the file C:\WINDOWS\eraseme_36366.exe and send it to the moderator's mailbox, baohelin@yahoo.com.cn.
lostcatwl - 2005-11-20 21:43:00
And there is an accompanying symptom:
whenever I send a screenshot in QQ, it disconnects...
xjlwj - 2005-11-20 21:44:00
I can only get online after turning off the firewall. What should I do?
lostcatwl - 2005-11-20 21:45:00
Fixed them... deleted those two items.
Hoping it doesn't come back.
神无 - 2005-11-20 21:45:00
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present. Look at this item: IE has been restricted by policy. It may be related.
lostcatwl - 2005-11-20 21:46:00
Quote:
[神无's post] Zip up the file C:\WINDOWS\eraseme_36366.exe and send it to the moderator's mailbox, baohelin@yahoo.com.cn.
...........................

I can't find this file... please tell me how to find it.
lostcatwl - 2005-11-20 21:48:00
The most annoying thing is that I can't send screenshots in QQ;
as soon as I send one, it disconnects.
神无 - 2005-11-20 21:49:00
Show system and hidden files.

Attachment: 52209820051120214921.bmp
lostcatwl - 2005-11-20 21:52:00
Did as above... still can't see it.
lostcatwl - 2005-11-20 21:54:00


lostcatwl - 2005-11-20 21:57:00


山田邪子 - 2005-11-20 21:57:00
Quote:
[lostcatwl's post] Did as above... still can't see it.
...........................

It has already been deleted by Rising, so of course you can't find it. Heh.
lostcatwl - 2005-11-20 21:58:00
But it keeps reporting the creation of files like eraseme_36366.exe,
and now QQ disconnects whenever I send a screenshot.
山田邪子 - 2005-11-20 22:07:00
[Reply to lostcatwl's post]
This startup item is suspicious: O4 - HKLM\..\Run: [] ;

Once run, this virus copies itself into the %system% directory and adds its own value under the registry Run key so that it starts with the system.
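As an added example (not from this thread or from any of the tools it mentions), here is a small Python triage script that applies the checks the replies above point at to a HijackThis log: a Run value with an empty name, a Run value or other entry launching an eraseme_*.exe file, the O6 IE policy restrictions, a populated AppInit_DLLs entry, and entries whose target file is missing. It runs over a constructed sample modelled on lines from the posted log; the Run value that launches eraseme_36366.exe is a constructed line standing in for the behaviour described (copy to %system%, add a Run value), not a line from the posted log.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis log posted in this thread.
# The "[svc]" Run value is constructed to illustrate the described behaviour;
# it does not appear in the original log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O4 - HKLM\..\Run: [] ;
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [svc] C:\WINDOWS\eraseme_36366.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
"""

Finding = Tuple[str, str]  # (reason, raw log line)

# File-name pattern reported by the anti-trojan tool in this thread.
ERASEME_RE = re.compile(r"\\eraseme_\d+\.exe\b", re.IGNORECASE)
# O4 lines look like:  O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return the log lines a first-pass reviewer should look at, with a reason each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m:
            # A Run value with no name is not something legitimate installers write.
            if m.group("name") == "":
                findings.append(("O4 Run value with empty name", line))
            # A Run value that launches the dropped file is the persistence the reply describes.
            if ERASEME_RE.search(m.group("cmd")):
                findings.append(("O4 Run value launches eraseme_*.exe", line))
            continue

        if line.startswith("O6 - ") and line.endswith(" present"):
            # Policy keys that restrict IE are often set by malware to hinder cleanup.
            findings.append(("IE policy restriction present", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Anything listed here is loaded into every user-mode GUI process; verify the DLL.
            if line.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs is populated; verify the DLL", line))
        elif "(no file)" in line or "(file missing)" in line:
            # Dangling entries are either leftovers or a deleted dropper's hook; both are cleanup items.
            findings.append(("Entry references a missing file", line))
        elif ERASEME_RE.search(line):
            findings.append(("eraseme_*.exe referenced outside a Run value", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run it against a saved log by passing the file's contents to triage_hijackthis; entries it does not flag (the Rising and ATI items above, for instance) are the known-good lines a reviewer skips, and the flagged O4 line with the empty name is exactly the one called out in the reply.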
lostcatwl - 2005-11-21 15:01:00
Logfile of HijackThis v1.99.1
Scan saved at 15:01:16, on 2005-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Iparmor\Iparmor.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\绿鹰PC万能精灵\adam.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\system32\conime.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Iparmor\Iparmor.exe
C:\Program Files\Tencent\QQ2005\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Tencent\QQ2005\TIMPlatform.exe
d:\Program Files\Thunder Network\Thunder\Thunder.exe
d:\Program Files\rising\Rav\RavTimer.exe
d:\Program Files\rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
D:\pp\248783200522382732\HijackThis.exe

R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\QQ2005\QQIEHelper.dll (file missing)
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Super Rabbit SRRestore] D:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave
O4 - HKLM\..\Run: [iparmor] D:\Program Files\Iparmor\Iparmor.exe mini
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ2005\QQ.exe
O4 - Global Startup: 绿鹰PC万能精灵.lnk = ?
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ2005\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ2005\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ2005\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ2005\SendMMS.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2C8744-0668-4DB1-B8CF-F023DDC51048}: NameServer = 202.97.224.69 202.97.227.138
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe

lostcatwl - 2005-11-21 20:29:00
Posting again...
Logfile of HijackThis v1.99.1
Scan saved at 20:24:38, on 2005-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Iparmor\Iparmor.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\绿鹰PC万能精灵\adam.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\system32\conime.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Iparmor\Iparmor.exe
d:\Program Files\rising\Rav\RavTimer.exe
D:\Program Files\Kingsoft\KnightV\KnightV.exe
C:\Program Files\Tencent\QQ2005\TIMPlatform.exe
C:\Program Files\Tencent\QQ2005\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\pp\248783200522382732\HijackThis.exe

R3 - URLSearchHook: (no name) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - (no file)
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\QQ2005\QQIEHelper.dll (file missing)
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Super Rabbit SRRestore] D:\Program Files\Super Rabbit\MagicSet\srrest.exe /autosave
O4 - HKLM\..\Run: [iparmor] D:\Program Files\Iparmor\Iparmor.exe mini
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ2005\QQ.exe
O4 - Global Startup: 绿鹰PC万能精灵.lnk = ?
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ2005\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ2005\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ2005\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ2005\SendMMS.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\WINDOWS\system32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2C8744-0668-4DB1-B8CF-F023DDC51048}: NameServer = 202.97.224.69 202.97.227.138
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: APIHookDll.dll
神无, the problem is still there...

新建文件: C:\WINDOWS\eraseme_60373.exe  2005-11-21 19:53:10
C:\WINDOWS\eraseme_60373.exe 怀疑为灰鸽子木马.
扫描了 25个进程,
扫描结束.
没有发现木马,系统安全!

lostcatwl - 2005-12-1 18:11:00
Sigh... has nobody got a solution?