瑞星卡卡安全论坛 (Rising Kaka Security Forum)
tuguo - 2005-11-28 13:57:00
Hello!
Please help me analyze this, many thanks!!
Every time my computer starts, Rising Personal Firewall reports: Trojan found, deleted successfully
Explorer.EXE>>C:\WINDOWS\Explorer.EXE ->Worm.Mail.Fanbot
Here is the system scan:
Logfile of HijackThis v1.99.1
Scan saved at 18:33:51, on 2005-11-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\Program Files\ftc\Trojanwall.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\conime.exe
D:\Program Files\TT\TTraveler.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\Rar$EX95.854\HijackThis.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - d:\BitComet\BitCometBar\BitCometBar0.1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [Windows木马防火墙] C:\Program Files\ftc\Trojanwall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\qq\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\qq\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\qq\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O15 - Trusted Zone: http://www.icbc.com.cn
O16 - DPF: {2761225D-F0F2-44E8-A2C9-476FB6A3316A} (TRadio Control) - http://dl_dir.qq.com/qqtools/trsetup.exe
O16 - DPF: {276BF72D-CA22-4237-9BCF-593B4E490DE9} (DownLoad Class) - http://img.china.alibaba.com/club/upload/cy2101/onlinesetupimg/atdownload.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2633648bdc6d24a94b05/netzip/RdxIE601_cn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132878269086
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (CPasswordEditCtrl Object) - https://www.tenpay.com/download/qqedit.cab
O16 - DPF: {EF6205C1-3F17-4829-BCB5-1336ED89E356} - http://club.jiangmin.com/kvscan/KvDown.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F125A2DC-185E-4587-AED7-585D12AF598B}: NameServer = 202.101.224.69 202.101.226.68
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
tuguo - 2005-11-29 8:26:00
Could some expert help me analyze this???
Thanks in advance!
miswf - 2005-11-29 9:03:00
I don't see anything suspicious.
miswf - 2005-11-29 9:04:00
Please have a moderator take a look.
tuguo - 2005-11-30 10:16:00
It's urgent, experts please help!
BlackStone - 2005-11-30 10:28:00
The log doesn't show a problem.
Save a log with Autoruns and post it here.
To save the log: choose the File->Save menu item.
When saving, make sure the Options->Hide Microsoft Entries menu item is selected (after setting it, click the refresh button on the toolbar).
For downloading and using the tool, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038, post #14.
tuguo - 2005-12-1 13:51:00
Reply to the friend at post #5: (thank you)
Entry | Description | Publisher | Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ BigDogPath | Still Image (STI) Driver | VM. | c:\windows\vm_sti.exe
+ MSPY2002 | | | c:\windows\system32\ime\pintlgnt\imscinst.exe
+ RavMon | RavMon Rising realtime monitor | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmon.exe
+ RavTimer | RavTimer | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravtimer.exe
+ RfwMain | Rising Personal FireWall Main Program | Beijing Rising Technology Corporation Limited | c:\program files\rising\rfw\rfwmain.exe
+ WinampAgent | File not found: C:\Program Files\Winamp3\\winampa.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ SystemSafetyMonitor | Master Module | System Safety | d:\program files\system safety monitor\syssafe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Auto Update Property Sheet Extension | File not found: C:\WINDOWS\System32\wuaucpl.cpl
+ Display Panning CPL Extension | File not found: deskpan.dll
+ HyperTerminal Icon Ext | HyperTerminal Applet Library | Hilgraeve, Inc. | c:\windows\system32\hticons.dll
+ RISING | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
+ WinRAR shell extension | | | c:\program files\winrar\rarext.dll
+ 用户(&P)... | File not found: CLSID\{32714800-2E5F-11d0-8B85-00AA0044F941}\InprocServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web 文件夹 | | | c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ IeCatch2 Class | jccatch Module | Amaze Soft | d:\program files\flashget\jccatch.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar | FlashGet IE Bar | Amaze Soft | d:\program files\flashget\fgiebar.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ &FlashGet | FlashGet | Amaze Soft | d:\program files\flashget\flashget.exe
+ @shdoclc.dll,-864 | | | c:\windows\web\related.htm
+ Yahoo! Messenger | | | c:\program files\yahoo!\messenger\ypager.exe
+ 腾讯QQ | QQ | TENCENT | d:\program files\qq\qq.exe
Task Scheduler
+ DDD_Install_Program.job | File not found: C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\remotesetup.exe
HKLM\System\CurrentControlSet\Services
+ RfwService | Rising Personal Firewall Service | Beijing Rising Technology Corporation Limited | c:\program files\rising\rfw\rfwsrv.exe
+ RsCCenter | CCenter | rising | c:\program files\rising\rav\ccenter.exe
+ RsRavMon | RavMon | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmond.exe
HKLM\System\CurrentControlSet\Services
+ ac97intc | Intel(r) Integrated Controller Hub Audio Driver | Intel Corporation | c:\windows\system32\drivers\ac97intc.sys
+ ati2mtaa | ATI RAGE 128 Miniport Driver | ATI Technologies Inc. | c:\windows\system32\drivers\ati2mtaa.sys
+ BaseTDI | basetdi | Rising | c:\windows\system32\drivers\basetdi.sys
+ ExpScaner | ExpScan.sys | | c:\program files\rising\rav\expscan.sys
+ FETNDIS | NDIS 5.0 miniport driver | VIA Technologies, Inc. | c:\windows\system32\drivers\fetnd5a.sys
+ GMSIPCI | File not found: G:\INSTALL\GMSIPCI.SYS
+ HookCont | TDI HOOK Driver | Rising tech Co. ltd | c:\program files\rising\rav\hookcont.sys
+ HookReg | | | c:\program files\rising\rav\hookreg.sys
+ HookSys | 瑞星 | | c:\program files\rising\rav\hooksys.sys
+ kmsinput | | | c:\windows\system32\drivers\kmsinput.sys
+ npkcrypt | nProtect KeyCrypt Driver | INCA Internet Co., Ltd. | d:\program files\qq\npkcrypt.sys
+ npkycryp | File not found: D:\Program Files\qq\npkycryp.sys
+ nv | NVIDIA Compatible Windows 2000 Miniport Driver, Version 29.58 | NVIDIA Corporation | c:\windows\system32\drivers\nv4_mini.sys
+ Ptilink | Direct Parallel Link Driver | Parallel Technologies, Inc. | c:\windows\system32\drivers\ptilink.sys
+ RsFwDrv | nt_fwdrv | Rising | c:\program files\rising\rfw\rsfwdrv.sys
+ rtl8029 | File not found: System32\DRIVERS\RTL8029.SYS
+ rtl8139 | NDIS 5.0 driver | Realtek Semiconductor Corporation | c:\windows\system32\drivers\rtl8139.sys
+ S3Psddr | S3 ProSavage(DDR) & Twister Miniport Driver | S3 Graphics, Inc. | c:\windows\system32\drivers\s3gnbm.sys
+ safemon | System Safety Monitor 2.0 extension for Windows security layer | System Safety | c:\windows\system32\drivers\safemon.sys
+ Secdrv | SafeDisc driver | | c:\windows\system32\drivers\secdrv.sys
+ SetupNT | | | c:\windows\system32\setupnt.sys
+ STAC97 | VIA VT82C686A Audio Driver (WDM) | SigmaTel, Inc. | c:\windows\system32\drivers\stac97.sys
+ viaagp1 | VIA NT AGP Filter | VIA Technologies, Inc. | c:\windows\system32\drivers\viaagp1.sys
+ VIAudio | VIA AC'97 Enhanced Audio WDM Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\viaudio.sys
+ vulfnths | VIA USB Host Controller Lower Filter Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\vulfnth.sys
+ vulfntrs | VIA USB Roothub Lower Filter Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\vulfntr.sys
+ ZSMC301b | Video streaming and Capture Device Driver | VM | c:\windows\system32\drivers\usbvm31b.sys
BlackStone - 2005-12-1 14:04:00
+ SetupNT | | | c:\windows\system32\setupnt.sys
Delete this startup entry.
Reboot.
Delete c:\windows\system32\setupnt.sys.
Also try deleting the startup entries marked File not found.
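The triage BlackStone does by eye above (pick out the "File not found" entries, and the one driver that carries no description and no publisher, setupnt.sys) can be scripted against the Autoruns text export. The following is an added example, not code from this thread or from Sysinternals. It assumes the File->Save export is tab-separated (Entry, Description, Publisher, Image Path) under a plain location header line, which the posted log lost to extraction; `SAMPLE_LOG` is constructed from entries in the thread with those tabs put back, and `AutorunEntry`, `parse_autoruns` and `triage` are names chosen here.

```python
"""Triage an Autoruns text export: list entries Autoruns marked
"File not found" (orphaned startup items) and entries whose image is
present but carries neither a description nor a publisher.

Added example, not code from the thread or from Sysinternals. Assumes
the export is tab-separated (Entry, Description, Publisher, Image Path)
under a plain location header line.
"""
from dataclasses import dataclass
from typing import Dict, List

MISSING_PREFIX = "File not found:"


@dataclass
class AutorunEntry:
    location: str      # registry key or "Task Scheduler" the entry lives under
    name: str          # value name, CLSID name, job name, ...
    description: str   # from the image's version resource ('' if none)
    publisher: str     # company name from the version resource ('' if none)
    path: str          # image path as Autoruns resolved it
    missing: bool      # True when Autoruns could not find the image


# Constructed sample: a subset of the OP's Autoruns log, tabs restored (assumption).
SAMPLE_LOG = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "+ BigDogPath\tStill Image (STI) Driver\tVM.\tc:\\windows\\vm_sti.exe\n"
    "+ WinampAgent\tFile not found: C:\\Program Files\\Winamp3\\\\winampa.exe\n"
    "Task Scheduler\n"
    "+ DDD_Install_Program.job\tFile not found: "
    "C:\\DOCUME~1\\BLUEWA~1\\LOCALS~1\\Temp\\remotesetup.exe\n"
    "HKLM\\System\\CurrentControlSet\\Services\n"
    "+ HookSys\t瑞星\tc:\\program files\\rising\\rav\\hooksys.sys\n"
    "+ SetupNT\tc:\\windows\\system32\\setupnt.sys\n"
    "+ npkcrypt\tnProtect KeyCrypt Driver\tINCA Internet Co., Ltd.\t"
    "d:\\program files\\qq\\npkcrypt.sys\n"
)


def parse_autoruns(text: str) -> List[AutorunEntry]:
    """Parse the export; any line not starting with '+ ' is a location header."""
    entries: List[AutorunEntry] = []
    location = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line
            continue
        fields = [f.strip() for f in line[2:].split("\t")]
        name = fields[0]
        path = fields[-1] if len(fields) > 1 else ""
        middle = fields[1:-1]  # description, then publisher, when present
        missing = path.startswith(MISSING_PREFIX)
        if missing:
            path = path[len(MISSING_PREFIX):].strip()
        entries.append(AutorunEntry(
            location=location,
            name=name,
            description=middle[0] if middle else "",
            publisher=middle[1] if len(middle) > 1 else "",
            path=path,
            missing=missing,
        ))
    return entries


def triage(entries: List[AutorunEntry]) -> Dict[str, List[AutorunEntry]]:
    """'missing': image is gone, the entry is a dead reference.
    'unattributed': image exists but has no version information at all;
    these are the entries a reviewer looks at first (setupnt.sys in the thread)."""
    return {
        "missing": [e for e in entries if e.missing],
        "unattributed": [e for e in entries
                         if not e.missing and not e.description and not e.publisher],
    }


def report(entries: List[AutorunEntry]) -> str:
    """Plain-text summary of both buckets."""
    lines = []
    for label, bucket in triage(entries).items():
        lines.append(f"{label}: {len(bucket)}")
        for e in bucket:
            lines.append(f"  {e.name:<28} {e.path}   [{e.location}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_autoruns(SAMPLE_LOG)))
```

Run as a script it prints both buckets. A "File not found" entry only clutters the list and can be cleared, while an image that exists but has no description or publisher is where the reviewer starts, which is exactly the order BlackStone's reply follows.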
tuguo - 2005-12-1 14:42:00
Hello! Thank you!
I tried it, but it still doesn't work!
tuguo - 2005-12-1 14:45:00
I rescanned; here is the result:
Entry | Description | Publisher | Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ BigDogPath | Still Image (STI) Driver | VM. | c:\windows\vm_sti.exe
+ MSPY2002 | | | c:\windows\system32\ime\pintlgnt\imscinst.exe
+ RavMon | RavMon Rising realtime monitor | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmon.exe
+ RavTimer | RavTimer | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravtimer.exe
+ RfwMain | Rising Personal FireWall Main Program | Beijing Rising Technology Corporation Limited | c:\program files\rising\rfw\rfwmain.exe
+ WinampAgent | File not found: C:\Program Files\Winamp3\\winampa.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ SystemSafetyMonitor | Master Module | System Safety | d:\program files\system safety monitor\syssafe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ HyperTerminal Icon Ext | HyperTerminal Applet Library | Hilgraeve, Inc. | c:\windows\system32\hticons.dll
+ RISING | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
+ WinRAR shell extension | | | c:\program files\winrar\rarext.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web 文件夹 | | | c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ IeCatch2 Class | jccatch Module | Amaze Soft | d:\program files\flashget\jccatch.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar | FlashGet IE Bar | Amaze Soft | d:\program files\flashget\fgiebar.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ &FlashGet | FlashGet | Amaze Soft | d:\program files\flashget\flashget.exe
+ @shdoclc.dll,-864 | | | c:\windows\web\related.htm
+ Yahoo! Messenger | | | c:\program files\yahoo!\messenger\ypager.exe
+ 腾讯QQ | QQ | TENCENT | d:\program files\qq\qq.exe
Task Scheduler
+ DDD_Install_Program.job | File not found: C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\remotesetup.exe
HKLM\System\CurrentControlSet\Services
+ RfwService | Rising Personal Firewall Service | Beijing Rising Technology Corporation Limited | c:\program files\rising\rfw\rfwsrv.exe
+ RsCCenter | CCenter | rising | c:\program files\rising\rav\ccenter.exe
+ RsRavMon | RavMon | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmond.exe
HKLM\System\CurrentControlSet\Services
+ ac97intc | Intel(r) Integrated Controller Hub Audio Driver | Intel Corporation | c:\windows\system32\drivers\ac97intc.sys
+ ati2mtaa | ATI RAGE 128 Miniport Driver | ATI Technologies Inc. | c:\windows\system32\drivers\ati2mtaa.sys
+ BaseTDI | basetdi | Rising | c:\windows\system32\drivers\basetdi.sys
+ ExpScaner | ExpScan.sys | | c:\program files\rising\rav\expscan.sys
+ FETNDIS | NDIS 5.0 miniport driver | VIA Technologies, Inc. | c:\windows\system32\drivers\fetnd5a.sys
+ HookCont | TDI HOOK Driver | Rising tech Co. ltd | c:\program files\rising\rav\hookcont.sys
+ HookReg | | | c:\program files\rising\rav\hookreg.sys
+ HookSys | 瑞星 | | c:\program files\rising\rav\hooksys.sys
+ kmsinput | | | c:\windows\system32\drivers\kmsinput.sys
+ npkcrypt | nProtect KeyCrypt Driver | INCA Internet Co., Ltd. | d:\program files\qq\npkcrypt.sys
+ nv | NVIDIA Compatible Windows 2000 Miniport Driver, Version 29.58 | NVIDIA Corporation | c:\windows\system32\drivers\nv4_mini.sys
+ Ptilink | Direct Parallel Link Driver | Parallel Technologies, Inc. | c:\windows\system32\drivers\ptilink.sys
+ RsFwDrv | nt_fwdrv | Rising | c:\program files\rising\rfw\rsfwdrv.sys
+ rtl8139 | NDIS 5.0 driver | Realtek Semiconductor Corporation | c:\windows\system32\drivers\rtl8139.sys
+ S3Psddr | S3 ProSavage(DDR) & Twister Miniport Driver | S3 Graphics, Inc. | c:\windows\system32\drivers\s3gnbm.sys
+ safemon | System Safety Monitor 2.0 extension for Windows security layer | System Safety | c:\windows\system32\drivers\safemon.sys
+ Secdrv | SafeDisc driver | | c:\windows\system32\drivers\secdrv.sys
+ STAC97 | VIA VT82C686A Audio Driver (WDM) | SigmaTel, Inc. | c:\windows\system32\drivers\stac97.sys
+ viaagp1 | VIA NT AGP Filter | VIA Technologies, Inc. | c:\windows\system32\drivers\viaagp1.sys
+ VIAudio | VIA AC'97 Enhanced Audio WDM Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\viaudio.sys
+ vulfnths | VIA USB Host Controller Lower Filter Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\vulfnth.sys
+ vulfntrs | VIA USB Roothub Lower Filter Driver | VIA Technologies, Inc. | c:\windows\system32\drivers\vulfntr.sys
+ ZSMC301b | Video streaming and Capture Device Driver | VM | c:\windows\system32\drivers\usbvm31b.sys
BlackStone - 2005-12-1 14:52:00
Nothing shows in the log.
Turn off the Rising firewall and see whether the antivirus monitor still reports a virus.
tuguo - 2005-12-1 15:15:00
Hello! Thank you!
I set the Rising firewall to not start automatically.
Rebooted the computer;
The monitor does not report anything, but a Rising antivirus scan reports: virus found, deleted successfully
Explorer.EXE>>C:\WINDOWS\Explorer.EXE ->Worm.Mail.Fanbot
BlackStone - 2005-12-1 15:30:00
Save a procexp log and post it here.
For downloading and using the tool, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038
tuguo - 2005-12-1 15:38:00
Hello! Thank you!
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 48.44 | |
Interrupts | n/a | 1.56 | Hardware Interrupts |
DPCs | n/a | 0.78 | Deferred Procedure Calls |
System | 4 | 0.78 | |
SMSS.EXE | 584 | | Windows NT Session Manager | Microsoft Corporation
CSRSS.EXE | 652 | 3.13 | Client Server Runtime Process | Microsoft Corporation
WINLOGON.EXE | 676 | | Windows NT Logon Application | Microsoft Corporation
SERVICES.EXE | 728 | 10.94 | Services and Controller app | Microsoft Corporation
SVCHOST.EXE | 900 | | Generic Host Process for Win32 Services | Microsoft Corporation
SVCHOST.EXE | 996 | | Generic Host Process for Win32 Services | Microsoft Corporation
SVCHOST.EXE | 1116 | | Generic Host Process for Win32 Services | Microsoft Corporation
SVCHOST.EXE | 1132 | | Generic Host Process for Win32 Services | Microsoft Corporation
RavMonD.exe | 1152 | 3.13 | RavMon | Beijing Rising Technology Co., Ltd.
RavStub.exe | 1280 | | Rising Rav Stub | Beijing Rising Technology Co., Ltd.
SPOOLSV.EXE | 1492 | | Spooler SubSystem App | Microsoft Corporation
alg.exe | 912 | | Application Layer Gateway Service | Microsoft Corporation
SVCHOST.EXE | 1020 | | Generic Host Process for Win32 Services | Microsoft Corporation
LSASS.EXE | 740 | | LSA Shell (Export Version) | Microsoft Corporation
EXPLORER.EXE | 1704 | 3.91 | Windows Explorer | Microsoft Corporation
VM_STI.EXE | 208 | | Still Image (STI) Driver | VM.
RavTimer.exe | 224 | | RavTimer | Beijing Rising Technology Co., Ltd.
RavMon.exe | 232 | | RavMon Rising realtime monitor | Beijing Rising Technology Co., Ltd.
Trojanwall.exe | 240 | 1.56 | Windows木马清道夫-木马防火墙 | 风云谷
CTFMON.EXE | 248 | | CTF Loader | Microsoft Corporation
TTraveler.exe | 1696 | 4.69 | Tencent Traveler | 腾讯公司
conime.exe | 1220 | | Console IME | Microsoft Corporation
WinRAR.exe | 1656 | | |
procexp.exe | 1300 | 1.56 | Sysinternals Process Explorer | Sysinternals
procexp.exe | 1408 | 19.53 | Sysinternals Process Explorer | Sysinternals
Process: System Idle Process Pid: 0
Type | Name
BlackStone - 2005-12-1 15:45:00
Restart the computer.
Open the Rising main program (don't scan yet).
Use procexp to kill Explorer.exe.
Scan with Rising (scanning just the system drive is enough).
After the scan, try starting Explorer.exe from procexp.
If that still doesn't work, I'm out of ideas; you'll have to ask an expert.
tuguo - 2005-12-1 16:36:00
Hello! I tried it, still no effect!
Thank you so much! Thanks!
If any expert passes by, please advise! I really need your help!
Thanks in advance!
BlackStone - 2005-12-1 16:39:00
[Reply to "tuguo"'s post]
You're welcome, though I didn't solve your problem. If an expert does solve it, remember to tell me how. Thanks!
玉面修罗 - 2005-12-1 16:54:00
Sigh... I've been troubled by this virus for a long time too...
The HJT log shows nothing abnormal.
The virus's path is also very strange.
A friend is still waiting for news from me... I wonder whether any expert can solve it.
baohe - 2005-12-1 17:03:00
I'd really like to get a sample of this virus to examine, but nobody can provide one. A pity!
Judging from the posts I've seen so far, this virus may be related to 灰鸽子 (Gray Pigeon). If so, it can't be fully removed in Windows mode (the Pigeon's .dll injects into system processes).
I suggest the OP scan a system log with HijackThis 1.99.1 and post it.
玉面修罗 - 2005-12-1 17:06:00
Honestly... I don't even know how to extract a sample of this virus.
baohe - 2005-12-1 17:20:00
| Quote: |
[玉面修罗's post] Honestly... I don't even know how to extract a sample of this virus. ........................... |
Have you tried DLLCOMPARE?
I remember writing a post earlier, the one about finding and removing a rootkit. In the end, as a last resort, I used DLLCOMPARE to find the trojan's .exe file.
玉面修罗 - 2005-12-1 17:27:00
I haven't tried that tool...
The virus isn't on my machine; it's on a friend's.
I looked at her machine through Remote Assistance.
Unfortunately I couldn't kill the virus...
The virus is still on her machine...
How can I extract it? Please be specific.
baohe - 2005-12-1 17:31:00
| Quote: |
[玉面修罗's post] I haven't tried that tool... The virus isn't on my machine; it's on a friend's. I looked at her machine through Remote Assistance. Unfortunately I couldn't kill the virus... The virus is still on her machine... How can I extract it? Please be specific. ........................... |
See: http://forum.ikaka.com/topic.asp?board=28&artid=6787830
airplane - 2005-12-1 17:48:00
Give it a try.
玉面修罗 - 2005-12-1 17:57:00
| Quote: |
[baohe's post] See: http://forum.ikaka.com/topic.asp?board=28&artid=6787830 ........................... |
When I run DllCompare it reports:
Run-time error '75':
Path/file access error
What does that mean?
玉面修罗 - 2005-12-1 18:00:00
Solved...
I changed the path.
猎鹰渔民 - 2005-12-1 18:27:00
| Quote: |
[baohe's post] I'd really like to get a sample of this virus to examine, but nobody can provide one. A pity!
Judging from the posts I've seen so far, this virus may be related to 灰鸽子 (Gray Pigeon). If so, it can't be fully removed in Windows mode (the Pigeon's .dll injects into system processes).
I suggest the OP scan a system log with HijackThis 1.99.1 and post it. ........................... |
It seems to be the Pigeon's sibling~~ the two are always stuck together...
胖丁丁 - 2005-12-2 15:26:00
The Worm.mail.Fanbot virus comes from installing the online game 街头篮球 (Street Basketball). This problem has been argued about for a long time on 天联's official forum. For example, at the moment only Rising seems to detect it, and the game's officials all say it's a false alarm by Rising! I also got this virus from playing Street Basketball! I'm troubled too, not knowing whether it's in the game or whether to believe the Street Basketball officials who say it's Rising's problem!!! Please, moderator, give us a reply. Also, if the moderator wants a sample of this virus it's simple: download Street Basketball and I guarantee you'll get it right away! After uninstalling the game it can no longer be detected! I use the firewall's game protection for Street Basketball, and the virus appears almost every time I start the game!!!