瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » 【求助】 Backdoor.Gpigeon.uvc和 Backdoor.Kakogo这两个病毒杀不掉
kof2005 - 2006-1-27 10:27:00
Backdoor.Gpigeon.uvc和 Backdoor.Kakogo这两个病毒杀不掉
瑞星的状态是“清除成功”可重起后还有,清高手帮帮忙怎么解决?
kof2005 - 2006-1-27 10:32:00
HijackThis_zww汉化版扫描日志 V1.99.1
保存于      10:22:32, 日期 2006-1-27
操作系统:  Windows XP  (WinNT 5.01.2600)
浏览器:    Internet Explorer v6.00 (6.00.2600.0000)

当前运行的进程:         
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\windows\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Rising\Rav\RavStub.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\smss.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\System32\LSASS.EXE
C:\Program Files\rising\rfw\Rfw.exe
D:\Program Files\淘宝网\淘宝旺旺\WangWang.exe
C:\windows\System32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Rising\Rav\Rav.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
D:\WinRAR\WinRAR.exe
C:\DOCUME~1\赵红\LOCALS~1\Temp\Rar$EX00.126\HijackThis1991zww.exe

R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\Progra~1\CNNIC\Cdn\iesrch.dll
O2 - BHO:  - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib6.dll
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINDOWS\Downloaded Program Files\barhelp24.0.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: 天下搜索 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - C:\WINDOWS\Downloaded Program Files\iebar23.0.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [internat.exe] internat.exe
O4 - 启动项HKLM\\Run: [SystemTray] SysTray.Exe
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - 启动项HKLM\\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe
O4 - 启动项HKLM\\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe
O4 - 启动项HKLM\\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - E:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - E:\Program Files\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - E:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - E:\Program Files\Tencent\QQ\SendMMS.htm
O9 - 浏览器额外的按钮: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - 浏览器额外的“工具”菜单项: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {045ADB92-9635-45CE-B25B-F19F825B0E39} (MSTPlayerInstaller Control) - http://211.157.0.242/mstview/chs/MSTPlayerInstaller.ocx
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138327612667
O16 - DPF: {98A62E3F-A8C5-4EF0-8A00-C70CF9D18A89} - http://tb.sogou.com/DLLoader.cab
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (CPasswordEditCtrl Object) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD4766F-63A5-46AE-B98B-F73869EE3D37}: NameServer = 202.99.160.68 202.99.166.4
O23 - NT 服务: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - www.huigezi.net - C:\WINDOWS\G_Server2.0.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - NT 服务: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

阿拉伯伯 - 2006-1-27 10:47:00
O23 - NT 服务: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - www.huigezi.net - C:\WINDOWS\G_Server2.0.exe
修复这一项,然后进入注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services查找G_Server2.0.exe找到后删除,再到c:\windows\查找G_Server2.0.dll,G_Server2.0_hook.dll,G_Server2.0key.dll,G_Server2.0.exe(要让隐藏的受保护的系统文件可见的情况下)删除.
kof2005 - 2006-1-27 11:00:00
感激不尽!
七彩黄花菜萱草 - 2006-1-27 14:52:00

1.终止C:\windows\smss.exe进程
2.重启进安全模式
3.修复:
O4 - 启动项HKLM\\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe
O4 - 启动项HKLM\\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe
O23 - NT 服务: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - www.huigezi.net - C:\WINDOWS\G_Server2.0.exe
4.删除:
C:\windows\smss.exe
C:\windows\winlogon.exe
C:\WINDOWS\G_Server2.0.exe(可能还有:C:\WINDOWS\G_Server2.0.dll,C:\WINDOWS\G_Server2.0_hook.dll,C:\WINDOWS\G_Server2.0.key.dll)

请楼主看清楚了文件路径再操作:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
是正常的系统文件.一定小心哟
不言放弃 - 2006-1-27 14:59:00
操作参考:

结束C:\windows\smss.exe进程

修复
O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib6.dll
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINDOWS\Downloaded Program Files\barhelp24.0.dll
O3 - IE工具栏增项: 天下搜索 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - C:\WINDOWS\Downloaded Program Files\iebar23.0.dll
O4 - 启动项HKLM\\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe
O4 - 启动项HKLM\\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe
O4 - 启动项HKLM\\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O23 - NT 服务: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - www.huigezi.net - C:\WINDOWS\G_Server2.0.exe

删除C:\WINDOWS\System32\ib6.dll
C:\WINDOWS\Downloaded Program Files\barhelp24.0.dll
C:\WINDOWS\Downloaded Program Files\iebar23.0.dll
C:\windows\smss.exe
C:\windows\winlogon.exe
C:\windows\System32\msoff.exe
C:\WINDOWS\G_Server2.0.exe

另外在硬盘中搜索G_Server2.0.dll
G_Server2.0key.dll
G_Server2.0_hook.dll
找到后全部删除

或文件找不到或无法删除
请参考http://www.xfilt.com/tech/trojan-horse.htm
或参考图片设置:

附件: 3640522006127145940.JPG
1
查看完整版本: 【求助】 Backdoor.Gpigeon.uvc和 Backdoor.Kakogo这两个病毒杀不掉
© 2000 - 2026 Rising Corp. Ltd.