瑞星卡卡安全论坛

今天早上下传奇外挂.下下来以后.查毒.报毒.杀了.
然后安装..安装过后.他就关掉我的瑞星监控.我机子才重新装过不久.我开网页不到两个.就报虚拟内存不足.杀毒,杀毒软件.半个小时才查了三个文件..在安全模式下.杀毒.又没得问题.

http://forum.ikaka.com/topic.asp?board=28&artid=6979213
下载HIJACKTHIS
导出日志

Logfile of HijackThis v1.99.1
Scan saved at 13:10:23, on 2006-2-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwproxy.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\dll.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Rising\Rav\Smartup.exe
C:\DOCUME~1\aaa\LOCALS~1\Temp\hijackthis.zip 的临时目录 1\HijackThis.exe

O1 - Hosts: 202.103.67.180 auto.search.msn.com
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - F:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 - F:\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用KuGoo3下载(&K) - F:\Program Files\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\qq\SendMMS.htm
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising T

C:\WINDOWS\system32\dll.exe有问题

建议参考http://forum.ikaka.com/topic.asp?board=28&artid=7133966

不言放弃..
1、结束病毒进程dll.exe和系统进程spoolsv.exe（被病毒插入）。
这个要如果操作???

我的机子.根本不能上.反映太慢了.而且他老说虚拟内存不够..我只有在网吧上.等结果了.

请使用SSM或iceword
下载地址：
http://www.syssafety.com/，http://aqfrs.ys168.com

还有，小心:\WINDOWS\system32\keyhook.exe
象毒

【回复“一只会飞的猪”的帖子】
http://forum.ikaka.com/topic.asp?board=28&artid=7133966
这个贴子好详细
请楼主好好看看

好难弄哦.俺都想哭了...俺都想把机子砸了.

在任务管理器中结束这两个进程 的运行~~或你不是装卡卡安全助手的吗~~用那里面的进程管理也可以~~

晓得在那里关了..高兴..但是.不言放弃
http://forum.ikaka.com/topic.asp?board=28&artid=7133966

这是个后门。卡巴斯基命名为Backdoor.Win32.PcClient.ck。

查杀过程：

1、结束病毒进程dll.exe和系统进程spoolsv.exe（被病毒插入）。

2、删除下列文件：

C:\windows\system32\00007981.dll
C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\153.tmp
我找过这些文件夹.找不到这些文件.咋办?

引用:

【一只会飞的猪的贴子】晓得在那里关了..高兴..但是.不言放弃 http://forum.ikaka.com/topic.asp?board=28&artid=7133966 这是个后门。卡巴斯基命名为Backdoor.Win32.PcClient.ck。 查杀过程： 1、结束病毒进程dll.exe和系统进程spoolsv.exe（被病毒插入）。 2、删除下列文件： C:\windows\system32\00007981.dll C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp C:\Documents and Settings\当前用户名\Local Settings\Temp\153.tmp 我找过这些文件夹.找不到这些文件.咋办? ...........................

C:\Documents and Settings\当前用户名\Local Settings\Temp是IE临时文件夹
属性是隐藏

附件: 3640522006210171416.JPG

加我QQ行不??12740342

以后要记得给系统盘做个GHOST备份~或用其它备份软件亦可~~（在系统最干净、常用软件已经安装 且已经更新至最新的时候，）
这样在电脑有麻烦的时候不至于会这么烦~~~
只要把盘上的重要数据做一下备份转移，再用还原软件恢复系统盘为初始状态，哪个盘上有删不去的病毒，格哪个盘（这是最简单，也是最笨的办法了~~

还是没有找到:\windows\system32\00007981.dll
C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\153.

用Autoruns保存一个日志发上来
日志保存方法:选择File->Save菜单项保存日志时注意选择Options->Hide Microsoft Entries菜单项(设置了这项后点工具栏的刷新按钮)

工具的下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7318038

PIDCPUDescriptionCompany Name
093.94
n/aHardware Interrupts
n/aDeferred Procedure Calls
4
  456Windows NT Session ManagerMicrosoft Corporation
  5241.52Client Server Runtime ProcessMicrosoft Corporation
  548Windows NT Logon ApplicationMicrosoft Corporation
    5921.52Services and Controller appMicrosoft Corporation
    748Generic Host Process for Win32 ServicesMicrosoft Corporation
    816Generic Host Process for Win32 ServicesMicrosoft Corporation
    896CCenterBeijing Rising Technology Co., Ltd.
    920Generic Host Process for Win32 ServicesMicrosoft Corporation
    1012Generic Host Process for Win32 ServicesMicrosoft Corporation
    1120Generic Host Process for Win32 ServicesMicrosoft Corporation
    1136RavMondBeijing Rising Technology Co., Ltd.
      1624Rising RavStubBeijing Rising Technology Co., Ltd.
    1304Rising Personal Proxy ServiceBeijing Rising Technology Co., Ltd.
    1344Rising Personal FireWall ServiceBeijing Rising Technology Co., Ltd.
      1860Rising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.
    176Generic Host Process for Win32 ServicesMicrosoft Corporation
    2120Generic Host Process for Win32 ServicesMicrosoft Corporation
    3860Spooler SubSystem AppMicrosoft Corporation
    604LSA Shell (Export Version)Microsoft Corporation
1284Windows ExplorerMicrosoft Corporation
1852SiS Compatible Super VGA Keyboard DaemonSilicon Integrated Systems Corporation
220Still Image (STI) DriverVM.
404RavTimerBeijing Rising Technology Co., Ltd.
  648RavMonBeijing Rising Technology Co., Ltd.
908CTF LoaderMicrosoft Corporation
780Internet ExplorerMicrosoft Corporation
8563.03Sysinternals Process ExplorerSysinternals

是Autoruns不是procexp的日志

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ BigDogPathStill Image (STI) DriverVM.c:\windows\vm_sti.exe

+ CmaudioCmiCnfg DLLC-Media Corporationc:\windows\system\cmicnfg.cpl

+ RavTaskRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtask.exe

+ RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwmain.exe

+ SiS Windows KeyHookSiS Compatible Super VGA Keyboard DaemonSilicon Integrated Systems Corporationc:\windows\system32\keyhook.exe

+ SiSUSBRGSiSUSBrgSilicon Integrated Systems Corp.c:\windows\sisusbrg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

+ Winpatch AutoUpdatec:\windows\system32\dll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ Rising Execute File Exts hookRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\System\CurrentControlSet\Services

+ RfwProxySrvRising Personal Proxy ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwproxy.exe

+ RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwsrv.exe

+ RsCCenterCCenterBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ccenter.exe

+ RsRavMonRavMondBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe

HKLM\System\CurrentControlSet\Services

+ BaseTDIbasetdiBeijing Rising Technology Co., Ltd.c:\windows\system32\drivers\basetdi.sys

+ cmudaC-Media Audio WDM DriverC-Media Incc:\windows\system32\drivers\cmuda.sys

+ ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys

+ HOOKAPIHOOKAPI Driver瑞星软件有限公司c:\program files\rising\rav\hookapi.sys

+ HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys

+ HookRegc:\program files\rising\rav\hookreg.sys

+ HookSysHooksysRisingc:\program files\rising\rav\hooksys.sys

+ HookUrlHookUrlBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\hookurl.sys

+ MEMSCANMemScan Driver瑞星软件有限公司c:\program files\rising\rav\memscan.sys

+ mProcRsRising Personal FireWall  mprocrs.sysBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\mprocrs.sys

+ npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.f:\qq\npkcrypt.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ RsFwDrvnt_fwdrvBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rsfwdrv.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SiS315SiS Compatible Super VGA DriverSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisgrp.sys

+ SISAGPSiS AGPv3.5 FilterSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisagpx.sys

+ SiSkpSiS VGA Driver ManagerSilicon Integrated Systems Corporationc:\windows\system32\drivers\srvkp.sys

+ SISNICSiS PCI Fast Ethernet Adapter DriverSiS Corporationc:\windows\system32\drivers\sisnic.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ Winpatch AutoUpdatec:\windows\system32\dll.exe

删除启动项
重启
删除c:\windows\system32\dll.exe试试

那么删除.能说得详细一点嘛?

用autoruns删除启动项（具体操作看那个说明的帖子）
重启

找到c:\windows\system32\dll.exe文件直接删除

若删除不了
用Unlocker工具删除试试
工具下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7471002

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ BigDogPathStill Image (STI) DriverVM.c:\windows\vm_sti.exe

+ CmaudioCmiCnfg DLLC-Media Corporationc:\windows\system\cmicnfg.cpl

+ RavTaskRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtask.exe

+ RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwmain.exe

+ SiS Windows KeyHookSiS Compatible Super VGA Keyboard DaemonSilicon Integrated Systems Corporationc:\windows\system32\keyhook.exe

+ SiSUSBRGSiSUSBrgSilicon Integrated Systems Corp.c:\windows\sisusbrg.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ Rising Execute File Exts hookRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\System\CurrentControlSet\Services

+ RfwProxySrvRising Personal Proxy ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwproxy.exe

+ RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwsrv.exe

+ RsCCenterCCenterBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ccenter.exe

+ RsRavMonRavMondBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe

HKLM\System\CurrentControlSet\Services

+ BaseTDIbasetdiBeijing Rising Technology Co., Ltd.c:\windows\system32\drivers\basetdi.sys

+ cmudaC-Media Audio WDM DriverC-Media Incc:\windows\system32\drivers\cmuda.sys

+ ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys

+ HOOKAPIHOOKAPI Driver瑞星软件有限公司c:\program files\rising\rav\hookapi.sys

+ HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys

+ HookRegc:\program files\rising\rav\hookreg.sys

+ HookSysHooksysRisingc:\program files\rising\rav\hooksys.sys

+ HookUrlHookUrlBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\hookurl.sys

+ MEMSCANMemScan Driver瑞星软件有限公司c:\program files\rising\rav\memscan.sys

+ mProcRsRising Personal FireWall  mprocrs.sysBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\mprocrs.sys

+ npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.f:\qq\npkcrypt.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ RsFwDrvnt_fwdrvBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rsfwdrv.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SiS315SiS Compatible Super VGA DriverSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisgrp.sys

+ SISAGPSiS AGPv3.5 FilterSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisagpx.sys

+ SiSkpSiS VGA Driver ManagerSilicon Integrated Systems Corporationc:\windows\system32\drivers\srvkp.sys

+ SISNICSiS PCI Fast Ethernet Adapter DriverSiS Corporationc:\windows\system32\drivers\sisnic.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys