moke - 2006-2-14 14:14:00
The day before yesterday I got hit by a trojan; after removing it successfully I didn't pay it any attention.
But ever since, every time I restart the computer the dialog box below appears (see picture).
Whether I choose Y or N, Rising gets closed automatically. On later restarts Rising is not started by default. Trying to open Rising's system monitor by hand shows "Cannot start".
I backed up, uninstalled Rising, and reinstalled it.
The dialog below appears again, asking whether to close Rising, over and over, so the system monitor can never be turned on.
May I ask how to remove this program that automatically closes Rising's system monitor?
Waiting online, thanks.
Attachment:
6472862006214141439.jpg
BlackStone - 2006-2-14 14:20:00
Use Autoruns to save a log and post it here.
To save the log: choose the File->Save menu item.
When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after setting it, click the refresh button on the toolbar). For downloading and using the tool, see
http://forum.ikaka.com/topic.asp?board=28&artid=7318038
moke - 2006-2-14 14:36:00
Thanks to BlackStone for the help.
Below is the log I saved; please help me take a look.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ NvMediaCenter NVIDIA Media Center Library NVIDIA Corporation c:\windows\system32\nvmctray.dll
+ nwiz NVIDIA nView Wizard, Version 110.14 NVIDIA Corporation c:\windows\system32\nwiz.exe
+ RavTask RavTimer Beijing Rising Technology Co., Ltd. d:\program files\rising\rav\ravtask.exe
+ RfwMain Rising Personal FireWall Main Program Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\rfwmain.exe
+ SoundMan Avance Sound Manager Avance Logic, Inc. C:\WINDOWS\soundman.exe
+ WheelMouse Amoumain A4Tech Co., Ltd. c:\program files\win2\mouse\amoumain.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\启动
+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
+ AutoCAD 启动加速器.lnk AutoCAD Startup Accelerator Autodesk, Inc c:\program files\common files\autodesk shared\acstart16.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ ewido shell guard d:\program files\ewido anti-malware\shellhook.dll
+ Rising Execute File Exts hook Rising Shell Ext Module Beijing Rising Technology Co., Ltd. c:\windows\system32\ravext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AutoCAD 数字签名图标覆盖处理程序 AcSignIcon Module Autodesk c:\windows\system32\acsignicon.dll
+ Autodesk Drawing Preview AcThumbnail Module Autodesk c:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll
+ Autodesk DWF Preview AcThumbnail Module Autodesk c:\program files\common files\autodesk shared\thumbnail\acdwfthmbprxy16.dll
+ Desktop Explorer NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ NvCpl DesktopContext Class NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\windows\system32\nvshell.dll
+ PicaView PicaView 系统扩展 DLL ACD Systems, Ltd. e:\program files\acdsee\picaview.dll
+ Play on my TV helper NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ RISING Rising Shell Ext Module Beijing Rising Technology Co., Ltd. c:\windows\system32\ravext.dll
+ TuneUp 碎纸机 TuneUp Shredder Shell Extension TuneUp Software GmbH d:\program files\tuneup utilities 2006\sdshelex.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ Yahoo Trojan Cleanner d:\program files\3721\ske\contmenu.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 粉碎文件 Wiper 动态链接库 c:\program files\yahoo!\assistant\assist\ywiper.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. e:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated e:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ BandIE Class File not found: C:\PROGRA~1\Baidu\Bar\BDBar_tmp\BDBar_tmp\BaiduBar.dll
+ DragSearch BHO DragSearch c:\program files\yahoo!\assistant\assist\ydragsearch.dll
+ IeCatch2 Class jccatch Module Amaze Soft d:\program files\flashget\jccatch.dll
+ Yahoo!Photo yPhtb Yahoo! China c:\program files\yahoo!\assistant\assist\yphtb.dll
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar FlashGet IE Bar Amaze Soft d:\program files\flashget\fgiebar.dll
+ 雅虎助手 ToolBar Yahoo! c:\program files\yahoo!\assistant\assist\yasbar.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ &FlashGet FlashGet Amaze Soft d:\program files\flashget\flashget.exe
Task Scheduler
+ 一键维护.job TuneUp System Optimizer TuneUp Software GmbH d:\program files\tuneup utilities 2006\systemoptimizer.exe
HKLM\System\CurrentControlSet\Services
+ Autodesk Licensing Service Anchor service for Autodesk products licensed with SafeCast Autodesk c:\program files\common files\autodesk shared\service\adskscsrv.exe
+ ewido security suite control ewido control ewido networks d:\program files\ewido anti-malware\ewidoctrl.exe
+ ewido security suite guard guard ewido networks d:\program files\ewido anti-malware\ewidoguard.exe
+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe
+ O&O Defrag O&O Defragmentation Service O&O Software GmbH c:\windows\system32\oodag.exe
+ RsRavMon RavMond Beijing Rising Technology Co., Ltd. d:\program files\rising\rav\ravmond.exe
HKLM\System\CurrentControlSet\Services
+ ALCXWDM Avance AC'97 Audio Driver (WDM) Avance Logic, Inc. c:\windows\system32\drivers\alcxwdm.sys
+ Amfilter A4Tech iWheelWorks Mouse Filter Driver A4Tech Co.,Ltd. c:\windows\system32\drivers\amfilter.sys
+ Amps2prt A4Tech PS/2 Port Mouse Filter Driver A4Tech Co.,Ltd. c:\windows\system32\drivers\amps2prt.sys
+ Amusbprt A4Tech iWheelWorks USB Port Mouse Filter Driver A4Tech Co.,Ltd. c:\windows\system32\drivers\amusbprt.sys
+ BaseTDI basetdi Beijing Rising Technology Co., Ltd. c:\windows\system32\drivers\basetdi.sys
+ DumaNT DumaNT Auxillary Driver for Stereo Windows (R) 2000 DDK provider c:\windows\system32\drivers\dumant.sys
+ ewido security suite driver d:\program files\ewido anti-malware\guard.sys
+ ExpScaner ExpScan.sys d:\program files\rising\rav\expscan.sys
+ HookCont TDI HOOK Driver Rising tech Co. ltd d:\program files\rising\rav\hookcont.sys
+ HookReg d:\program files\rising\rav\hookreg.sys
+ HookSys Hooksys Rising d:\program files\rising\rav\hooksys.sys
+ IdeBusDr Intel Application Accelerator Driver Intel Corporation c:\windows\system32\drivers\idebusdr.sys
+ IdeChnDr Intel Application Accelerator Driver Intel Corporation c:\windows\system32\drivers\idechndr.sys
+ MEMSCAN MemScan Driver 瑞星软件有限公司 d:\program files\rising\rav\memscan.sys
+ mProcRs Rising Personal FireWall mprocrs.sys Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\mprocrs.sys
+ npkcrypt nProtect KeyCrypt Driver INCA Internet Co., Ltd. d:\program files\tencent\qq\npkcrypt.sys
+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.98 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ RsFwDrv nt_fwdrv Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\rsfwdrv.sys
+ rtl8139 NDIS 5.0 driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys
+ Secdrv SafeDisc driver c:\windows\system32\drivers\secdrv.sys
+ SVKP SVKP driver for NT AntiCracking c:\windows\system32\svkp.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ OODBS O&O BootTimeDefrag O&O Software GmbH c:\windows\system32\oodbs.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ KB2153661.LOG File not found: KB2153661.LOG
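An added example (not from the thread, and not Autoruns' own code) that parses a saved Autoruns text log in the layout posted above and lists the entries a reviewer would check first: images Autoruns reports as "File not found", and anything under rarely-used locations such as Appinit_Dlls or BootExecute. The sample log, the helper names and the list of sensitive locations are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# An Autoruns text export has a location line (e.g. HKLM\...\Run) followed by
# "+ <name> <description> <publisher> <path>" lines; the image path is the first
# "X:\..." token, and a missing image is reported as "File not found: <name>".
_PATH_RE = re.compile(r"[A-Za-z]:\\\S.*$")
_MISSING_MARK = "File not found:"
# Assumed list of locations that legitimate software rarely populates.
SENSITIVE_SUFFIXES = ("appinit_dlls", "bootexecute")
Entry = Tuple[str, Optional[str]]  # (entry text, image path or None if missing/unparsed)

def parse_autoruns_log(text: str) -> Dict[str, List[Entry]]:
    """Group '+ ...' entry lines under the location line that precedes them."""
    sections: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            current = line                      # a new location header
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                            # stray entry before any header
        body = line[2:]
        m = None if _MISSING_MARK in body else _PATH_RE.search(body)
        sections[current].append((body, m.group(0) if m else None))
    return sections

def triage(sections: Dict[str, List[Entry]]) -> List[str]:
    """Return entries that deserve a closer look: missing images and sensitive locations."""
    findings: List[str] = []
    for loc, entries in sections.items():
        sensitive = loc.lower().endswith(SENSITIVE_SUFFIXES)
        for body, path in entries:
            if path is None:
                findings.append(f"missing or unparsed image in {loc}: {body}")
            elif sensitive:
                findings.append(f"entry in sensitive location {loc}: {body}")
    return findings

# Constructed sample in the same layout as the log posted above (not the real log).
SAMPLE_LOG = """HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+ SoundMan Avance Sound Manager Avance Logic, Inc. C:\\WINDOWS\\soundman.exe
+ Updater File not found: c:\\temp\\updater.exe
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls
+ helper.dll c:\\windows\\system32\\helper.dll
"""
```

Run `triage(parse_autoruns_log(open("autoruns.txt").read()))` on a real export; a flagged entry is a starting point for review, not proof of infection.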
moke - 2006-2-14 14:46:00
I'm studying your post.
I used procexp (since your procexp post has pictures).
I found the program below; does "Not verified" mean it is a trojan?
Attachment:
6472862006214144640.jpg
moke - 2006-2-14 14:48:00
不言放弃 - 2006-2-14 14:50:00
Go into the registry
and delete the following items:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ RavTask RavTimer Beijing Rising Technology Co., Ltd. d:\program files\rising\rav\ravtask.exe
+ RfwMain Rising Personal FireWall Main Program Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\rfwmain.exe
==================
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ Rising Execute File Exts hook Rising Shell Ext Module Beijing Rising Technology Co., Ltd. c:\windows\system32\ravext.dll
==========
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ RISING Rising Shell Ext Module Beijing Rising Technology Co., Ltd. c:\windows\system32\ravext.dll
==============
HKLM\System\CurrentControlSet\Services
+ RsRavMon RavMond Beijing Rising Technology Co., Ltd. d:\program files\rising\rav\ravmond.exe
==============
HKLM\System\CurrentControlSet\Services
+ BaseTDI basetdi Beijing Rising Technology Co., Ltd. c:\windows\system32\drivers\basetdi.sys
+ ExpScaner ExpScan.sys d:\program files\rising\rav\expscan.sys
+ HookCont TDI HOOK Driver Rising tech Co. ltd d:\program files\rising\rav\hookcont.sys
+ HookReg d:\program files\rising\rav\hookreg.sys
+ HookSys Hooksys Rising d:\program files\rising\rav\hooksys.sys
+ MEMSCAN MemScan Driver 瑞星软件有限公司 d:\program files\rising\rav\memscan.sys
+ mProcRs Rising Personal FireWall mprocrs.sys Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\mprocrs.sys
+ RsFwDrv nt_fwdrv Beijing Rising Technology Co., Ltd. c:\program files\rising\rfw\rsfwdrv.sys
I'm not sure whether deleting the registry junk based on the log is thorough?
moke - 2006-2-14 14:55:00
BlackStone - 2006-2-14 14:56:00
winlogon.exe should be fine.
Use procexp to find the directory winser.exe is in, kill that process, and delete the file.
You can also send me that file (VirusInBox@163.com).
moke - 2006-2-14 15:03:00
I'm a total novice with computers; could you tell me
where HKLM is in the registry?
不言放弃 - 2006-2-14 15:06:00
Quote:
[moke's post] I'm a total novice with computers; could you tell me where HKLM is in the registry?
For the original poster,
I suggest backing up the registry first,
just in case.
Start -> Run,
type regedit,
OK,
and you're in the registry.
moke - 2006-2-14 15:09:00
Quote:
[BlackStone's post] winlogon.exe should be fine.
Use procexp to find the directory winser.exe is in, kill that process, and delete the file. You can also send me that file (VirusInBox@163.com)
I don't know how to find its directory ~ I did find winser.exe in procexp ~ and just killed it directly ~
I'm going to restart now and see.
moke - 2006-2-14 15:23:00
Found it in procexp, as in the picture.
But after killing it, it comes back after a restart~
And there is no WINSER.EXE under C:\windows\system32.
Attachment:
6472862006214152349.jpg
BlackStone - 2006-2-14 15:28:00
Quote:
[moke's post] Found it in procexp, as in the picture. But after killing it, it comes back after a restart~
And there is no WINSER.EXE under C:\windows\system32.
Change the folder options and look again.
Attachment:
5887812006214152817.JPG
moke - 2006-2-14 15:37:00
After I changed "Hide protected operating system files"
and turned on "Show all files",
I still can't find winser.exe; I can only see it in procexp~
Could you help me sort this out via QQ remote assistance~
QQ number: 11106745
moke - 2006-2-14 15:42:00
I've opened the registry,
but I can't find HKLM\SOFTWARE.
Attachment:
6472862006214154226.jpg
BlackStone - 2006-2-14 15:47:00
moke - 2006-2-14 16:10:00
moke - 2006-2-14 16:13:00
I also just happened to notice that
the root directory of each of the C, D, E and F drives has 3 extra hidden files.
They can't be deleted even in safe mode~~~~~
Did I catch a particularly nasty trojan? Rising can't even detect it~
Attachment:
6472862006214161341.jpg
BlackStone - 2006-2-14 16:24:00
Use IceSword, not TcpView.
moke - 2006-2-14 16:39:00
Sorry, I got it wrong~ this time it's right~ and I found winser.exe too.
You mentioned in your post the driver's hidden registry entries.
Since I don't understand the registry, I can't find the zwwmlmtz folder.
Could you give a detailed link showing which branch it is under?
Attachment:
6472862006214163915.jpg
BlackStone - 2006-2-14 16:52:00
Your machine is not infected with the trojan from my post; I only meant that you should refer to that post for how to use the tools.
In IceSword's File view, look under C:\windows\system32 to see whether WINSER.EXE is there.
moke - 2006-2-14 17:08:00
Found it: there is a WINSER.EXE under C:\windows\system32.
What do I do next?
Attachment:
6472862006214170819.jpg
BlackStone - 2006-2-14 17:18:00
Right-click the file, copy it somewhere else, and send it to me.
BlackStone - 2006-2-14 17:20:00
Solution:
First kill the WINSER.EXE process with procexp,
then delete it with IceSword.
moke - 2006-2-14 17:33:00
I've sent it to you~ going to kill it now~~
Then I'll come back and report.
BlackStone - 2006-2-14 17:44:00
Quote:
[moke's post] I've sent it to you~ going to kill it now~~
Then I'll come back and report.
Didn't receive it.
moke - 2006-2-14 17:47:00
The problem has been solved successfully~
Thanks for your help~
I'll send it to you again~
moke - 2006-2-14 18:00:00