安琪儿221 - 2006-2-27 17:23:00
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbguard.exe
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbserver.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinkldUP - Unknown owner - C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
不言放弃 - 2006-2-27 17:26:00
O23 - Service: WinkldUP - Unknown owner - C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
Trojan.
But it is not 灰鸽子 (Gray Pigeon).
I suggest exporting the full log.
安琪儿221 - 2006-2-28 8:30:00
The full log is exported below; could an expert please take a look. Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 8:27:54, on 2006-2-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\广东省~1\FireBird\bin\fbguard.exe
C:\PROGRA~1\广东省~1\FireBird\bin\fbserver.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
C:\PROGRA~1\3721\assistse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\acc\LOCALS~1\Temp\Rar$EX00.782\HijackThis.exe
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] rem C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - http://www38.websamba.com/oioio/?a=mf&b=uc&c=ot&d=051223&e=c&f=5460&i=&j=685451&t=12/23/2005&u=me&s=b (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {A23817F2-733B-4BC5-8DED-C1B9B4BBF93C} - (no file)
O9 - Extra button: (no name) - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - http://www38.websamba.com/oioio/?a=mf&b=uc&c=ot&d=051223&e=c&f=5460&i=&j=685451&t=12/23/2005&u=me&s=b (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra button: 百变小精灵 - {6713E8D2-850A-101B-AFC0-4210102A8DA7} - http://www38.websamba.com/oioio/?v=all&s=bu (file missing) (HKCU)
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132187499066
O17 - HKLM\System\CCS\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O17 - HKLM\System\CS3\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbguard.exe
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbserver.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinkldUP - Unknown owner - C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
不言放弃 - 2006-2-28 8:44:00
End the process C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
Use HijackThis to fix:
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O23 - Service: WinkldUP - Unknown owner - C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
Delete
C:\WINDOWS\SYSTEM32\stdup.dll
and all files under C:\DOCUME~1\acc\LOCALS~1\Temp
If this cannot be done in normal mode,
boot into Safe Mode and do it there.
Attachment:
364052200622884437.JPG
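The reply above works through the log by hand: an O23 service with "Unknown owner" whose binary sits in the user's Temp folder, an O2 BHO to be fixed, and Temp to be emptied. As an added example (not code from the thread or from HijackThis), the following Python script applies the same reading to HijackThis v1.99-style log lines automatically. The regular expressions, the Temp-directory markers and the severity rules are my own assumptions about the log format; the sample lines are copied from the first full log posted in this thread, mixed with benign entries that should stay quiet.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, not HijackThis code).

It parses the O2 (BHO), O4 (Run keys) and O23 (services) line shapes seen in the
thread and reports entries a responder would look at first: services with an
"Unknown owner", binaries launched from a Temp directory, and autostart values
that have been neutralised with a leading "rem". Everything else is left alone;
this is a review aid, not a verdict.
"""
import re
from dataclasses import dataclass

# Line shapes as HijackThis prints them (section code, " - ", then fields).
# These patterns are an assumption derived from the lines in the thread.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Path fragments that indicate a per-user or system Temp directory. 8.3 short
# names such as LOCALS~1\Temp still contain "\temp\" once lower-cased.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section code, e.g. "O23"
    severity: str   # "high" = act on it, "review" = verify by hand
    reasons: tuple  # one or more human-readable reasons
    line: str       # the raw log line the finding refers to


def in_temp_dir(path: str) -> bool:
    """True if the path (long or 8.3 form) points below a Temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O4/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, severity, section = [], "review", None

        if (m := SERVICE_RE.match(line)):
            section = "O23"
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service has no registered owner")
                severity = "high"
            if in_temp_dir(m["path"]):
                reasons.append("service binary lives under a Temp directory")
                severity = "high"
        elif (m := RUN_RE.match(line)):
            section = "O4"
            cmd = m["cmd"].strip()
            if cmd.lower().startswith("rem "):
                # "rem" is not an executable, so this value never starts anything;
                # a neutralised antivirus tray entry is worth asking about.
                reasons.append("autostart value neutralised with 'rem'; find out who disabled it")
            elif in_temp_dir(cmd):
                reasons.append("autostart command runs from a Temp directory")
                severity = "high"
        elif (m := BHO_RE.match(line)):
            section = "O2"
            reasons.append("BHO loads into every Internet Explorer process; confirm the publisher")
            if in_temp_dir(m["path"]):
                reasons.append("BHO DLL lives under a Temp directory")
                severity = "high"

        if reasons:
            findings.append(Finding(section, severity, tuple(reasons), line))
    return findings


# Constructed sample: lines copied from the first full log in the thread,
# mixed with entries (ctfmon, Rtvscan) that should produce no finding.
SAMPLE_LOG = r"""
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinkldUP - Unknown owner - C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, the script reports three lines: the WinkldUP service is rated high on two counts (no owner, binary under Temp), while the BHO and the "rem"-disabled ccApp entry are listed for manual review. Feed it the second log from later in this thread and the high finding disappears, which is exactly the check the original poster asks for.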
安琪儿221 - 2006-2-28 8:47:00
Thank you, 不言放弃, for replying so quickly. Thanks!!!!
I'll learn from this.
安琪儿221 - 2006-2-28 9:18:00
How do I end the C:\DOCUME~1\acc\LOCALS~1\Temp\wz\wz.exe process?
And why can't I delete that file? Is it because the process has not been ended?
不言放弃 - 2006-2-28 9:20:00
[Reply to 安琪儿221's post]
Press CTRL+ALT+DEL
to bring up Task Manager.
Right-click on wz.exe -- End Process.
If it cannot be ended,
boot into Safe Mode and do it there.
OK?
安琪儿221 - 2006-2-28 9:24:00
Thank you, but after I brought up Task Manager, I could not find wz.exe in the process list.
安琪儿221 - 2006-2-28 9:36:00
Also: O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll cannot be fixed?
Should I delete "all files" under C:\DOCUME~1\acc\LOCALS~1\Temp?
This C:\WINDOWS\SYSTEM32\stdup.dll comes back again after I delete it and reboot?
Looking forward to your reply, thanks 不言放弃
不言放弃 - 2006-2-28 9:46:00
Quote:
[安琪儿221's post] Also: O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll cannot be fixed?
Should I delete "all files" under C:\DOCUME~1\acc\LOCALS~1\Temp?
This C:\WINDOWS\SYSTEM32\stdup.dll comes back again after I delete it and reboot?
Looking forward to your reply, thanks 不言放弃
Yes.
Delete "all files" under C:\DOCUME~1\acc\LOCALS~1\Temp.
If stdup.dll cannot be deleted, see http://forum.ikaka.com/topic.asp?board=67&artid=7423269
安琪儿221 - 2006-2-28 9:51:00
I just caught a virus with my software; the alert is shown below, but after rebooting, or on rescanning, I still get the same alert:
Scan type: Manual Scan
Event: Threat Found!
Threat: Backdoor.Graybird
File: C:\System Volume Information\_restore{E915D3C7-909A-4321-A2D3-B40E367A8C42}\RP24\A0002193.exe
Location: Quarantine
Action taken: Quarantine succeeded
Date found: 2006年2月28日 9:41:46
不言放弃 - 2006-2-28 9:52:00
[Reply to 安琪儿221's post]
C:\System Volume Information is the System Restore folder.
Turn off System Restore,
then disconnect from the network and scan in Safe Mode.
安琪儿221 - 2006-2-28 10:04:00
Thanks, I'll try again.
安琪儿221 - 2006-2-28 11:36:00
After deleting, the scan log is as follows. Please help me check whether there are any remaining problems, thanks.
Logfile of HijackThis v1.99.1
Scan saved at 11:34:37, on 2006-2-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\广东省~1\FireBird\bin\fbguard.exe
C:\PROGRA~1\广东省~1\FireBird\bin\fbserver.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\3721\assistse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\acc\LOCALS~1\Temp\Rar$EX68.000\HijackThis.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] rem C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YLive.exe] rem C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\RunOnce: [ 3721AutoRepair] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\assist\repair.dll,Rundll32
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O17 - HKLM\System\CCS\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O17 - HKLM\System\CS3\Services\Tcpip\..\{55A1D12D-279A-4BE6-8921-8270B3C7613F}: NameServer = 202.96.128.68
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbguard.exe
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\广东省~1\FireBird\bin\fbserver.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
© 2000 - 2026 Rising Corp. Ltd.