【求助】Worm.Mail.Fanbot无法清除,请帮我分析! - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛【求助】Worm.Mail.Fanbot无法清除,请帮我分析!

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第四十七次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

12 3

1 / 3 页

跳转页

【求助】Worm.Mail.Fanbot无法清除,请帮我分析!

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-11-28 13:57 \| 只看楼主短消息资料字号：小中大 1楼【求助】Worm.Mail.Fanbot无法清除,请帮我分析! 你好！麻烦你帮我分析，万分谢谢！！我的电脑每次启动的时候瑞星个人防火墙都显示：发现木马，删除成功 Explorer.EXE>>C:\WINDOWS\Explorer.EXE ->Worm.Mail.Fanbot 以下是扫描系统的情况： Logfile of HijackThis v1.99.1 Scan saved at 18:33:51, on 2005-11-27 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRAM FILES\RISING\RAV\Ravmond.exe c:\program files\rising\rfw\rfwsrv.exe C:\PROGRAM FILES\RISING\RAV\RavStub.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\alg.exe C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE C:\WINDOWS\System32\svchost.exe c:\program files\rising\rfw\RfwMain.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE C:\PROGRA~1\RISING\RAV\RAVMON.EXE C:\Program Files\ftc\Trojanwall.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\conime.exe D:\Program Files\TT\TTraveler.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\Rar$EX95.854\HijackThis.exe O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - d:\BitComet\BitCometBar\BitCometBar0.1.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe" O4 - HKLM\..\Run: [Windows木马防火墙] C:\Program Files\ftc\Trojanwall.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\qq\AddToNetDisk.htm O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FLASHGET\jc_link.htm O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FLASHGET\jc_all.htm O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\qq\AddPanel.htm O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\qq\AddEmotion.htm O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\qq\SendMMS.htm O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\qq\QQ.EXE O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\qq\QQ.EXE O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O15 - Trusted Zone: http://www.icbc.com.cn O16 - DPF: {2761225D-F0F2-44E8-A2C9-476FB6A3316A} (TRadio Control) - http://dl_dir.qq.com/qqtools/trsetup.exe O16 - DPF: {276BF72D-CA22-4237-9BCF-593B4E490DE9} (DownLoad Class) - http://img.china.alibaba.com/club/upload/cy2101/onlinesetupimg/atdownload.cab O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/aliedit.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2633648bdc6d24a94b05/netzip/RdxIE601_cn.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132878269086 O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (CPasswordEditCtrl Object) - https://www.tenpay.com/download/qqedit.cab O16 - DPF: {EF6205C1-3F17-4829-BCB5-1336ED89E356} - http://club.jiangmin.com/kvscan/KvDown.cab O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F125A2DC-185E-4587-AED7-585D12AF598B}: NameServer = 202.101.224.69 202.101.226.68 O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe 2005-12-02 15:26:10
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	分享到：

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-11-29 08:26 \| 只看楼主短消息资料字号：小中大 2楼哪位高手帮忙分析呀??? 先谢谢!
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:

miswf 社区嘉宾帖子:2939 注册: 2002-06-26 来自:	发表于： 2005-11-29 09:03 \| 短消息资料字号：小中大 3楼我没有发现什么可疑的
miswf 社区嘉宾帖子:2939 注册: 2002-06-26 来自:

miswf 社区嘉宾帖子:2939 注册: 2002-06-26 来自:	发表于： 2005-11-29 09:04 \| 短消息资料字号：小中大 4楼请版主看一下吧
miswf 社区嘉宾帖子:2939 注册: 2002-06-26 来自:

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-11-30 10:16 \| 只看楼主短消息资料字号：小中大 5楼急呀,高手帮忙呀!
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:

BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:	发表于： 2005-11-30 10:28 \| 短消息资料字号：小中大 6楼日志看不出问题用Autoruns保存一个日志再发上来看看日志保存方法:选择File->Save菜单项保存日志时注意选择Options->Hide Microsoft Entries菜单项(设置了这项后点工具栏的刷新按钮) 工具的下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7318038第14楼
BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-12-01 13:51 \| 只看楼主短消息资料字号：小中大 7楼回5楼的朋友:(谢谢) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + BigDogPathStill Image (STI) DriverVM.c:\windows\vm_sti.exe + MSPY2002c:\windows\system32\ime\pintlgnt\imscinst.exe + RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmon.exe + RavTimerRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtimer.exe + RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwmain.exe + WinampAgentFile not found: C:\Program Files\Winamp3\\winampa.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run + SystemSafetyMonitorMaster ModuleSystem Safetyd:\program files\system safety monitor\syssafe.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + Auto Update Property Sheet ExtensionFile not found: C:\WINDOWS\System32\wuaucpl.cpl + Display Panning CPL ExtensionFile not found: deskpan.dll + HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll + RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll + WinRAR shell extensionc:\program files\winrar\rarext.dll + 用户(&P)...File not found: CLSID\{32714800-2E5F-11d0-8B85-00AA0044F941}\InprocServer32 HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + Web 文件夹c:\program files\common files\microsoft shared\web folders\msonsext.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects + IeCatch2 Classjccatch ModuleAmaze Softd:\program files\flashget\jccatch.dll HKLM\Software\Microsoft\Internet Explorer\Toolbar + FlashGet BarFlashGet IE BarAmaze Softd:\program files\flashget\fgiebar.dll HKLM\Software\Microsoft\Internet Explorer\Extensions + &FlashGetFlashGetAmaze Softd:\program files\flashget\flashget.exe + @shdoclc.dll,-864c:\windows\web\related.htm + Yahoo! Messengerc:\program files\yahoo!\messenger\ypager.exe + 腾讯QQQQTENCENTd:\program files\qq\qq.exe Task Scheduler + DDD_Install_Program.jobFile not found: C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\remotesetup.exe HKLM\System\CurrentControlSet\Services + RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwsrv.exe + RsCCenterCCenterrisingc:\program files\rising\rav\ccenter.exe + RsRavMonRavMonBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe HKLM\System\CurrentControlSet\Services + ac97intcIntel(r) Integrated Controller Hub Audio DriverIntel Corporationc:\windows\system32\drivers\ac97intc.sys + ati2mtaaATI RAGE 128 Miniport DriverATI Technologies Inc.c:\windows\system32\drivers\ati2mtaa.sys + BaseTDIbasetdiRisingc:\windows\system32\drivers\basetdi.sys + ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys + FETNDISNDIS 5.0 miniport driverVIA Technologies, Inc. c:\windows\system32\drivers\fetnd5a.sys + GMSIPCIFile not found: G:\INSTALL\GMSIPCI.SYS + HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys + HookRegc:\program files\rising\rav\hookreg.sys + HookSys瑞星c:\program files\rising\rav\hooksys.sys + kmsinputc:\windows\system32\drivers\kmsinput.sys + npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.d:\program files\qq\npkcrypt.sys + npkycrypFile not found: D:\Program Files\qq\npkycryp.sys + nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 29.58 NVIDIA Corporationc:\windows\system32\drivers\nv4_mini.sys + PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys + RsFwDrvnt_fwdrvRisingc:\program files\rising\rfw\rsfwdrv.sys + rtl8029File not found: System32\DRIVERS\RTL8029.SYS + rtl8139NDIS 5.0 driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys + S3PsddrS3 ProSavage(DDR) & Twister Miniport DriverS3 Graphics, Inc.c:\windows\system32\drivers\s3gnbm.sys + safemonSystem Safety Monitor 2.0 extension for Windows security layerSystem Safetyc:\windows\system32\drivers\safemon.sys + SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys + SetupNTc:\windows\system32\setupnt.sys + STAC97VIA VT82C686A Audio Driver (WDM)SigmaTel, Inc.c:\windows\system32\drivers\stac97.sys + viaagp1VIA NT AGP FilterVIA Technologies, Inc.c:\windows\system32\drivers\viaagp1.sys + VIAudioVIA AC'97 Enhanced Audio WDM Driver VIA Technologies, Inc.c:\windows\system32\drivers\viaudio.sys + vulfnthsVIA USB Host Controller Lower Filter DriverVIA Technologies, Inc.c:\windows\system32\drivers\vulfnth.sys + vulfntrsVIA USB Roothub Lower Filter DriverVIA Technologies, Inc.c:\windows\system32\drivers\vulfntr.sys + ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:

BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:	发表于： 2005-12-01 14:04 \| 短消息资料字号：小中大 8楼 + SetupNTc:\windows\system32\setupnt.sys 删除启动项重启删除c:\windows\system32\setupnt.sys 还有那些File not found的启动项也删除试试
BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-12-01 14:42 \| 只看楼主短消息资料字号：小中大 9楼你好！谢谢！我试过了，还是不能成功呀！
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:

tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:	发表于： 2005-12-01 14:45 \| 只看楼主短消息资料字号：小中大 10楼重新扫描了，情况如下： HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + BigDogPathStill Image (STI) DriverVM.c:\windows\vm_sti.exe + MSPY2002c:\windows\system32\ime\pintlgnt\imscinst.exe + RavMonRavMon Rising realtime monitor Beijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmon.exe + RavTimerRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtimer.exe + RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwmain.exe + WinampAgentFile not found: C:\Program Files\Winamp3\\winampa.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run + SystemSafetyMonitorMaster ModuleSystem Safetyd:\program files\system safety monitor\syssafe.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll + RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll + WinRAR shell extensionc:\program files\winrar\rarext.dll HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + Web 文件夹c:\program files\common files\microsoft shared\web folders\msonsext.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects + IeCatch2 Classjccatch ModuleAmaze Softd:\program files\flashget\jccatch.dll HKLM\Software\Microsoft\Internet Explorer\Toolbar + FlashGet BarFlashGet IE BarAmaze Softd:\program files\flashget\fgiebar.dll HKLM\Software\Microsoft\Internet Explorer\Extensions + &FlashGetFlashGetAmaze Softd:\program files\flashget\flashget.exe + @shdoclc.dll,-864c:\windows\web\related.htm + Yahoo! Messengerc:\program files\yahoo!\messenger\ypager.exe + 腾讯QQQQTENCENTd:\program files\qq\qq.exe Task Scheduler + DDD_Install_Program.jobFile not found: C:\DOCUME~1\BLUEWA~1\LOCALS~1\Temp\remotesetup.exe HKLM\System\CurrentControlSet\Services + RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Corporation Limitedc:\program files\rising\rfw\rfwsrv.exe + RsCCenterCCenterrisingc:\program files\rising\rav\ccenter.exe + RsRavMonRavMonBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe HKLM\System\CurrentControlSet\Services + ac97intcIntel(r) Integrated Controller Hub Audio DriverIntel Corporationc:\windows\system32\drivers\ac97intc.sys + ati2mtaaATI RAGE 128 Miniport DriverATI Technologies Inc.c:\windows\system32\drivers\ati2mtaa.sys + BaseTDIbasetdiRisingc:\windows\system32\drivers\basetdi.sys + ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys + FETNDISNDIS 5.0 miniport driverVIA Technologies, Inc. c:\windows\system32\drivers\fetnd5a.sys + HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys + HookRegc:\program files\rising\rav\hookreg.sys + HookSys瑞星c:\program files\rising\rav\hooksys.sys + kmsinputc:\windows\system32\drivers\kmsinput.sys + npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.d:\program files\qq\npkcrypt.sys + nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 29.58 NVIDIA Corporationc:\windows\system32\drivers\nv4_mini.sys + PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys + RsFwDrvnt_fwdrvRisingc:\program files\rising\rfw\rsfwdrv.sys + rtl8139NDIS 5.0 driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys + S3PsddrS3 ProSavage(DDR) & Twister Miniport DriverS3 Graphics, Inc.c:\windows\system32\drivers\s3gnbm.sys + safemonSystem Safety Monitor 2.0 extension for Windows security layerSystem Safetyc:\windows\system32\drivers\safemon.sys + SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys + STAC97VIA VT82C686A Audio Driver (WDM)SigmaTel, Inc.c:\windows\system32\drivers\stac97.sys + viaagp1VIA NT AGP FilterVIA Technologies, Inc.c:\windows\system32\drivers\viaagp1.sys + VIAudioVIA AC'97 Enhanced Audio WDM Driver VIA Technologies, Inc.c:\windows\system32\drivers\viaudio.sys + vulfnthsVIA USB Host Controller Lower Filter DriverVIA Technologies, Inc.c:\windows\system32\drivers\vulfnth.sys + vulfntrsVIA USB Roothub Lower Filter DriverVIA Technologies, Inc.c:\windows\system32\drivers\vulfntr.sys + ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys
tuguo 初生襁褓狮帖子:10 注册: 2005-11-27 来自:

<<上一主题|下一主题>>

12 3

1 / 3 页

跳转页

页面顶部

Powered by Discuz!NT