瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 高手、、、、!大虾、、、、、、、、!救命

123   2  /  3  页   跳转

高手、、、、!大虾、、、、、、、、!救命

收藏
宝知2006
头像
初生襁褓狮
  • 帖子:15
  • 注册: 2007-02-14
  • 来自:
发表于: 2007-02-21 13:55 | 只看楼主 短消息 资料
字号: 11楼

[PID: 5956][C:\Program Files\Rising\AntiSpyware\runiep.exe]  [Beijing Rising Technology Co., Ltd., 1, 0, 1, 6]
    [C:\Program Files\Rising\AntiSpyware\iep_ctrl.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 6132][C:\Program Files\Rising\Rav\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 3536][C:\WINDOWS\mhs3.exe]  [N/A, N/A]
    [C:\DOCUME~1\zgb\LOCALS~1\Temp\mhs0.dll]  [N/A, N/A]
[PID: 5864][C:\WINDOWS\System32\adirss.exe]  [N/A, N/A]
[PID: 4084][C:\Program Files\Messenger\msmsgs.exe]  [Microsoft Corporation, 4.0.0155]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 3700][C:\Windows\xpupdate.exe]  [N/A, N/A]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 2984][C:\WINDOWS\rund1132.exe]  [N/A, N/A]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 2004][C:\WINDOWS\System32\conime.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 3720][C:\Program Files\Rising\Rav\Ravmon.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
    [C:\Program Files\Rising\Rav\BWList.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 10]
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [C:\Program Files\Rising\Rav\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\Rav\RsXML.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
    [C:\Program Files\Rising\Rav\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 4636][C:\Program Files\Rising\Rav\RsAgent.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\Rav\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 4652][C:\WINDOWS\msagent\AgentSvr.exe]  [Microsoft Corporation, 2.00.0.3422]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 2748][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\TENCENT\Adplus\SSAddr.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll]  [Thunder Networking Technologies,LTD, 5, 0, 1, 4]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx]  [Adobe Systems, Inc., 9,0,16,0]
[PID: 3128][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, N/A]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]
[PID: 2976][C:\DOCUME~1\zgb\LOCALS~1\Temp\Rar$EX02.250\SREng.EXE]  [Smallfrogs Studio, 2.3.13.690]
    [C:\Program Files\TENCENT\Adplus\Adplus.dll]  [Tencent, 4, 4, 2, 22]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 8]
    [C:\WINDOWS\System32\wsfttrs.dll]  [N/A, N/A]
    [C:\WINDOWS\System32\wsttrs.dll]  [N/A, N/A]

==================================
gototop
 
宝知2006
头像
初生襁褓狮
  • 帖子:15
  • 注册: 2007-02-14
  • 来自:
发表于: 2007-02-21 13:57 | 只看楼主 短消息 资料
字号: 12楼

文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================


[/CODE]
gototop
 
蓝狐Lovepig
头像
初生襁褓狮
  • 帖子:310
  • 注册: 2006-10-23
  • 来自:
发表于: 2007-02-21 14:36 | 短消息 资料
字号: 13楼

进入安全模式,显业所有文件和文件夹,把隐藏受保护第统文件的勾去掉。删除下以文件
<ravshell><C:\WINDOWS\rund1132.exe> [N/A]
<mhs3><C:\WINDOWS\mhs3.exe> [N/A]
<moppds><C:\WINDOWS\5.exe> [N/A]
<mhs3><C:\WINDOWS\mhs3.exe> [N/A]
[PID: 3536][C:\WINDOWS\mhs3.exe] [N/A, N/A]
[C:\DOCUME~1\zgb\LOCALS~1\Temp\下的所有文件
[PID: 2984][C:\WINDOWS\rund1132.exe] [N/A, N/A]

删除后记得把文件隐藏,还有勾起受保护的文件
gototop
 
奇迹天下
头像
叱咤花甲狮
  • 帖子:2935
  • 注册: 2004-07-01
  • 来自:
发表于: 2007-02-21 14:55 | 短消息 资料
字号: 14楼

中毒已深,基本没救
我怀疑以下病毒文件,但建议听下其他人意见

<upxdnd><C:\DOCUME~1\zgb\LOCALS~1\Temp\upxdnd.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> [N/A]
<mppds><C:\WINDOWS\mppds.exe> [N/A]
<wsttrs><C:\WINDOWS\wsttrs.exe> [N/A]
<moppds><C:\WINDOWS\5.exe> [N/A]
<msccrt><C:\WINDOWS\msccrt.exe> [N/A]
<sdafdsafds><C:\WINDOWS\temp\162.exe> [N/A]
<mhs3><C:\WINDOWS\mhs3.exe> [N/A]
<cmdbbcs><C:\WINDOWS\cmdbbcs.exe> [N/A]
<msccccrt><C:\WINDOWS\msccccrt.exe> [N/A]
<upxdn><C:\DOCUME~1\zgb\LOCALS~1\Temp\TIMPLATF0RM.exe> [N/A]
<wsfttrs><C:\WINDOWS\wsfttrs.exe> [N/A]
<sysinter><C:\WINDOWS\System32\adirss.exe> [N/A
<C:\WINDOWS\System32\drivers\ttp.exe><C:\WINDOWS\System32\drivers\ttp.exe> [N/
服务
[SysAutoWin323 / AutoWin323][Running/Auto Start]
<C:\Windows\system32\BHNVELTAHPWDLS.EXE><N/A>
[Client IP-IPX / Client IP-IPX][Running/Auto Start]
<"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000327><N/A>
[Network Logon / NetWorkLogon][Stopped/Auto Start]
<rundll32.exe KB896475.log,start><N/A>

[C:\WINDOWS\System32\wsfttrs.dll] [N/A, N/A]
[C:\WINDOWS\System32\wsttrs.dll] [N/A, N/A]
[C:\WINDOWS\System32\cmdbcs.dll] [N/A, N/A]
[C:\DOCUME~1\zgb\LOCALS~1\Temp\upxdn.dll] [N/A, N/A]
[C:\WINDOWS\System32\wsfttrs.dll] [N/A, N/A]
gototop
 
蓝狐Lovepig
头像
初生襁褓狮
  • 帖子:310
  • 注册: 2006-10-23
  • 来自:
发表于: 2007-02-21 15:02 | 短消息 资料
字号: 15楼

<upxdn><C:\DOCUME~1\zgb\LOCALS~1\Temp\TIMPLATF0RM.exe> [N/A]
呵,这样不如直接删除C:\DOCUME~1\zgb\LOCALS~1\Temp\下的所有文件
gototop
 
spiritfire
头像
锋芒艾服狮
  • 帖子:1266
  • 注册: 2006-10-22
  • 来自:
发表于: 2007-02-21 15:37 | 短消息 资料
字号: 16楼

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<csrss><C:\Progra~1\Eset\csrss.exe> [N/A]
<Windows update loader><C:\Windows\xpupdate.exe> [N/A]
<taskdir><C:\WINDOWS\System32\taskdir.exe> [N/A]
<ravshell><C:\WINDOWS\rund1132.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<upxdnd><C:\DOCUME~1\zgb\LOCALS~1\Temp\upxdnd.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> [N/A]
<mppds><C:\WINDOWS\mppds.exe> [N/A]
<wsttrs><C:\WINDOWS\wsttrs.exe> [N/A]
<moppds><C:\WINDOWS\5.exe> [N/A]
<msccrt><C:\WINDOWS\msccrt.exe> [N/A]
<sdafdsafds><C:\WINDOWS\temp\162.exe> [N/A]
<C:\WINDOWS\System32\drivers\ttp.exe><C:\WINDOWS\System32
\drivers\ttp.exe> [N/A]
<winsystem><C:\WINDOWS\smss.exe> [铭迈科技]
<mhs3><C:\WINDOWS\mhs3.exe> [N/A]
<cmdbbcs><C:\WINDOWS\cmdbbcs.exe> [N/A]
<msccccrt><C:\WINDOWS\msccccrt.exe> [N/A]
<upxdn><C:\DOCUME~1\zgb\LOCALS~1\Temp\TIMPLATF0RM.exe>
[N/A]
<wsfttrs><C:\WINDOWS\wsfttrs.exe> [N/A]
<sysinter><C:\WINDOWS\System32\adirss.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<winsystem><C:\WINDOWS\smss.exe> [铭迈科技]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\System32\ctfnom.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\rpcc]
<WinlogonNotify: rpcc><C:\WINDOWS\System32\rpcc.dll> [N/A]
8033BCB0 / 8033BCB0][Stopped/Auto Start]
<C:\WINDOWS\System32\8033BCB0.EXE -service><Microsoft Corporation>
[SysAutoWin323 / AutoWin323][Running/Auto Start]
<C:\Windows\system32\BHNVELTAHPWDLS.EXE><N/A>
[BCD4F510 / BCD4F510][Stopped/Auto Start]
<C:\WINDOWS\System32\BCD4F510.EXE -service><Microsoft Corporation>
[Client IP-IPX / Client IP-IPX][Running/Auto Start]
<"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000327><N/A>
[DB724A98 / DB724A98][Stopped/Auto Start]
<C:\WINDOWS\System32\DB724A98.EXE -service><Microsoft Corporation>
[EE125CF8 / EE125CF8][Stopped/Auto Start]
<C:\WINDOWS\System32\EE125CF8.EXE -service><Microsoft Corporation>
[Network Logon / NetWorkLogon][Stopped/Auto Start]
<rundll32.exe KB896475.log,start><N/A>
[RestoreService / RestoreService][Stopped/Auto Start]
<C:\WINDOWS\System32\Svchost.exe -k RestoreService-->C:\WINDOWS\System32\drivers\restore.dll><N/A>
[Internet Protect Service / SHipING][Stopped/Auto Start]
<C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\MHSHV.DLL,Export 1087><N/A>
[hidproc / hidproc][Running/Auto Start]
<\??\C:\WINDOWS\System32\drivers\hidproc.sys><Microsoft Corporation>
[mkci / mkcin][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\mkcin.sys><N/A>
[msusbbux / msusbbux][Running/Auto Start]
<\??\C:\WINDOWS\System32\drivers\msusbbux.sys><Microsoft Corporation>
[vfhh_x / vfhh_x][Stopped/Manual Start]
<\??\C:\WINDOWS\System32\drivers\vfhh_x.sys><N/A>

用SREng删除以上启动项目,安全模式删除如下:
C:\DOCUME~1\zgb\LOCALS~1\Temp(安全模式下,清空整个文件夹)
C:\WINDOWS\System32\wsfttrs.dll
[C:\WINDOWS\System32\wsttrs.dll
C:\WINDOWS\System32\svchosts.exe
[C:\WINDOWS\System32\cmdbcs.dll
C:\DOCUME~1\zgb\LOCALS~1\Temp\upxdn.dll
C:\WINDOWS\System32\wsfttrs.dll
C:\WINDOWS\System32\moppds.dll
C:\WINDOWS\System32\msccccrt.dll
C:\WINDOWS\System32\wsttrs.dll
C:\WINDOWS\System32\cmdbbcs.dll
C:\WINDOWS\System32\msccrt.dll
C:\Windows\system32\QXDLVCJRYF.DLL
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\rund1132.exe
C:\Program Files\TENCENT(卸掉Q后,整个文件夹都删除)
C:\WINDOWS\System32\taskdir.exe
C:\Windows\xpupdate.exe
C:\Progra~1\Eset\csrss.exe
C:\WINDOWS\rund1132.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\wsttrs.exe
C:\WINDOWS\5.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\temp\162.exe
C:\WINDOWS\System32\drivers\ttp.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\mhs3.exe
C:\WINDOWS\cmdbbcs.exe
C:\WINDOWS\msccccrt.exe
C:\WINDOWS\wsfttrs.exe
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\System32\ctfnom.exe
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\System32\8033BCB0.EXE
C:\Windows\system32\BHNVELTAHPWDLS.EXE
C:\WINDOWS\System32\BCD4F510.EXE
C:\WINDOWS\System32\DB724A98.EXE
C:\WINDOWS\System32\EE125CF8.EXE
C:\WINDOWS\System32\KB896475.log
C:\WINDOWS\System32\drivers\restore.dll
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\WINDOWS\SYSTEM32\WBEM\MHSHV.DLL
C:\WINDOWS\System32\drivers\hidproc.sys
C:\WINDOWS\System32\DRIVERS\mkcin.sys
C:\WINDOWS\System32\drivers\msusbbux.sys
C:\WINDOWS\System32\drivers\vfhh_x.sys
 
置顶中下载killbox,勾选替换后重启,将此路径填入后处理!
C:\WINDOWS\System32\winlib .dll

PS:如果有Ghost的话,还是别费劲了,直接还原比较快些,系统已经成了马棚,鸽子窝!
gototop
 
炫火冰焰
头像
拙长孩提狮
  • 帖子:93
  • 注册: 2006-03-29
  • 来自:
发表于: 2007-02-21 15:52 | 短消息 资料
字号: 17楼

毒真多
gototop
 
蓝狐Lovepig
头像
初生襁褓狮
  • 帖子:310
  • 注册: 2006-10-23
  • 来自:
发表于: 2007-02-21 15:54 | 短消息 资料
字号: 18楼

呵,对呀,他的机子有好多东西偶都看不懂。
也不敢教他乱删
gototop
 
已成过去
头像
叱咤花甲狮
  • 帖子:2685
  • 注册: 2007-01-24
  • 来自:
发表于: 2007-02-21 15:58 | 短消息 资料
字号: 19楼

还真奇怪.他进程里面的东西差不多是我两倍....
gototop
 
misaboa
头像
健康舞勺狮
  • 帖子:354
  • 注册: 2006-08-31
  • 来自:
发表于: 2007-02-21 16:01 | 短消息 资料
字号: 20楼

[Client IP-IPX / Client IP-IPX][Running/Auto Start]
<"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000327><N/A>
鸽子,
有GHOST的话直接恢复把,
gototop
 
<<上一主题|下一主题>>
123   2  /  3  页   跳转
页面顶部
Powered by Discuz!NT