Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board: Desperate! A virus that three antivirus programs couldn't handle

Desperate! A virus that three antivirus programs couldn't handle


[PID: 1612][C:\WINDOWS\system32\igfxtray.exe]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.4299]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\igfxress.dll]  [Intel Corporation, 3.0.0.4299]
[PID: 1624][C:\WINDOWS\system32\hkcmd.exe]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.4299]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.4299]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1636][C:\WINDOWS\system32\igfxpers.exe]  [Intel Corporation, 3.0.0.4299]
    [C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.4299]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1672][D:\Program Files\Unlocker\UnlockerAssistant.exe]  [N/A, ]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1764][C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe]  [Jetsoft Development Company, 1, 0, 0, 1]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\WINDOWS\system32\Lxasmdm.dll]  [Oasis Semiconductor Inc., 2.0]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1772][C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe]  [Jetsoft Development Company, 1, 0, 0, 1]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1804][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 1820][D:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE]  [Super Rabbit Soft, 7.98]
    [C:\WINDOWS\system32\msvbvm60.dll]  [Microsoft Corporation, 6.00.9690]
    [C:\WINDOWS\system32\vb6chs.dll]  [Microsoft Corporation, 6.00.8988]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [D:\PROGRA~1\SUPERR~1\MagicSet\shlobj71.ocx]  [Sky Software (http://www.ssware.com), 7, 1, 0, 0]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 2160][C:\WINDOWS\system32\wscntfy.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 3392][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.0.0.86]
    [d:\Program Files\Thunder Network\WebThunder\WebThunderBHO_016.dll]  [Thunder Networking Technologies,LTD, 6, 0, 0, 5]
    [D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.7.2006011200]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\winvar.dll]  [N/A, ]
    [D:\Program Files\Microsoft Office\OFFICE11\msohev.dll]  [Microsoft Corporation, 11.0.5510]
    [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scr_ch_pg.dll]  [Kaspersky Lab, 1.0.6.299]
    [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
    [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx]  [Adobe Systems, Inc., 9,0,45,0]
    [C:\WINDOWS\system32\SOGOUPY.IME]  [Sohu.com Inc., 3, 0, 0, 0]
    [C:\WINDOWS\system32\dllMergeDict.dll]  [Sogou.com Inc., 3, 0, 0, 0]
    [C:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
    [C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL]  [Microsoft Corporation, 11.0.5510]
[PID: 2956][E:\tools\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\winvar.dll]  [N/A, ]
[PID: 2980][C:\WINDOWS\system32\mspaint.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\winvar.dll]  [N/A, ]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.0.0.86]
    [C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll]  [Autodesk, 16.0.0.86]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  Error. [AutoCADScriptFile]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1  localhost
127.1.1.1  www.hao333.com
127.1.1.2  www.hao333.com

==================================
API HOOK
RVA  错误: LoadLibraryA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xAAB81B25)
RVA  错误: LoadLibraryExA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xAAB81D67)
RVA  错误: LoadLibraryExW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xAAB81F0B)
RVA  错误: LoadLibraryW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xAAB81C49)
RVA  错误: GetProcAddress (危险等级: 高,  被下面模块所HOOK: Dest Addr: 0xAAB81E8F)

==================================
隐藏进程
N/A

==================================


Can't delete it with Unlocker either; I've posted all the logs.

<8><C:\DOCUME~1\hhh\LOCALS~1\Temp\iexpl0re.exe> []
<fysa><C:\DOCUME~1\hhh\LOCALS~1\Temp\fyso.exe> [N/A]
<jtsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\jtso.exe> [N/A]
<wlsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\wlso.exe> [N/A]
<wmsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\wmso.exe> [N/A]
<wosa><C:\DOCUME~1\hhh\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\ztso.exe> [N/A]
<mhsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\mhso.exe> [N/A]
<wgsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\wgso.exe> [N/A]
<qjsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\qjso.exe> [N/A]
<rxsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\rxso.exe> [N/A]
<wdsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\wdso.exe> [N/A]
<tlsa><C:\DOCUME~1\hhh\LOCALS~1\Temp\tlso.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<accwiz><C:\WINDOWS\accwiz.exe> [N/A]
<System><C:\Program Files\Common Files\system\Updaterun.exe> []
<{03F6E661-0D5F-3FAD-3E2B-E261E3CB6CD2}><C:\Program Files\Internet Explorer\PLUGINS\HiJack.dll> [N/A]
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.dll> []
<{90BC520C-9175-470E-94B8-10FD869D170B}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd> []
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\System64.sys> [N/A]
<{AB0219F9-4EB2-4997-A50A-1A42C3205261}><C:\WINDOWS\winvar.dll> []

[ClipManage / MouTALS][Running/Auto Start]
<C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\GBLNO.DLL,Export 1087><Microsoft Corporation>
Delete the corresponding files.
Empty C:\DOCUME~1\hhh\LOCALS~1\Temp

Kill it in Safe Mode.

Thanks yqlikaka, it's OK after a reboot.

Addendum:
Delete the startup items mentioned in post 15, as well as
the services:
[Network Engine / Trial][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\xyadq.dll><Microsoft Corporation>
[ASP.NET FrameWork Service / LocalServices][Running/Auto Start]
<C:\WINDOWS\system32\Svchost.exe -k LocalServices-->C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dll><Microsoft Corporation>

Reboot, then delete the corresponding files and the HOSTS entries:
127.1.1.1 www.hao333.com
127.1.1.2 www.hao333.com
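The addendum above, together with the earlier post listing the Temp-directory autoruns, shows the indicators the helper keyed on: a DLL with no version information loaded into nearly every process, startup entries pointing at randomly named executables under the user's Temp folder, and HOSTS entries redirecting real domains to 127.x addresses. The Python script below is an added example, not SREng's code and not something posted in the thread; it parses constructed sample lines modelled on the SREng report format shown above and applies those three checks. The flagged modules are a review list, not a verdict: UnlockerHook.dll is a user-installed hook tool and trips the same heuristic as InfoMs.dll.

```python
"""Triage helpers for SREng-style logs (added example, not SREng's own code):
which unversioned DLLs are loaded into many processes, which autorun entries
point into a Temp directory, and which HOSTS entries redirect real domains."""
import re

# Constructed sample modelled on the process/module report in the thread.
SAMPLE_REPORT = r"""
[PID: 1804][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 2160][C:\WINDOWS\system32\wscntfy.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
[PID: 2956][E:\tools\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [D:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\winvar.dll]  [N/A, ]
[PID: 2980][C:\WINDOWS\system32\mspaint.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Internet Explorer\InfoMs.dll]  [N/A, ]
    [C:\WINDOWS\winvar.dll]  [N/A, ]
    [C:\WINDOWS\system32\msvbvm60.dll]  [Microsoft Corporation, 6.00.9690]
"""

# Constructed sample modelled on the startup-item listing in the thread.
SAMPLE_AUTORUNS = r"""
<8><C:\DOCUME~1\hhh\LOCALS~1\Temp\iexpl0re.exe> []
<fysa><C:\DOCUME~1\hhh\LOCALS~1\Temp\fyso.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
"""

# HOSTS content as reported in the thread.
SAMPLE_HOSTS = """\
127.0.0.1  localhost
127.1.1.1  www.hao333.com
127.1.1.2  www.hao333.com
"""

PROC_RE = re.compile(r"^\[PID: (\d+)\]\[([^\]]+)\]\s+\[([^\]]*)\]$")
MOD_RE = re.compile(r"^\s+\[([^\]]+)\]\s+\[([^\]]*)\]$")
AUTORUN_RE = re.compile(r"^<([^>]*)><([^>]+)>\s*\[([^\]]*)\]$")


def split_vendor(info):
    """'Intel Corporation, 3.0.0.4299' -> ('Intel Corporation', '3.0.0.4299')."""
    vendor, _, version = info.partition(",")
    return vendor.strip(), version.strip()


def parse_modules(report):
    """Return {path_lower: (path, vendor, set_of_pids)} for every loaded module."""
    modules = {}
    pid = None
    for line in report.splitlines():
        m = PROC_RE.match(line)
        if m:                      # process header: remember the PID
            pid = int(m.group(1))
            continue
        m = MOD_RE.match(line)
        if m and pid is not None:  # indented module line under that process
            path, vendor = m.group(1), split_vendor(m.group(2))[0]
            entry = modules.setdefault(path.lower(), (path, vendor, set()))
            entry[2].add(pid)
    return modules


def unversioned_modules_loaded_widely(report, min_procs=3):
    """Modules with no vendor info present in at least min_procs processes.

    A DLL without a version resource that shows up in almost every process is
    the footprint of a global hook or injected DLL; the result is sorted by how
    many processes carry it, most widespread first.
    """
    hits = []
    for path, vendor, pids in parse_modules(report).values():
        if vendor in ("", "N/A") and len(pids) >= min_procs:
            hits.append((path, len(pids)))
    hits.sort(key=lambda h: (-h[1], h[0].lower()))
    return hits


def autoruns_in_temp(autoruns):
    """Startup entries whose executable lives under a Temp/Tmp directory."""
    hits = []
    for line in autoruns.splitlines():
        m = AUTORUN_RE.match(line)
        if m and re.search(r"\\(temp|tmp)\\", m.group(2), re.IGNORECASE):
            hits.append((m.group(1), m.group(2)))
    return hits


def suspicious_hosts_entries(hosts_text):
    """HOSTS lines that map anything other than localhost, or localhost to an odd address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() != "localhost" or ip not in ("127.0.0.1", "::1"):
                hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for path, n in unversioned_modules_loaded_widely(SAMPLE_REPORT):
        print(f"review: {path} loaded in {n} processes")
    for name, path in autoruns_in_temp(SAMPLE_AUTORUNS):
        print(f"autorun in Temp: <{name}> {path}")
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {host} -> {ip}")
```

Run against a full SREng report, the module check lists InfoMs.dll and winvar.dll near the top (every process carries them, neither has version data) and the analyst then decides which of the remaining hits, such as UnlockerHook.dll, are tools they installed themselves.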
Expert... I'm not that skilled~~~ I didn't spot that it was a malicious service~~~~ How did you spot it? Did you ask for a sample?