Rising Kaka Security Forum, Technical Exchange: Anti-virus / Anti-rogue-software board

52z_Fat_2005.exe just won't delete! Could someone please take a look at my log?

I picked this up by accident recently while downloading software (I was actually trying to download Kingsoft FastAIT).
Later I realized the file wasn't right, but when I tried to delete it, it just wouldn't go!
Even KillBox couldn't delete it! So frustrating~

It's probably a trojan or something; Rising can't detect it either!

Any suggestions, everyone? Thanks in advance!
Last edited 2005-11-14 20:44:43

Run a scan with HijackThis and post the log here.
http://forum.ikaka.com/topic.asp?board=28&artid=5666824
The attachment in the first post of that thread is the tool.

C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
D:\RISING\RAV\Ravmond.exe
D:\RISING\RAV\RavStub.exe
d:\rising\rav\RAVMON.EXE
d:\rising\rav\RAV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
E:\下载\HijackThis1991zww.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\System32\NaviHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\FLASHGET\jccatch.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - IE工具栏增项: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FLASHGET\fgiebar.dll
O3 - IE工具栏增项: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\System32\KakaTool.dll
O3 - IE工具栏增项: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - D:\Kingsoft\FastAIT 2006\IEBand.dll
O4 - 启动项HKLM\\Run: [RfwMain] "d:\rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [RavMon] D:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [RavTimer] D:\RISING\RAV\RAVTIMER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - IE右键菜单中的新增项目: 使用Kugoo下载 - D:\KuGoo\KugooDownX.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - D:\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - D:\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Tencent\qq\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Tencent\qq\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\Tencent\qq\SendMMS.htm
O8 - IE右键菜单中的新增项目: 用比特精灵下载(&B) - D:\BitSpirit\bsurl.htm
O9 - 浏览器额外的按钮: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - 浏览器额外的“工具”菜单项: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - 浏览器额外的按钮: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O9 - 浏览器额外的“工具”菜单项: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O16 - DPF: {03E1DE6F-1E51-4BF9-81F6-18FB5FA12E35} (SnSubmitControl Class) - https://ekeyabc.poptang.com/sndasec.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {A6FF8D1E-E687-497B-96AC-F5B359663440} (XLecture Control) - http://www.sinago.com/lectureview/lectureview.cab
O16 - DPF: {A9E58728-1FA7-46CE-845D-44694EB11602} (XGiboView Control) - http://www.sinago.com/giboview/giboview.cab
O16 - DPF: {DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81} (KATScan Control) - http://scan.kingsoft.com/scan/KatNewVerHtml/KATScan.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD8B2EF3-19C1-4875-A7F1-3C84F98236B3}: NameServer = 202.101.172.46 202.101.172.47
O20 - AppInit_DLLs: APIHookDll.dll
O23 - NT 服务: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - D:\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe


OK, the log is above! Please take a look!
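As an added illustration that is not part of this thread, here is a small Python helper that parses the "O" lines of a HijackThis log and pulls out the entries a reviewer would look at first: every AppInit_DLLs value (O20), since those DLLs are mapped into each process that loads user32.dll, and the configured NameServer (O17) for comparison against the ISP's resolvers. The sample lines are copied from the log posted above; the finding labels and the bare-file-name rule are my own, not HijackThis's.

```python
import re

# Constructed sample: "O" lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\\WINDOWS\\System32\\NaviHelper.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [RavMon] D:\\RISING\\RAV\\RAVMON.EXE -SYSTEM
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{BD8B2EF3-19C1-4875-A7F1-3C84F98236B3}: NameServer = 202.101.172.46 202.101.172.47
O20 - AppInit_DLLs: APIHookDll.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_line(line):
    """Split one HijackThis entry into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def entry_path(section, body):
    """Best-effort image path of an entry: a quoted path is kept whole, arguments are dropped."""
    if section == "O4":                         # [Name] <command line>
        body = body.split("]", 1)[-1]
    elif section in ("O2", "O3", "O9", "O23"):  # ... - {CLSID} - <path>
        body = body.rsplit(" - ", 1)[-1]
    body = body.strip()
    if body.startswith('"'):
        return body[1:].split('"', 1)[0]
    tokens = body.split()
    if len(tokens) > 1 and tokens[0].lower() == "rundll32.exe":
        return tokens[1].split(",", 1)[0]       # rundll32 host: the loaded DLL is the real image
    return tokens[0] if tokens else ""


def review(log_text):
    """Return (section, label, detail) tuples for the entries worth a closer look."""
    findings = []
    for section, body in filter(None, map(parse_line, log_text.splitlines())):
        if section == "O20":
            # AppInit_DLLs load into every user32 process; a bare name is found via the DLL search path.
            findings.append((section, "AppInit_DLLs entry", body.split(":", 1)[-1].strip()))
        elif section == "O17":
            # Not a verdict: the resolvers should be compared with the ISP's own.
            findings.append((section, "verify NameServer", body.split("=", 1)[-1].strip()))
        else:
            path = entry_path(section, body)
            if "\\" not in path:
                findings.append((section, "bare file name, no directory", path))
    return findings
```

Running `review(SAMPLE_LOG)` on the lines above reports only the O20 and O17 entries; the BHO and Run entries carry full paths and pass the bare-name rule.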

If you can't kill it from the process list, try procexp.
For how to use the tool, see
http://forum.ikaka.com/topic.asp?board=28&artid=7318038

Latest discovery: the file is an archive. When unpacked it gives a file called "注册器" ("Registrar") or something like that, which modifies the registry and generates viruses such as "EXPIORER" and "女生宿舍" ("Girls' Dormitory").
But the original file still can't be deleted... frustrating~

Also, Rising did absolutely nothing during all of this and couldn't find any virus... sigh~

Save a log with Autoruns and post it.
To save the log: choose the File->Save menu item.
When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after enabling it, click the Refresh button on the toolbar).

For tool usage, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038, post #14.

(columns: Autorun Entry | Description | Publisher | Image Path)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NvCplDaemon | NVIDIA Display Properties Extension | NVIDIA Corporation | c:\windows\system32\nvcpl.dll
+ RavMon | RavMon Rising realtime monitor | Beijing Rising Technology Co., Ltd. | d:\rising\rav\ravmon.exe
+ RavTimer | RavTimer | Beijing Rising Technology Co., Ltd. | d:\rising\rav\ravtimer.exe
+ RfwMain | Rising Personal FireWall Main Program | Beijing Rising Technology Corporation Limited | d:\rising\rfw\rfwmain.exe

HKLM\System\CurrentControlSet\Services
+ NVSvc | Provides system and desktop level support to the NVIDIA display driver | NVIDIA Corporation | c:\windows\system32\nvsvc32.exe
+ RfwService | Rising Personal Firewall Service | Beijing Rising Technology Corporation Limited | d:\rising\rfw\rfwsrv.exe
+ RsCCenter | CCenter | rising | d:\rising\rav\ccenter.exe
+ RsRavMon | RavMon | Beijing Rising Technology Co., Ltd. | d:\rising\rav\ravmond.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Desktop Explorer | NVIDIA Desktop Explorer, Version 110.07 | NVIDIA Corporation | c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu | NVIDIA Desktop Explorer, Version 110.07 | NVIDIA Corporation | c:\windows\system32\nvshell.dll
+ NvCpl DesktopContext Class | NVIDIA Display Properties Extension | NVIDIA Corporation | c:\windows\system32\nvcpl.dll
+ nView Desktop Context Menu | NVIDIA Desktop Explorer, Version 110.07 | NVIDIA Corporation | c:\windows\system32\nvshell.dll
+ RISING | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
+ Shell Extensions for RealOne Player | RealPlayer Shell Extensions | RealNetworks, Inc. | d:\real\realplayer\rpshell.dll
+ WinRAR shell extension | | | d:\winrar\rarext.dll
+ 我的手机 | File Manager interface | Sony Ericsson Mobile Communications AB | d:\sony_e\file manager\fmgrgui.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ mp3infp | mp3infp DLL | win32lab.com | c:\windows\system32\mp3infp.dll
+ PDF Shell Extension | PDF Shell Extension | Adobe Systems, Inc. | d:\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class | Adobe Acrobat IE Helper Version 7.0 for ActiveX | Adobe Systems Incorporated | d:\adobe\acrobat 7.0\activex\acroiehelper.dll
+ IeCatch2 Class | jccatch Module | Amaze Soft | d:\flashget\jccatch.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar | FlashGet IE Bar | Amaze Soft | d:\flashget\fgiebar.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
+ &FlashGet | FlashGet | Amaze Soft | d:\flashget\flashget.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ APIHookDll.dll | | | c:\windows\system32\apihookdll.dll

HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\STRIPS~1.SCR | | | c:\windows\stripsaver.scr

Thanks, could you take another look?

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ mp3infp | mp3infp DLL | win32lab.com | c:\windows\system32\mp3infp.dll

Delete that startup entry
and try rebooting.

mp3infp.dll is for reading MP3 info; it's legitimate.
I deleted the file from the command line in Safe Mode. I'm still not at ease; something in the system must have been modified.

What error message do you get when you try to delete 52z_Fat_2005.exe?