关于木马 - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛关于木马

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第五十次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

12

1 / 2 页

跳转页

关于木马

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 11:12 \| 只看楼主短消息资料字号：小中大 1楼关于木马我想问一下大侠们如果木马病毒只是被处理隔离后，我应该在如何处理彻底消除木马 2006-08-13 13:03:57
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	分享到：

影子110 叱咤花甲狮帖子:4210 注册: 2005-04-10 来自:怀黯	发表于： 2006-08-13 11:22 \| 短消息资料字号：小中大 2楼如果被隔离,则说明已经没事,(只是有的被感染的正常文件如果强行删除,可能会导致某些方面运行不正常) 如果你的电脑现在还有问题~ 可以用HijackThis扫个日志帖上来看看~
影子110 叱咤花甲狮帖子:4210 注册: 2005-04-10 来自:怀黯

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 11:58 \| 只看楼主短消息资料字号：小中大 3楼太谢谢了这是我的日志 Logfile of HijackThis v1.99.1 Scan saved at 11:47:54, on 2004-8-13 Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Rising\Rav\CCenter.exe C:\Program Files\Rising\Rav\Ravmond.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Rising\Rav\RavStub.exe C:\Program Files\Rising\Rav\RavTask.exe C:\Program Files\Rising\Rav\Ravmon.exe C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe D:\programs\天网Maze\MazeSvr.exe C:\WINDOWS\system32\ctfmon.exe D:\programs\QQ\QQ.exe F:\软件\客户端上网认证.exe C:\Program Files\QQ\TIMPlatform.exe C:\WINDOWS\System32\alg.exe C:\Program Files\baigoo\bgoomain.exe F:\setup\木马杀客\mmsk.exe C:\Program Files\Maxthon\Maxthon.exe D:\programs\hijack\HijackThis.exe R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\egnd.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programs\ACR\ActiveX\AcroIEHelper.dll O2 - BHO: FltSetUp Class - {1D49D58D-5C84-4B50-8359-D9809BEB2B32} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL O2 - BHO: ActiveBHO Class - {63C55A7F-6E29-8D4F-5C76-4F850F28D13A} - C:\Progra~1\DoDoorRSSFinder\ActiveBandObject.dll O2 - BHO: bg - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - C:\Program Files\baigoo\BGooBHO.dll O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll O2 - BHO: WAB Importer/Exporter - {AA158CA5-93B4-4cd4-8D8C-BB6F9F515213} - C:\WINDOWS\System32\wabimp.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\programs\ACR\Acrobat\AcroIEFavClient.dll O2 - BHO: Flash 8 ocx - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINDOWS\system32\flash8.dll O2 - BHO: shdocvwhlp Class - {BE442802-3911-46E0-B227-076B15A4EAD3} - C:\WINDOWS\system32\shdocvw2.dll O2 - BHO: IEHlprObj Class - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - C:\Progra~1\NetMeeting\conf.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\programs\ACR\Acrobat\AcroIEFavClient.dll O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload O4 - HKLM\..\Run: [XFDLINK] "C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [RavStub] "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: 快捷方式到 QQ.lnk = D:\programs\QQ\QQ.exe O4 - Startup: 快捷方式到客户端上网认证.lnk = ? O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\QQ\AddToNetDisk.htm O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\programs\OFFICE\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\QQ\AddPanel.htm O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ\AddEmotion.htm O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\QQ\SendMMS.htm O8 - Extra context menu item: 转换为 Adobe PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: 转换为现有 PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: 转换选项为 Adobe PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: 转换选项为现有 PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: 转换链接目标为现有 PDF - res://D:\programs\ACR\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246 O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\programs\OFFICE\OFFICE11\REFIEBAR.DLL O9 - Extra button: 娱乐在线 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.plugunion.com/ (file missing) O9 - Extra 'Tools' menuitem: 娱乐在线 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.plugunion.com/ (file missing) O11 - Options group: [!CNS] 网络实名 O17 - HKLM\System\CCS\Services\Tcpip\..\{FD3F7275-6056-4C0A-892A-1DBEBD417778}: NameServer = 202.4.130.100,202.4.130.101 O18 - Filter: text/html - {E7009873-0D40-45B1-8D59-5B9AE98C7D38} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll O23 - Service: MazeSvr - Unknown owner - D:\programs\天网Maze\MazeSvr.exe O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing) O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 12:04 \| 只看楼主短消息资料字号：小中大 4楼顶自己
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 12:04 \| 只看楼主短消息资料字号：小中大 5楼再顶
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:

系统格式化·重装初生襁褓狮帖子:293 注册: 2006-05-12 来自:	发表于： 2006-08-13 12:07 \| 短消息资料字号：小中大 6楼不用顶了，隔离了还会复发的
系统格式化·重装初生襁褓狮帖子:293 注册: 2006-05-12 来自:

网络小强健康舞勺狮帖子:256 注册: 2006-07-18 来自:	发表于： 2006-08-13 12:18 \| 短消息资料字号：小中大 7楼隔离会复发`?不一定好哇``
网络小强健康舞勺狮帖子:256 注册: 2006-07-18 来自:

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 12:25 \| 只看楼主短消息资料字号：小中大 8楼这是我启动项的列表麻烦给看看 StartupList report, 2004-8-13, 12:12:47 StartupList version: 1.52.2 Started from : D:\programs\hijack\HijackThis.EXE Detected: Windows XP SP2, v.2149 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP2 (6.00.2900.2149) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Rising\Rav\CCenter.exe C:\Program Files\Rising\Rav\Ravmond.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Rising\Rav\RavStub.exe C:\Program Files\Rising\Rav\RavTask.exe C:\Program Files\Rising\Rav\Ravmon.exe C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe D:\programs\天网Maze\MazeSvr.exe C:\WINDOWS\system32\ctfmon.exe D:\programs\QQ\QQ.exe F:\软件\客户端上网认证.exe C:\Program Files\QQ\TIMPlatform.exe C:\WINDOWS\System32\alg.exe C:\Program Files\baigoo\bgoomain.exe C:\Program Files\Maxthon\Maxthon.exe D:\programs\hijack\HijackThis.exe D:\programs\kingsoft\XDICT.EXE -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\Documents and Settings\Administrator\「开始」菜单\程序\启动] 快捷方式到 QQ.lnk = D:\programs\QQ\QQ.exe 快捷方式到客户端上网认证.lnk = ? -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\egnd.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC RavTask = "C:\Program Files\Rising\Rav\RavTask.exe" -system IMSCMig = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload XFDLINK = "C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe" -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce RavStub = "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = NOTEPAD.EXE %1 -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=INI section not found SCRNSAVE.EXE=INI section not found drivers=INI section not found Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr drivers=Registry value not found Policies Shell key: HKCU\..\Policies: Shell=Registry value not found HKLM\..\Policies: Shell=Registry value not found -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - D:\programs\ACR\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll - {1D49D58D-5C84-4B50-8359-D9809BEB2B32} yPhtb - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} Anti Fish - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll - {38928D50-8A48-44C2-945F-D2F23F771410} 雅虎助手 - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} YDragSearch - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL - {62EED7C6-9F02-42f9-B634-98E2899E147B} (no name) - C:\Progra~1\DoDoorRSSFinder\ActiveBandObject.dll - {63C55A7F-6E29-8D4F-5C76-4F850F28D13A} bg - C:\Program Files\baigoo\BGooBHO.dll - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} ThunderBHO - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll - {889D2FEB-5411-4565-8998-1DD2C5261283} (no name) - C:\WINDOWS\System32\wabimp.dll - {AA158CA5-93B4-4cd4-8D8C-BB6F9F515213} (no name) - D:\programs\ACR\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910} (no name) - C:\WINDOWS\system32\flash8.dll - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} (no name) - C:\WINDOWS\system32\shdocvw2.dll - {BE442802-3911-46E0-B227-076B15A4EAD3} (no name) - C:\Progra~1\NetMeeting\conf.dll - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: No scripts set to run Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XERKEMKB\hgz[1].exe\|\|\|T -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\system32\webcheck.dll SysTray: C:\WINDOWS\system32\stobject.dll -------------------------------------------------- End of report, 6,195 bytes Report generated in 0.266 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:

系统格式化·重装初生襁褓狮帖子:293 注册: 2006-05-12 来自:	发表于： 2006-08-13 12:26 \| 短消息资料字号：小中大 9楼你看看我帖子，我机子刚重装，又中了，是从系统漏洞进入的，还是不能打开网络啊
系统格式化·重装初生襁褓狮帖子:293 注册: 2006-05-12 来自:

138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:	发表于： 2006-08-13 12:27 \| 只看楼主短消息资料字号：小中大 10楼我总是觉得我的电脑好慢比刚装好时
138sun 初生襁褓狮帖子:21 注册: 2006-08-12 来自:

<<上一主题|下一主题>>

12

1 / 2 页

跳转页

页面顶部

Powered by Discuz!NT