求助我中了 Trojan.Rootkit.Vanti.ba病毒 bbs.ikaka.com

intelll - 2006-2-7 16:24:00

瑞星提示我中了 Trojan.Rootkit.Vanti.ba病毒
文件的路径是 c:/windows/temp/vmmqk5c.dll
可是它却怎么也杀不掉
总是提示重新启动计算机后文件删除可是重启后状况依旧
那位大侠帮帮忙吧

阿拉伯伯 - 2006-2-7 16:44:00

发个日志上来吧,HijackThis日志!

intelll - 2006-2-7 17:09:00

HijackThis@Qoo的扫描日志 V1.97.7
Scan saved at 17:06:10, on 2006-2-7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R3 - URLSearchHook:
O2 - BHO: (no name) - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v11.dll
O2 - BHO: (no name) - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\Program Files\Yahoo!\Assistant\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\Program Files\Yahoo!\Assistant\Assist\yAngling.dll
O2 - BHO:
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: (no name) - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: ????? - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: ????? - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YLive.exe] ; C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] ; "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [helper.dll] ; C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [XDeskWeather] C:\Documents and Settings\user\My Documents\
O4 - HKLM\..\Run: [Super Rabbit SRRestore] C:\PROGRA~1\SUPERR~1\MAGICSET\SRRest.exe /autosave
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\MSNShell\BIN\MSNShell.exe autorun
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: NTUSER.DAT_BAK
O4 - Global Startup: ntuser.dat
O4 - Global Startup: ntuser.dat.LOG
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/246
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

不言放弃 - 2006-2-7 17:32:00

c:/windows/temp/vmmqk5c.dll已经插入到系统进程中了

通过HIJACKTHIS日志是无法解决的

建议：
http://forum.ikaka.com/topic.asp?board=28&artid=6979213
System Repair Engineer 2.0.12.350
用这个工具导出日志
查看一下vmmqk5c.dll插入到了哪些进程中
再决定怎么操作

intelll - 2006-2-7 17:52:00

永不放弃大侠你好
按照你的方法在下面的进程中发现了正在运行的进程vmmqk5c.dll

[PID: 504][C:\Program Files\Rising\Rav\Rav.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 46>
[C:\Program Files\Rising\Rav\PlugIn\RsPgScan.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\RavUI.Dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 51>
[C:\Program Files\Rising\Rav\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
[C:\Program Files\Rising\Rav\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\WINDOWS\system32\UNISPIM.IME] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\WINDOWS\system32\upengine.dll] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\Program Files\Rising\Rav\Scanner.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 28>
[C:\Program Files\Rising\Rav\BWList.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
[C:\Program Files\Rising\Rav\RavUIMsg.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
[C:\WINDOWS\TEMP\vmmqk5c.dll] <N/A><N/A>
[PID: 1716][C:\Program Files\Rising\Rav\RavStub.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 12>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\WINDOWS\TEMP\vmmqk5c.dll] <N/A><N/A>
[PID: 1128][C:\Program Files\Rising\Rav\Ravmond.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 1, 6>
[C:\Program Files\Rising\Rav\BWList.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RsLog.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
[C:\Program Files\Rising\Rav\HOOKSYS.dll] <Rising><18, 1, 0, 9>
[C:\Program Files\Rising\Rav\Scanner.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 28>
[C:\Program Files\Rising\Rav\libload.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\VirusLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\regmon.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\Program Files\Rising\Rav\HookWeb.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\MemMon.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 8>
[C:\Program Files\Rising\Rav\expscan.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\mPorts.dll] <Beijing Rising Technology Co., Ltd.><4, 0, 0, 3>
[C:\Program Files\Rising\Rav\MailMon.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\Rising\Rav\SpamEng.dll] <N/A><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\engine.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 23>
[C:\Program Files\Rising\Rav\UnExe.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\Program Files\Rising\Rav\PostTrt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\Rising\Rav\ScanExec.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
[C:\Program Files\Rising\Rav\ScanEx.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\Rising\Rav\NvFile.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
[C:\Program Files\Rising\Rav\ScanMac.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
[C:\Program Files\Rising\Rav\ScanSct.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\Unpacker.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[C:\Program Files\Rising\Rav\RsStore.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\posttrtx.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 1>
[C:\WINDOWS\TEMP\vmmqk5c.dll] <N/A><N/A>
[PID: 548][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\TEMP\vmmqk5c.dll] <N/A><N/A>
[PID: 596][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\UNISPIM.IME] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\WINDOWS\system32\upengine.dll] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\WINDOWS\TEMP\vmmqk5c.dll] <N/A><N/A>

intelll - 2006-2-7 18:00:00

vmmqk5c.dll插入到了以下的进程中，请问该怎么办

[PID: 504][C:\Program Files\Rising\Rav\Rav.exe]
[PID: 1716][C:\Program Files\Rising\Rav\RavStub.exe]
[PID: 1128][C:\Program Files\Rising\Rav\Ravmond.exe]
[PID: 548][\??\C:\WINDOWS\system32\csrss.exe]
[PID: 596][\??\C:\WINDOWS\system32\winlogon.exe]

q3zz - 2006-2-7 18:05:00

我记得免疫007的SetWindowsHookEx调用dwThreadId参数为0,应该是一个全局钩子.除非程序不调用SendMessage,或有R0级的HOOK,否则都应该有才对.

intelll - 2006-2-7 18:34:00

不明白请告诉我怎么办好吗？

intelll - 2006-2-7 21:16:00

各位大侠麻烦再给指点指点吧

baohe - 2006-2-7 21:21:00

引用:

【intelll的贴子】vmmqk5c.dll插入到了以下的进程中，请问该怎么办

[PID: 504][C:\Program Files\Rising\Rav\Rav.exe]
[PID: 1716][C:\Program Files\Rising\Rav\RavStub.exe]
[PID: 1128][C:\Program Files\Rising\Rav\Ravmond.exe]
[PID: 548][\??\C:\WINDOWS\system32\csrss.exe]
[PID: 596][\??\C:\WINDOWS\system32\winlogon.exe]
...........................

这种情形下，应该在DOS下查杀。

baohe - 2006-2-7 21:24:00

【回复“intelll”的帖子】
另一个办法：
如果你会用SSM，可以在“规则”中自己添加一条规则——禁止vmmqk5c.dll加载运行，并将SSM设置为启动自动加载。然后，重启系统，再删除那个vmmqk5c.dll。

intelll - 2006-2-8 2:20:00

我把硬盘当从属盘挂在了另一个机子上，把那个那个vmmqk5c.dll给删除了，不知道这样是否能够彻底清楚它？

不言放弃 - 2006-2-8 8:19:00

[PID: 548][\??\C:\WINDOWS\system32\csrss.exe]
[PID: 596][\??\C:\WINDOWS\system32\winlogon.exe]
这是两个系统必要进程
是无法手动结束的

个人认为只有参考10楼baohe版版的方法了

intelll - 2006-2-8 12:43:00

按10楼baohe版版的方法试了
还是不灵啊
难道就真的没有办法了吗？

不言放弃 - 2006-2-8 13:04:00

【回复“intelll”的帖子】
DOS下查杀吧
唉
按照baohe版主的方法好好操作一下
另外楼主要好好查看一下那个文件到底插入到了哪此进程
不要漏掉被插入的进程哟

瑞星卡卡安全论坛