DavidLu2000 - 2006-3-30 9:34:00
Experts, my machine is infected. Both Norton and Rising detect it, but after a reboot it comes back.
Symptoms:
1. Every time the machine boots, Norton reports that C:\Windows\711815.dll is infected; after it is quarantined automatically, application error dialogs pop up for mir2.exe and hgz.exe. These files can be found in C:\Documents and Settings\Administrator\Local Settings\Temp.
2. After deleting the files above and rebooting, the same error messages and symptoms appear again.
3. Scanning in safe mode does not help; the problem persists.
I have attached screenshots of Norton's automatic detections after boot below. Please take a look and advise.
Thanks.
DavidLu2000 - 2006-3-30 9:35:00 to 9:36:00 (four posts carrying the Norton screenshots; the images were not preserved)
不言放弃 - 2006-3-30 9:40:00
[Reply to DavidLu2000's post]
http://forum.ikaka.com/topic.asp?board=28&artid=6979213
Download System Repair Engineer 2.0.12.350
Export the complete log
DavidLu2000 - 2006-3-30 9:44:00
This is the SREng log:
2006-03-30,09:41:15
System Repair Engineer 2.0.12.350 (2.0 RC 1)
Service Pack 1, v.1023 - Administrative User - Completed Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SoundMAXPnP><C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<SoundMAX><"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BMMGAG><; RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BMMLREF><; C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ATIPTA><; C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vptray><D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\userinit.exe,>
==================================
Startup Folders
Services
[AdminService for PROGRESS 9.1D / AdminService9.1D]
<"D:\DLC91D\bin\AdmSrvc.exe"><N/A>
[Ati HotKey Poller / Ati HotKey Poller]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[DefWatch / DefWatch]
<D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe><Symantec Corporation>
[IBM PM Service / IBMPMSVC]
<C:\WINDOWS\system32\ibmpmsvc.exe><N/A>
[Symantec AntiVirus Client / Norton AntiVirus Server]
<D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe><Symantec Corporation>
[Oracle OLAP 9.0.1.0.1 / OLAPServer]
<D:\Ora90\bin\xsolap.exe><Oracle Corporation>
[Oracle OLAP Agent / Oracle OLAP Agent]
<D:\Ora90\bin\xsaagent.exe><N/A>
[OracleOraHome90Agent / OracleOraHome90Agent]
<D:\Ora90\bin\agntsrvc.exe><Oracle Corporation>
[OracleOraHome90ClientCache / OracleOraHome90ClientCache]
<D:\Ora90\BIN\ONRSD.EXE><N/A>
[OracleOraHome90HTTPServer / OracleOraHome90HTTPServer]
<D:\Ora90\Apache\Apache\Apache.exe><N/A>
[OracleOraHome90PagingServer / OracleOraHome90PagingServer]
<D:\Ora90/bin/pagntsrv.exe><N/A>
[OracleOraHome90SNMPPeerEncapsulator / OracleOraHome90SNMPPeerEncapsulator]
<D:\Ora90\BIN\ENCSVC.EXE><N/A>
[OracleOraHome90SNMPPeerMasterAgent / OracleOraHome90SNMPPeerMasterAgent]
<D:\Ora90\BIN\AGNTSVC.EXE><N/A>
[OracleOraHome90TNSListener / OracleOraHome90TNSListener]
<D:\Ora90\BIN\TNSLSNR ><N/A>
[OracleServiceORA9 / OracleServiceORA9]
<d:\ora90\bin\ORACLE.EXE ORA9><Oracle Corporation>
[ProService for 9.1D / ProService9.1D]
<D:\DLC91D\bin\ProSrvc.exe><Progress Software>
[Spectrum24 Event Monitor / S24EventMonitor]
<C:\WINDOWS\system32\S24EvMon.exe><Intel Corporation >
[SoundMAX Agent Service / SoundMAX Agent Service (default)]
<C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
[VMware Authorization Service / VMAuthdService]
<D:\Program Files\VMware\VMware Workstation\vmware-authd.exe><VMware, Inc.>
[VMware DHCP Service / VMnetDHCP]
<C:\WINDOWS\system32\vmnetdhcp.exe><VMware, Inc.>
[VMware NAT Service / VMware NAT Service]
<C:\WINDOWS\system32\vmnat.exe><VMware, Inc.>
[Visibroker Smart Agent / xsSmartAgent]
<D:\Ora90\bin\osagent.exe><N/A>
==================================
Browser Add-ons
[IeCatch2 Class]
{A5366673-E8CA-11D3-9CD9-0090271D075B} <D:\PROGRA~1\FlashGet\jccatch.dll, Amaze Soft>
[Google Toolbar Helper]
{AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[FlashGet]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\flashget.exe, Amaze Soft>
[@msdxmLC.dll,-1@1033,&Radio]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\system32\msdxm.ocx, N/A>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FlashGet\fgiebar.dll, Amaze Soft>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[Rising Web Scan Object]
{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[Download All by FlashGet]
<D:\PROGRA~1\FlashGet\jc_all.htm, N/A>
[Download using FlashGet]
<D:\PROGRA~1\FlashGet\jc_link.htm, N/A>
==================================
Running Processes
[PID: 600][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 648][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 672][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.2.3790.1023 (srvr2.030624-1700)>
[C:\WINDOWS\system32\NavLogon.dll] <N/A><N/A>
[PID: 716][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.2.3790.1023 (srvr2.030624-1700)>
[PID: 728][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 888][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 940][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 956][C:\WINDOWS\system32\ibmpmsvc.exe] <N/A><N/A>
[PID: 980][C:\WINDOWS\system32\Ati2evxx.exe] <ATI Technologies Inc.><6.14.10.4112>
[C:\WINDOWS\system32\Ati2edxx.dll] <ATI Technologies, Inc.><6, 14, 10, 2496>
[PID: 1092][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1280][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1324][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1772][C:\WINDOWS\system32\msdtc.exe] <Microsoft Corporation><2001.12.4720.0 (srv03_rtm.030324-2048)>
[D:\Ora90\bin\oci.dll] <Oracle Corporation><9.0.1.1.1>
[PID: 1856][D:\DLC91D\bin\AdmSrvc.exe] <N/A><N/A>
[D:\DLC91D\bin\EVNTLOG.dll] <Progress Software Corporation><9.1A>
[PID: 1872][C:\WINDOWS\System32\alg.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1912][D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe] <Symantec Corporation><8.1.0.821>
[PID: 1924][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1964][C:\WINDOWS\system32\inetsrv\inetinfo.exe] <Microsoft Corporation><6.0.3790.0 (srv03_rtm.030324-2048)>
[PID: 1972][D:\DLC91D\jre\bin\java.exe] <N/A><N/A>
[D:\DLC91D\jre\bin\hotspot\jvm.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\hpi.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\verify.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\java.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\zip.dll] <N/A><N/A>
[D:\DLC91D\bin\jutil.dll] <N/A><N/A>
[D:\DLC91D\bin\jni_util.dll] <N/A><N/A>
[D:\DLC91D\bin\auth.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\net.dll] <N/A><N/A>
[D:\DLC91D\bin\ntjavamain.dll] <N/A><N/A>
[D:\DLC91D\bin\ntadminserver.dll] <N/A><N/A>
[D:\DLC91D\bin\versioninfo.dll] <N/A><N/A>
[D:\DLC91D\bin\procfg.dll] <N/A><N/A>
[D:\DLC91D\bin\environ.dll] <N/A><N/A>
DavidLu2000 - 2006-3-30 9:45:00 (log continued)
[PID: 172][C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe] <Microsoft Corporation><7.10.3077>
[PID: 196][C:\WINDOWS\system32\conime.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 528][D:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe] <Microsoft Corporation><2000.080.0194.00>
[PID: 1300][D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe] <Symantec Corporation><8.1.0.821>
[C:\WINDOWS\system32\CBA.DLL] <Intel® Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\MsgSys.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\NTS.dll] <Intel® Corporation><6.12.0.105 E>
[C:\WINDOWS\system32\PDS.DLL] <Intel® Corporation><6.12.0.105 E>
[D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll] <Symantec Corporation><8.1.0.821>
[D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[D:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll] <Symantec Corporation><8.1.0.821>
[D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL] <Symantec Corp.><4.2.0.7>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060322.033\NAVEX32a.DLL] <Symantec Corporation><20051.3.1.11>
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060322.033\NAVENG32.DLL] <Symantec Corporation><20051.3.1.11>
[D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL] <Symantec Corporation><9.1.0.26>
[C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Scandlgs.dll] <Symantec Corporation><8.1.0.821>
[PID: 1352][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1368][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe] <Analog Devices, Inc.><3, 2, 6, 0>
[PID: 1404][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 1712][D:\Program Files\VMware\VMware Workstation\vmware-authd.exe] <VMware, Inc.><5.0.0 build-13124>
[PID: 376][C:\WINDOWS\system32\vmnat.exe] <VMware, Inc.><5.0.0 build-13124>
[PID: 396][C:\WINDOWS\system32\Dfssvc.exe] <Microsoft Corporation><5.2.3790.1023 (srvr2.030624-1700)>
[PID: 500][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.3790.0 (srv03_rtm.030324-2048)>
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\InfoMz.Ime] <N/A><N/A>
[D:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[D:\Program Files\IDM Computer Solutions\UltraEdit-32\ue32ctmn.dll] <><1, 0, 0, 1>
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] <Symantec Corporation><8.1.0.821>
[D:\PROGRA~1\FlashGet\jccatch.dll] <Amaze Soft><1, 1, 4, 0>
[PID: 616][C:\WINDOWS\system32\vmnetdhcp.exe] <VMware, Inc.><5.0.0 build-13124>
[PID: 692][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 2688][C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe] <Analog Devices, Inc.><5, 0, 1, 57>
[C:\Program Files\Analog Devices\SoundMAX\SMWDMIF.dll] <Analog Devices, Inc.><5, 0, 0, 473>
[PID: 2720][D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe] <Symantec Corporation><8.1.0.821>
[D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><8.1.0.821>
[D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVNTUTL.DLL] <Symantec/Peter Norton Group><1, 0, 0, 1>
[PID: 3116][D:\DLC91D\jre\bin\java.exe] <N/A><N/A>
[D:\DLC91D\jre\bin\hotspot\jvm.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\hpi.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\verify.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\java.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\zip.dll] <N/A><N/A>
[D:\DLC91D\bin\ntjavamain.dll] <N/A><N/A>
[D:\DLC91D\bin\jutil.dll] <N/A><N/A>
[D:\DLC91D\bin\jni_util.dll] <N/A><N/A>
[D:\DLC91D\jre\bin\net.dll] <N/A><N/A>
[D:\DLC91D\bin\environ.dll] <N/A><N/A>
[D:\DLC91D\bin\procfg.dll] <N/A><N/A>
[PID: 3936][C:\WINDOWS\system32\wbem\wmiprvse.exe] <Microsoft Corporation><5.2.3790.0 (srv03_rtm.030324-2048)>
[PID: 2112][C:\Program Files\Internet Explorer\IEXPLORE.EXE] <Microsoft Corporation><6.00.3790.0 (srv03_rtm.030324-2048)>
[c:\program files\google\googletoolbar2.dll] <Google Inc.><3, 0, 131, 0>
[D:\PROGRA~1\FlashGet\jccatch.dll] <Amaze Soft><1, 1, 4, 0>
[C:\WINDOWS\system32\UNISPIM.IME] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx] <Macromedia, Inc.><8,0,22,0>
[C:\WINDOWS\system32\upengine.dll] <北京清华紫光软件股份有限公司><3.0.0.3045>
[PID: 2180][C:\Program Files\MSN Messenger\msnmsgr.exe] <Microsoft Corporation><7.5.0306>
[C:\WINDOWS\system32\devenum.dll] <N/A><N/A>
[C:\WINDOWS\system32\msdmo.dll] <N/A><N/A>
[C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx] <Macromedia, Inc.><8,0,22,0>
[C:\WINDOWS\system32\UNISPIM.IME] <北京清华紫光软件股份有限公司><3.0.0.3045>
[C:\WINDOWS\system32\upengine.dll] <北京清华紫光软件股份有限公司><3.0.0.3045>
[PID: 1740][C:\Program Files\Internet Explorer\IEXPLORE.EXE] <Microsoft Corporation><6.00.3790.0 (srv03_rtm.030324-2048)>
[c:\program files\google\googletoolbar2.dll] <Google Inc.><3, 0, 131, 0>
[D:\PROGRA~1\FlashGet\jccatch.dll] <Amaze Soft><1, 1, 4, 0>
[C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx] <Macromedia, Inc.><8,0,22,0>
[PID: 3144][D:\PROGRA~1\FlashGet\flashget.exe] <Amaze Soft><1, 7, 1, 0>
[PID: 3912][G:\My Works\Virus\SREng.exe] <Smallfrogs Studio><2.0.12.350>
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS Error. []
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
==================================
DavidLu2000 - 2006-3-30 9:53:00
Please take a look! Much appreciated! Waiting...
不言放弃 - 2006-3-30 9:54:00
[Reply to DavidLu2000's post]
The log doesn't show anything wrong either.
My head is spinning.
Did you disconnect from the network and scan in safe mode?
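The reply above is a fair reading of the posted log: none of the Run keys, Winlogon Shell/Userinit values, services or BHOs point at the files Norton keeps quarantining. The script below is an added example for this thread, not code from the original post or from SREng; it parses the "[key]" / "<name><value>" pairs of the Boot Items section and applies the same checks a responder makes by eye (autostart from a Temp directory, an all-digit file name directly under %SystemRoot%, a tampered Winlogon Shell or Userinit). SAMPLE_LOG is a constructed excerpt: the first eight lines are copied from the log posted above, the last four are NOT in the posted log and are made up here, reusing the file names the poster reported (711815.dll, hgz.exe) under hypothetical value names "sysload" and "hgz", to show what a hit looks like. The leading "; " that some values in the posted log carry is stripped before path analysis without attaching any meaning to it.

```python
"""Triage an SREng-style boot-item log for the traces a self-reinstalling
dropper usually leaves. Added example for this thread; not SREng code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt: lines 1-8 copied from the posted log; lines 9-12 are
# hypothetical and are NOT in the posted log (names "sysload"/"hgz" made up).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vptray><D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<sysload><rundll32 C:\WINDOWS\711815.dll,Start>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<hgz><C:\Documents and Settings\Administrator\Local Settings\Temp\hgz.exe>
"""

KEY_RE = re.compile(r"\[(.+)\]")
ITEM_RE = re.compile(r"<([^<>]*)><(.*)>")
# First drive-letter path ending in an executable extension; stops at the
# first '"' or ',' so "rundll32 C:\x\y.dll,Entry" yields C:\x\y.dll.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|ocx|scr|com)', re.IGNORECASE)


@dataclass
class Entry:
    key: str    # registry key the item lives under
    name: str   # value name
    value: str  # command line / data


@dataclass
class Finding:
    entry: Entry
    path: str | None
    reasons: list[str] = field(default_factory=list)


def parse_boot_items(text: str) -> list[Entry]:
    """Turn the '[key]' / '<name><value>' pairs of the log into Entry objects."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1)
            continue
        m = ITEM_RE.fullmatch(line)
        if m and key:
            # Drop the "; " prefix some values in the posted log carry.
            value = m.group(2).strip().lstrip(";").strip()
            entries.append(Entry(key, m.group(1), value))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Return only the entries that trip at least one heuristic."""
    out = []
    for e in entries:
        m = PATH_RE.search(e.value)
        path = m.group(0) if m else None
        low = path.lower() if path else ""
        parent, _, base = low.rpartition("\\")
        stem = base.rsplit(".", 1)[0]
        reasons = []
        if "\\temp\\" in low:
            reasons.append("autostart runs from a Temp directory")
        if stem.isdigit() and parent.endswith("\\windows"):
            reasons.append("all-digit file name directly under %SystemRoot%")
        if e.key.lower().endswith("\\winlogon"):
            if e.name.lower() == "shell" and e.value.lower() != "explorer.exe":
                reasons.append("Winlogon Shell is not Explorer.exe")
            if e.name.lower() == "userinit" and not low.endswith("\\system32\\userinit.exe"):
                reasons.append("Winlogon Userinit is not system32\\userinit.exe")
        if reasons:
            out.append(Finding(e, path, reasons))
    return out


if __name__ == "__main__":
    for f in triage(parse_boot_items(SAMPLE_LOG)):
        print(f"{f.entry.name}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run against the eight genuine lines alone the script reports nothing, which matches the reply. Two caveats before concluding there is no persistence: the posted log has no section for AppInit_DLLs, Winlogon Notify packages, scheduled tasks or Image File Execution Options, so those have to be checked by hand (regedit, `schtasks /query`); and a file that is recreated after being deleted in safe mode is being written by something that is still running, so the Running Processes section is the place to look next, starting with modules the log lists with <N/A> for vendor (NavLogon.dll inside winlogon.exe, for instance) and verifying them by hash or signature rather than by name.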
DavidLu2000 - 2006-3-30 10:07:00
I have already scanned in safe mode and deleted the files, but after a reboot the problem comes back.
I suspect Explorer.EXE may be infected?
DavidLu2000 - 2006-3-30 10:18:00
This is driving me crazy!
DavidLu2000 - 2006-3-30 11:10:00
Gurus, please help me!
© 2000 - 2026 Rising Corp. Ltd.