Rising Kaka Security Forum
ly4171 - 2006-5-26 14:08:00
I ran a scan in Safe Mode and it found nothing (I had already scanned and cleaned once in normal mode). I'm using the Rising download edition 18.27.10, virus database dated 2006.5.16. I've killed it N times; it is back at every boot and is active frequently (the Rising monitor shows it). It generates files such as wupdata.exe and iupdata.exe. The system is now abnormally slow. Could an expert give me some guidance on removing it completely?
我无邪 - 2006-5-26 14:11:00
Please download System Repair Engineer, use "Smart Scan", press the "Scan" button to scan, and when the scan finishes press the "Save Report" button to save the report log file (SREng.LOG); then copy and paste the contents of the saved log file here.
http://www.kztechs.com/sreng/sreng2.zip
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
If the log doesn't fit in one post, paste it in several parts; please do not modify it.
不言放弃 - 2006-5-26 14:14:00
[Reply to "ly4171"'s post]
First, what are the virus file names and their path?
ly4171 - 2006-5-26 14:25:00
The path is under this directory: c:/Documents and Settings/Local Settings/Temporary Internet Files
Virus executables: wupdata.exe, iupdata[1].exe.
Virus name: Trojan.clicker.chimoz.k
ly4171 - 2006-5-26 15:15:00
2006-05-26,15:09:49
System Repair Engineer 2.0.12.350 (2.0 RC 1)
Windows 2000 Professional Service Pack 4 - non-administrator user - restricted functionality
The following items were selected:
All startup items (including registry, startup folders, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explore.exe><C:\WINNT\explore.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Taskmor.exe><C:\WINNT\taskmor.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Advanced Tools Check><C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Super Rabbit Desktop Set><C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Super Rabbit Memory><C:\Program Files\Super Rabbit\MagicSet\memdef.EXE /LOAD>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vptray><C:\PROGRA~1\SYMANT~2\VPTray.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<RavStub><"C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>
ly4171 - 2006-5-26 15:15:00
Startup folders
[快捷方式 FortuneDate]
<C:\Documents and Settings\saca201.ALLTRONICS.000\「开始」菜单\程序\启动\快捷方式 FortuneDate.lnk><N>
[快捷方式 XDICT]
<C:\Documents and Settings\saca201.ALLTRONICS.000\「开始」菜单\程序\启动\快捷方式 XDICT.lnk><N>
==================================
Services
[C-DillaCdaC11BA / C-DillaCdaC11BA]
<C:\WINNT\system32\drivers\CDAC11BA.EXE><Macrovision>
[Symantec Event Manager / ccEvtMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"><Symantec Corporation>
[Symantec Password Validation / ccPwdSvc]
<"C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[Symantec AntiVirus Definition Watcher / DefWatch]
<"C:\Program Files\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Norton Unerase Protection / NProtectService]
<"C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"><N/A>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SavRoam / SavRoam]
<"C:\Program Files\Symantec AntiVirus\SavRoam.exe"><symantec>
[ScriptBlocking Service / SBService]
<><N/A>
[Symantec Network Drivers Service / SNDSrvc]
<"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[Symantec SPBBCSvc / SPBBCSvc]
<C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus]
<"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
ly4171 - 2006-5-26 15:18:00
Browser add-ons
[超级兔子上网精灵]
{FEDF637B-F631-4583-A210-33CC828D42DB} <C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL, 超级兔子>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <d:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <d:\Program Files\Tencent\QQ\QQIEHelper.dll, N/A>
[金山快译(&K)]
{6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} <D:\Program Files\Kingsoft\FastAIT 2005\IEBand.dll, 金山软件股份有限公司>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[超级兔子上网精灵]
{FEDF637B-F631-4583-A210-33CC828D42DB} <C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL, 超级兔子>
[Update Class]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} <C:\WINNT\System32\iuctl.dll, Microsoft Corporation>
[!搜一搜]
<res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003, N/A>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
ly4171 - 2006-5-26 15:21:00
Running processes
[PID: 836][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\WINNT\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 1320][C:\Program Files\Super Rabbit\MagicSet\memdef.EXE] <Super Rabbit Software><3.00>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1344][C:\PROGRA~1\SYMANT~2\VPTray.exe] <Symantec Corporation><10.0.0.359>
[C:\Program Files\Symantec AntiVirus\SAVRT32.DLL] <Symantec Corporation><9.5.0.44>
[C:\Program Files\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><10.0.0.359>
[C:\PROGRA~1\SYMANT~2\NAVNTUTL.DLL] <Symantec Corporation><10.0.0.359>
[C:\Program Files\Symantec AntiVirus\Cliproxy.dll] <Symantec Corporation><10.0.0.359>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1364][C:\Program Files\Rising\Rav\RavTask.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1080][D:\Tec Data\www file\sofa\FortuneDate\FortuneDate.exe] <N/A><N/A>
[D:\Tec Data\www file\sofa\FortuneDate\bdertl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\rtl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dbrtl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dclaxserver60.bpl] <Borland Software Corporation><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vcl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\vcldb60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dsnap60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\HDSNDLL.dll] <N/A><N/A>
[D:\Tec Data\www file\sofa\FortuneDate\Print.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\printbase.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\tee60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\uadl.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vcljpg60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\VclSmp60.bpl] <Borland Software Corporation><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vclx60.bpl] <Borland Software Corporation><6.0.6.163>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
ly4171 - 2006-5-26 15:21:00
[PID: 1272][C:\Program Files\Rising\Rav\Ravmon.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 1, 17>
[C:\Program Files\Rising\Rav\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
[C:\Program Files\Rising\Rav\BWList.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1224][C:\Program Files\XDICT\XDICT.EXE] <Kingsoft Co, Ltd.><5, 5, 0, 0>
[C:\Program Files\XDICT\IHooks.dll] <N/A><N/A>
[C:\Program Files\XDICT\ITextOut.dll] <N/A><N/A>
[C:\Program Files\XDICT\CJKTAB32.dll] <N/A><N/A>
[C:\Program Files\XDICT\XImage32.dll] <N/A><N/A>
[C:\Program Files\XDICT\NewWord.dll] <N/A><N/A>
[C:\Program Files\XDICT\xfile.dll] <N/A><N/A>
[C:\Program Files\XDICT\ITTSEngine.dll] <N/A><N/A>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 260][C:\WINNT\system32\WISPTIS.EXE] <Microsoft Corporation><1.0.2201.0 (xpsp1.020820-1800)>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1260][C:\WINNT\intranet.exe] <N/A><N/A>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 1408][C:\WINNT\winlogin.exe] <N/A><N/A>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 1612][C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\AGM.dll] <Adobe Systems Incorporated><4.10.50>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\CoolType.dll] <Adobe Systems Incorporated><4.13.42>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\JP2KLib.dll] <Adobe system Incorporated><1.0.22891>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\OPP.dll] <Adobe Systems Incorporated><1.02.05>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\BIB.dll] <Adobe Systems Incorporated><1.1.14>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ACE.dll] <Adobe Systems Incorporated><2.03.24>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[c:\program files\adobe\acrobat 6.0\reader\rdlang32.chs] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\WINNT\system32\ATMLIB.dll] <Adobe Systems><5.0 Build 225>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\SPPlugins\ADMPlugin.apl] <Adobe Systems Incorporated><3.01acp01>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\SPPlugins\ExpressViews.apl] <Adobe Systems Incorporated><6.0>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\ImageViewer\ImageViewer.API] <Adobe Systems Inc.><6.0.1.38590>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Multimedia\Multimedia.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PDDom.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Accessibility.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\reflow.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\MakeAccessible.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\SaveAsRTF.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Annotations\Annots.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\AcroForm.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\DigSig.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PPKLite.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\EScript.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\EWH32.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\HLS.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\weblink.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\IA32.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\SendMail.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Search.api] <Adobe Systems Incorporated><6.0.0.2003051500>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Soap.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Updater.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\esdupdate.dll] <Adobe Systems><2, 0, 0, 21>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\XFA.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\PictureTasks.api] <Adobe Systems Incorporated><6.0.1.2003110300>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PPKLite.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Accessibility.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\AcroForm.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Annotations\Annots.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\DigSig.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\EScript.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\EWH32.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\HLS.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Multimedia\Multimedia.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PDDom.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\PictureTasks.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\reflow.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\SaveAsRTF.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Search.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\SendMail.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Soap.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Updater.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\weblink.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\XFA.CHS] <N/A><N/A>
[C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\IA32.CHS] <N/A><N/A>
[PID: 2080][C:\Program Files\MSN Messenger\msnmsgr.exe] <Microsoft Corporation><7.0.0816>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\WINNT\System32\devenum.dll] <N/A><N/A>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
[PID: 1772][D:\Tec Data\www file\sofa\rav2006\sreng2\SREng.exe] <Smallfrogs Studio><2.0.12.350>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1700][C:\Program Files\Internet Explorer\iexplore.exe] <Microsoft Corporation><6.00.2800.1106>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL] <超级兔子><1.0.7.7>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
ly4171 - 2006-5-26 15:21:00
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.JS Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
ly4171 - 2006-5-26 15:44:00
Rising's virus records, 6 kinds in total.
No.  Virus name               Date found        Path  File
1.   Backdoor.Gpigeon.arw     2006-05-25 14:03  C:\WINNT\system32  2006.exe
2.   Trojan.Clicker.Chimoz.k  2006-05-25 14:10  C:\WINNT  wupdate.exe>>Unpack
3.   Trojan.Clicker.Chimoz.k  2006-05-25 14:10  C:\WINNT  iupdate.exe>>Unpack
4.   Trojan.PSW.Lmir.jyh      2006-05-25 14:10  C:\WINNT  896588.DLL
5.   Backdoor.Gpigeon.arw     2006-05-25 14:10  C:\WINNT  Srer.exe
6.   Trojan.HTML.Psyme.b      2006-05-25 14:32  C:  boot.hta
7.   Dropper.Agent.bff        2006-05-25 16:14  D:\Tec Data\www file\sofa  我不想理财.rar>>我不想理财!V3.61 破解版.exe
8.   Trojan.Clicker.Chimoz.k  2006-05-26 08:09  C:\WINNT  wupdate.exe>>Unpack
9.   Trojan.Clicker.Chimoz.k  2006-05-26 08:14  C:\Documents and Settings\saca201.ALLTRONICS.000\Local Settings\Temporary Internet Files\Content.IE5\EHYMS9SO  wupdate[1].exe>>Unpack
10.  Trojan.Clicker.Chimoz.k  2006-05-26 11:56  C:\Documents and Settings\saca201.ALLTRONICS.000\Local Settings\Temporary Internet Files\Content.IE5\6TXUBE94  iupdate[1].exe>>Unpack
11.  Trojan.Clicker.Chimoz.k  2006-05-26 11:56  C:\Documents and Settings\saca201.ALLTRONICS.000\Local Settings\Temporary Internet Files\Content.IE5\4BHBYE7P  wupdate[1].exe>>Unpack
ly4171 - 2006-5-26 15:50:00
Experts, please keep the suggestions coming.
我无邪 - 2006-5-27 0:03:00
Open an IE window, Tools, Internet Options, click "Delete Files"; in the dialog that pops up tick "Delete all offline content" and confirm.
Run System Repair Engineer, click "Startup Items, Services", tick "Hide Microsoft services", select the virus service ScriptBlocking Service, choose "Delete selected service" and answer "No".
Press ALT+CTRL+DELETE to bring up Task Manager and end the explore.exe and taskmor.exe processes.
Run System Repair Engineer and use "Startup Items, Registry" to delete the following entries.
(If you can't tell which one it is in the registry view, select an entry and click "Edit"; that shows the full path clearly.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explore.exe><C:\WINNT\explore.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Taskmor.exe><C:\WINNT\taskmor.exe>
If these two trojans cannot be deleted, try deleting them in Safe Mode.
After the repair, please reboot. Sorry to trouble you, but please scan again and paste a new report.
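The triage 我无邪 did by eye on the first report (per-user Run values whose image sits under C:\WINNT, names one letter away from Explorer.exe and taskmgr.exe, processes with no vendor string) can be scripted. The following is an added example written for this page; it is not SREng's code and not part of the thread. It parses lines in the shape SREng prints (a `[HKEY_...]` key header followed by `<value><command>` lines, and `[PID: n][path] <vendor><version>` process lines) and flags three things: a per-user Run value pointing into the Windows directory, a process running from the Windows directory with no vendor information, and a file name that closely imitates a core Windows binary. The sample input is constructed from a few lines of the first report; the list of imitated binaries, the 0.85 similarity threshold and the Windows-directory prefixes are assumptions to tune. Fed the complete first report it should also flag C:\WINNT\winlogin.exe and C:\WINNT\intranet.exe, both listed with vendor N/A and both absent from the second report, which the thread never discusses. It deliberately leaves services alone: an empty image path such as the ScriptBlocking Service entry looks the same whether it is hostile or a stale entry left by an uninstalled product, so that needs a look at the registry rather than a heuristic.

```python
"""Triage heuristics for SREng-style startup and process reports.

Added example for this page; not SREng's code and not part of the thread.
It mechanises what the helper did by eye: per-user Run values pointing into
the Windows directory, processes running from there with no vendor string,
and file names one or two letters away from a core Windows binary
(explore.exe vs explorer.exe, taskmor.exe vs taskmgr.exe).
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Tuple

# Core Windows binaries that malware likes to imitate. Assumed, short list;
# extend it for real use. Order matters only for tie-breaking.
KNOWN_SYSTEM_BINARIES = (
    "explorer.exe", "taskmgr.exe", "winlogon.exe", "svchost.exe",
    "lsass.exe", "services.exe", "csrss.exe", "smss.exe", "userinit.exe",
    "spoolsv.exe", "rundll32.exe", "iexplore.exe",
)

# Line shapes as SREng prints them (see the reports in this thread).
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*)\]$")
RUN_VALUE_RE = re.compile(r"^<([^>]*)><(.*)>$")
PROCESS_RE = re.compile(r"^\[PID:\s*(\d+)\]\[([^\]]+)\]\s*<([^>]*)><([^>]*)>$")

# Constructed sample: a few lines copied in the shape of the thread's first report.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explore.exe><C:\WINNT\explore.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Taskmor.exe><C:\WINNT\taskmor.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINNT\system32\userinit.exe,>
[PID: 836][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[PID: 1260][C:\WINNT\intranet.exe] <N/A><N/A>
[PID: 1408][C:\WINNT\winlogin.exe] <N/A><N/A>
[PID: 1344][C:\PROGRA~1\SYMANT~2\VPTray.exe] <Symantec Corporation><10.0.0.359>
"""


@dataclass
class Finding:
    kind: str                  # "run" (registry Run value) or "process"
    name: str                  # file name of the image
    path: str                  # image path as written in the report
    reasons: List[str] = field(default_factory=list)


def image_path(command: str) -> str:
    """Extract the image path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path is the first token; drop the trailing comma Userinit carries.
    return command.split(" ", 1)[0].rstrip(",")


def lookalike_of(name: str, threshold: float = 0.85) -> str:
    """Return the known binary that `name` imitates, or '' if it is genuine or unlike any."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return ""
    best, best_ratio = "", 0.0
    for legit in KNOWN_SYSTEM_BINARIES:
        ratio = SequenceMatcher(None, name, legit).ratio()
        if ratio > best_ratio:
            best, best_ratio = legit, ratio
    return best if best_ratio >= threshold else ""


def in_system_root(path: str, roots: Tuple[str, ...]) -> bool:
    return path.lower().startswith(roots)


def triage(report: str, roots: Tuple[str, ...] = ("c:\\winnt\\", "c:\\windows\\")) -> List[Finding]:
    """Scan a report and return the entries worth a second look."""
    findings: List[Finding] = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else ""   # any other header ends the registry block
            continue
        m = PROCESS_RE.match(line)
        if m:
            _pid, path, vendor, _version = m.groups()
            name = path.rsplit("\\", 1)[-1]
            reasons = []
            if in_system_root(path, roots) and vendor.strip().upper() in ("", "N/A"):
                reasons.append("runs from the Windows directory with no vendor information")
            twin = lookalike_of(name)
            if twin:
                reasons.append(f"name imitates {twin}")
            if reasons:
                findings.append(Finding("process", name, path, reasons))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key:
            path = image_path(m.group(2))
            name = path.rsplit("\\", 1)[-1]
            reasons = []
            if current_key.startswith("HKEY_CURRENT_USER") and in_system_root(path, roots):
                reasons.append("per-user Run value pointing into the Windows directory")
            twin = lookalike_of(name)
            if twin:
                reasons.append(f"name imitates {twin}")
            if reasons:
                findings.append(Finding("run", name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind:7} {f.path:45} {'; '.join(f.reasons)}")
```

On the sample this reports explore.exe and taskmor.exe (per-user Run values in C:\WINNT that imitate explorer.exe and taskmgr.exe) and the two vendor-less processes intranet.exe and winlogin.exe, while leaving Explorer.EXE, RavTask.exe, VPTray.exe and the genuine userinit.exe alone. The similarity check is intentionally loose: it also catches digit-for-letter swaps such as svch0st.exe, and the price is that any legitimately named binary close to the list must be added to KNOWN_SYSTEM_BINARIES (iexplore.exe is there for exactly that reason).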
ly4171 - 2006-5-27 10:12:00
Thanks to 无邪 for still guiding us late at night.
Following the method above and rebooting, the two viruses explore.exe and taskmor.exe are no longer in the process list, but my computer is still abnormally slow. Is there some other problem?
The new scan report follows:
ly4171 - 2006-5-27 10:14:00
2006-05-27,10:08:27
System Repair Engineer 2.0.12.350 (2.0 RC 1)
Windows 2000 Professional Service Pack 4 - non-administrator user - restricted functionality
The following items were selected:
All startup items (including registry, startup folders, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Advanced Tools Check><C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Super Rabbit Desktop Set><C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Super Rabbit Memory><C:\Program Files\Super Rabbit\MagicSet\memdef.EXE /LOAD>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<vptray><C:\PROGRA~1\SYMANT~2\VPTray.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<RavStub><"C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>
ly4171 - 2006-5-27 10:15:00
==================================
Startup folders
[快捷方式 FortuneDate]
<C:\Documents and Settings\saca201.ALLTRONICS.000\「开始」菜单\程序\启动\快捷方式 FortuneDate.lnk><N>
[快捷方式 XDICT]
<C:\Documents and Settings\saca201.ALLTRONICS.000\「开始」菜单\程序\启动\快捷方式 XDICT.lnk><N>
==================================
Services
[C-DillaCdaC11BA / C-DillaCdaC11BA]
<C:\WINNT\system32\drivers\CDAC11BA.EXE><Macrovision>
[Symantec Event Manager / ccEvtMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"><Symantec Corporation>
[Symantec Password Validation / ccPwdSvc]
<"C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr]
<"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[Symantec AntiVirus Definition Watcher / DefWatch]
<"C:\Program Files\Symantec AntiVirus\DefWatch.exe"><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Norton Unerase Protection / NProtectService]
<"C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"><N/A>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[SavRoam / SavRoam]
<"C:\Program Files\Symantec AntiVirus\SavRoam.exe"><symantec>
[ScriptBlocking Service / SBService]
<><N/A>
[Symantec Network Drivers Service / SNDSrvc]
<"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[Symantec SPBBCSvc / SPBBCSvc]
<C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus]
<"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"><Symantec Corporation>
ly4171 - 2006-5-27 10:16:00
==================================
Browser add-ons
[超级兔子上网精灵]
{FEDF637B-F631-4583-A210-33CC828D42DB} <C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL, 超级兔子>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[QQ]
{c95fe080-8f5d-11d2-a20b-00aa003c157b} <d:\Program Files\Tencent\QQ\QQ.EXE, TENCENT>
[QQIEFloatBarCfgCmd Class]
{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <, N/A>
[金山快译(&K)]
{6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} <D:\Program Files\Kingsoft\FastAIT 2005\IEBand.dll, 金山软件股份有限公司>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[超级兔子上网精灵]
{FEDF637B-F631-4583-A210-33CC828D42DB} <C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL, 超级兔子>
[Update Class]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} <C:\WINNT\System32\iuctl.dll, Microsoft Corporation>
[!搜一搜]
<res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003, N/A>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
ly4171 - 2006-5-27 10:16:00
==================================
Running processes
[PID: 1156][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
[C:\WINNT\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
[PID: 944][C:\WINNT\system32\conime.exe] <Microsoft Corporation><5.00.2195.6655>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1368][C:\Program Files\Super Rabbit\MagicSet\memdef.EXE] <Super Rabbit Software><3.00>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1392][C:\PROGRA~1\SYMANT~2\VPTray.exe] <Symantec Corporation><10.0.0.359>
[C:\Program Files\Symantec AntiVirus\SAVRT32.DLL] <Symantec Corporation><9.5.0.44>
[C:\Program Files\Symantec AntiVirus\Cliscan.dll] <Symantec Corporation><10.0.0.359>
[C:\PROGRA~1\SYMANT~2\NAVNTUTL.DLL] <Symantec Corporation><10.0.0.359>
[C:\Program Files\Symantec AntiVirus\Cliproxy.dll] <Symantec Corporation><10.0.0.359>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1252][C:\Program Files\Rising\Rav\RavTask.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1412][C:\Program Files\Rising\Rav\Ravmon.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 1, 17>
[C:\Program Files\Rising\Rav\RsGuiLib.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
[C:\Program Files\Rising\Rav\BWList.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
[C:\Program Files\Rising\Rav\RSAPPMGR.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[C:\Program Files\Rising\Rav\CfgDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[C:\Program Files\Rising\Rav\RsCommX.dll] <rising><18, 0, 0, 1>
[C:\Program Files\Rising\Rav\PngDll.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1468][D:\Tec Data\www file\sofa\FortuneDate\FortuneDate.exe] <N/A><N/A>
[D:\Tec Data\www file\sofa\FortuneDate\bdertl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\rtl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dbrtl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dclaxserver60.bpl] <Borland Software Corporation><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vcl60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\vcldb60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\dsnap60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\HDSNDLL.dll] <N/A><N/A>
[D:\Tec Data\www file\sofa\FortuneDate\Print.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\printbase.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\tee60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\uadl.bpl] <><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vcljpg60.bpl] <Borland Software Corporation><6.0.6.163>
[D:\Tec Data\www file\sofa\FortuneDate\VclSmp60.bpl] <Borland Software Corporation><1.0.0.0>
[D:\Tec Data\www file\sofa\FortuneDate\vclx60.bpl] <Borland Software Corporation><6.0.6.163>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1516][C:\Program Files\XDICT\XDICT.EXE] <Kingsoft Co, Ltd.><5, 5, 0, 0>
[C:\Program Files\XDICT\IHooks.dll] <N/A><N/A>
[C:\Program Files\XDICT\ITextOut.dll] <N/A><N/A>
[C:\Program Files\XDICT\CJKTAB32.dll] <N/A><N/A>
[C:\Program Files\XDICT\XImage32.dll] <N/A><N/A>
[C:\Program Files\XDICT\NewWord.dll] <N/A><N/A>
[C:\Program Files\XDICT\xfile.dll] <N/A><N/A>
[C:\Program Files\XDICT\ITTSEngine.dll] <N/A><N/A>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[PID: 1664][D:\Tec Data\www file\sofa\rav2006\sreng2\SREng.exe] <Smallfrogs Studio><2.0.12.350>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 1348][C:\Program Files\Internet Explorer\IEXPLORE.EXE] <Microsoft Corporation><6.00.2800.1106>
[C:\Program Files\XDICT\Cjktl32.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\PROGRA~1\SUPERR~1\MagicSet\HAOKAN~1.DLL] <超级兔子><1.0.7.7>
[C:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
ly4171 - 2006-5-27 10:17:00
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.JS Error. [C:\WINNT\system32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock providers
==================================
我无邪 - 2006-5-27 11:50:00
Run System Repair Engineer, use "System Repair, File Associations", tick "Select all" and click "Repair" so that all extensions are restored to normal.
Other than that, I can't see any problem in the log.
You say it feels slow; have you installed two antivirus products? I suggest disabling at least one of the real-time monitors at startup.
Also, do you have the Rising firewall installed?
If so, try stopping it from loading at system startup and see.
ly4171 - 2006-5-27 14:26:00
At some point the Symantec monitor had started without my noticing, and there was no icon showing. Now that I've stopped the Rising monitor, the speed is back to normal.
Thanks again.
我无邪 - 2006-8-31 0:13:00
Yes, a typical problem. You were lucky to be able to get into the system at all.
Take care not to run two real-time monitors at the same time.