bird1234 - 2006-6-12 14:38:00
我无邪 - 2006-6-12 14:41:00
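Please download System Repair Engineer, use "Smart Scan", and press the "Scan" button to run a scan. When the scan completes, press the "Save Report" button to save the report log file (SREng.LOG), then copy and paste the contents of the saved log file here.
Download links: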
http://www.kztechs.com/sreng/sreng2.zip
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
If the log cannot be pasted in one post, paste it across several posts. Please do not modify it.
bird1234 - 2006-6-12 15:19:00
What a kind person, that was fast!
2006-06-12,14:57:46
System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<internat.exe><internat.exe> [Microsoft Corporation]
<91cast><> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [Microsoft Corporation]
<NvCplDaemon><RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<SoundMan><SOUNDMAN.EXE> [Realtek Semiconductor Corp.]
<internat.exe><internat.exe> [Microsoft Corporation]
<OfficeScanNT Monitor><"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow> [Trend Micro Inc.]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<91cast><> []
<iparmor><C:\Program Files\Iparmor\Iparmor.exe mini> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<SNDInst.exe><C:\PROGRA~1\COMMON~1\SYMANT~1\SNDInst.exe /7> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<Vision><> []
==================================
启动文件夹
[Adobe Reader Speed Launch]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Reader Speed Launch.lnk><N>
[Microsoft Office]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk><N>
[Acrobat Assistant]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Acrobat Assistant.lnk><N>
==================================
服务
[C-DillaCdaC11BA / C-DillaCdaC11BA]
<C:\WINNT\system32\drivers\CDAC11BA.EXE><Macrovision>
[Crypkey License / Crypkey License]
<crypserv.exe><CrypKey (Canada) Ltd.>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[hklphd / hklphd]
<"\\172.20.150.229\E$\systemcfg.exe" -service><N/A>
[InstallDriver Table Manager / IDriverT]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Lotus Notes Single Logon / Lotus Notes Single Logon]
<C:\WINNT\system32\nslsvice.exe><IBM Corp>
[Macromedia Licensing Service / Macromedia Licensing Service]
<"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[Multi-user Cleanup Service / Multi-user Cleanup Service]
<"C:\Program Files\lotus\notes\ntmulti.exe"><IBM Corp>
[OfficeScanNT RealTime Scan / ntrtscan]
<C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe><Trend Micro Inc.>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
[OfficeScanNT Personal Firewall / OfcPfwSvc]
<C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe><Trend Micro Inc.>
[OfficeScanNT Listener / tmlisten]
<C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe><Trend Micro Inc.>
==================================
浏览器加载项
[BandIE Class]
{77FEF28E-EB96-44FF-B511-3185DEA48697} <, N/A>
[JoyoCtrl Class]
{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} <d:\PROGRA~1\Kingsoft\XDict\IEPlugin.dll, >
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[百度超级搜霸]
{B580CF65-E151-49C3-B73F-70B13FCA8E86} <C:\PROGRA~1\baidu\bar\baidubar.dll, Baidu.com, Inc.>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, N/A>
[FlashGet Bar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} <D:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[Edit Class]
{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINNT\system32\CMBEdit.dll, >
[WebDraw Class]
{B234C268-A755-49A1-8A52-C8408A99AD7C} <C:\WINNT\system32\photon\support\webutil.dll, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[Google 搜索(&G)]
<res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html, N/A>
[使用网际快车下载]
<D:\PROGRA~1\FLASHGET\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\PROGRA~1\FLASHGET\jc_all.htm, N/A>
bird1234 - 2006-6-12 15:19:00
==================================
正在运行的进程
[PID: 144][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 168][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 188][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 216][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 228][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 400][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 428][C:\WINNT\system32\spoolsv.exe] <Microsoft Corporation><5.00.2195.7059>
[C:\WINNT\system32\BBPDFPortMon.dll] <N/A><N/A>
[C:\Program Files\Network Print Monitor\Driver.DLL] <><1, 0, 0, 1>
[C:\WINNT\system32\pdfports.dll] <Adobe Systems Incorporated.><5.0.000>
[d:\Program Files\Adobe\Acrobat 5.0\Distillr\ADistRes.CHS] <Adobe Systems Incorporated.><5.0.0.0>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 488][C:\WINNT\system32\drivers\CDAC11BA.EXE] <Macrovision><4.20.020>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 508][C:\WINNT\system32\crypserv.exe] <CrypKey (Canada) Ltd.><6.0>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 528][C:\WINNT\System32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 560][C:\Program Files\lotus\notes\ntmulti.exe] <IBM Corp><6.0.40.4008>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 576][C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcDog.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\TimeString.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 620][C:\WINNT\System32\nvsvc32.exe] <NVIDIA Corporation><6.14.10.5216>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 632][C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwCommon.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\ZLib.dll] <Trend Micro Inc.><1.31.0.1708>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\tmCfwApi.dll] <Trend Micro Inc.><1.2.0.1020>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 656][C:\WINNT\system32\MSTask.exe] <Microsoft Corporation><4.71.2195.6972>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 692][C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\TMSOCK.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\loadhttp.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\libTmCAV.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\Pwd.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcDog.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\TmUpdate.dll] <Trend Micro Inc.><2,6,0,1362>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 748][C:\WINNT\System32\WBEM\WinMgmt.exe] <Microsoft Corporation><1.50.1085.0100>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 796][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 964][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[C:\WINNT\system32\PDFShell.CHS] <Adobe Systems Incorporated><1.0>
[C:\WINNT\system32\PDFShell.dll] <Adobe Systems Incorporated><5.0.0.2001042700>
[D:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll] <Trend Micro Inc.><N/A>
[C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll] <N/A><N/A>
[C:\WINNT\system32\nvtuicpl.cpl] <NVIDIA Corporation><6.14.10.5216>
[C:\WINNT\system32\NVWRSZHC.DLL] <NVIDIA Corporation><6.14.10.5216>
[C:\WINNT\system32\styleman.cpl] <Autodesk, Inc.><8.0.16.86>
[C:\WINNT\system32\plotman.cpl] <Autodesk, Inc.><8.0.16.86>
[PID: 1124][C:\WINNT\TEMP\KR6787.EXE] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1264][C:\WINNT\SOUNDMAN.EXE] <Realtek Semiconductor Corp.><5.1.02>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1280][C:\WINNT\system32\internat.exe] <Microsoft Corporation><5.00.2920.0000>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1288][C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\loadhttp.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\Pwd.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\TimeString.dll] <N/A><N/A>
[C:\Program Files\Trend Micro\OfficeScan Client\ntmonres.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll] <Trend Micro Inc.><7.0.0.1040>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1320][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] <RealNetworks, Inc.><0.1.0.3249>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1272][C:\Program Files\Iparmor\Iparmor.exe] <luosoft.com><5.5.0.0>
[C:\Program Files\Iparmor\getportlistxp.dll] <><1, 0, 0, 1>
[C:\Program Files\Iparmor\hookhookdll.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[C:\Program Files\Iparmor\SocketInit.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1352][D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe] <Adobe Systems Inc.><5, 0, 0, 0>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1036][C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE] <N/A><N/A>
[PID: 1504][D:\Program Files\WinRAR\WinRAR.exe] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 2004][C:\WINNT\system32\msiexec.exe] <Microsoft Corporation><3.1.4000.1823>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[C:\WINNT\system32\SDBAPIU.DLL] <Microsoft Corporation><1, 0, 0, 1>
[C:\WINNT\system32\AcSignIcon.dll] <Autodesk><16.0.0.86>
[PID: 2108][C:\DOCUME~1\wang\LOCALS~1\Temp\Rar$EX22.344\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR Error. [AutoCADScriptFile]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
==================================
我无邪 - 2006-6-12 20:40:00
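Please go to http://forum.ikaka.com/topic.asp?board=67&artid=5188931 and download these two programs: LSPFix.exe and WinsockXPFix.
Double-click My Computer, then Tools, Folder Options, View. Select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" checkbox. When prompted to confirm the change, click "Yes". Clear "Hide file extensions for known file types".
Run System Repair Engineer, click "Startup Items", then "Services", then "Win32 Service Applications", tick "Hide Microsoft services", select the virus service hklphd, choose "Delete service", click "Set" and choose "No".
Restart the computer. After the power-on check finishes, press the [F8] key (you can keep pressing it until the boot menu appears) and choose Safe Mode to enter Windows.
Run LSPFix.exe
Delete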
rsvpsp.dll
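An explanation is attached:
LSPFix.exe is mainly used to help fix the O10 entries found by a HijackThis scan.
To use it, close all IE windows and folder windows, then run LSPFix. Once it is running, move the O10 entry to be fixed from the left side to the right side and click "Finish". (Before that, you need to tick the box in front of "I know what I'm doing".)
After the fix, run WinsockXPFix and let it do a repair.
Delete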
c:\winnt\rsvpsp.dll
\\172.20.150.229\ (I really have not seen this before; look for it yourself)
Also, I find this entry quite suspicious too:
OfficeScanNT Listener / tmlisten]
<C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe><Trend Micro Inc.>
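The two items singled out in the reply above (a service whose image sits on a network share, and a vendor-less DLL loaded into core system processes) can be surfaced mechanically from an SREng log. This is an added example, not part of the original thread; the sample lines are a constructed excerpt in the log's layout, and `triage` and `CORE` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the SREng log posted in this thread.
SAMPLE_LOG = r'''
[hklphd / hklphd]
<"\\172.20.150.229\E$\systemcfg.exe" -service><N/A>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
[PID: 216][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[PID: 228][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[c:\winnt\rsvpsp.dll] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
[PID: 1504][D:\Program Files\WinRAR\WinRAR.exe] <N/A><N/A>
[C:\Program Files\Iparmor\SocketArmor.dll] <N/A><N/A>
'''

SERVICE_HDR = re.compile(r"^\[(.+) / ([^\]]+)\]$")        # [Display / ShortName]
SERVICE_IMG = re.compile(r"^<(.*)><([^<>]*)>$")           # <command line><vendor>
PROCESS = re.compile(r"^\[PID: \d+\]\[([^\]]+)\] <([^>]*)><[^>]*>$")
MODULE = re.compile(r"^\[([^\]]+)\] <([^>]*)><[^>]*>$")   # [path] <vendor><version>
CORE = {"winlogon.exe", "services.exe", "lsass.exe"}      # hosts worth a close look

def triage(log_text):
    """Return (services whose image is on a UNC share,
    {vendor-less module path: core processes that have it loaded})."""
    unc_services, injected = [], defaultdict(set)
    pending_service = current_proc = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_HDR.match(line):
            pending_service = m.group(2)
        elif pending_service and (m := SERVICE_IMG.match(line)):
            # A service image starting with \\ runs code from a remote machine.
            if m.group(1).lstrip('"').startswith("\\\\"):
                unc_services.append((pending_service, m.group(1)))
            pending_service = None
        elif m := PROCESS.match(line):
            current_proc = m.group(1).rsplit("\\", 1)[-1].lower()
        elif (m := MODULE.match(line)) and current_proc in CORE:
            if m.group(2) in ("", "N/A"):     # no vendor string in the file
                injected[m.group(1).lower()].add(current_proc)
    return unc_services, {k: sorted(v) for k, v in injected.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The Iparmor hook DLL is reported alongside rsvpsp.dll, so the output is a review list for the analyst rather than a verdict.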
worldkiller - 2006-6-12 20:48:00
OfficeScanNT Listener / tmlisten]
<C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe><Trend Micro Inc.>
Trend Micro
worldkiller - 2006-6-12 20:48:00
SCR Error. [AutoCADScriptFile]
Fixed.