阿键123 - 2006-9-10 1:01:00
Log
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\CTFMON.EXE> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [Microsoft Corporation]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<KvMonXP><C:\Program Files\KV2006\KVMonXP.kxp /auto> [Jiangmin Co.Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [Microsoft Corporation]
==================================
Startup folder
[ATITool]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\ATITool.lnk><N>
==================================
Services
[COM+ System Application / COMSysApp]
<C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}><N/A>
[KVSrvXP / KVSrvXP]
<C:\Program Files\KV2006\KVSrvXP.exe /Service><Jiangmin Co. Ltd>
[KVWSC / KVWSC]
<"C:\Program Files\KV2006\kvwsc.exe"><Jiangmin Co.Ltd>
[NBService / NBService]
<C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[MS Software Shadow Copy Provider / SwPrv]
<C:\WINDOWS\system32\dllhost.exe /Processid:{8D0203B6-03E5-48C0-B2CF-75C2FB5B1485}><N/A>
==================================
Browser add-ons
[FiltrateWebObj Class]
{42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} <C:\Program Files\KV2006\KVBHO.dll, Jiangmin Co.Ltd>
[BrowseHelper Class]
{80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} <C:\Program Files\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[Haofang game platform]
{0A155D3C-68E2-4215-A47A-E800A446447A} <D:\官方安全文件\浩方\GameClient.exe, Shanghai Haofang Online Information Technology Co. Ltd.>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Jiangmin Antivirus Toolbar]
{B5A34A93-D538-43A7-8371-864CB6148D12} <C:\Program Files\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[FiltrateWebObj Class]
{42AFACEE-2A77-41EB-9EE2-D9F8AF827F90} <C:\Program Files\KV2006\KVBHO.dll, Jiangmin Co.Ltd>
[BrowseHelper Class]
{80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} <C:\Program Files\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Jiangmin Antivirus Toolbar]
{B5A34A93-D538-43A7-8371-864CB6148D12} <C:\Program Files\KV2006\KvShell.dll, Jiangmin Co.Ltd>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, Macromedia, Inc.>
[Upload to QQ Network Disk]
<D:\普通工具软件\qq\AddToNetDisk.htm, N/A>
[Add to QQ custom panel]
<D:\普通工具软件\qq\AddPanel.htm, N/A>
[Add to QQ emoticons]
<D:\普通工具软件\qq\AddEmotion.htm, N/A>
[Send this picture via QQ MMS]
<D:\普通工具软件\qq\SendMMS.htm, N/A>
阿键123 - 2006-9-10 1:02:00
==================================
Running processes
[PID: 568][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 648][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 672][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 716][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 728][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 880][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 944][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
[PID: 1044][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
[PID: 1080][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
[PID: 1524][C:\Program Files\KV2006\KVSrvXP.exe] <Jiangmin Co. Ltd><9.2.0.50822>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\SvcSafe.dll] <Jiangmin Co. Ltd><9, 2, 0, 51107>
[C:\Program Files\KV2006\lang\SvcSafe0804.lng] <N/A><N/A>
[C:\Program Files\KV2006\Scan.dll] <Jiangmin Co. Ltd><1.0.0.50822>
[C:\Program Files\KV2006\FileGD.dll] <Jiangmin Co.Ltd><9.2.0.50809>
[C:\Program Files\KV2006\KvSPI.dll] <JiangMin Co. Ltd><9, 2, 2, 51029>
[C:\Program Files\KV2006\ScanHost.dll] <Jiangmin Co. Ltd><9, 2, 0, 50822>
[C:\Program Files\KV2006\KVWPSet.dll] <Jiangmin Co.Ltd><9, 0, 5, 1012>
[C:\Program Files\KV2006\EngPS.dll] <Jiangmin Co.Ltd><9, 2, 0, 50817>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
[C:\Program Files\KV2006\KVEnhC.DLL] <Jiangmin Co.Ltd><9, 1, 0, 50822>
[C:\Program Files\KV2006\KVEnhS.dll] <Jiangmin Co.Ltd><9, 2, 0, 51029>
[C:\Program Files\KV2006\KVEnhJ.dll] <Jiangmin Co.Ltd><9, 1, 0, 50822>
[C:\Program Files\KV2006\KVExtCab.dll] <JiangMin Co. Ltd><9, 2, 0, 50822>
[C:\Program Files\KV2006\KVExtEml.dll] <Jiangmin Co. Ltd.><9, 2, 0, 51207>
[C:\Program Files\KV2006\KVExtLZH.dll] <JiangMin Co. Ltd.><9, 2, 0, 50822>
[C:\Program Files\KV2006\KvExtRar.dll] <JiangMin Co. Ltd.><9, 2, 0, 51012>
[C:\Program Files\KV2006\KvExtZip.dll] <JiangMin Co Ltd.><9, 2, 0, 50822>
[C:\Program Files\KV2006\KVExtZ.dll] <Jiangmin Co. Ltd><9.2.0.503>
[C:\Program Files\KV2006\KVExtGz.dll] <Jiangmin Co. Ltd><9, 0, 0, 51031>
[C:\Program Files\KV2006\KVExtTar.dll] <Jiangmin Co. Ltd><9, 2, 0, 50822>
[C:\Program Files\KV2006\KVEnhK.dll] <Jiangmin Co.Ltd><9, 1, 0, 51209>
[C:\Program Files\KV2006\Fix.dll] <Jiangmin Co.Ltd><9, 2, 0, 51011>
[C:\Program Files\KV2006\KVCkMail.dll] <N/A><N/A>
[PID: 1548][C:\Program Files\KV2006\kvwsc.exe] <Jiangmin Co.Ltd><9, 0, 5, 908>
[C:\Program Files\KV2006\EngPS.dll] <Jiangmin Co.Ltd><9, 2, 0, 50817>
[C:\Program Files\KV2006\EngFace.dll] <Jiangmin Co.Ltd><9.0.0.50809>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[PID: 1848][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] <RealNetworks, Inc.><0.1.0.3018>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KVMonXP.kxp] <Jiangmin Co.Ltd><9, 0, 5, 1207>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\lang\Kvxp0804.lng] <N/A><N/A>
[C:\Program Files\KV2006\GUIExt.dll] <Jiangmin Co.Ltd><9, 0, 5, 927>
[C:\Program Files\KV2006\lang\GUIExt0804.lng] <JiangMin Ltd.><7, 1, 0, 200>
[C:\Program Files\KV2006\EngFace.dll] <Jiangmin Co.Ltd><9.0.0.50809>
[C:\Program Files\KV2006\EngPS.dll] <Jiangmin Co.Ltd><9, 2, 0, 50817>
[C:\Program Files\KV2006\KvOffice.dll] <JiangMin New Tech.><9.0.0.1213>
[C:\Program Files\KV2006\lang\KVOffice0804.lng] <N/A><N/A>
[C:\Program Files\KV2006\VirusUpload.dll] <N/A><2, 0, 0, 0>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\PProtect.dll] <Jiangmin Co. Ltd.><9.0.0.921>
[PID: 1864][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[PID: 1876][D:\官方安全文件\显卡超频\ATITool\ATITool.exe] <http://atitool.techpowerup.com><0, 25, 0, 13>
[D:\官方安全文件\显卡超频\ATITool\ATITOOLHOOKS.dll] <N/A><N/A>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\TrojDie.kxp] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\lang\TrojDie0804.lng] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\GUIExt.dll] <Jiangmin Co.Ltd><9, 0, 5, 927>
[C:\Program Files\KV2006\lang\GUIExt0804.lng] <JiangMin Ltd.><7, 1, 0, 200>
[C:\Program Files\KV2006\PProtect.dll] <Jiangmin Co. Ltd.><9.0.0.921>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\ComUIPS.dll] <Jiangmin Ltd.><9. 5. 5. 20>
[PID: 1992][C:\Program Files\KV2006\KRegEx.exe] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KRegEx.dll] <Jiangmin Co. Ltd.><9.0.0.825>
[C:\Program Files\KV2006\KRegTrust.dll] <Jiangmin Co. Ltd.><9.0.0.825>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[PID: 2036][C:\Program Files\KV2006\UIHost.exe] <Jiangmin Co. Ltd><9.2.0.50822>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\ComUI.dll] <Jiangmin Ltd.><9. 0. 0.509>
[C:\Program Files\KV2006\ComUIPS.dll] <Jiangmin Ltd.><9. 5. 5. 20>
[C:\Program Files\KV2006\GUIExt.dll] <Jiangmin Co.Ltd><9, 0, 5, 927>
[C:\Program Files\KV2006\lang\GUIExt0804.lng] <JiangMin Ltd.><7, 1, 0, 200>
[PID: 1004][C:\Program Files\jj4\jjsvr4.exe] <JiaJia Development Group><4.0.0.19>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[PID: 1368][C:\WINDOWS\explorer.exe] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll] <Nero AG><2, 2, 7, 0>
[C:\Program Files\KV2006\KvShell.dll] <Jiangmin Co.Ltd><9, 0, 5, 830>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\lang\Kvxp0804.lng] <N/A><N/A>
[C:\Program Files\KV2006\APIImpl.dll] <JiangMin Ltd.><9.0.0.500>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\WINDOWS\system32\PYJJ4.IME] <JiaJia Workgroup><4.0.0.20>
[C:\Program Files\KV2006\GUIExt.dll] <Jiangmin Co.Ltd><9, 0, 5, 927>
[C:\Program Files\KV2006\lang\GUIExt0804.lng] <JiangMin Ltd.><7, 1, 0, 200>
[C:\Program Files\KV2006\KVBHO.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KVAddrDb.dll] <Jiangmin Co.Ltd><9, 0, 0, 1018>
[PID: 844][C:\Program Files\Internet Explorer\iexplore.exe] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KvShell.dll] <Jiangmin Co.Ltd><9, 0, 5, 830>
[C:\Program Files\KV2006\UpdateX.dll] <JiangMin Co.Ltd.><9, 0, 5, 831>
[C:\Program Files\KV2006\lang\Kvxp0804.lng] <N/A><N/A>
[C:\Program Files\KV2006\APIImpl.dll] <JiangMin Ltd.><9.0.0.500>
[C:\Program Files\KV2006\GUIExt.dll] <Jiangmin Co.Ltd><9, 0, 5, 927>
[C:\Program Files\KV2006\lang\GUIExt0804.lng] <JiangMin Ltd.><7, 1, 0, 200>
[C:\Program Files\KV2006\KVBHO.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KVAddrDb.dll] <Jiangmin Co.Ltd><9, 0, 0, 1018>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
[C:\WINDOWS\system32\PYJJ4.IME] <JiaJia Workgroup><4.0.0.20>
[C:\WINDOWS\system32\macromed\flash\flash.ocx] <Macromedia, Inc.><6,0,79,0>
[PID: 520][C:\Documents and Settings\rt\桌面\常用工具\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\Program Files\KV2006\KVHookG.dll] <Jiangmin Co.Ltd><9.0.0.0813>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
==================================
File associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
westbeck - 2006-9-10 1:24:00
Restart the computer. After the power-on check finishes, press [F8] (you can keep pressing it until the boot menu appears) and choose Safe Mode to enter Windows.
Run (double-click) System Repair Engineer, click "Startup items", then "Services", then "Win32 service applications", tick "Hide Microsoft services", select the virus services COM+ System Application / COMSysApp, MS Software Shadow Copy Provider / SwPrv, choose "Delete service", click "Settings" and choose "No" (note: each name separated by a comma is one virus service name; look carefully and don't miss any).
Double-click My Computer, Tools, Folder Options, View; click to select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" check box. When prompted to confirm the change, click "Yes". Under the hidden files and folders options choose "Show all files and folders" and clear "Hide extensions for known file types".
Delete:
C:\WINDOWS\system32\dllhost.exe
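The SREng log posted above is plain text with a regular shape, and the reply's procedure acts on two of its service entries and on a binary under System32. The script below is an added example by the editor, not SREng's own code and not from either poster: it parses the services and running-processes sections of such a log and compares every service against a baseline of stock Windows XP entries, so that a service hosted by dllhost.exe (the COM+ surrogate) is judged by its service name and the CLSID in its /Processid argument rather than by the name of the host executable. The sample excerpt is constructed from the thread's log plus one synthetic service ("updsvc") that is not in the thread; the baseline table and the assumption that %SystemRoot% is C:\WINDOWS are the editor's, to be verified against a clean install of the same service pack.

```python
"""Triage the service and process sections of a System Repair Engineer (SREng) 2.x log against a
stock Windows XP baseline.  Editor's added example: not SREng's code and not from either poster.
SAMPLE_LOG is a constructed excerpt modelled on the thread's log plus one synthetic service
("updsvc"); the baseline is the editor's assumption, to verify against a clean install."""
import re
from collections import namedtuple
SAMPLE_LOG = r"""服务
[COM+ System Application / COMSysApp]
<C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}><N/A>
[KVSrvXP / KVSrvXP]
<C:\Program Files\KV2006\KVSrvXP.exe /Service><Jiangmin Co. Ltd>
[MS Software Shadow Copy Provider / SwPrv]
<C:\WINDOWS\system32\dllhost.exe /Processid:{8D0203B6-03E5-48C0-B2CF-75C2FB5B1485}><N/A>
[Updater / updsvc]
<C:\WINDOWS\system32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}><N/A>
==================================
正在运行的进程
[PID: 944][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\KV2006\KVSock.dll] <Jiangmin Co. Ltd.><1, 2, 24, 51208>
==================================
"""
Service = namedtuple("Service", "display name image args company")
Process = namedtuple("Process", "pid image company version modules")
Module = namedtuple("Module", "path company version")
SECTION_NAMES = {"服务": "services", "Services": "services",  # SREng 2.x prints Chinese titles
                 "正在运行的进程": "processes", "Running processes": "processes"}
SVC_HEAD = re.compile(r"^\[(?P<display>.+?) / (?P<name>[^\]]+)\]$")
SVC_BODY = re.compile(r"^<(?P<cmd>.*)><(?P<company>.*)>$")
PROC_HEAD = re.compile(r"^\[PID: (?P<pid>\d+)\]\[(?P<image>[^\]]+)\] <(?P<company>[^>]*)><(?P<version>[^>]*)>$")
MOD_LINE = re.compile(r"^\[(?P<path>[^\]]+)\] <(?P<company>[^>]*)><(?P<version>[^>]*)>$")
SYSTEM32 = "c:\\windows\\system32\\"  # assumes %SystemRoot% is C:\WINDOWS, as in the thread's log
XP_DLLHOST_SERVICES = {"comsysapp": "{02d4b3f1-fd88-11d1-960d-00805fc79235}",  # stock XP services
                       "swprv": "{8d0203b6-03e5-48c0-b2cf-75c2fb5b1485}"}     # hosted by dllhost.exe

def split_sections(text):
    """Collect the lines of each known section; a line of only '=' closes a section."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in SECTION_NAMES:
            current = sections.setdefault(SECTION_NAMES[line.strip()], [])
        elif re.fullmatch(r"=+", line):
            current = None
        elif current is not None:
            current.append(line)
    return sections

def split_command(cmd):
    """Split an SREng command into (image, args).  SREng prints unquoted paths that contain
    spaces, so an unquoted command is cut at the first token starting with '/' or '-'."""
    if cmd.startswith('"'):
        image, _, args = cmd[1:].partition('"')
        return image, args.strip()
    parts = re.split(r"\s+(?=[/-])", cmd.strip(), maxsplit=1)
    return parts[0], parts[1] if len(parts) > 1 else ""

def parse_services(lines):
    """Pair each '[Display / Name]' header with the '<command><company>' line below it."""
    services, head = [], None
    for line in lines:
        if m := SVC_HEAD.match(line):
            head = m
        elif head and (m := SVC_BODY.match(line)):
            services.append(Service(head["display"], head["name"], *split_command(m["cmd"]), m["company"]))
            head = None
    return services

def parse_processes(lines):
    """Each '[PID: n][image]' header starts a process; the lines after it are its modules."""
    procs = []
    for line in lines:
        if m := PROC_HEAD.match(line):
            procs.append(Process(int(m["pid"]), m["image"], m["company"], m["version"], []))
        elif procs and (m := MOD_LINE.match(line)):
            procs[-1].modules.append(Module(m["path"], m["company"], m["version"]))
    return procs

def triage_service(svc):
    """'stock' if it matches the XP baseline, 'third-party' for a vendor binary outside System32, else 'review'."""
    image = svc.image.lower()
    if image == SYSTEM32 + "dllhost.exe":
        m = re.search(r"/processid:(\{[0-9a-f-]+\})", svc.args.lower())
        # A surrogate host is stock only when both the service name and the CLSID match the baseline.
        return "stock" if m and XP_DLLHOST_SERVICES.get(svc.name.lower()) == m.group(1) else "review"
    if image.startswith(SYSTEM32):
        return "stock" if "microsoft" in svc.company.lower() else "review"
    return "third-party" if svc.company.strip() not in ("", "N/A") else "review"

def foreign_modules(procs):
    """(pid, image, module, company) for every non-Microsoft module inside a Microsoft process."""
    return [(p.pid, p.image, m.path, m.company) for p in procs
            if "microsoft" in p.company.lower() for m in p.modules if "microsoft" not in m.company.lower()]

def triage(text):
    s = split_sections(text)
    return {"services": {v.name: triage_service(v) for v in parse_services(s.get("services", []))},
            "foreign_modules": foreign_modules(parse_processes(s.get("processes", [])))}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run stand-alone it prints the verdicts for the sample: COMSysApp and SwPrv come back as stock because both their service names and their surrogate CLSIDs match the baseline, KVSrvXP as third-party (a named vendor's binary under Program Files), and only the synthetic surrogate with an unknown CLSID is marked for review. The Jiangmin KVSock.dll inside svchost.exe is listed as a non-Microsoft module to attribute to its vendor, which is the check a reader of such a log wants before any entry is removed.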
© 2000 - 2026 Rising Corp. Ltd.