Rising Kaka Security Forum
klauslee - 2006-9-18 15:02:00
My computer has unfortunately caught a virus. Rising Antivirus cannot start at all; if I force it open and start a scan, it closes itself after a moment (about 10 seconds). In the browser search box, as soon as I type anything related to antivirus, IE is forcibly closed too.
Looking for advice: apart from repartitioning the drive and reinstalling the system, is there any other way to fix this? Many thanks!
猪知山 - 2006-9-18 15:11:00
Please go to http://forum.ikaka.com/topic.asp?board=28&artid=8105899
and download HijackThis.
After downloading, open HijackThis.rar, then run HijackThis.exe.
Click "Do a system scan and save a logfile".
Copy and paste the saved log here. If it does not fit in one post, paste it in several; please do not edit it.
arronsrody - 2006-9-18 15:20:00
Describing the symptoms that vaguely does not help; I suggest you scan and post a log.
klauslee - 2006-9-18 15:22:00
Thanks.
Here is the scan log:
HijackThis_815 Chinese build scan log V1.99.1
Saved at 15:08:50, on 2006-9-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINNT\command\rundll32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\公司共享\HijackThis1991zww.exe
klauslee - 2006-9-18 15:23:00
O2 - BHO: 超级兔子上网精灵 - {7369D35A-5B70-4A5B-B789-B25FE09B4AF3} - C:\Program Files\Super Rabbit\MagicSet\haokanbar.dll
O2 - BHO: perfdp - {995FF616-7583-4D6B-9675-EED24EDC93BB} - C:\WINNT\system32\perfiup.dll
O2 - BHO: tkuid Class - {A2DBE85F-37BF-488F-9B0C-AE21AE05658A} - C:\WINNT\system32\contwin.dll (file missing)
O2 - BHO: DDOC - {A64E86D2-203D-4145-AA9B-2425BAF568E9} - C:\WINNT\system32\henroer.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,Radio(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: 超级兔子上网精灵 - {43869BB3-22FD-4F15-9B46-238106BA2F4E} - C:\Program Files\Super Rabbit\MagicSet\haokanbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Tray] C:\WINNT\command\rundll32.exe
O4 - HKLM\..\Run: [Synchronization] rundll32.exe C:\WINNT\system32\MSCOMCT32.dll,DllUnregisterServer
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [KVFW] C:\Program Files\KVFW\kvfw.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O8 - Extra context menu item: &Download with Thunder - f:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &Download all links with Thunder - f:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: Upload to QQ Network Disk - D:\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: Add to QQ custom panel - D:\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ emoticons - D:\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send this image via QQ MMS - D:\Tencent\QQ\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Tencent\QQ\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ Color Toolbar Settings - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Tencent\QQ\QQIEHelper.dll (file missing)
klauslee - 2006-9-18 15:23:00
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com.cn/webscanner/kavwebscan_unicode.cab
O16 - DPF: {1F831FA1-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://F:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://F:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://www.ahn.com.cn/aspservice/plugin/myfirewall20.cab
O16 - DPF: {A984ED9F-E8DA-44E5-BC18-C14B9ABEF79D} (photo_uploader Control) - http://upload.photo.163.com/photoup.cab
O16 - DPF: {AE563722-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://F:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {E689D735-1487-420D-9049-16ED198FE411} (vc Control) - http://update.viruschina.com/wmsj/vco.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://F:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A7C808-6139-46E5-A5B9-ADC6779124A3}: NameServer = 192.168.1.1
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: System Event - Unknown owner - C:\WINNT\SVCH0ST.exe (file missing)
lansely - 2006-9-18 15:24:00
Is that all? Where is the rest?
klauslee - 2006-9-18 15:30:00
Should it include these:
StartupList report, 2006-9-18, 15:15:57
StartupList version: 1.52.2
Started from: F:\公司共享\HijackThis1991zww.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINNT\command\rundll32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\公司共享\HijackThis1991zww.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
--------------------------------------------------
klauslee - 2006-9-18 15:30:00
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
nwiz = nwiz.exe /install
RfwMain = "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RavTask = "C:\Program Files\Rising\Rav\RavTask.exe" -system
NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Tray = C:\WINNT\command\rundll32.exe
Synchronization = rundll32.exe C:\WINNT\system32\MSCOMCT32.dll,DllUnregisterServer
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internat.exe = internat.exe
KVFW = C:\Program Files\KVFW\kvfw.exe -silent
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
RealPlayer = "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
--------------------------------------------------
Load/Run keys from C:\WINNT\WIN.INI:
load=* No INI value found *
run=* No INI value found *
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=* No Registry key found *
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=* No Registry key found *
HKLM\..\Windows\CurrentVersion\WinLogon: load=* No Registry key found *
HKLM\..\Windows\CurrentVersion\WinLogon: run=* No Registry key found *
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=* No Registry key found *
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=* No Registry key found *
HKCU\..\Windows\CurrentVersion\WinLogon: load=* No Registry key found *
HKCU\..\Windows\CurrentVersion\WinLogon: run=* No Registry key found *
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
klauslee - 2006-9-18 15:31:00
Shell & screensaver keys from C:\WINNT\SYSTEM.INI:
Shell=* No INI value found *
SCRNSAVE.EXE=* No INI value found *
drivers=* No INI value found *
Shell & screensaver keys from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=* No Registry key found *
drivers=* No Registry key found *
Policies Shell key:
HKCU\..\Policies: Shell=* No Registry key found *
HKLM\..\Policies: Shell=* No Registry key found *
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Super Rabbit\MagicSet\haokanbar.dll - {7369D35A-5B70-4A5B-B789-B25FE09B4AF3}
(no name) - C:\WINNT\system32\perfiup.dll - {995FF616-7583-4D6B-9675-EED24EDC93BB}
(no name) - C:\WINNT\system32\contwin.dll (file missing) - {A2DBE85F-37BF-488F-9B0C-AE21AE05658A}
(no name) - C:\WINNT\system32\henroer.dll - {A64E86D2-203D-4145-AA9B-2425BAF568E9}
--------------------------------------------------
klauslee - 2006-9-18 15:31:00
Enumerating Download Program Files:
[CKAVWebScan Object]
InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner Pro\kavwebscan.dll
CODEBASE = http://www.kaspersky.com.cn/webscanner/kavwebscan_unicode.cab
[InstaFred]
InProcServer32 = C:\WINNT\DOWNLO~1\InstFred.ocx
CODEBASE = file://F:\Program Files\AutoCAD 2002\InstFred.ocx
[PowerList Control]
InProcServer32 = C:\DOCUME~1\aa\APPLIC~1\ppStream\100~1.139\POWERL~1.OCX
CODEBASE = http://www.ppstream.com/bin/powerplayer.cab
[WebActivater Control]
InProcServer32 = C:\WINNT\system32\WEBACT~1.OCX
CODEBASE = http://game.qq.com/QQGame2.cab
[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
[AcDcToday Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX
CODEBASE = file://F:\Program Files\AutoCAD 2002\AcDcToday.ocx
[SysMonOCX Control]
InProcServer32 = C:\WINNT\DOWNLO~1\SYSMON~1.OCX
CODEBASE = http://www.ahn.com.cn/aspservice/plugin/myfirewall20.cab
[photo_uploader Control]
InProcServer32 = C:\PROGRA~1\PHOTO_~1\PHOTO_~1.OCX
CODEBASE = http://upload.photo.163.com/photoup.cab
[NOXLATE-BANR]
InProcServer32 = C:\WINNT\DOWNLO~1\InstBanr.ocx
CODEBASE = file://F:\Program Files\AutoCAD 2002\InstBanr.ocx
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[vc Control]
InProcServer32 = C:\WINNT\DOWNLO~1\vco.ocx
CODEBASE = http://update.viruschina.com/wmsj/vco.cab
[VqqSpeedDlProxy Class]
InProcServer32 = C:\WINNT\vqqsdl.dll
CODEBASE = http://218.85.138.27/vqqsdl1009.cab
[AcPreview Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://F:\Program Files\AutoCAD 2002\AcPreview.ocx
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
End of report, 7,358 bytes
Report generated in 0.047 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
mopery - 2006-9-18 15:32:00
O23 - Service: System Event - Unknown owner - C:\WINNT\SVCH0ST.exe (file missing)
Open Registry Editor and expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Search for System Event and delete it...
Fix:
O2 - BHO: perfdp - {995FF616-7583-4D6B-9675-EED24EDC93BB} - C:\WINNT\system32\perfiup.dll
O2 - BHO: tkuid Class - {A2DBE85F-37BF-488F-9B0C-AE21AE05658A} - C:\WINNT\system32\contwin.dll (file missing)
O2 - BHO: DDOC - {A64E86D2-203D-4145-AA9B-2425BAF568E9} - C:\WINNT\system32\henroer.dll
O4 - HKLM\..\Run: [Tray] C:\WINNT\command\rundll32.exe
O4 - HKLM\..\Run: [Synchronization] rundll32.exe C:\WINNT\system32\MSCOMCT32.dll,DllUnregisterServer
Delete:
C:\WINNT\system32\perfiup.dll
C:\WINNT\system32\henroer.dll
C:\WINNT\command\rundll32.exe
C:\WINNT\system32\MSCOMCT32.dll
http://download5.pctutu.com/soft/winspeed782.zip
Use Super Rabbit Cleaner in Safe Mode to uninstall the rogue software...
mopery - 2006-9-18 15:32:00
Start - All Programs - Rising Antivirus - Add/Remove Components - Repair
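The entries mopery picks out above share a few structural tells that can be checked mechanically: a service name that imitates a system binary with a digit (SVCH0ST.exe for svchost.exe), a system binary registered from a folder where it does not belong (C:\WINNT\command\rundll32.exe), entries whose module is "(file missing)", a service with no vendor string, and a Run key that calls DllUnregisterServer at logon. The script below is an added example, not code from the thread, from HijackThis or from Rising; it assumes HijackThis' English log labels ("O4 - HKLM\..\Run:", "O23 - Service:"), whereas the posted log uses the localized labels, and the sample lines are constructed from the posted log with those labels swapped and the paths left unchanged.

```python
"""Flag the kinds of HijackThis entries called out in this thread.

Added example, not code from the forum, HijackThis or Rising. It assumes the
English HijackThis log labels ("O4 - HKLM\\..\\Run:", "O23 - Service:"); the
posted log uses localized labels, but the paths it lists are the same.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Core Windows binaries that malware imitates (svch0st) or relocates.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
# Folders where those binaries legitimately live on Windows 2000 / XP.
SYSTEM_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}
# Digits commonly substituted for letters in look-alike file names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})
# First drive-letter path naming a loadable module (spaces allowed in the path).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
# Executable of an O4 Run entry: a quoted path or the first bare token after [Name].
RUN_CMD_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')

# Constructed sample: entries copied from the log posted above, re-labelled in
# HijackThis' English format. Two known-good lines are included as controls.
SAMPLE_LOG = r"""
O2 - BHO: tkuid Class - {A2DBE85F-37BF-488F-9B0C-AE21AE05658A} - C:\WINNT\system32\contwin.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Tray] C:\WINNT\command\rundll32.exe
O4 - HKLM\..\Run: [Synchronization] rundll32.exe C:\WINNT\system32\MSCOMCT32.dll,DllUnregisterServer
O23 - Service: System Event - Unknown owner - C:\WINNT\SVCH0ST.exe (file missing)
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
"""


def module_path(line: str) -> Optional[str]:
    """Return the executable/module an O2, O4 or O23 line refers to, or None."""
    if line.startswith("O4 "):
        m = RUN_CMD_RE.search(line)
        return (m.group(1) or m.group(2)) if m else None
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) this log line deserves a second look."""
    reasons: List[str] = []
    if "(file missing)" in line:
        reasons.append("dangling entry: registered module is no longer on disk")
    if line.startswith("O23 ") and "Unknown owner" in line:
        reasons.append("service with no vendor string (Unknown owner)")
    if line.startswith("O4 ") and "rundll32" in line.lower() and "DllUnregisterServer" in line:
        reasons.append("Run key calls DllUnregisterServer at logon, an unusual export for a startup item")
    path = module_path(line)
    if path:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower().rstrip("\\")
        unmasked = name.translate(HOMOGLYPHS)
        # svch0st.exe -> svchost.exe: a real system name only after digits are unmasked.
        if name not in SYSTEM_BINARIES and unmasked in SYSTEM_BINARIES:
            reasons.append(f"look-alike of {unmasked}")
        # A bare name (no folder) resolves through PATH and is not judged here.
        if name in SYSTEM_BINARIES and folder and folder not in SYSTEM_DIRS:
            reasons.append(f"{name} launched from non-system folder {folder}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = check_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

The rules are purely structural, so they catch the SVCH0ST service, the relocated rundll32.exe, the DllUnregisterServer Run key and the orphaned contwin.dll entry, while leaving the NvCplDaemon and RsRavMon controls alone. They say nothing about perfiup.dll or henroer.dll, whose only tell is an unfamiliar name in system32; those still need a hash or vendor lookup, which is exactly the part of the triage the helpers in this thread did by eye.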
klauslee - 2006-9-18 15:33:00
After I ran HijackThis.exe and clicked "Do a system scan and save a logfile", the log only contained the part above.
klauslee - 2006-9-18 15:33:00
OK.
Thanks.
I'll give it a try.
klauslee - 2006-9-18 15:35:00
No luck.
The program gets closed automatically.
jy02024049 - 2006-9-18 15:40:00
Don't bother trying. I have the same virus as you. Even Rising 2007 can't detect it. Kaspersky is no use either, formatting doesn't work, I guess it will take a low-level format.....
klauslee - 2006-9-18 15:44:00
Ah.
That's extreme!!
Is there really no other way????
Begging an expert for help. There is still a lot of data on the hard drive.