Rising Kaka Security Forum (瑞星卡卡安全论坛)
我爱电脑安全 - 2006-9-27 19:43:00
This virus changes .exe into ~.exe... What virus is it? How do I remove it? Thanks in advance to the experts.
仙剑VS景天 - 2006-9-27 19:45:00
Don't tell me it's Jinwei (金威). Run an HJ scan and paste it here.
我爱电脑安全 - 2006-9-27 20:11:00
Logfile of HijackThis v1.99.1
Scan saved at 20:01:36 AM, on 2006-9-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
d:\program files\rising\rfw\rfwsrv.exe
d:\Program Files\Rising\Rav\Ravmond.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
d:\program files\rising\rfw\RfwMain.exe
C:\windows\system32\shadow\ShadowService.exe
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\windows\system32\ctfmon.exe
d:\program files\rising\rfw\RfwCfg.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.442\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: iebar - {F3A84AA2-A658-42A6-B701-6E43EF08C6C6} - C:\WINDOWS\system32\Ndvdsapi32.dll
O3 - Toolbar: Jiangmin Antivirus Toolbar - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\KV2004\KvShell.dll (file missing)
O3 - Toolbar: Souhu (搜虎) - {7A38130D-BEB7-4d60-BE7A-4C4AB6A85CD1} - C:\windows\vcbar11.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IgfxTray] ; C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] ; C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RfwMain] "D:\Program Files\rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [TkBellExe] ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] ; %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [AtiPTA] ; atiptaxx.exe
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] ; "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RunShadowTip] C:\windows\system32\shadow\ShadowTip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Super Rabbit IEPro] D:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE /LOAD
O4 - HKCU\..\Run: [sb.exe] C:\windows\system32\sb.exe
O4 - Startup: 腾讯QQ.lnk = D:\Program Files\Tencent\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program\office2k\Office\OSA9.EXE
O8 - Extra context menu item: &Download with Thunder - D:\Thunder\geturl.htm
O8 - Extra context menu item: &Download all links with Thunder - D:\Thunder\getAllurl.htm
O8 - Extra context menu item: Upload to QQ Net Disk - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://D:\program\office2k\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to QQ custom panel - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ emoticons - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send this picture via QQ MMS - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\program\office2k\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ Colorful Toolbar settings - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQIEHelper.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD1F28-C034-4E0C-B614-3BF9764254B5}: NameServer = 202.98.96.68 61.139.2.69
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: KVSrvXP - Unknown owner - D:\KV2004\KVSrvXP.exe (file missing)
O23 - Service: KVWSC - Unknown owner - D:\KV2004\KVwsc.exe (file missing)
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - d:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Shadow System Service (ShadowSystemService) - Unknown owner - C:\windows\system32\shadow\ShadowService.exe
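Reading a log like the one above by eye is what the responders in this thread did. The script below is an added example, not part of the thread and not a Rising or HijackThis tool: it parses the HijackThis v1.99.1 text format and flags the entry classes a reader checks first, namely entries marked "(file missing)", services with "Unknown owner", per-user (HKCU) Run entries that load from the Windows directory, IE add-ons (O2/O3) living there, and the O17 name servers. The sample log is a constructed subset of the lines posted above; the Windows-directory prefix and the one-entry ctfmon.exe allowlist are assumptions for this XP host. A flag is a prompt to look, not a verdict.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example for this thread, not a tool from the forum or from Rising.
It only parses the text format HijackThis writes and flags entry classes a
responder usually checks by eye; it does not decide whether anything is malware.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines the original poster pasted, kept in
# the exact layout HijackThis writes (header, process list, then section entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\windows\System32\smss.exe
R3 - Default URLSearchHook is missing
O2 - BHO: iebar - {F3A84AA2-A658-42A6-B701-6E43EF08C6C6} - C:\WINDOWS\system32\Ndvdsapi32.dll
O3 - Toolbar: Jiangmin Antivirus Toolbar - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\KV2004\KvShell.dll (file missing)
O3 - Toolbar: Souhu - {7A38130D-BEB7-4d60-BE7A-4C4AB6A85CD1} - C:\windows\vcbar11.dll
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [sb.exe] C:\windows\system32\sb.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD1F28-C034-4E0C-B614-3BF9764254B5}: NameServer = 202.98.96.68 61.139.2.69
O23 - Service: KVSrvXP - Unknown owner - D:\KV2004\KVSrvXP.exe (file missing)
O23 - Service: Shadow System Service (ShadowSystemService) - Unknown owner - C:\windows\system32\shadow\ShadowService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a loadable/openable extension; surrounding
# quotes and trailing command-line arguments are left out of the match.
PATH_RE = re.compile(r'"?(?P<p>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|htm))"?', re.IGNORECASE)

WINDOWS_DIR = "c:\\windows\\"            # assumption: %SystemRoot% of the XP host in the thread
BENIGN_HKCU_IN_WINDOWS = {"ctfmon.exe"}  # partial allowlist (XP text-services loader); extend per host


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    file_missing: bool


@dataclass
class Finding:
    reason: str
    section: str
    path: str
    note: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn the section lines (R*, O*, ...) of a log into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header line, "Running processes:" or a bare process path
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("sec"), body,
                             pm.group("p") if pm else None,
                             body.endswith("(file missing)")))
    return entries


def _in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the checks a log reader does by eye; an entry may yield more than one finding."""
    out = []
    for e in entries:
        if e.file_missing:
            out.append(Finding("orphan", e.section, e.path or e.body,
                               "target is gone from disk: fix the entry, but it is not what is running"))
        if e.path is None:
            continue
        base = e.path.rsplit("\\", 1)[-1].lower()
        # Per-user autorun pointing into %SystemRoot%: system components register under HKLM,
        # so an HKCU Run entry launching something from the Windows directory deserves a look.
        if (e.section == "O4" and e.body.startswith("HKCU") and _in_windows_dir(e.path)
                and base not in BENIGN_HKCU_IN_WINDOWS):
            out.append(Finding("hkcu-run-in-windows-dir", e.section, e.path,
                               "per-user Run entry loading from the Windows directory"))
        # Browser add-ons (BHO / toolbar) normally install under Program Files, not system32.
        if e.section in ("O2", "O3") and _in_windows_dir(e.path) and not e.file_missing:
            out.append(Finding("browser-addon-in-windows-dir", e.section, e.path,
                               "IE extension DLL loaded from the Windows directory"))
        # A service whose binary carries no vendor information and is still present on disk.
        if e.section == "O23" and "Unknown owner" in e.body and not e.file_missing:
            out.append(Finding("unknown-owner-service", e.section, e.path,
                               "service binary has no company name; verify it is wanted"))
    return out


def nameservers(entries: List[Entry]) -> List[str]:
    """Collect the DNS servers from O17 lines so they can be checked against the ISP's."""
    servers: List[str] = []
    for e in entries:
        if e.section == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                servers.extend(m.group(1).split())
    return servers


def reason_counts(findings: List[Finding]) -> Counter:
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for f in triage(ents):
        print(f"{f.reason:28} {f.section:4} {f.path}  # {f.note}")
    print("DNS:", nameservers(ents))
```

For a real log, pass the file's text to `parse_hjt` instead of `SAMPLE_LOG`. The per-user-Run rule is the one that surfaces `sb.exe` in the first log above, and the "orphan" rows are the "(file missing)" entries the next reply tells the poster to fix; note that an orphan cannot be what is running, so fixing it alone will not stop anything being regenerated.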
我爱电脑安全 - 2006-9-27 20:11:00
Please help me take a look, thanks.
仙剑VS景天 - 2006-9-27 20:14:00
Fix the entries that have "file missing" after them. So which are you actually using, Jiangmin or Rising?
我爱电脑安全 - 2006-9-27 20:16:00
Rising, a genuine copy.
我爱电脑安全 - 2006-9-27 20:19:00
Fixed them, but it still gets generated.
水树雨下 - 2006-9-27 20:20:00
In Task Manager, end this process: C:\windows\system32\sb.exe
Delete C:\windows\system32\sb.exe
Use Super Rabbit to clean out rogue software, and while you are at it use Rabbit's process manager to check C:\windows\system32\shadow\ShadowService.exe
If it is a problem, clean it out.
deadmanzj - 2006-9-27 20:26:00
That seems to be Shadow System's (影子系统)... There's no sample of this virus... sigh... no source file. Don't know whether an infected file would be any use; M took it.
我爱电脑安全 - 2006-9-27 20:26:00
Forgot to mention: at first I was infected with Viking (威金). I removed it later, but then this is what happened.
我爱电脑安全 - 2006-9-27 20:27:00
"In Task Manager, end this process: C:\windows\system32\sb.exe": can't find it.
我爱电脑安全 - 2006-9-27 20:31:00
I used HJ to fix C:\windows\system32\sb.exe.
我爱电脑安全 - 2006-9-27 20:33:00
What else do I need to do? Will some expert come, thanks... I don't dare touch anything now.
我爱电脑安全 - 2006-9-27 20:36:00
It also generates files such as WindowsUpdate.log and Cert.EXE in the WINDOWS directory. And it downloads a lot of things.
我爱电脑安全 - 2006-9-27 20:43:00
Waaah, everyone please come help me.
我爱电脑安全 - 2006-9-27 20:47:00
Current log:
Logfile of HijackThis v1.99.1
Scan saved at 20:37:37 AM, on 2006-9-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
d:\program files\rising\rfw\rfwsrv.exe
d:\Program Files\Rising\Rav\Ravmond.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
d:\program files\rising\rfw\RfwMain.exe
C:\windows\system32\shadow\ShadowService.exe
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\windows\system32\ctfmon.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.412\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: iebar - {F3A84AA2-A658-42A6-B701-6E43EF08C6C6} - C:\WINDOWS\system32\Ndvdsapi32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IgfxTray] ; C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] ; C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RfwMain] "D:\Program Files\rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [TkBellExe] ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] ; %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [AtiPTA] ; atiptaxx.exe
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] ; "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RunShadowTip] C:\windows\system32\shadow\ShadowTip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Super Rabbit IEPro] D:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE /LOAD
O4 - Startup: 腾讯QQ.lnk = D:\Program Files\Tencent\QQ.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program\office2k\Office\OSA9.EXE
O8 - Extra context menu item: &Download with Thunder - D:\Thunder\geturl.htm
O8 - Extra context menu item: &Download all links with Thunder - D:\Thunder\getAllurl.htm
O8 - Extra context menu item: Upload to QQ Net Disk - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://D:\program\office2k\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to QQ custom panel - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ emoticons - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send this picture via QQ MMS - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\program\office2k\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD1F28-C034-4E0C-B614-3BF9764254B5}: NameServer = 202.98.96.68 61.139.2.69
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - d:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Shadow System Service (ShadowSystemService) - Unknown owner - C:\windows\system32\shadow\ShadowService.exe
我爱电脑安全 - 2006-9-27 21:06:00
Help!!!!!!!!!!!
不想一个人玩 - 2006-9-27 21:27:00
There's nothing wrong with this log...
不想一个人玩 - 2006-9-27 21:28:00
PS: OP, a question: after you got Viking, how did your computer survive? What did you use to kill it?
我爱电脑安全 - 2006-9-27 22:32:00
After I got it, I ran the antivirus, and it cleaned it out. Didn't reboot.
我爱电脑安全 - 2006-9-27 22:34:00
I killed it with the latest version of Rising. I was using Shadow System (影子系统), but after I turned it off, because the EXE files had all been modified, the machine froze as soon as it reached the desktop. Then I went into Safe Mode and deleted the modified files that were loading at startup, and it was fine. But the problem is still there.
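Before deleting the modified files wholesale, as the post above describes doing in Safe Mode, an inventory of the renamed copies tells you which file of each pair is still a loadable image. The script below is an added example, not from this thread, from Rising, or from the "~.exe repair software" mentioned later in the thread. It assumes the renamed copy sits beside the original as name~.exe (the thread only says ".exe becomes ~.exe"; change TILDE_SUFFIX if the pattern on the host differs), checks the MZ/PE headers, compares SHA-256 hashes, and builds its own constructed sample tree in a temporary directory so it runs offline. It reports which file is a valid PE, not whether it is infected; that still needs a scanner.

```python
"""Inventory of 'name~.exe' / 'name.exe' pairs before anything is deleted.

Added example for this thread, not a tool from the forum, from Rising or from the
'~.exe repair software' mentioned in the thread. Assumption: the renamed copy sits
next to the original as <name>~.exe. The checks are a PE-header sanity test and a
hash comparison; they say which file is still a runnable image, not whether it is
infected.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

TILDE_SUFFIX = "~.exe"   # assumed naming; adjust if the pattern on the host differs


def is_pe(path: Path) -> bool:
    """True if the file has an 'MZ' DOS header and the 'PE' signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> List[Dict[str, object]]:
    """One row per *~.exe under root: is the sibling .exe there, is each a PE image, do they match?"""
    rows = []
    for tilde in sorted(root.rglob("*" + TILDE_SUFFIX)):
        original = tilde.with_name(tilde.name[:-len(TILDE_SUFFIX)] + ".exe")
        row = {"name": tilde.name, "dir": str(tilde.parent), "tilde_is_pe": is_pe(tilde)}
        if not original.exists():
            row["status"] = "no-original"        # nothing to compare; decide on tilde_is_pe alone
        elif not is_pe(original):
            row["status"] = "original-not-pe"    # the .exe will not load; the ~ copy may be the good one
        elif sha256(original) == sha256(tilde):
            row["status"] = "identical"          # plain duplicate; either can go
        else:
            row["status"] = "differs"            # same name, different bytes: keep both for comparison
        rows.append(row)
    return rows


# --- constructed sample tree, so the script runs offline --------------------------
# A minimal PE-looking blob: 'MZ' header, e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20


def make_sample_tree(base: Path) -> Path:
    """Write four cases: identical pair, non-PE original, orphan ~ file, differing pair."""
    root = base / "tree"
    (root / "sub").mkdir(parents=True)
    (root / "calc.exe").write_bytes(FAKE_PE)
    (root / "calc~.exe").write_bytes(FAKE_PE)
    (root / "notepad.exe").write_bytes(b"\0" * 16)          # truncated: not a PE image
    (root / "notepad~.exe").write_bytes(FAKE_PE)
    (root / "sub" / "orphan~.exe").write_bytes(FAKE_PE)
    (root / "sub" / "patched.exe").write_bytes(FAKE_PE + b"extra")
    (root / "sub" / "patched~.exe").write_bytes(FAKE_PE)
    return root


def statuses(rows: List[Dict[str, object]]) -> Dict[str, str]:
    return {str(r["name"]): str(r["status"]) for r in rows}


def run_sample() -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir, inventory it, and return the rows."""
    with tempfile.TemporaryDirectory() as d:
        return inventory(make_sample_tree(Path(d)))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['status']:16} pe={r['tilde_is_pe']!s:5} {os.path.join(str(r['dir']), str(r['name']))}")
```

On a real host, call `inventory(Path("C:/"))` from a clean environment (the Safe Mode boot the post describes, or the drive mounted elsewhere) and review the "original-not-pe" and "differs" rows before removing anything; "identical" rows are the only ones where deleting the ~ copy loses nothing.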
我爱电脑安全 - 2006-9-27 22:45:00
Everyone, please help.
临时的000 - 2006-9-28 18:31:00
I caught a virus with the same symptoms as the OP; scan result shown in the picture.

Now scanning with NOD32...........
cxzxwb - 2006-9-28 19:01:00
If you want the ~.exe repair software, add QQ 68218219.
水树雨下 - 2006-9-28 19:15:00
Rising... Kingsoft (金山)...