joyjoyce - 2006-10-12 2:11:00
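I don't know what my computer has caught. A few days ago a window for some Chinese antivirus software kept popping up, saying my computer was unsafe and had no antivirus software, and recommending that I install some crappy antivirus program... Later I updated Rising and ran a scan, which removed 11 trojans.
But that window still pops up now, only it has switched to this winantivirus software, and whatever I choose, I always end up at the site http://www.winantivirus.com/download/2006/index.php?aid=nm_mg_wav_kw1_ed2&lid=soft&affid=nm_862_f8fbed9a567711dba1a400167647fa98_d82027b6%201366a606bfe043ec9abb17ec8b22f43c&ex=1&ax=1 , which tells you to download this antivirus software. Also, every time I boot, if I'm not connected to the Internet, an IE window appears asking whether to stay connected or work offline.
Rubbish Rising: every scan finds those 11 viruses and can remove them, but it never cleans them out completely, and things keep getting downloaded into windows/temp and trying to connect to the network.
I'm really at a loss... I hope an expert can advise me. I searched on BAIDU, and it seems not many people have run into this problem...
Rising, I always trusted you, but now you've let me down...
Registry record: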
\??\C:\WINDOWS\system32\winlogon.exe HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE jroecm01 2006-10-12 02:20 修改 同意修改
Antivirus log:
病毒名称 处理结果 发现日期 扫描方式 路径 文件
Trojan.Pakes.ix 删除成功 2006-10-08 23:39 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GZNB285H srvgtb[1].exe
Trojan.Pakes.ix 删除成功 2006-10-08 23:39 文件监控 C:\WINDOWS\TEMP winDA.tmp
Trojan.Pakes.ix 重新启动计算机后删除文件 2006-10-09 00:05 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\TUOL150V srvrhv[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 00:05 文件监控 C:\WINDOWS\TEMP winE4.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 00:36 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\TUOL150V srvrhv[1].exe
Trojan.Pakes.ix 重新启动计算机后删除文件 2006-10-09 00:36 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39 srvggp[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 00:36 文件监控 C:\WINDOWS\TEMP winED.tmp
Trojan.Dialer.zxp 删除成功 2006-10-09 01:00 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GZNB285H q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 01:00 文件监控 C:\WINDOWS\TEMP winEF.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 01:44 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\TUOL150V srvsrm[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 01:44 文件监控 C:\WINDOWS\TEMP winF7.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 02:09 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39 srvggp[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 02:09 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GFXNEUNT srvuzk[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 02:09 文件监控 C:\WINDOWS\TEMP win10E.tmp
Trojan.Dialer.zxp 删除成功 2006-10-09 02:13 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\XCSRDLCP q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 02:13 文件监控 C:\WINDOWS\TEMP win111.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 02:38 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\S9EVG923 srvjag[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 02:38 文件监控 C:\WINDOWS\TEMP winD3.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 03:03 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\CTARGHIR srvwws[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 03:03 文件监控 C:\WINDOWS\TEMP winE2.tmp
Trojan.Dialer.zxp 删除成功 2006-10-09 03:07 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GFXNEUNT q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 03:07 文件监控 C:\WINDOWS\TEMP winE4.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 03:32 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\XCSRDLCP srvshq[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 03:32 文件监控 C:\WINDOWS\TEMP winEB.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 03:56 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\C5I749MN srvzod[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 03:56 文件监控 C:\WINDOWS\TEMP winEF.tmp
Trojan.Dialer.zxp 重新启动计算机后删除文件 2006-10-09 04:00 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\CTARGHIR q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 04:00 文件监控 C:\WINDOWS\TEMP winF1.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 04:25 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\S9EVG923 srvpzp[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 04:25 文件监控 C:\WINDOWS\TEMP winF4.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 04:51 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39 srvupz[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 04:51 文件监控 C:\WINDOWS\TEMP winFD.tmp
Trojan.Dialer.zxp 删除成功 2006-10-09 04:54 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\CTARGHIR q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 04:54 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\C5I749MN q387[1].exe
Trojan.Dialer.zxp 删除成功 2006-10-09 04:54 文件监控 C:\WINDOWS\TEMP winFF.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 05:20 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GZNB285H srvhhs[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 05:20 文件监控 C:\WINDOWS\TEMP win103.tmp
Trojan.Pakes.ix 删除成功 2006-10-09 05:43 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\EF27ETQ3 srvred[1].exe
Trojan.Pakes.ix 删除成功 2006-10-09 05:43 文件监控 C:\WINDOWS\TEMP win109.tmp
Trojan.Dialer.zxp 删除成功 2006-10-09 22:26 文件监控 C:\WINDOWS\TEMP win13D.tmp
Trojan.DL.Agent.mfz 删除成功 2006-10-10 23:29 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\C5I749MN srvixf[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-10 23:29 文件监控 C:\WINDOWS\TEMP win152.tmp
Trojan.Pakes.ix 重新启动计算机后删除文件 2006-10-10 23:33 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39 srvano[1].exe
Trojan.Pakes.ix 删除成功 2006-10-10 23:33 文件监控 C:\WINDOWS\TEMP win154.tmp
Trojan.DL.Agent.mfz 删除成功 2006-10-10 23:36 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39 srvtqw[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-10 23:36 文件监控 C:\WINDOWS\TEMP win156.tmp
Trojan.Pakes.ix 删除成功 2006-10-11 13:07 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8567G9EB srvqac[1].exe
Trojan.Pakes.ix 删除成功 2006-10-11 13:07 文件监控 C:\WINDOWS\TEMP win164.tmp
Trojan.DL.Agent.mfz 删除成功 2006-10-11 13:31 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\61F0DKF2 srvmdv[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-11 13:31 文件监控 C:\WINDOWS\TEMP win169.tmp
Trojan.Pakes.ix 删除成功 2006-10-11 13:54 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GZNB285H srvvbd[1].exe
Trojan.Pakes.ix 删除成功 2006-10-11 13:55 文件监控 C:\WINDOWS\TEMP win16C.tmp
Trojan.DL.Agent.mfz 删除成功 2006-10-11 17:06 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\XCSRDLCP srvbbt[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-11 17:06 文件监控 C:\WINDOWS\TEMP win189.tmp
Trojan.Pakes.ix 删除成功 2006-10-11 17:09 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\EF27ETQ3 srvljn[1].exe
Trojan.Pakes.ix 删除成功 2006-10-11 17:09 文件监控 C:\WINDOWS\TEMP win18B.tmp
Trojan.DL.Agent.mfz 删除成功 2006-10-11 21:35 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8TA301YJ srvfts[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-11 21:35 文件监控 C:\WINDOWS\TEMP win192.tmp
Trojan.Pakes.ix 删除成功 2006-10-11 21:39 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GFXNEUNT srvtya[1].exe
Trojan.Pakes.ix 删除成功 2006-10-11 21:39 文件监控 C:\WINDOWS\TEMP win195.tmp
Trojan.DL.Zlob.egs 删除成功 2006-10-12 02:21 文件监控 C:\WINDOWS\system32 ishost.exe
Trojan.DL.Agent.mfz 删除成功 2006-10-12 03:34 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\GFXNEUNT srvuqv[1].exe
Trojan.DL.Agent.mfz 删除成功 2006-10-12 03:34 文件监控 C:\WINDOWS\TEMP win1B4.tmp
Trojan.Pakes.ix 重新启动计算机后删除文件 2006-10-12 03:37 文件监控 C:\Documents and Settings\Ramon\Local Settings\Temporary Internet Files\Content.IE5\8567G9EB srvbdp[1].exe
Trojan.Pakes.ix 删除成功 2006-10-12 03:37 文件监控 C:\WINDOWS\TEMP win1B6.tmp
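(There are countless more viruses above; posts have a length limit. How can I upload my antivirus log?)
It's this thing, but I just can't get rid of it completely!!!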
不言放弃 - 2006-10-12 14:14:00
[Reply to "joyjoyce"'s post]
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
Download HIJACKTHIS
Export the full log
joyjoyce - 2006-10-12 14:59:00
HijackThis@Qoo的扫描日志 V1.97.7
Scan saved at 16:46:22, on 2006-10-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Lenovo\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Lenovo\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Lenovo\PowerCinema\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\lenovo\GUA\GUA.exe
C:\Program Files\lenovo\IGRS\IGRS.exe
C:\Program Files\lenovo\IGRS\Ext\IgrsMonitor.exe
C:\Program Files\lenovo\IGRS\Ext\router.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\Program Files\lenovo\IGRS\Ext\wmcsvc.exe
C:\Program Files\lenovo\IGRS Profiles\File Profile\IgrsFile.exe
C:\Program Files\Lenovo\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\conime.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Ramon\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Ramon\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe
C:\Documents and Settings\Ramon\桌面\hijackthis1.97_qoo\HijackThis.exe
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [tsnpstd3] ; C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ntuser.ini
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.dat
O4 - Startup: webct_upload_applet.properties
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - Trusted Zone: http://www.icbc.com.cn
joyjoyce - 2006-10-12 15:00:00
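I used Rabbit (兔子), and it shows that my IE is being loaded by mllmk.dll under system32. I found a lot of foreign information on GOOGLE, none of it in Chinese... mllmk.dll is simply a trojan...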
不言放弃 - 2006-10-12 15:17:00
[Reply to "joyjoyce"'s post]
The HIJACKTHIS version the original poster is using is too old
Please download the latest version
OK?
聚缘de雨季 - 2006-10-23 22:46:00
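I have the same problem. There is a file awtqr.dll under c:\windows\system32\. At startup it is automatically loaded into winlogon and explorer. I can't delete it with killbox either.. Rising doesn't detect any virus. Does anyone have a good method they could share?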