Rising Kaka Security Forum

[Help] Experts, please take a look: some files I found that this virus wrote
凌夜月风 - 2006-11-29 21:37:00
My machine has a legitimate copy of Rising installed, but it still can't fully block this virus; every time I finish cleaning it, it pops up again before long.
The virus's characteristics: it generates many *.EXE files under c:\winnt\temp, c:\winnt\system32, c:\winnt\intel, c:\winnt\down and so on, for example svch0st.exe, zt.exe, c.exe. I've killed them several times already... today they came back again. I also noticed that one of the files is a text file; I opened it and found it contains the following:
[DOWNLOADNUMS]

updatetm=1
downfile=5
killproc=0
removreg=0

[STARTHTMPAGE]

mainpage=http://www.sina.com.cn

[DOWNMAINLIST]

mainfile=http://222.77.185.140/my.exe

[DOWNFILELIST]

downfile1=http://222.77.178.218/my/svchost.exe
downfile2=http://222.77.178.218/my/csrss.exe
downfile3=http://222.77.178.218/my/winlogon.exe
downfile4=http://222.77.178.218/my/rudll123.exe
downfile5=http://222.77.178.218/my/qq.exe

[DOWNKILLLIST]

killproc1=CDPLAYER.EXE

[REMOVREGLIST]

removreg1=HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\WinXP*test



It looks like it goes to some website to download viruses and trojans...... Experts, please help me analyze this, thanks~!!
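As an added example (not from the original post and not a Rising tool), here is a Python parser that reads the INI-style downloader configuration quoted above and pulls out what a defender wants from it: the hosts that serve payloads (candidates for a firewall or proxy blocklist), the payload file names that imitate Windows core processes, and a comparison of the counters in [DOWNLOADNUMS] against the entries actually listed. The SYSTEM_PROCESS_NAMES list and the reading of the counters as "how many entries to act on" are assumptions, not something the post confirms.

```python
import configparser
from posixpath import basename
from urllib.parse import urlsplit

# Constructed sample input: the downloader configuration quoted in the post above.
SAMPLE_CONFIG = r"""
[DOWNLOADNUMS]
updatetm=1
downfile=5
killproc=0
removreg=0

[STARTHTMPAGE]
mainpage=http://www.sina.com.cn

[DOWNMAINLIST]
mainfile=http://222.77.185.140/my.exe

[DOWNFILELIST]
downfile1=http://222.77.178.218/my/svchost.exe
downfile2=http://222.77.178.218/my/csrss.exe
downfile3=http://222.77.178.218/my/winlogon.exe
downfile4=http://222.77.178.218/my/rudll123.exe
downfile5=http://222.77.178.218/my/qq.exe

[DOWNKILLLIST]
killproc1=CDPLAYER.EXE

[REMOVREGLIST]
removreg1=HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\WinXP*test
"""

# Legitimate Windows core process names that droppers commonly imitate
# (assumed list for the masquerade check; extend as needed).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                        "services.exe", "smss.exe", "explorer.exe", "rundll32.exe"}


def _numbered_values(cp, section, prefix):
    """Return the values of keys named prefix1, prefix2, ... in numeric order."""
    if not cp.has_section(section):
        return []
    entries = []
    for key, value in cp.items(section):
        if key.startswith(prefix):
            suffix = key[len(prefix):]
            entries.append((int(suffix) if suffix.isdigit() else 0, value.strip()))
    return [value for _, value in sorted(entries)]


def parse_downloader_config(text):
    """Parse the downloader config into a dict of indicators."""
    # Only '=' separates keys from values here; ':' occurs inside the URLs.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    counts = {}
    if cp.has_section("DOWNLOADNUMS"):
        counts = {k: int(v) for k, v in cp.items("DOWNLOADNUMS")}
    return {
        "counts": counts,
        "start_page": cp.get("STARTHTMPAGE", "mainpage", fallback=None),
        "main_file": cp.get("DOWNMAINLIST", "mainfile", fallback=None),
        "download_urls": _numbered_values(cp, "DOWNFILELIST", "downfile"),
        "kill_processes": _numbered_values(cp, "DOWNKILLLIST", "killproc"),
        "remove_registry": _numbered_values(cp, "REMOVREGLIST", "removreg"),
    }


def payload_hosts(cfg):
    """Hosts that serve payloads: candidates for a firewall/proxy blocklist."""
    urls = [cfg["main_file"]] + cfg["download_urls"]
    return {urlsplit(u).hostname for u in urls if u}


def count_mismatches(cfg):
    """Compare the counters in [DOWNLOADNUMS] with the entries actually listed.
    Returns {counter: (declared, listed)} for every counter that disagrees."""
    listed = {
        "downfile": len(cfg["download_urls"]),
        "killproc": len(cfg["kill_processes"]),
        "removreg": len(cfg["remove_registry"]),
    }
    return {name: (cfg["counts"].get(name, 0), n)
            for name, n in listed.items() if cfg["counts"].get(name, 0) != n}


def masquerading_names(cfg):
    """Payload file names that imitate legitimate Windows core processes."""
    names = [basename(urlsplit(u).path).lower() for u in cfg["download_urls"]]
    return [n for n in names if n in SYSTEM_PROCESS_NAMES]


if __name__ == "__main__":
    cfg = parse_downloader_config(SAMPLE_CONFIG)
    print("block these hosts:", sorted(payload_hosts(cfg)))
    print("counter mismatches:", count_mismatches(cfg))
    print("payloads named like system processes:", masquerading_names(cfg))
```

On this sample the counters disagree with the lists for killproc and removreg (declared 0, one entry each), which is worth noting when deciding which behaviours to expect on an infected host; the three payloads named svchost.exe, csrss.exe and winlogon.exe are the ones to look for outside system32, which is exactly where they turn up in the later log.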
叶·幽思 - 2006-11-29 21:40:00
Post the file names and paths of the virus files your antivirus can't remove.

Please use the tool from the pinned anti-virus toolkit to run a scan and post the log.
1 Unzip sreng2.zip
2 Run SREng2.exe
3 Smart Scan => Scan => Save Report
4 Copy the complete report from the log file SREngLOG.log and paste it here without modification

Friendly reminder:
Close all manually opened programs and windows before scanning, and post the log once the scan is done. But please don't post it as an attachment.

Note: until you get further instructions, don't attempt random repairs, or the system may end up in a worse state.
凌夜月风 - 2006-11-29 21:40:00
Another symptom: an eset folder gets created under my C:\Program Files, containing a file rund1132.exe; Rising warns that this file is modifying things in the system, and I click No every time.
凌夜月风 - 2006-11-29 21:47:00
Reply to the boss: when the virus infected the machine today, I used the Norton Task Manager and saw many suspicious *.exe in the process list, all in the folders I mentioned earlier. Rising, which I had only just updated, ignored these obvious viruses, so I had to delete them manually in Safe Mode. Previously I also deleted them manually most of the time, but today there seems to be some virus file I haven't found that keeps acting up. I'll post the scan log right away. The processes are probably normal now.
凌夜月风 - 2006-11-29 21:50:00
Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><internat.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <PowerStrip><f:\program files\powerstrip\pstrip.exe>  [EnTech Taiwan]
    <NvCplDaemon><RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
[ipmac]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ipmac.bat><N>

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Macromedia Licensing Service / Macromedia Licensing Service]
  <"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[易趣购物]
  {DE607143-AC19-423e-865A-5D70ABDF119A}? <http://click2.ad4all.net/url2/urlmanage/url.asp?id=5, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
  <f:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
  <f:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
  <F:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用BitComet下载(&B)]
  <res://f:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
[使用BitComet下载全部链接]
  <res://f:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
[添加到QQ自定义面板]
  <F:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <F:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <F:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
凌夜月风 - 2006-11-29 21:50:00
正在运行的进程
[PID: 136][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 168][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 188][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6898>
[PID: 216][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.6700>
[PID: 228][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.6902>
[PID: 400][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 428][C:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 480][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 688][C:\Program Files\Rising\Rav\RavStub.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 796][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [F:\Program Files\Tencent\QQ\qdshm.dll]  <><1, 0, 101, 20>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINNT\system32\nvshell.dll]  <NVIDIA Corporation><6.14.10.10531>
[PID: 872][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 960][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
[PID: 1020][C:\WINNT\system32\conime.exe]  <Microsoft Corporation><5.00.2195.6655>
[PID: 556][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\WINNT\system32\kakatool.dll]  <Beijing Rising Technology Co., Ltd.><2, 0, 2, 1>
    [C:\WINNT\system32\xunleibho_v13.dll]  <Thunder Networking Technologies,LTD><4, 6, 0, 48>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
[PID: 1504][G:\tool\杀毒\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  Error. [winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
凌夜月风 - 2006-11-29 22:04:00
Found another thing: the virus creates four folders, 7WSRM8ZZ, IPLG0LZ0, UAHHJ5G9 and Z09NH9PI, under C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5, full of *.ini configuration files and *.exe files that are obviously viruses or trojans, and a Rising scan does not detect these files as viruses!!!
EvilSpirit - 2006-11-29 22:06:00
Why is the log so short? Did you scan in Safe Mode, or did you trim it?
You said a bunch of viruses are running and modifying your system, but I don't see much in your scan log?
凌夜月风 - 2006-11-29 22:09:00
I didn't trim it. I closed all the other software, and I had already located and manually deleted the suspicious programs that were running in the process list. If needed, I'll scan again and post it..
凌夜月风 - 2006-11-29 22:12:00
2006-11-29,21:56:49

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><internat.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <PowerStrip><f:\program files\powerstrip\pstrip.exe>  [EnTech Taiwan]
    <NvCplDaemon><RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
[ipmac]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ipmac.bat><N>

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Macromedia Licensing Service / Macromedia Licensing Service]
  <"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[易趣购物]
  {DE607143-AC19-423e-865A-5D70ABDF119A}? <http://click2.ad4all.net/url2/urlmanage/url.asp?id=5, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
  <f:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
  <f:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
  <F:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用BitComet下载(&B)]
  <res://f:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
[使用BitComet下载全部链接]
  <res://f:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
[添加到QQ自定义面板]
  <F:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <F:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <F:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
凌夜月风 - 2006-11-29 22:14:00
正在运行的进程
[PID: 136][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 168][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 188][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6898>
[PID: 216][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.6700>
[PID: 228][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.6902>
[PID: 400][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 428][C:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 480][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 688][C:\Program Files\Rising\Rav\RavStub.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 796][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [F:\Program Files\Tencent\QQ\qdshm.dll]  <><1, 0, 101, 20>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINNT\system32\nvshell.dll]  <NVIDIA Corporation><6.14.10.10531>
[PID: 872][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 960][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
[PID: 1020][C:\WINNT\system32\conime.exe]  <Microsoft Corporation><5.00.2195.6655>
[PID: 556][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2800.1106>
    [C:\WINNT\system32\kakatool.dll]  <Beijing Rising Technology Co., Ltd.><2, 0, 2, 1>
    [C:\WINNT\system32\xunleibho_v13.dll]  <Thunder Networking Technologies,LTD><4, 6, 0, 48>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
[PID: 1412][F:\Program Files\Tencent\QQ\QQ.exe]  <TENCENT><0, 0, 0, 0>
    [F:\Program Files\Tencent\QQ\QQBaseClassInDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQHelperDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\BasicCtrlDll.dll]  <Tencent><5, 0, 200, 370>
    [F:\Program Files\Tencent\QQ\QQAPI.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\TIMProxy.dll]  <tencent><0, 3, 2, 4>
    [F:\Program Files\Tencent\QQ\LoginCtrl.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\npkcntc.dll]  <INCA Internet Co., Ltd.><2006, 6, 27, 1>
    [F:\Program Files\Tencent\QQ\npkpdb.dll]  <INCA Internet Co., Ltd.><2003, 10, 1, 1>
    [F:\Program Files\Tencent\QQ\QQRes.dll]  <tencent><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\WizardCtrl.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQMainFrame.dll]  <N/A><N/A>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
    [F:\Program Files\Tencent\QQ\CQQApplication.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\NewSkin.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\HostingMgr.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\CameraDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\MailSummary.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQSpace.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\msdmo.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQGroupMng.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\GroupLive.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQSysMsgMng.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\UserDefinedHead.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQPlugin.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQConfigPlugin.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QRingMng.dll]  <N/A><N/A>
凌夜月风 - 2006-11-29 22:14:00
[F:\Program Files\Tencent\QQ\PhoneAPI.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\DialerAllinOne.dll]  <tencent><1, 4, 0, 0>
    [F:\Program Files\Tencent\QQ\VPortal.dll]  <><1, 0, 0, 4>
    [F:\Program Files\Tencent\QQ\LongConnection.dll]  <tencent><5, 0, 200, 160>
    [F:\Program Files\Tencent\QQ\QQAvatar.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\FlashAvatarDll.dll]  <><1, 4, 0, 1>
    [F:\Program Files\Tencent\QQ\QQPet.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [F:\Program Files\Tencent\QQ\BQQApplication.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQAllInOne.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\SCCore.dll]  <TENCENT><2, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQCustomFace.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\CommercesMng.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\PersonalDesktop.dll]  <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 2>
    [F:\Program Files\Tencent\QQ\QQAddr.dll]  <深圳市腾讯计算机系统有限公司><5, 0, 101, 240>
    [F:\Program Files\Tencent\QQ\QQSceneMng.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQPhoneHelper.dll]  <腾讯科技(深圳)有限公司><2, 1, 1, 11>
[PID: 1172][F:\Program Files\Tencent\QQ\TIMPlatform.exe]  <tencent><0, 3, 1, 8>
    [F:\Program Files\Tencent\QQ\TIMProxy.dll]  <tencent><0, 3, 2, 4>
[PID: 504][F:\Program Files\Tencent\QQ\QQ.exe]  <TENCENT><0, 0, 0, 0>
    [F:\Program Files\Tencent\QQ\QQBaseClassInDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQHelperDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\BasicCtrlDll.dll]  <Tencent><5, 0, 200, 370>
    [F:\Program Files\Tencent\QQ\QQAPI.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\TIMProxy.dll]  <tencent><0, 3, 2, 4>
    [F:\Program Files\Tencent\QQ\LoginCtrl.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\npkcntc.dll]  <INCA Internet Co., Ltd.><2006, 6, 27, 1>
    [F:\Program Files\Tencent\QQ\npkpdb.dll]  <INCA Internet Co., Ltd.><2003, 10, 1, 1>
    [F:\Program Files\Tencent\QQ\QQRes.dll]  <tencent><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQMainFrame.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\CQQApplication.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\NewSkin.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\HostingMgr.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\CameraDll.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\MailSummary.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQSpace.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\msdmo.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQGroupMng.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\GroupLive.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQSysMsgMng.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\UserDefinedHead.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQPlugin.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\QQConfigPlugin.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QRingMng.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\PhoneAPI.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\DialerAllinOne.dll]  <tencent><1, 4, 0, 0>
    [F:\Program Files\Tencent\QQ\VPortal.dll]  <><1, 0, 0, 4>
    [F:\Program Files\Tencent\QQ\QQAvatar.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\FlashAvatarDll.dll]  <><1, 4, 0, 1>
    [F:\Program Files\Tencent\QQ\LongConnection.dll]  <tencent><5, 0, 200, 160>
    [F:\Program Files\Tencent\QQ\QQPet.dll]  <><1, 0, 0, 1>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
    [F:\Program Files\Tencent\QQ\QQAllInOne.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\SCCore.dll]  <TENCENT><2, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\QQCustomFace.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\GroupConnection.dll]  <Tencent><0, 3, 3, 5>
    [F:\Program Files\Tencent\QQ\BQQApplication.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\CommercesMng.dll]  <><1, 0, 0, 1>
    [F:\Program Files\Tencent\QQ\PersonalDesktop.dll]  <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 2>
    [F:\Program Files\Tencent\QQ\QQAddr.dll]  <深圳市腾讯计算机系统有限公司><5, 0, 101, 240>
    [F:\Program Files\Tencent\QQ\QQSceneMng.dll]  <N/A><N/A>
[PID: 1452][F:\Program Files\Tencent\QQ\qqpet\qqpet.exe]  <腾讯公司><2, 43, 101, 2>
    [F:\Program Files\Tencent\QQ\qqpet\Pnet.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\qqpet\QQPetResDownload.dll]  <><6, 1, 101, 1>
    [F:\Program Files\Tencent\QQ\qqpet\QQPetCommunity.dll]  <><6, 3, 101, 1>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1204][F:\Program Files\Tencent\QQ\qqpet\qqpet.exe]  <腾讯公司><2, 43, 101, 2>
    [F:\Program Files\Tencent\QQ\qqpet\Pnet.dll]  <N/A><N/A>
    [F:\Program Files\Tencent\QQ\qqpet\QQPetResDownload.dll]  <><6, 1, 101, 1>
    [F:\Program Files\Tencent\QQ\qqpet\QQPetCommunity.dll]  <><6, 3, 101, 1>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1380][I:\123\QQPetNurse.exe]  <永恒E网><2.1.7.6>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\WINNT\system32\Macromed\Flash\Flash9b.ocx]  <Adobe Systems, Inc.><9,0,28,0>
[PID: 1628][G:\tool\杀毒\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  Error. [winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
凌夜月风 - 2006-11-29 22:37:00
Bumping my own thread..
Rising can detect some of the virus's actions but can't remove everything; some files it can't analyze, so I clean them all manually.. it seems I can clean it completely, but before long it gets transferred over again from other machines in the Internet cafe (my machine is in an Internet cafe), and the virus firewall can't block it...
凌夜月风 - 2006-11-29 22:51:00
Anyone there.. come out!! I'm online!!!!!
凌夜月风 - 2006-11-29 23:56:00
Bumping once more before bed~~
凌夜月风 - 2006-11-30 11:29:00
Bumping myself... woke up this morning and the machine is infected again.... same symptoms.... the Rising monitor was forcibly shut down, and again I had to kill it manually myself!!
Below I'm posting the log from before the cleanup!! I've already cleaned most of the virus myself; the point is to make Rising aware of this thing so they update the virus database quickly!!!
凌夜月风 - 2006-11-30 11:31:00
Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><internat.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <PowerStrip><f:\program files\powerstrip\pstrip.exe>  [EnTech Taiwan]
    <NvCplDaemon><RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup>  [NVIDIA Corporation]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
    <Systems32><C:\WINNT\TEMP\svchost.exe>  []
    <r><C:\WINNT\down\rundll32.exe>  []
    <zts2><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zts2.exe>  []
    <mhs><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs.exe>  []
    <wl><C:\WINNT\Download\svhost32.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [Microsoft Corporation]
    <Userinit><userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINNT\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]

==================================
启动文件夹
[ipmac]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ipmac.bat><N>

==================================
服务
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Macromedia Licensing Service / Macromedia Licensing Service]
  <"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"><N/A>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[易趣购物]
  {DE607143-AC19-423e-865A-5D70ABDF119A}? <http://click2.ad4all.net/url2/urlmanage/url.asp?id=5, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
  <f:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
  <f:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
  <F:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用BitComet下载(&B)]
  <res://f:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
[使用BitComet下载全部链接]
  <res://f:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
[添加到QQ自定义面板]
  <F:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <F:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <F:\Program Files\Tencent\QQ\SendMMS.htm, N/A>
凌夜月风 - 2006-11-30 11:31:00
==================================
正在运行的进程
[PID: 136][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 168][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 188][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6898>
[PID: 216][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.6700>
[PID: 228][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.6902>
[PID: 400][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 428][C:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 480][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 700][C:\Program Files\Rising\Rav\RavStub.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 796][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
[PID: 524][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 996][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  <RealNetworks, Inc.><0.1.0.3427>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 1032][C:\WINNT\TEMP\svchost.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e9ut9.dll]  <N/A><N/A>
[PID: 1052][C:\WINNT\down\rundll32.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ecm.dll]  <N/A><N/A>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 604][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zts2.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\howr5dn.dll]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zts2.dll]  <N/A><N/A>
[PID: 1100][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 1108][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\um2g9.dll]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs.dll]  <N/A><N/A>
[PID: 1120][C:\WINNT\system32\conime.exe]  <Microsoft Corporation><5.00.2195.6655>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 752][G:\tool\Norton任务管理器\taskmgr.exe]  <Star Life Special Made Norton任务管理器><5.2.11.1>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e9ut9.dll]  <N/A><N/A>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 988][G:\tool\杀毒\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>
    [C:\WINNT\tdll.dll]  <N/A><N/A>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  Error. [winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
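As an added example (not part of the thread and not a feature of SREng), the script below reads lines in the SREng report format posted above and flags what an experienced reviewer circles by hand: Run entries with an empty publisher field whose image lives in a temp or download directory, running images with no company or version information, and a module with no version information that appears in several unrelated processes, which is how tdll.dll shows up in this report. The directory list, the "unknown publisher" heuristic and the sample lines (copied from the log above and trimmed) are this example's own assumptions.

```python
import re

# Constructed sample: lines taken from the SREng report posted above, trimmed to
# the HKLM Run key and part of the process list.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <Systems32><C:\WINNT\TEMP\svchost.exe>  []
    <r><C:\WINNT\down\rundll32.exe>  []
    <zts2><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zts2.exe>  []
    <mhs><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs.exe>  []
    <wl><C:\WINNT\Download\svhost32.exe>  []
[PID: 400][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 796][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
[PID: 996][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  <RealNetworks, Inc.><0.1.0.3427>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 1032][C:\WINNT\TEMP\svchost.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e9ut9.dll]  <N/A><N/A>
[PID: 1052][C:\WINNT\down\rundll32.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ecm.dll]  <N/A><N/A>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
[PID: 604][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zts2.exe]  <N/A><N/A>
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\howr5dn.dll]  <N/A><N/A>
[PID: 1100][C:\WINNT\system32\internat.exe]  <Microsoft Corporation><5.00.2920.0000>
    [C:\WINNT\tdll.dll]  <N/A><N/A>
"""

# Line shapes in the SREng report: autorun entries, process lines, module lines.
RUN_RE = re.compile(r"^\s*<(?P<name>[^>]*)><(?P<cmd>[^>]*)>\s*\[(?P<publisher>[^\]]*)\]\s*$")
PROC_RE = re.compile(r"^\[PID:\s*(?P<pid>\d+)\]\[(?P<path>[^\]]*)\]\s*<(?P<company>[^>]*)><(?P<version>[^>]*)>")
MOD_RE = re.compile(r"^\s+\[(?P<path>[^\]]*)\]\s*<(?P<company>[^>]*)><(?P<version>[^>]*)>")

# Directories where a startup program or a process image has no business living
# (assumed heuristic; case-insensitive substring match on the path).
SUSPICIOUS_DIRS = ("\\temp\\", "\\down\\", "\\download\\")


def parse_sreng(text):
    """Split the report into autorun entries and processes with their modules."""
    autoruns, processes = [], []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            processes.append({"pid": int(m["pid"]), "path": m["path"],
                              "company": m["company"], "modules": []})
            continue
        m = MOD_RE.match(line)
        if m and processes:  # indented module line belongs to the last process
            processes[-1]["modules"].append({"path": m["path"], "company": m["company"]})
            continue
        m = RUN_RE.match(line)
        if m and m["cmd"]:  # skip empty values such as <load><>
            autoruns.append({"name": m["name"], "cmd": m["cmd"], "publisher": m["publisher"]})
    return autoruns, processes


def _unknown(company):
    return company.strip() in ("", "N/A")


def _suspicious_path(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def suspicious_autoruns(autoruns):
    """Run entries with no publisher whose image sits in a temp/download directory."""
    return [a["cmd"] for a in autoruns
            if _unknown(a["publisher"]) and _suspicious_path(a["cmd"])]


def unknown_processes(processes):
    """Running images that carry no company or version information."""
    return [p["path"] for p in processes if _unknown(p["company"])]


def widely_loaded_unknown_modules(processes, min_hosts=2):
    """Unknown modules present in several different processes, the footprint of
    a DLL injected system-wide. Returns {lower-cased path: number of host PIDs}."""
    hosts = {}
    for p in processes:
        for mod in p["modules"]:
            if _unknown(mod["company"]):
                hosts.setdefault(mod["path"].lower(), set()).add(p["pid"])
    return {path: len(pids) for path, pids in hosts.items() if len(pids) >= min_hosts}


def triage(text):
    """Run all three checks over one report and return the findings."""
    autoruns, processes = parse_sreng(text)
    return {
        "autoruns": suspicious_autoruns(autoruns),
        "processes": unknown_processes(processes),
        "injected_modules": widely_loaded_unknown_modules(processes),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section)
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("   ", item)
```

The third check is the one that matters most for the "it comes back after cleaning" complaint: a module that is loaded into Explorer, the RealPlayer updater, internat.exe and the dropper itself is a persistence component, so deleting the *.exe files alone leaves it in place.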
凌夜月风 - 2006-11-30 11:50:00
Does nobody know my virus? Did I catch an advanced one? *sweat*
凌夜月风 - 2006-11-30 12:02:00
DDDD
凌夜月风 - 2006-11-30 12:20:00
DDD
凌夜月风 - 2006-11-30 13:43:00
The virus appeared again; Rising can only kill part of it... I'm switching to a legitimate copy of Kingsoft right now to try it... utterly disappointed~
青ぁ龙ぞ震⊙威 - 2006-11-30 14:05:00
I've seen svch0st.exe before; it's produced by malicious web pages. The large number of virus files you describe (the ones in the DOWN directory you mentioned) suggests a Netsky (网络天空) variant.
凌夜月风 - 2006-11-30 14:05:00
11
大冰宝宝 - 2006-11-30 14:10:00
Mine too: WIN2000 gets infected, but XP has no problem. Exactly the same situation as the OP. I cleaned it manually, but it still comes back and I can't find the root cause!!! Experts, please help. Four Windows 2000 machines, all infected, and what's worse: these machines are all servers!!! 55555, and it can automatically terminate Rising's process.
大冰宝宝 - 2006-11-30 14:11:00
Several people have already reported the same situation and Rising still isn't in a hurry, I really... sigh!!!!
大冰宝宝 - 2006-11-30 14:12:00
Bumping again. This problem has to be solved; so many new variants have appeared and Rising doesn't notice any of them!!!
青ぁ龙ぞ震⊙威 - 2006-11-30 14:13:00
WIN2000 gets infected but XP doesn't???? Could it be New Happy Time (新欢乐时光)??
凌夜月风 - 2006-11-30 14:14:00
Exactly.. speechless... I've now turned on Kingsoft's firewall and NetDefender (网镖) at the highest level, and I'm using Kingsoft's vulnerability fixer to patch the system's vulnerabilities (Rising doesn't have this feature, right?)..... let's see whether I get infected again...
===============
New Happy Time (新欢乐时光)... any antivirus can detect that...
大冰宝宝 - 2006-11-30 14:15:00
DING
12