*****【紧急求助】卡卡,瑞星都对付不了,只好来求大侠们帮忙了***** bbs.ikaka.com

空袭警报 - 2006-11-30 9:28:00

前天看系统进程,发现无故多出两个sysresrv.exe,giou028.exe的东西,再用优化大师看启动项,里面有两个"?"的自动启动,将其取消后一刷新又有.在注册表里却看不到.
用任务管理器禁用giou028,然后找到将其删掉,一刷新它又自动生成了
尝试禁用sysresrv.exe,居然不能.用卡卡禁用,删掉后重启又出现了,而且这东西还试图访问网络被我用戴尔防火墙截止.
本来想进安全模式里试试杀一下,结果进不去,给几句英文字符就死在哪里了
以为升升瑞星或许能行(24号刚升过)结果一升就说网络有故障,上瑞星网也不能上,于是找到HOSTS打开一看,里头是这样的:

125.91.14.230 www.kzdh.com
125.91.14.230 www.7255.com
125.91.14.230 www.7322.com
125.91.14.230 www.7939.com
125.91.14.230 www.piaoxue.com
125.91.14.230 www.feixu.net
125.91.14.230 www.6781.com
125.91.14.230 www.7b.com.cn
125.91.14.230 7b.com.cn
125.91.14.230 www.918188.com
125.91.14.230 hao.allxue.com
125.91.14.230 good.allxue.com
125.91.14.230 baby.allxue.com
125.91.14.230 www.allxue.com
125.91.14.230 about.lank.la
125.91.14.230 www.x114x.com
125.91.14.230 www.37ss.com
125.91.14.230 www.7k.cc
125.91.14.230 www.73ss.com
125.91.14.230 www.hao123.com
125.91.14.230 www.81915.com
125.91.14.230 222.88.90.22
125.91.14.230 www.9991.com
125.91.14.230 www.my123.com
125.91.14.230 www.haokan123.com
125.91.14.230 www.5566.net
125.91.14.230 www.gjj.cc
125.91.14.230 www.2345.com
127.0.0.1 dl.hao318.com
125.91.14.230 www.123wa.com
125.91.14.230 www.ku886.com
125.91.14.230 www.5icrack.com
125.91.14.230 www.jjol.cn
127.0.0.1 www.rising.com.cn
127.0.0.1 tool.ikaka.com
127.0.0.1 www.ikaka.com
127.0.0.1 update.rising.com.cn
127.0.0.1 online.rising.com.cn
127.0.0.1 up.rising.com.cn
127.0.0.1 go.rising.com.cn
127.0.0.1 it.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 ikaka.com
125.91.14.230 www.xinhai168.com
125.91.14.230 ooooos.com
125.91.14.230 www.ooooos.com
125.91.14.230 www.8757.com
-------------------------------
被它屏蔽了,怎么能上去呢,清空保存,将HOSTS属性改为只读,好了这下能上了,一会又不行了,返回再一看,那些字都好好的在那里呢,而且HOSTS属性又被改回来了!
请问应当怎么办啊?请达人们帮帮我

空袭警报 - 2006-11-30 9:30:00

【回复“空袭警报”的帖子】2006-11-30,08:33:15

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [Microsoft Corporation]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<XFILTER><"d:\Program Files\Filseclab\xfilter\xfilter.exe" -a> [费尔安全实验室]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,,"D:\Program Files\HFEE\SVOHOST.EXE" un userinit.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []

==================================
启动文件夹
服务
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[NVIDIA Driver Helper Service / NVSvc]
<C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon]
<"d:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[System Recover Servic / SysreSrv]
<sysresrv.exe><N/A>

==================================
浏览器加载项
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX, N/A>
[Google Toolbar Helper]
{AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[免费精彩视频超流畅在线观看]
{022C4009-5283-4365-97BF-144054B40E2E} <http://itv.mop.com, N/A>
[番茄花园]
{6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINNT\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[KooPlayer Control]
{39D420B3-E0EB-424C-89AA-C24F8DE7EF79} <C:\WINNT\DOWNLO~1\KOOPLA~1.OCX, viviMedia>
[CCtInf Class]
{6DBB2904-082D-4DB0-944A-21C22BA121F4} <C:\WINNT\system32\BANKCE~1.DLL, >
[clienttime.client]
{C5D0DFF5-6D39-4F98-88CD-12E8430A6300} <C:\WINNT\Downloaded Program Files\client.ocx, NTSC>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用KuGoo3下载(&K)]
<D:\Program Files\KuGoo3\KuGoo3DownX.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 140][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 164][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 160][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[PID: 212][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 224][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 384][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 412][d:\Program Files\Rising\Rav\CCenter.exe] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 472][C:\WINNT\system32\spoolsv.exe] <Microsoft Corporation><5.00.2195.7059>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 504][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 532][C:\WINNT\system32\nvsvc32.exe] <NVIDIA Corporation><6.13.10.2720>
[PID: 572][C:\WINNT\system32\regsvc.exe] <Microsoft Corporation><5.00.2195.6701>
[PID: 592][C:\WINNT\system32\MSTask.exe] <Microsoft Corporation><4.71.2195.6972>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 636][C:\WINNT\system32\stisvc.exe] <Microsoft Corporation><5.00.2195.6656>
[C:\WINNT\system32\VM303STI.dll] <VM><4.2.510.21>
[PID: 708][C:\WINNT\system32\sysresrv.exe] <N/A><N/A>
[PID: 744][C:\WINNT\System32\WBEM\WinMgmt.exe] <Microsoft Corporation><1.50.1085.0100>
[PID: 820][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[PID: 1080][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[C:\WINNT\system32\RavExt.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 21>
[D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX] <N/A><N/A>
[PID: 296][D:\Program Files\HFEE\SVOHOST.EXE] <><3000.0.0.0>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[PID: 1196][D:\Program Files\Filseclab\xfilter\xfilter.exe] <费尔安全实验室><3.0>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[d:\Program Files\Rising\Rav\RavScrCh.dll] <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 1204][C:\WINNT\system32\rundll32.exe] <Microsoft Corporation><5.00.2134.1>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[PID: 1212][C:\WINNT\system32\giou028.exe] <Microsoft Corporation><5.00.2134.1>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[PID: 1112][D:\TEMP\新建文件夹 (5)\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================

mopery - 2006-11-30 9:34:00

建议下个 360安全卫士来解决..

空袭警报 - 2006-11-30 9:46:00

好的谢谢,这就去,将把结果第一时间报告上来,请达人们继续关注.

空袭警报 - 2006-11-30 10:07:00

太不幸了,最新版的安全卫士也没扫描出来,那个MY123专杀说我的系统里没有什么恶意软件,怎么办呀.....555~~

空袭警报 - 2006-11-30 10:27:00

怎么办呀.....555

EvilSpirit - 2006-11-30 10:37:00

[C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>

删掉了嘛？

空袭警报 - 2006-11-30 11:44:00

看了看那两个文件说是系统文件,删掉不会有什么影响吧?

空袭警报 - 2006-11-30 11:50:00

而且它不让删除说是正在使用...安全模式又不能进~~

空袭警报 - 2006-11-30 12:00:00

的确怀疑那两个文件,看了看06年11月27号创建,修改时间却是05年,而且没什么版本说明,可它不让删怎么办?请问有知道怎么删的吗?

ErSan - 2006-11-30 12:12:00

关注此帖,我也是那什么sys***.exe的受害者...

空袭警报 - 2006-11-30 12:35:00

用文件粉碎机将C:\WINNT\system32\drivers\w24agio.sys]
[C:\WINNT\system32\flntz.dll] ,sysresrv
删掉了,再用优化大师看启动项,靠,?变成flntz.dll与giou028了,取消重启,giou028没有了,不过sysresrv依然键在....这病毒也太毒了!

高手们快现身啊

空袭警报 - 2006-11-30 14:35:00

顶

红夜鬼1 - 2006-11-30 14:41:00

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
System Recover Servic
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
sysresrv.exe
C:\WINNT\system32\drivers\w24agio.sys] <N/A><N/A>
[C:\WINNT\system32\flntz.dll] <N/A><N/A>
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] <Filseclab Corporation><3, 0, 0, 3644>

为个是什么
C:\WINNT\system32\giou028.exe

空袭警报 - 2006-12-6 15:02:00

还没解决

红夜鬼1 - 2006-12-6 15:05:00

请下载SREng2（最新版），使用“智能扫描”，按下“扫描”按钮进行扫描，
扫描完成后按下“保存报告”按钮保存报告日志文件（SREng.LOG），把保存的报告
日志文件内容复制-粘贴上来,,日志一次粘不完，分次粘完，请不要修改。

下载地址
http://www.kztechs.com/sreng/sreng2.zip

空袭警报 - 2006-12-6 15:16:00

我装了卡巴把sysresrv杀掉了,但是giou028却反复出现,hosts也被反复修改,报告马上贴上来

空袭警报 - 2006-12-6 15:21:00

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Corporation]
<RavTask><"d:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<XFILTER><"d:\Program Files\Filseclab\xfilter\xfilter.exe" -a> [费尔安全实验室]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,,"D:\Program Files\HFEE\SVOHOST.EXE" un userinit.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]

==================================
启动文件夹
N/A

==================================
服务
[卡巴斯基互联网安全套装 6.0 / AVP]
<"D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r><Kaspersky Lab>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[NVIDIA Driver Helper Service / NVSvc]
<C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[System Recover Servic / SysreSrv]
<sysresrv.exe><N/A>
[Portable Media Serial Number Service / WmdmPmSN]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
[Rising Process Communication Center / RsCCenter]
<"d:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"d:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

==================================
驱动程序
[BaseTDI / BaseTDI]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Cdr4_2K / Cdr4_2K]
<C:\WINNT\SYSTEM32\DRIVERS\Cdr4_2K.SYS><Roxio>
[Cdralw2k / Cdralw2k]
<C:\WINNT\SYSTEM32\DRIVERS\Cdralw2k.SYS><Roxio>
[CDRAL Place Holder Driver / Cdrw2kDrv]
<system32\DRIVERS\cdrw2k.sys><N/A>
[C-Media PCI Audio Driver (WDM) / cmpci]
<system32\drivers\cmaudio.sys><C-Media Inc>
[dmboot / dmboot]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[kl1 / kl1]
<\SystemRoot\system32\drivers\kl1.sys><N/A>
[klif / klif]
<\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
[NetGroup Packet Filter Driver / Npf]
<system32\drivers\npf.sys><N/A>
[nv / nv]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nv4 / nv4]
<system32\DRIVERS\nv4.sys><NVIDIA Corporation>
[NVDual / NVDual]
<\SystemRoot\system32\DRIVERS\nvDual.sys><N/A>
[Psx Hid to Gamepad Port Enabler / PSXGamepadEnabler]
<system32\drivers\psxpad.sys><Y.Kimura>
[Psx Port Enumerator / PsxPortEnumerator]
<System32\Drivers\psxenum.sys><Y.Kimura>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[WAN 微型端口 (PPP over Ethernet 协议) / RMSPPPOE]
<system32\DRIVERS\RMSPPPOE.SYS><Robert Schlabbach>
[RsAntiSpyware / RsAntiSpyware]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[VIA AGP Bus Filter / viaagp]
<\SystemRoot\System32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
[VIA AGP Bus Filter / viaagp1]
<\SystemRoot\system32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
[VIA USB Filter / viafilter]
<\SystemRoot\System32\Drivers\viausb.sys><VIA Technologies, Inc.>
[viaide / viaide]
<\SystemRoot\system32\DRIVERS\viaide.sys><VIA Technologies, Inc.>
[VIAPFD / VIAPFD]
<\SystemRoot\System32\Drivers\VIAPFD.SYS><VIA Technologies. Inc.>

==================================
浏览器加载项
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX, N/A>
[Google Toolbar Helper]
{AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[免费精彩视频超流畅在线观看]
{022C4009-5283-4365-97BF-144054B40E2E} <http://itv.mop.com, N/A>
[Web反病毒保护]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, Kaspersky Lab>
[番茄花园]
{6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.tomatolei.com, N/A>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[易趣购物]
{EE60714F-AC19-427e-861A-FD60ABDF119A} <http://click2.ad4all.net/url2/urlmanage/url.asp?id=1, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&Google]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINNT\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[KooPlayer Control]
{39D420B3-E0EB-424C-89AA-C24F8DE7EF79} <C:\WINNT\DOWNLO~1\KOOPLA~1.OCX, viviMedia>
[CCtInf Class]
{6DBB2904-082D-4DB0-944A-21C22BA121F4} <C:\WINNT\system32\BANKCE~1.DLL, >
[clienttime.client]
{C5D0DFF5-6D39-4F98-88CD-12E8430A6300} <C:\WINNT\Downloaded Program Files\client.ocx, NTSC>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[上传到QQ网络硬盘]
<D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[使用KuGoo3下载(&K)]
<D:\Program Files\KuGoo3\KuGoo3DownX.htm, N/A>
[使用网际快车下载]
<D:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
<D:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
<D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

空袭警报 - 2006-12-6 15:22:00

正在运行的进程
[PID: 128][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 168][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 164][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6997]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 216][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.7035]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[PID: 228][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.7011]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[PID: 404][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 428][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.7059]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[PID: 464][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 492][C:\WINNT\system32\nvsvc32.exe] [NVIDIA Corporation, 6.13.10.2720]
[PID: 524][C:\WINNT\system32\regsvc.exe] [Microsoft Corporation, 5.00.2195.6701]
[PID: 564][C:\WINNT\system32\MSTask.exe] [Microsoft Corporation, 4.71.2195.6972]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 576][C:\WINNT\system32\stisvc.exe] [Microsoft Corporation, 5.00.2195.6656]
[C:\WINNT\system32\VM303STI.dll] [VM, 4.2.510.21]
[PID: 636][C:\WINNT\System32\WBEM\WinMgmt.exe] [Microsoft Corporation, 1.50.1085.0100]
[PID: 656][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[PID: 820][D:\Program Files\HFEE\SVOHOST.EXE] [, 3000.0.0.0]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[PID: 836][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[C:\WINNT\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[d:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[d:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX] [N/A, N/A]
[D:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 876][d:\Program Files\Rising\Rav\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[PID: 212][D:\Program Files\Rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[D:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[D:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[D:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[PID: 288][D:\Program Files\Rising\Rav\RavMon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
[D:\Program Files\Rising\Rav\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 28]
[D:\Program Files\Rising\Rav\BWList.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
[D:\Program Files\Rising\Rav\RSAPPMGR.DLL] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
[D:\Program Files\Rising\Rav\CfgDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
[D:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[D:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[D:\Program Files\Rising\Rav\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[D:\Program Files\Rising\Rav\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[PID: 1180][D:\Program Files\Filseclab\xfilter\xfilter.exe] [费尔安全实验室, 3.0]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[d:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[PID: 1188][C:\WINNT\system32\giou028.exe] [Microsoft Corporation, 5.00.2134.1]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[PID: 1144][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[c:\program files\google\googletoolbar2.dll] [Google Inc., 4, 0, 1020, 3054]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX] [N/A, N/A]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[d:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\WINNT\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[C:\WINNT\system32\Macromed\Common\SwSupport.dll] [Adobe Systems, Inc., 10.1.4r20]
[PID: 704][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[c:\program files\google\googletoolbar2.dll] [Google Inc., 4, 0, 1020, 3054]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]
[D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX] [N/A, N/A]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[d:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[PID: 580][D:\TEMP\新建文件夹 (5)\SREng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[D:\Program Files\Tencent\QQ\y06c.dll] [N/A, N/A]
[C:\WINNT\system32\drivers\w24agio.sys] [N/A, N/A]
[d:\Program Files\Filseclab\xfilter\XFILTER.DLL] [Filseclab Corporation, 3, 0, 0, 3644]
[D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll] [Kaspersky Lab, 6.0.0.299]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
MSAFD Tcpip [TCP/IP]
d:\Program Files\Filseclab\xfilter\XFILTER.DLL(Filseclab Corporation, Filseclab Personal Firewall)
MSAFD Tcpip [UDP/IP]
d:\Program Files\Filseclab\xfilter\XFILTER.DLL(Filseclab Corporation, Filseclab Personal Firewall)
MSAFD Tcpip [RAW/IP]
d:\Program Files\Filseclab\xfilter\XFILTER.DLL(Filseclab Corporation, Filseclab Personal Firewall)
RSVP UDP Service Provider
d:\Program Files\Filseclab\xfilter\XFILTER.DLL(Filseclab Corporation, Filseclab Personal Firewall)
RSVP TCP Service Provider
d:\Program Files\Filseclab\xfilter\XFILTER.DLL(Filseclab Corporation, Filseclab Personal Firewall)

空袭警报 - 2006-12-6 15:22:00

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
61.141.31.11 www.kzdh.com
61.141.31.11 www.7255.com
61.141.31.11 www.7322.com
61.141.31.11 www.7939.com
61.141.31.11 www.piaoxue.com
61.141.31.11 www.feixu.net
61.141.31.11 www.6781.com
61.141.31.11 www.7b.com.cn
61.141.31.11 7b.com.cn
61.141.31.11 www.918188.com
61.141.31.11 hao.allxue.com
61.141.31.11 good.allxue.com
61.141.31.11 baby.allxue.com
61.141.31.11 www.allxue.com
61.141.31.11 about.lank.la
61.141.31.11 www.x114x.com
61.141.31.11 www.37ss.com
61.141.31.11 www.7k.cc
61.141.31.11 www.73ss.com
61.141.31.11 www.hao123.com
61.141.31.11 www.81915.com
61.141.31.11 222.88.90.22
61.141.31.11 www.9991.com
61.141.31.11 www.my123.com
61.141.31.11 www.haokan123.com
61.141.31.11 www.5566.net
61.141.31.11 www.gjj.cc
61.141.31.11 www.2345.com
127.0.0.1 dl.hao318.com
61.141.31.11 www.123wa.com
61.141.31.11 www.ku886.com
61.141.31.11 www.5icrack.com
61.141.31.11 www.jjol.cn
127.0.0.1 www.rising.com.cn
127.0.0.1 tool.ikaka.com
127.0.0.1 www.ikaka.com
127.0.0.1 update.rising.com.cn
127.0.0.1 online.rising.com.cn
127.0.0.1 up.rising.com.cn
127.0.0.1 go.rising.com.cn
127.0.0.1 it.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 ikaka.com
61.141.31.11 www.xinhai168.com
61.141.31.11 ooooos.com
61.141.31.11 www.ooooos.com
61.141.31.11 www.8757.com

空袭警报 - 2006-12-6 15:25:00

请达人指点,如果可以的话我可以把病毒文见压缩上来

红夜鬼1 - 2006-12-6 15:33:00

删除QQ

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
System Recover Servic
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
sysresrv.exe
C:\WINNT\system32\giou028.exe
D:\Program Files\Tencent\QQ\清空文件夹
C:\WINNT\system32\drivers\w24agio.sys
找不到
我的电脑---文件夹选项----查看----隐藏已知受系统保护的文件勾去掉,显示所有文件勾上，隐藏已知文件类型的扩展名这个勾去掉
再找

换个文件夹重装QQ

2604 - 2006-12-6 15:38:00

强行删除用unlocker

空袭警报 - 2006-12-6 15:41:00

我找不到那项服务啊

附件: 7947422006126153213.jpg

红夜鬼1 - 2006-12-6 15:43:00

找不到就算了,问一下,上面的日志什么时间扫描的

空袭警报 - 2006-12-6 15:46:00

刚刚,你说了后就按给的地址下的然后马上扫描后传上来的

空袭警报 - 2006-12-6 15:52:00

通过任务管理器看到的giou028

附件: 7947422006126154325.jpg

空袭警报 - 2006-12-6 15:59:00

传图

附件: 7947422006126155035.jpg

deadmanzj - 2006-12-6 16:02:00

21楼的，你删了什么服务？？？？？

deadmanzj - 2006-12-6 16:03:00

21楼的，你删了什么服务？？？？？[Portable Media Serial Number Service / WmdmPmSN]
<C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>是好的，以后别乱删

瑞星卡卡安全论坛