瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » 失望于2007
小呀小顽童 - 2006-12-30 11:23:00
因为我电脑是双系统,仅一个系统装了瑞星,本机WIN2003却安装不上正版瑞星。
刚刚从瑞星首页获悉有免费一个月的下载,于是下载了。

一开机就发现电脑上有未知文件,经网友查实是病毒,而瑞星却根本查不出。
然后上网时突然在桌面上自动下载了几个文件,而瑞星监控却仍然无动于衷。

我于HACKJACKTHIS清了一下启动项,重新启动,发现一启动瑞星监控就被禁用了,怎么也开启不起来。检查电脑,还是查不出毒。

这次公布RAV2007一是为了救急于国人,二是顺便宣传瑞星的威力。可是我看如果不再改进,只怕此举的效果适得其反啊!
叶·幽思 - 2006-12-30 11:41:00
1、不清楚rising是否支持网络操作系统

2、未知文件名与具体路径是什么?

3、使用HJT修复相关项后要删除对应的文件,有些恶意软件隐藏了在HJT日志里看不见所以建议楼主扫SREng日志上来.
Ahtiman - 2006-12-30 11:42:00
真的吗?是不是你家电脑已经毒入膏肓拉???
黑哥001 - 2006-12-30 11:56:00
呵呵,这一阵瑞星没有前一阵子那样不尽人意,现在还可以的呀。我看你的电脑里的毒可能是鸽子。国为鸽子现在都免杀。再说象你这样不花钱得来的东西总归没有花钱买来的好,一分钱一分货吗。
小呀小顽童 - 2006-12-30 12:02:00
引用:
【Ahtiman的贴子】真的吗?是不是你家电脑已经毒入膏肓拉???
………………

新装的系统,不存在病入膏肓问题!
何况,就算再多几个病毒,也不见得能把我电脑怎么样!本人到底在计算机技术和网络上摸爬滚打不少年了。
我只是想知道事实的真相,而不是和你图口舌之争,那是毫无意义的!
与此相反,也由此反应出了你对瑞星在强毒攻击面前的极端不自信,不然何必回避正面回答?
小呀小顽童 - 2006-12-30 12:08:00
引用:
【黑哥001的贴子】呵呵,这一阵瑞星没有前一阵子那样不尽人意,现在还可以的呀。我看你的电脑里的毒可能是鸽子。国为鸽子现在都免杀。再说象你这样不花钱得来的东西总归没有花钱买来的好,一分钱一分货吗。
………………

我的资料里应该写的很清楚,我是很早以前就用序列号注册了卡卡社区的用户,而非你所言的占瑞星小便宜的人。
另外,瑞星以为是“病毒”的东西,未必不可以报“可疑”,给用户一个警醒!明明是一个有问题的文件,查杀后一点反应也没有,让用户给予了充分的信任并运行了它,实在是一件助纣为虍的事。
如果说当前向世人公布的那个免费一个月的瑞星是在“杀毒功能”和“病毒库”上有所保留的话,何不在公告上实事求是地光明正大的写明“与正版相比,杀毒功能和病毒库有所差别”呢?居心何在?
黑哥001 - 2006-12-30 12:12:00
楼主好象也是瑞星的老用户吧,和我年纪差不多,晕~~~~~~~~~~~~~~~~~
小呀小顽童 - 2006-12-30 12:14:00
引用:
【叶·幽思的贴子】1、不清楚rising是否支持网络操作系统

2、未知文件名与具体路径是什么?

3、使用HJT修复相关项后要删除对应的文件,有些恶意软件隐藏了在HJT日志里看不见所以建议楼主扫SREng日志上来.

………………

1,无从回答。
2,未知文件是my.exe.路径在桌面
3,问题并不严重,已删除掉了。在删除前曾用瑞星查无任何异相,但把副本发给瑞星另一用户代查,据报结果是染毒文件。至于上报SREng,我倒觉得不是很有必要。
作为一个论坛用户,倒是希望瑞星能完善论坛报毒功能,上传附件总是出错,令人颇为失落。
小呀小顽童 - 2006-12-30 12:16:00
引用:
【黑哥001的贴子】楼主好象也是瑞星的老用户吧,和我年纪差不多,晕~~~~~~~~~~~~~~~~~
………………

晚了你几天,你是前辈。
叶·幽思 - 2006-12-30 12:24:00
引用:
【小呀小顽童的贴子】
1,无从回答。
2,未知文件是my.exe.路径在桌面
3,问题并不严重,已删除掉了。在删除前曾用瑞星查无任何异相,但把副本发给瑞星另一用户代查,据报结果是染毒文件。至于上报SREng,我倒觉得不是很有必要。
作为一个论坛用户,倒是希望瑞星能完善论坛报毒功能,上传附件总是出错,令人颇为失落。
………………


我建议楼主扫SREng日志也是为了你能够更好的解决问题

至于上传附件出错,卡卡现在不能上传附件除了图片不是你一个人的问题.
小呀小顽童 - 2006-12-30 13:12:00
这个内容如何?
瑞星听诊信息:

未知家族病毒分析
扫描结果:
D:\WINDOWS\system\conime.exe --> 与 Backdoor.Gpigeon.Key 42%相似.


系统活动进程
D:\PROGRAM FILES\RISING\RAV1\RAVTASK.EXE
D:\PROGRAM FILES\RISING\RAV1\RAVMON.EXE
D:\WINDOWS\SYSTEM32\SMSS.EXE
D:\WINDOWS\SYSTEM32\CSRSS.EXE
D:\WINDOWS\SYSTEM32\WINLOGON.EXE
D:\WINDOWS\SYSTEM32\SERVICES.EXE
D:\WINDOWS\SYSTEM32\LSASS.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\RISING\RAV1\CCENTER.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\RAV\RSDETECT2006-03-15.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\WINDOWS\SYSTEM32\SPOOLSV.EXE
D:\WINDOWS\SYSTEM32\MSDTC.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
D:\WINDOWS\SYSTEM32\DFSSVC.EXE
D:\TEM\VRV2005\VRV2005\VRV2005\VRVMON.EXE
D:\WINDOWS\SYSTEM\CONIME.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

普通自启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xysecond = D:\TEM\VRV2005\VRV2005\VRV2005\VRVMON.EXE
RavTask = "D:\PROGRAM FILES\RISING\RAV1\RAVTASK.EXE" -SYSTEM


系统文件关联
.exe ==> exefile = "%1" %*
.com ==> comfile = "%1" %*
.cmd ==> cmdfile = "%1" %*
.bat ==> batfile = "%1" %*
.txt ==> txtfile = notepad.exe %1
.scr ==> scrfile = "%1" /S
.reg ==> regfile = regedit.exe %1
.doc ==> WINWORD.exe = D:\OFFICE2003\Office\WINWORD.exe %1

其它启动项
WIN.INI
无信息

SYSTEM.INI
SHELL = Explorer.exe
SCRNSAVE.EXE = D:\WINDOWS\system32\logon.scr


Winlogon 启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
crypt32chain = CRYPT32.DLL
cryptnet = CRYPTNET.DLL
cscdll = CSCDLL.DLL
ScCertProp = WLNOTIFY.DLL
Schedule = WLNOTIFY.DLL
sclgntfy = SCLGNTFY.DLL
SensLogn = WLNOTIFY.DLL
termsrv = WLNOTIFY.DLL
wlballoon = WLNOTIFY.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = D:\WINDOWS\SYSTEM32\USERINIT.EXE
shell = EXPLORER.EXE


IE - BHO

Winsock SPI
MSAFD Tcpip [TCP/IP] = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [UDP/IP] = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [RAW/IP] = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
RSVP UDP Service Provider = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
RSVP TCP Service Provider = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{46FE3122-F21D-44E2-939B-7CA1F139D112}] SEQPACKET 0 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{46FE3122-F21D-44E2-939B-7CA1F139D112}] DATAGRAM 0 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{39581E09-81B8-4164-9FF4-31B7E8D496A8}] SEQPACKET 1 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{39581E09-81B8-4164-9FF4-31B7E8D496A8}] DATAGRAM 1 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{474C78AD-FCF7-479B-AF1C-6D35825F5CF3}] SEQPACKET 2 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{474C78AD-FCF7-479B-AF1C-6D35825F5CF3}] DATAGRAM 2 = D:\WINDOWS\SYSTEM32\MSWSOCK.DLL

系统服务项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Alerter = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
ALG = D:\WINDOWS\SYSTEM32\ALG.EXE
AppMgmt = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
AudioSrv = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
BITS = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Browser = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
CiSvc = D:\WINDOWS\SYSTEM32\CISVC.EXE
ClipSrv = D:\WINDOWS\SYSTEM32\CLIPSRV.EXE
COMSysApp = D:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
CryptSvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Dfs = D:\WINDOWS\SYSTEM32\DFSSVC.EXE
Dhcp = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE
dmadmin = D:\WINDOWS\SYSTEM32\DMADMIN.EXE /COM
dmserver = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Dnscache = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE
ERSvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K WINERR
Eventlog = D:\WINDOWS\SYSTEM32\SERVICES.EXE
EventSystem = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
helpsvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
HidServ = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
HTTPFilter = D:\WINDOWS\SYSTEM32\LSASS.EXE
ImapiService = D:\WINDOWS\SYSTEM32\IMAPI.EXE
IsmServ = D:\WINDOWS\SYSTEM32\ISMSERV.EXE
kdc = D:\WINDOWS\SYSTEM32\LSASS.EXE
lanmanserver = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
lanmanworkstation = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
LicenseService = D:\WINDOWS\SYSTEM32\LLSSRV.EXE
LmHosts = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
Messenger = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
mnmsrvc = D:\WINDOWS\SYSTEM32\MNMSRVC.EXE
MSDTC = D:\WINDOWS\SYSTEM32\MSDTC.EXE
MSIServer = D:\WINDOWS\SYSTEM32\MSIEXEC.EXE /V
NetDDE = D:\WINDOWS\SYSTEM32\NETDDE.EXE
NetDDEdsdm = D:\WINDOWS\SYSTEM32\NETDDE.EXE
Netlogon = D:\WINDOWS\SYSTEM32\LSASS.EXE
Netman = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Nla = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
NtFrs = D:\WINDOWS\SYSTEM32\NTFRS.EXE
NtLmSsp = D:\WINDOWS\SYSTEM32\LSASS.EXE
NtmsSvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
PlugPlay = D:\WINDOWS\SYSTEM32\SERVICES.EXE
PolicyAgent = D:\WINDOWS\SYSTEM32\LSASS.EXE
ProtectedStorage = D:\WINDOWS\SYSTEM32\LSASS.EXE
RasAuto = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RasMan = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RDSessMgr = D:\WINDOWS\SYSTEM32\SESSMGR.EXE
RemoteAccess = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RemoteRegistry = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K REGSVC
RpcLocator = D:\WINDOWS\SYSTEM32\LOCATOR.EXE
RpcSs = D:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS
RsCCenter = "D:\PROGRAM FILES\RISING\RAV1\CCENTER.EXE"
RSoPProv = D:\WINDOWS\SYSTEM32\RSOPPROV.EXE
RsRavMon = "D:\PROGRAM FILES\RISING\RAV1\RAVMOND.EXE"
sacsvr = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SamSs = D:\WINDOWS\SYSTEM32\LSASS.EXE
SCardSvr = D:\WINDOWS\SYSTEM32\SCARDSVR.EXE
Schedule = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
seclogon = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SENS = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SharedAccess = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
ShellHWDetection = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Spooler = D:\WINDOWS\SYSTEM32\SPOOLSV.EXE
stisvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC
swprv = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K SWPRV
SysmonLog = D:\WINDOWS\SYSTEM32\SMLOGSVC.EXE
TapiSrv = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K TAPISRV
TermService = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K TERMSVCS
Themes = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
TlntSvr = D:\WINDOWS\SYSTEM32\TLNTSVR.EXE
TrkSvr = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
TrkWks = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Tssdis = D:\WINDOWS\SYSTEM32\TSSDIS.EXE
uploadmgr = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
UPS = D:\WINDOWS\SYSTEM32\UPS.EXE
vds = D:\WINDOWS\SYSTEM32\VDS.EXE
VSS = D:\WINDOWS\SYSTEM32\VSSVC.EXE
W32Time = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WebClient = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
WinDHCPsvc = D:\WINDOWS\SYSTEM32\RUNDLL32.EXE WINDHCP.OCX,START
WinHttpAutoProxySvc = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
winmgmt = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WmdmPmSN = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Wmi = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WmiApSrv = D:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
wuauserv = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WZCSVC = D:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS


文件驱动
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
DfsDriver = D:\WINDOWS\SYSTEM32\DRIVERS\DFS.SYS
MRxDAV = D:\WINDOWS\SYSTEM32\DRIVERS\MRXDAV.SYS
MRxSmb = D:\WINDOWS\SYSTEM32\DRIVERS\MRXSMB.SYS
NetBIOS = D:\WINDOWS\SYSTEM32\DRIVERS\NETBIOS.SYS
Rdbss = D:\WINDOWS\SYSTEM32\DRIVERS\RDBSS.SYS
Srv = D:\WINDOWS\SYSTEM32\DRIVERS\SRV.SYS


小呀小顽童 - 2006-12-30 13:12:00
系统驱动项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
ACPI = D:\WINDOWS\SYSTEM32\DRIVERS\ACPI.SYS
AFD = D:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
AsyncMac = D:\WINDOWS\SYSTEM32\DRIVERS\ASYNCMAC.SYS
atapi = D:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS
ati2mpad = D:\WINDOWS\SYSTEM32\DRIVERS\ATI2MPAD.SYS
Atmarpc = D:\WINDOWS\SYSTEM32\DRIVERS\ATMARPC.SYS
audstub = D:\WINDOWS\SYSTEM32\DRIVERS\AUDSTUB.SYS
BaseTDI = D:\WINDOWS\SYSTEM32\DRIVERS\BASETDI.SYS
Cdrom = D:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS
ClusDisk = D:\WINDOWS\SYSTEM32\DRIVERS\CLUSDISK.SYS
crcdisk = D:\WINDOWS\SYSTEM32\DRIVERS\CRCDISK.SYS
Disk = D:\WINDOWS\SYSTEM32\DRIVERS\DISK.SYS
dmboot = D:\WINDOWS\SYSTEM32\DRIVERS\DMBOOT.SYS
dmio = D:\WINDOWS\SYSTEM32\DRIVERS\DMIO.SYS
dmload = D:\WINDOWS\SYSTEM32\DRIVERS\DMLOAD.SYS
E1000 = D:\WINDOWS\SYSTEM32\DRIVERS\E1000325.SYS
ExpScaner = D:\PROGRAM FILES\RISING\RAV1\EXPSCAN.SYS
Fdc = D:\WINDOWS\SYSTEM32\DRIVERS\FDC.SYS
FsVga = D:\WINDOWS\SYSTEM32\DRIVERS\FSVGA.SYS
Ftdisk = D:\WINDOWS\SYSTEM32\DRIVERS\FTDISK.SYS
Gpc = D:\WINDOWS\SYSTEM32\DRIVERS\MSGPC.SYS
HookCont = D:\PROGRAM FILES\RISING\RAV1\HOOKCONT.SYS
HookReg = D:\PROGRAM FILES\RISING\RAV1\HOOKREG.SYS
HookSys = D:\PROGRAM FILES\RISING\RAV1\HOOKSYS.SYS
HTTP = D:\WINDOWS\SYSTEM32\DRIVERS\HTTP.SYS
i8042prt = D:\WINDOWS\SYSTEM32\DRIVERS\I8042PRT.SYS
imapi = D:\WINDOWS\SYSTEM32\DRIVERS\IMAPI.SYS
IpFilterDriver = D:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS
IpInIp = D:\WINDOWS\SYSTEM32\DRIVERS\IPINIP.SYS
IpNat = D:\WINDOWS\SYSTEM32\DRIVERS\IPNAT.SYS
IPSec = D:\WINDOWS\SYSTEM32\DRIVERS\IPSEC.SYS
isapnp = D:\WINDOWS\SYSTEM32\DRIVERS\ISAPNP.SYS
Kbdclass = D:\WINDOWS\SYSTEM32\DRIVERS\KBDCLASS.SYS
MediaDrver = D:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\YPOCALLH.SYS
MEMSCAN = D:\PROGRAM FILES\RISING\RAV1\MEMSCAN.SYS
Mouclass = D:\WINDOWS\SYSTEM32\DRIVERS\MOUCLASS.SYS
NdisTapi = D:\WINDOWS\SYSTEM32\DRIVERS\NDISTAPI.SYS
Ndisuio = D:\WINDOWS\SYSTEM32\DRIVERS\NDISUIO.SYS
NdisWan = D:\WINDOWS\SYSTEM32\DRIVERS\NDISWAN.SYS
NetBT = D:\WINDOWS\SYSTEM32\DRIVERS\NETBT.SYS
NPF = D:\WINDOWS\SYSTEM32\DRIVERS\NPF.SYS
Parport = D:\WINDOWS\SYSTEM32\DRIVERS\PARPORT.SYS
Parvdm = D:\WINDOWS\SYSTEM32\DRIVERS\PARVDM.SYS
PCI = D:\WINDOWS\SYSTEM32\DRIVERS\PCI.SYS
PCIIde = D:\WINDOWS\SYSTEM32\DRIVERS\PCIIDE.SYS
PptpMiniport = D:\WINDOWS\SYSTEM32\DRIVERS\RASPPTP.SYS
Processor = D:\WINDOWS\SYSTEM32\DRIVERS\PROCESSR.SYS
Ptilink = D:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS
RasAcd = D:\WINDOWS\SYSTEM32\DRIVERS\RASACD.SYS
Rasl2tp = D:\WINDOWS\SYSTEM32\DRIVERS\RASL2TP.SYS
RasPppoe = D:\WINDOWS\SYSTEM32\DRIVERS\RASPPPOE.SYS
Raspti = D:\WINDOWS\SYSTEM32\DRIVERS\RASPTI.SYS
RDPCDD = D:\WINDOWS\SYSTEM32\DRIVERS\RDPCDD.SYS
rdpdr = D:\WINDOWS\SYSTEM32\DRIVERS\RDPDR.SYS
redbook = D:\WINDOWS\SYSTEM32\DRIVERS\REDBOOK.SYS
RsNTGDI = D:\WINDOWS\SYSTEM32\DRIVERS\RSNTGDI.SYS
RSPPSYS = D:\PROGRAM FILES\RISING\RAV1\RSPPSYS.SYS
ScsiPort = D:\WINDOWS\SYSTEM32\DRIVERS\SCSIPORT.SYS
Secdrv = D:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS
serenum = D:\WINDOWS\SYSTEM32\DRIVERS\SERENUM.SYS
Serial = D:\WINDOWS\SYSTEM32\DRIVERS\SERIAL.SYS
SONYPVU1 = D:\WINDOWS\SYSTEM32\DRIVERS\SONYPVU1.SYS
SVKP = D:\WINDOWS\SYSTEM32\SVKP.SYS
swenum = D:\WINDOWS\SYSTEM32\DRIVERS\SWENUM.SYS
symmpi = D:\WINDOWS\SYSTEM32\DRIVERS\SYMMPI.SYS
Tcpip = D:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS
TermDD = D:\WINDOWS\SYSTEM32\DRIVERS\TERMDD.SYS
Update = D:\WINDOWS\SYSTEM32\DRIVERS\UPDATE.SYS
usbhub = D:\WINDOWS\SYSTEM32\DRIVERS\USBHUB.SYS
usbohci = D:\WINDOWS\SYSTEM32\DRIVERS\USBOHCI.SYS
USBSTOR = D:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS
VgaSave = D:\WINDOWS\SYSTEM32\DRIVERS\VGA.SYS
VolSnap = D:\WINDOWS\SYSTEM32\DRIVERS\VOLSNAP.SYS
Wanarp = D:\WINDOWS\SYSTEM32\DRIVERS\WANARP.SYS
WLBS = D:\WINDOWS\SYSTEM32\DRIVERS\WLBS.SYS
xyantivirus = D:\TEM\VRV2005\VRV2005\VRV2005\FILEMON.SYS

小呀小顽童 - 2006-12-30 13:15:00
CODE]

2006-12-30,13:03:08

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows Server 2003 Enterprise Edition  (Build 3790)
- 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <xysecond><D:\tem\VRV2005\VRV2005\vrv2005\vrvmon.exe>  [vrv]
    <RavTask><"D:\Program Files\Rising\Rav1\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><D:\WINDOWS\system32\userinit.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><235780M.BMP>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><%SystemRoot%\system32\logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}><D:\WINDOWS\system32\bdscheca100.dll>  [N/A]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><D:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <csrss><; D:\WINDOWS\csrss.exe>  [N/A]
    <System><; D:\Program Files\Common Files\System\Updaterun.exe>  [N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <Windows installer><; C:\winstall.exe>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <{202718E6-0957-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0957-2052-1008-030207290056}\Update.exe" te-110-12-0000175>  [N/A]
    <{202718E6-0958-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0958-2052-1008-030207290056}\Update.exe" te-110-12-0000175>  [N/A]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <D:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"D:\Program Files\Rising\Rav1\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon][Stopped/Auto Start]
  <"D:\Program Files\Rising\Rav1\Ravmond.exe"><N/A>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
  <D:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>

==================================
驱动程序
[ati2mpad / ati2mpad][Running/Manual Start]
  <system32\DRIVERS\ati2mpad.sys><ATI Technologies Inc.>
[BaseTDI / BaseTDI][Running/Auto Start]
  <\??\D:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO/1000 Device Driver / E1000][Running/Manual Start]
  <system32\DRIVERS\e1000325.sys><Intel Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\HookSys.sys><Rising>
[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]
  <system32\DRIVERS\ipinip.sys><N/A>
[MicroSoft Media Services / MediaDrver][Stopped/Manual Start]
  <\??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YpOCalLH.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\MEMSCAN.sys><瑞星软件有限公司>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\DRIVERS\npf.sys><CACE Technologies>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\D:\Program Files\Rising\Rav1\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[SVKP / SVKP][Running/Auto Start]
  <\??\D:\WINDOWS\system32\SVKP.sys><AntiCracking>
[symmpi / symmpi][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\symmpi.sys><LSI Logic>
[xyfilemon / xyantivirus][Running/Auto Start]
  <\??\D:\tem\VRV2005\VRV2005\vrv2005\filemon.sys><BXY>

==================================
浏览器加载项
[@shdoclc.dll,-866]
  {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[上传到QQ网络硬盘]
  <D:\Program Files\Tencent\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
  <D:\Program Files\Tencent\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Program Files\Tencent\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Program Files\Tencent\QQ\SendMMS.htm, N/A>

==================================
正在运行的进程
[PID: 404][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 464][\??\D:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 488][\??\D:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 540][D:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 552][D:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 748][D:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 796][D:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 916][D:\Program Files\Rising\Rav1\CCenter.exe]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 980][D:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1080][D:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1120][D:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1344][D:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1380][D:\WINDOWS\system32\msdtc.exe]  [Microsoft Corporation, 2001.12.4720.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1492][D:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
[PID: 1568][D:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1912][D:\WINDOWS\system32\Dfssvc.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
[PID: 2044][D:\tem\VRV2005\VRV2005\vrv2005\vrvmon.exe]  [vrv, 1, 0, 0, 1]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\tem\VRV2005\VRV2005\vrv2005\vrvmonsc.dll]  [BeiXinYuan, 1, 0, 0, 1]
    [D:\tem\VRV2005\VRV2005\vrv2005\vrvcfg.dll]  [N/A, N/A]
    [D:\tem\VRV2005\VRV2005\vrv2005\vrvdll.dll]  [N/A, N/A]
    [D:\tem\VRV2005\VRV2005\vrv2005\UNARJ.dll]  [N/A, N/A]
    [D:\tem\VRV2005\VRV2005\vrv2005\UNZIP.dll]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
[PID: 216][D:\Program Files\Rising\Rav1\RavTask.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [D:\Program Files\Rising\Rav1\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [D:\Program Files\Rising\Rav1\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [D:\Program Files\Rising\Rav1\RsCommX.dll]  [rising, 18, 0, 0, 1]
小呀小顽童 - 2006-12-30 13:15:00
[D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
[PID: 340][D:\Program Files\Rising\Rav1\Ravmon.exe]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
    [D:\Program Files\Rising\Rav1\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 28]
    [D:\Program Files\Rising\Rav1\BWList.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 6]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RSAPPMGR.DLL]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 2]
    [D:\Program Files\Rising\Rav1\CfgDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 13]
    [D:\Program Files\Rising\Rav1\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
    [D:\Program Files\Rising\Rav1\RsCommX.dll]  [rising, 18, 0, 0, 1]
    [D:\Program Files\Rising\Rav1\RsXML.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
    [D:\Program Files\Rising\Rav1\PngDll.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
[PID: 1044][D:\WINDOWS\explorer.exe]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
    [D:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [D:\winrar\rarext.dll]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1616][D:\WINDOWS\system32\wbem\wmiprvse.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
[PID: 804][D:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [D:\WINDOWS\system32\001836F9.IME]  [LongWen Corporation, 3.8.200]
    [D:\WINDOWS\system32\icm32.dll]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 2772][D:\WINDOWS\system\conime.exe]  [N/A, N/A]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
[PID: 3912][D:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
    [D:\WINDOWS\system32\001836F9.IME]  [LongWen Corporation, 3.8.200]
[PID: 1316][D:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]
    [D:\Program Files\Rising\Rav1\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [D:\WINDOWS\system32\001836F9.IME]  [LongWen Corporation, 3.8.200]
    [D:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx]  [Adobe Systems, Inc., 9,0,28,0]
[PID: 2172][D:\RAV\SRENG\SREng.EXE]  [Smallfrogs Studio, 2.3.13.690]
    [D:\WINDOWS\235780M.BMP]  [N/A, N/A]
    [D:\WINDOWS\system32\windhcp.ocx]  [N/A, N/A]
    [D:\WINDOWS\system32\bdscheca100.dll]  [N/A, N/A]

==================================
文件关联
.TXT  Error. [notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  Error. [regedit.exe %1]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. [D:\WINDOWS\hh.exe %1]
.HLP  Error. [D:\WINDOWS\winhlp32.exe %1]
.INI  Error. [notepad.exe %1]
.INF  Error. [D:\WINDOWS\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================


[/CODE]
小呀小顽童 - 2006-12-30 13:18:00
这是进程中的那个图片。

附件: 34650520061230130905.BMP
小呀小顽童 - 2006-12-30 13:20:00
该图片名为235780M.BMP,属性HS,64K大小。打开后无任何反应。
在网上发了,你看也不显示图片。
现在一些家伙把EXE等文件捆绑图片之中,只留图片的文件头,而且可以执行,真是可恶。
小呀小顽童 - 2006-12-30 13:46:00

怎么没答案?
小呀小顽童 - 2006-12-30 13:52:00
???已有扫描结果,为何没有答案?
小呀小顽童 - 2006-12-30 14:42:00
???
小呀小顽童 - 2006-12-30 15:01:00
怎么没人回答一下
baohe - 2006-12-30 15:18:00
【回复“小呀小顽童”的帖子】



病毒/木马的加载项:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><235780M.BMP> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}><D:\WINDOWS\system32\bdscheca100.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<csrss><; D:\WINDOWS\csrss.exe> [N/A]
<System><; D:\Program Files\Common Files\System\Updaterun.exe> [N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<Windows installer><; C:\winstall.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<{202718E6-0957-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0957-2052-1008-030207290056}\Update.exe" te-110-12-0000175> [N/A]
<{202718E6-0958-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0958-2052-1008-030207290056}\Update.exe" te-110-12-0000175> [N/A]

木马服务:

[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<D:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>

病毒/木马驱动:
[MicroSoft Media Services / MediaDrver][Stopped/Manual Start]
<\??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YpOCalLH.sys><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\DRIVERS\npf.sys><CACE Technologies>
[SVKP / SVKP][Running/Auto Start]
<\??\D:\WINDOWS\system32\SVKP.sys><AntiCracking>

被病毒/木马插入的进程:
[PID: 488][\??\D:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 540][D:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 552][D:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 748][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 796][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 916][D:\Program Files\Rising\Rav1\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 980][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1080][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1120][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1344][D:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1380][D:\WINDOWS\system32\msdtc.exe] [Microsoft Corporation, 2001.12.4720.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1492][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1568][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1912][D:\WINDOWS\system32\Dfssvc.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 2044][D:\tem\VRV2005\VRV2005\vrv2005\vrvmon.exe] [vrv, 1, 0, 0, 1]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 216][D:\Program Files\Rising\Rav1\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 340][D:\Program Files\Rising\Rav1\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1044][D:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1616][D:\WINDOWS\system32\wbem\wmiprvse.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 804][D:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 2772][D:\WINDOWS\system\conime.exe] [N/A, N/A]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 3912][D:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1316][D:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 2172][D:\RAV\SRENG\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]

被篡改的文件关联:
.TXT Error. [notepad.exe %1]
.REG Error. [regedit.exe %1]
.CHM Error. [D:\WINDOWS\hh.exe %1]
.HLP Error. [D:\WINDOWS\winhlp32.exe %1]
.INI Error. [notepad.exe %1]
.INF Error. [D:\WINDOWS\NOTEPAD.EXE %1]



小呀小顽童 - 2006-12-30 16:45:00
引用:
【baohe的贴子】【回复“小呀小顽童”的帖子】



病毒/木马的加载项:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><235780M.BMP> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}><D:\WINDOWS\system32\bdscheca100.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<csrss><; D:\WINDOWS\csrss.exe> [N/A]
<System><; D:\Program Files\Common Files\System\Updaterun.exe> [N/A]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<Windows installer><; C:\winstall.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<{202718E6-0957-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0957-2052-1008-030207290056}\Update.exe" te-110-12-0000175> [N/A]
<{202718E6-0958-2052-1008-030207290056}><; "D:\Program Files\Common Files\{202718E6-0958-2052-1008-030207290056}\Update.exe" te-110-12-0000175> [N/A]

木马服务:

[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<D:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>

病毒/木马驱动:
[MicroSoft Media Services / MediaDrver][Stopped/Manual Start]
<\??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YpOCalLH.sys><N/A>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\DRIVERS\npf.sys><CACE Technologies>
[SVKP / SVKP][Running/Auto Start]
<\??\D:\WINDOWS\system32\SVKP.sys><AntiCracking>

被病毒/木马插入的进程:
[PID: 488][\??\D:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 540][D:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 552][D:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 748][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 796][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 916][D:\Program Files\Rising\Rav1\CCenter.exe] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 3]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 980][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1080][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1120][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1344][D:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1380][D:\WINDOWS\system32\msdtc.exe] [Microsoft Corporation, 2001.12.4720.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1492][D:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[PID: 1568][D:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 1912][D:\WINDOWS\system32\Dfssvc.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 2044][D:\tem\VRV2005\VRV2005\vrv2005\vrvmon.exe] [vrv, 1, 0, 0, 1]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 216][D:\Program Files\Rising\Rav1\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 340][D:\Program Files\Rising\Rav1\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 36]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1044][D:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1616][D:\WINDOWS\system32\wbem\wmiprvse.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[PID: 804][D:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 2772][D:\WINDOWS\system\conime.exe] [N/A, N/A]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 3912][D:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 1316][D:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.3790.0 (srv03_rtm.030324-2048)]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]
[PID: 2172][D:\RAV\SRENG\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[D:\WINDOWS\235780M.BMP] [N/A, N/A]
[D:\WINDOWS\system32\windhcp.ocx] [N/A, N/A]
[D:\WINDOWS\system32\bdscheca100.dll] [N/A, N/A]

被篡改的文件关联:
.TXT Error. [notepad.exe %1]
.REG Error. [regedit.exe %1]
.CHM Error. [D:\WINDOWS\hh.exe %1]
.HLP Error. [D:\WINDOWS\winhlp32.exe %1]
.INI Error. [notepad.exe %1]
.INF Error. [D:\WINDOWS\NOTEPAD.EXE %1]




………………

p这么严重我怎么办啊?
瑞星查电脑,根本无毒啊。
叶·幽思 - 2006-12-30 16:47:00
引用:
【小呀小顽童的贴子】p这么严重我怎么办啊?
瑞星查电脑,根本无毒啊。

………………


rising能查出来还要这个反病毒版做什么?
独孤豪侠 - 2006-12-30 16:54:00
无语.....这么多.格盘重装算了....
汗.......
高歌猛进 - 2006-12-30 16:55:00
置顶下载IceSword删除,使用方法也见置顶
小呀小顽童 - 2006-12-30 16:56:00
引用:
【叶·幽思的贴子】

rising能查出来还要这个反病毒版做什么?
………………

呵呵~~
有道理,我怎么一直没想到。
到底是出神入化的大侠,高屋见瓴,令我们大开眼界。
小呀小顽童 - 2006-12-30 16:57:00
引用:
【高歌猛进的贴子】置顶下载IceSword删除,使用方法也见置顶
………………

多谢,我已经搞定了一部分了。
叶·幽思 - 2006-12-30 17:03:00
D:\WINDOWS\235780M.BMP

这个文件推荐使用killbox替换此文件后删除.

小呀小顽童 - 2006-12-30 17:12:00
引用:
【叶·幽思的贴子】D:\WINDOWS\235780M.BMP

这个文件推荐使用killbox替换此文件后删除.


………………

WIN2003下KILLBOX不可用。

此文件非常难删除,一删除马上就出现了。网上对此有专门对策,现在已解决此文件的问题。其他文件的问题尚未解决。
其实目前虽然中毒较深,但电脑上网打字等无论速度还是应用都无任何影响。
afkp4e7 - 2006-12-30 17:22:00
PendMove延时删除
http://www.kztechs.com/pendmove/pendmove.zip
12
查看完整版本: 失望于2007
© 2000 - 2026 Rising Corp. Ltd.