高手帮忙看看怎么解决这个病毒啊在线等啊谢谢 bbs.ikaka.com

25254426 - 2007-1-7 21:36:00

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<bgswitch><C:\WINDOWS\system32\bgswitch.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Alcmtr><ALCMTR.EXE> [(Verified)Realtek Semiconductor Corp.]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
<FixCamera><C:\WINDOWS\FixCamera.exe> []
<runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[53E42BF8 / 53E42BF8]
<C:\WINDOWS\system32\53E42BF8.EXE -service><Microsoft Corporation>
[8106B4F6 / 8106B4F6]
<C:\WINDOWS\system32\8106B4F6.EXE -service><Microsoft Corporation>
[ASP.NET State Service / aspnet_state]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Vsn cvwm Service / cvwm]
<C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\COMMON~1\ibss\pigw.dll,Service><Microsoft Corporation>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Remote Registry Protect / Investor]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\oxfua.dll><Microsoft Corporation>
[LightScribeService Direct Disc Labeling Service / LightScribeService]
<"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Routing Protect Access / SOCEESe]
<C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\MKBWB.DLL,Export 1087><N/A>

==================================
驱动程序
[Rising TDI Base Driver / BaseTDI]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[dump_wmimmc / dump_wmimmc]
<2 - 系统找不到指定的文件。
><N/A>
[ExpScaner / ExpScaner]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookCont / HookCont]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[Kernel Mode service / HookDrv]
<\??\F:\fcz048\HookDrv.sys><N/A>
[HookReg / HookReg]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl]
<\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[kwiw / kwiwv]
<\SystemRoot\System32\DRIVERS\kwiwv.sys><N/A>
[MEMSCAN / MEMSCAN]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs]
<\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc]
<system32\drivers\pfc.sys><Padus, Inc.>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsFwDrv / RsFwDrv]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS]
<\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp]
<system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
<system32\DRIVERS\secdrv.sys><N/A>
[USB PC Camera (SNPSTD3) / SNPSTD3]
<system32\DRIVERS\snpstd3.sys><N/A>
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

红夜鬼1 - 2007-1-7 21:46:00

运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
53E42BF8
8106B4F6
Vsn cvwm Service
Remote Registry Protect
Routing Protect Access
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
C:\WINDOWS\SYSTEM32\WBEM\MKBWB.DLL
C:\WINDOWS\system32\oxfua.dll
C:\PROGRA~1\COMMON~1\ibss\pigw.dll
C:\WINDOWS\system32\53E42BF8.EXE
C:\WINDOWS\system32\8106B4F6.EXE

25254426 - 2007-1-7 22:32:00

无法运行SRENG2这个命令

红夜鬼1 - 2007-1-7 22:39:00

引用:

【25254426的贴子】无法运行SRENG2这个命令
………………

就是你上面扫描日志用的软件

25254426 - 2007-1-7 23:08:00

高手给个SRENG2的下载地址

红夜鬼1 - 2007-1-7 23:09:00

引用:

【25254426的贴子】
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<bgswitch><C:\WINDOWS\system32\bgswitch.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Alcmtr><ALCMTR.EXE> [(Verified)Realtek Semiconductor Corp.]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
<RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
<FixCamera><C:\WINDOWS\FixCamera.exe> []
<runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[53E42BF8 / 53E42BF8]
<C:\WINDOWS\system32\53E42BF8.EXE -service><Microsoft Corporation>
[8106B4F6 / 8106B4F6]
<C:\WINDOWS\system32\8106B4F6.EXE -service><Microsoft Corporation>
[ASP.NET State Service / aspnet_state]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Vsn cvwm Service / cvwm]
<C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\COMMON~1\ibss\pigw.dll,Service><Microsoft Corporation>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Remote Registry Protect / Investor]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\oxfua.dll><Microsoft Corporation>
[LightScribeService Direct Disc Labeling Service / LightScribeService]
<"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[NVIDIA Display Driver Service / NVSvc]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Rising Proxy Service / RfwProxySrv]
<c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
<c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Routing Protect Access / SOCEESe]
<C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\MKBWB.DLL,Export 1087><N/A>

==================================
驱动程序
[Rising TDI Base Driver / BaseTDI]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[dump_wmimmc / dump_wmimmc]
<2 - 系统找不到指定的文件。
><N/A>
[ExpScaner / ExpScaner]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookCont / HookCont]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[Kernel Mode service / HookDrv]
<\??\F:\fcz048\HookDrv.sys><N/A>
[HookReg / HookReg]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[HookUrl / HookUrl]
<\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[kwiw / kwiwv]
<\SystemRoot\System32\DRIVERS\kwiwv.sys><N/A>
[MEMSCAN / MEMSCAN]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs]
<\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[npkcrypt / npkcrypt]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc]
<system32\drivers\pfc.sys><Padus, Inc.>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RsFwDrv / RsFwDrv]
<\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS]
<\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp]
<system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv]
<system32\DRIVERS\secdrv.sys><N/A>
[USB PC Camera (SNPSTD3) / SNPSTD3]
<system32\DRIVERS\snpstd3.sys><N/A>
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
………………

就这用的软件
下载地址
http://www.kztechs.com/sreng/download.html

妖狐藏马1 - 2007-1-8 0:09:00

各位高手大哥大姐小弟在者有理了我发现有好多高手怎么老是叫人把日志贴上来呢可是我门菜鸟把日志贴上来了在找高手没有了就不关了这是怎么回事啊我就不明白了我门贴上来了日志是叫你看看那个是病毒那不是啊为什么你们就不管了呢啊只是混点积分和经验吗我就不明白了我希望各位高手不要那样这只是小弟的个人看法不要责怪小弟哦我希望各位高手给点实际的回答小弟在着谢谢了也替各位菜鸟谢谢了

afkp4e7 - 2007-1-8 8:16:00

引用:

【红夜鬼1的贴子】运行(双击)SRENG2，点“启动项目，服务，点“Win32服务应用程序”
勾选“隐藏微软服务”选中病毒服务
53E42BF8
8106B4F6
Vsn cvwm Service
Remote Registry Protect
Routing Protect Access
，选择“删除服务”
点“设置”选择“否”
重启按F８进入安全模式下
显示隐藏文件
删除：
C:\WINDOWS\SYSTEM32\WBEM\MKBWB.DLL
C:\WINDOWS\system32\oxfua.dll
C:\PROGRA~1\COMMON~1\ibss\pigw.dll
C:\WINDOWS\system32\53E42BF8.EXE
C:\WINDOWS\system32\8106B4F6.EXE
………………

这已经帮你都详细写了处理方法
扫描日志只是System Repair Engineer的一个功能
System Repair Engineer简称sreng2

附件: 79532220071880742.JPG

瑞星卡卡安全论坛