Rising KaKa Security Forum

Help! wintems.exe, winupgro.exe and others disable my firewall's network protection after boot; what should I do?
dianadiao - 2009-4-1 1:49:00
Hello friends! My computer is infected with a virus or trojan: wintems.exe, winupgro.exe and so on. After two or three days of struggling, a Rising scan in safe mode, Windows 清理助手 (Windows Cleanup Assistant), XDelBox 1.8 剑盟版 and other tools seem to have killed them. Along the way the Task Manager was also removed: it was reported as a suspicious program (I thought it was a fake Task Manager), so I chose to delete it, and now when I press Ctrl+Alt+Delete the Task Manager no longer appears. After all that I scanned again separately with Windows Cleanup Assistant, sreng2, Rising KaKa and Rising Antivirus, and they all say there are no problems. But my Rising firewall still has its network protection disabled (right after it opens it is normal, then in an instant it turns grey, and it cannot be switched on manually). When I open IE, two windows open side by side, like a double eyelid. I have been tormented so much I don't know whether to laugh or cry. I think those damn trojans can change themselves so that they fool these scanning tools. How can I get out of this misery?

Below are the records of several of my scans:
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-30 23:13
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\DRVSYSKIT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GERMAN.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-30 23:13
[Maybe Useless object]
C:\WINDOWS\SYSTEM32\WINTEMS.EXE

[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 10:55
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\DRVSYSKIT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GERMAN.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 10:55
[Trojan.ttservices.apcdli]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69B26E06-3718-496B-B77A-4BF5609E828F}\RP434\A0163771.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69B26E06-3718-496B-B77A-4BF5609E828F}\RP434\A0163772.SYS
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 10:55
[Maybe Useless object]
C:\WINDOWS\SYSTEM32\WINTEMS.EXE

[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:02
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\DRVSYSKIT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GERMAN.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:02
[Maybe Useless object]
C:\WINDOWS\SYSTEM32\WINTEMS.EXE


[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:35
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\DRVSYSKIT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GERMAN.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:35
[Maybe Useless object]
C:\WINDOWS\SYSTEM32\WINTEMS.EXE

I just scanned once more and only found a small problem with file associations, which I fixed.
Below are screenshots. I don't know whether an expert can save me; thanks in advance.
User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322)
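The four scan records above list the same Run-key value, the same SROSA service (under ControlSet001, ControlSet003 and CurrentControlSet) and the same WINTEMS.EXE file every time, which is the evidence behind the poster's suspicion that the cleanup is not sticking. The following parser and recurrence check is an added example, not code from the thread or from Rising; it reads the record layout shown above (version header, timestamp, bracketed detection name, one key or path per line), folds the ControlSet variants of one service path into a single key, and reports which entries every scan reported. The embedded sample reproduces two of the poster's scan runs and is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Rising scan records quoted above:
# a bracketed engine/library version header, a timestamp, a bracketed detection
# name, then one registry key or file path per line. The entries are the ones
# the poster's log lists; only two of the scan runs are reproduced here.
SAMPLE_LOG = """\
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-30 23:13
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\DRVSYSKIT
HKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET001\\ENUM\\ROOT\\LEGACY_SROSA
HKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET001\\SERVICES\\SROSA
HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-30 23:13
[Maybe Useless object]
C:\\WINDOWS\\SYSTEM32\\WINTEMS.EXE

[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:35
[Trojan.srosa.hidr]
HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\DRVSYSKIT
HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SROSA
[2.8.2.8.1115 - 2.8.83.9.0329]
2009-03-31 11:35
[Maybe Useless object]
C:\\WINDOWS\\SYSTEM32\\WINTEMS.EXE
"""

HEADER_RE = re.compile(r"^\[[\d.]+ - [\d.]+\]$")
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")
LABEL_RE = re.compile(r"^\[(.+)\]$")
# ControlSet001/ControlSet003/CurrentControlSet are views of the same service
# configuration (CurrentControlSet is a link to one of the numbered sets), so
# they are folded into one key before counting recurrence.
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(CONTROLSET\d{3}|CURRENTCONTROLSET)\\")


def parse_records(text):
    """Split a Rising scan log into records of the form {"time", "label", "items"}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            cur = {"time": None, "label": None, "items": []}
            records.append(cur)
        elif cur is None:
            continue  # text before the first header is ignored
        elif cur["time"] is None and TIME_RE.match(line):
            cur["time"] = line
        elif cur["label"] is None and LABEL_RE.match(line):
            cur["label"] = LABEL_RE.match(line).group(1)
        else:
            cur["items"].append(line)
    return records


def canonical(item):
    """Fold the ControlSet variants of one registry path into a single key."""
    return CONTROLSET_RE.sub(r"\\SYSTEM\\<CONTROLSET>\\", item.upper())


def classify(item):
    """Name the persistence mechanism an entry represents."""
    u = item.upper()
    if "\\CURRENTVERSION\\RUN\\" in u:
        return "autorun"             # Run key: launched at every logon
    if "\\SERVICES\\" in u:
        return "service"             # service/driver entry started by the SCM
    if "\\ENUM\\ROOT\\LEGACY_" in u:
        return "legacy-device-node"  # PnP node left behind by a kernel driver
    return "file"


def scan_times(records):
    return sorted({r["time"] for r in records if r["time"]})


def recurrence(records):
    """Map each canonical entry to the set of scan timestamps it appeared in."""
    seen = defaultdict(set)
    for r in records:
        for item in r["items"]:
            seen[canonical(item)].add(r["time"])
    return seen


def persistent_items(records):
    """Entries that every scan in the log reported: removal is not taking effect."""
    times = set(scan_times(records))
    return sorted(k for k, v in recurrence(records).items() if v == times)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for item in persistent_items(recs):
        print(f"{classify(item):20} {item}")
```

Run on the sample, the script lists three entries that survived every scan: the WINTEMS.EXE file, the DRVSYSKIT Run value and the SROSA service. An entry that recurs across scans on different days, especially an autorun plus a service pair, is the signal that something is re-creating it, and is the point at which an offline scan or a reinstall (as the moderator eventually helped with remotely) becomes the sensible next step rather than another in-place scan.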
musicname - 2009-4-1 3:53:00
This user's post has been hidden.
dianadiao - 2009-4-1 4:41:00
What do you suggest I do?
万事达 - 2009-4-1 9:21:00
Upload the scan logs as attachments in a reply, or post them in the anti-virus section.
dianadiao - 2009-4-1 18:31:00
Thank you!

Attachment: 0_200903302258320328ARSP BACKUP.zip

Attachment: arswp 扫描日至以及生成结果文件.rar

Attachment: SREngLOG1-12.rar
dianadiao - 2009-4-1 18:47:00
Expert friends, please take a look and see whether my system can be saved. I don't want to reinstall the system......
dianadiao - 2009-4-1 19:28:00
Also, how do I restore my Task Manager? I deleted it by mistake......
dianadiao - 2009-4-1 23:07:00
I have already got the Task Manager back from another computer. Now it is just the damn trojan program that is still messing with the browser and the firewall, and I can't catch it.......
水中蝌蚪 - 2009-4-2 9:30:00
I don't see anything abnormal in the logs. Try uninstalling the firewall, reinstalling it with the network disconnected, then connecting and updating.

Does IE pop up two IE windows as soon as it is opened?
dianadiao - 2009-4-2 10:22:00
Thank you very much for your reply.
I set IE to a blank home page, but when it opens the following happens:
        after about 20 seconds it is normal
In addition, I am now detecting the following:

I took screenshots of the problems the scan found; see the attachment.

Attachment: 诊断结果切图.rar
万事达 - 2009-4-2 10:44:00
The sample you uploaded has a password; re-upload it or provide the password.

Add my QQ: 86898582
dianadiao - 2009-4-2 11:30:00
Hello, moderator. I didn't encrypt that file. Maybe it is encrypted by default?///////// I'm confused.
dianadiao - 2009-4-3 9:52:00
When I logged into QQ just now, QQ Doctor ran; below are its suspicious-file scan results:

c:\program files\enigma software group\spyhunter\spyhuntermonitor.dll
c:\windows\ying-uninstall.exe
c:\windows\system32\wnpont.dll
c:\windows\system32\picformat32.dll
c:\windows\system32\drivers\down\1142750.exe
c:\windows\system32\drivers\down\417984.exe

Below are some things from foreign websites that I did not understand:
Infected by winupgro.exe and other viruses (Infecté par winupgro.exe et autre virus) - 30 Dec 2008 ... [29/12/2008 16:32] - C:\Documents and Settings\pablo\Application Data\drivers\downld\1142750.exe. Found ! [29/12/2008 16:32] - C:\Documents ...
www.pcentraide.com/index.php?showtopic=108789
http://www.google.cn/search?hl=zh-CN&rlz=1T4CULB_zh-CNCN265CN265&newwindow=1&q=417984.exe&btnG=Google+%E6%90%9C%E7%B4%A2&meta=lr%3Dlang_zh-CN%7Clang_zh-TW&aq=f&oq=
http://img2.tapuz.co.il/forums/1_126482143.doc 

I just downloaded HJTInstall.exe.
The scan results are as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:44, on 2009-4-3
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\Program Files\Rising\Rfw\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Rising\Rfw\RsTray.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\360safe\safemon\360Tray.exe
C:\Program Files\Rising\Rfw\RavTask.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll_1.dll
O2 - BHO: WebDetectorBHO - {43BEAFD9-E005-483D-A367-146BA6C8A32E} - C:\Program Files\Tudou\飞速Tudou\tudouDetector.dll
O2 - BHO: 卡卡上网安全助手 - {98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} - C:\WINDOWS\system32\UrlFilter.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360safe\safemon\safemon.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [RFWTray] "C:\Program Files\Rising\Rfw\RsTray.exe" -system
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\safeboxTray.exe" /r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &U使用纳米机器人下载并收藏 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: 使用快车(Flas&hGet)下载 - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用flvcd下载本页的视频 - C:\Program Files\flvcd\flvcd_link.htm
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选取内容为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选取内容到现有的 PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接到 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接到现有的 PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标到现有的 PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 追加到现有的 PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: 联想 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {5AB9367B-DD7F-411D-A030-DF7DE5E17AAE} (ICBC Security Ctrl) - http://securitycheck.icbc.com.cn/download/NetBankSecurity_cn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221863417312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221863488453
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
O16 - DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} (ScreenCapture Class) - http://m136.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
O20 - AppInit_DLLs: kmon.dll
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Rfw Process Communication Center (RfwCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\CCENTER.EXE
O23 - Service: Rising RfwTask Manager (RfwTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\RavTask.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
--
End of file - 8778 bytes
Friends and teachers, please help me with some pointers, thanks.
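The HijackThis log above is the kind of listing that forum helpers read by eye, section by section (O4 autoruns, O20 AppInit_DLLs, O23 services, and entries whose file is missing). The triage script below is an added example, not code from the thread, from Trend Micro or from Rising: it parses the `Oxx - ...` lines and applies a few review rules, flagging dangling references, any non-empty AppInit_DLLs value, autoruns that match the names reported by the poster's Rising scans, and services with no vendor string or a binary under a `drivers\down` folder. The embedded log is constructed for the example; most of its lines are copied from the poster's log, while the `[drvsyskit]` Run entry and the `Example Svc` service are made up so that every rule fires. Treating HijackThis's "Unknown owner" as the wording for a missing company name is an assumption.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Rising scan output quoted earlier in the thread
# (Run-key value names and the file Rising flagged), lower-cased for matching.
THREAD_INDICATORS = {"wintems.exe", "winupgro.exe", "german.exe", "drvsyskit"}

# Constructed sample in HijackThis v2.0.2 layout. Most lines are copied from the
# poster's log; the [drvsyskit] Run entry and the "Example Svc" service are
# constructed so that each triage rule below fires at least once.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [RavTray] "C:\\Program Files\\Rising\\Rav\\RsTray.exe" -system
O4 - HKCU\\..\\Run: [drvsyskit] C:\\WINDOWS\\system32\\wintems.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: Lenovo - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O20 - AppInit_DLLs: kmon.dll
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\\Program Files\\Rising\\Rav\\ScanFrm.exe
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\down\\417984.exe
--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.*) \((?P<name>[^()]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    rule: str    # which triage rule fired
    detail: str  # the entry body, for the analyst


def parse_entries(text):
    """Return (section, body) pairs for every 'Oxx - ...' line in a HijackThis log."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def _exe_from_target(target):
    """Strip quoting and arguments from an O4 command line, keeping the executable."""
    m = re.match(r'^"([^"]+)"|^(\S+)', target)
    return (m.group(1) or m.group(2)) if m else target


def triage(text):
    findings = []
    for section, body in parse_entries(text):
        lower = body.lower()
        # Rule 1: dangling references survive clean-ups and clutter later reviews.
        if "(no file)" in lower or "(file missing)" in lower:
            findings.append(Finding(section, "dangling-reference", body))
        # Rule 2: AppInit_DLLs is loaded into every process that links user32.dll,
        # so any non-empty value needs its origin verified.
        if section == "O20" and lower.startswith("appinit_dlls:") and lower.split(":", 1)[1].strip():
            findings.append(Finding(section, "appinit-dll", body))
        # Rule 3: autorun whose value name or executable matches an indicator from the scans.
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = _exe_from_target(m.group("target")).lower()
                base = exe.rsplit("\\", 1)[-1]
                if m.group("name").lower() in THREAD_INDICATORS or base in THREAD_INDICATORS:
                    findings.append(Finding(section, "known-indicator", body))
        # Rule 4: service with no vendor string ("Unknown owner" assumed to be
        # HijackThis's wording for a missing company name) or a binary under drivers\down.
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m and (m.group("vendor") == "Unknown owner" or "\\drivers\\down\\" in m.group("path").lower()):
                findings.append(Finding(section, "unverified-service", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.rule:20} {f.detail}")
```

The rules only rank entries for a human to look at; a flag is a reason to check the file's origin and signature, not a verdict. The `known-indicator` list is deliberately narrow, containing only names the poster's own scan output reported, which is how a helper would tie a HijackThis listing back to the earlier Rising detections.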
dianadiao - 2009-4-3 10:15:00

Quote:
Originally posted by 万事达 on 2009-4-2 10:44:00
The sample you uploaded has a password; re-upload it or provide the password.

Add my QQ: 86898582

Thank you, moderator 万事达, for taking the trouble to help me remotely and solving the problem that tormented me for days!!
IE is normal now, and the firewall is running normally too. With Rising software's protection, I feel at ease.
Thanks again to the KaKa forum, and even more to the kind moderator 万事达!