123   2  /  3  页   跳转

求助!在线等高手帮忙解决.

收藏
一只会飞的猪
头像
初生襁褓狮
  • 帖子:70
  • 注册: 2005-07-21
  • 来自:
发表于: 2006-02-10 17:12 | 只看楼主 短消息 资料
字号: 11楼

晓得在那里关了..高兴..但是.不言放弃
http://forum.ikaka.com/topic.asp?board=28&artid=7133966

这是个后门。卡巴斯基命名为Backdoor.Win32.PcClient.ck。

查杀过程:

1、结束病毒进程dll.exe和系统进程spoolsv.exe(被病毒插入)。

2、删除下列文件:

C:\windows\system32\00007981.dll
C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\153.tmp
我找过这些文件夹.找不到这些文件.咋办?
gototop
 
不言放弃
头像
社区嘉宾
  • 帖子:30678
  • 注册: 2004-09-17
  • 来自:蓝色星球
发表于: 2006-02-10 17:14 | 短消息 资料
字号: 12楼

引用:
【一只会飞的猪的贴子】晓得在那里关了..高兴..但是.不言放弃
http://forum.ikaka.com/topic.asp?board=28&artid=7133966

这是个后门。卡巴斯基命名为Backdoor.Win32.PcClient.ck。

查杀过程:

1、结束病毒进程dll.exe和系统进程spoolsv.exe(被病毒插入)。

2、删除下列文件:

C:\windows\system32\00007981.dll
C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\153.tmp
我找过这些文件夹.找不到这些文件.咋办?
...........................

C:\Documents and Settings\当前用户名\Local Settings\Temp是IE临时文件夹
属性是隐藏

附件附件:

下载次数:98
文件类型:image/pjpeg
文件大小:
上传时间:2006-2-10 17:14:16
描述:
gototop
 
一只会飞的猪
头像
初生襁褓狮
  • 帖子:70
  • 注册: 2005-07-21
  • 来自:
发表于: 2006-02-10 17:16 | 只看楼主 短消息 资料
字号: 13楼

加我QQ行不??12740342
gototop
 
影子110
头像
叱咤花甲狮
  • 帖子:4210
  • 注册: 2005-04-10
  • 来自:怀黯
发表于: 2006-02-10 17:22 | 短消息 资料
字号: 14楼

以后要记得给系统盘做个GHOST备份~或用其它备份软件亦可~~(在系统最干净、常用软件已经安装 且已经更新至最新的时候,)
这样在电脑有麻烦的时候不至于会这么烦~~~
只要把盘上的重要数据做一下备份转移,再用还原软件恢复系统盘为初始状态,哪个盘上有删不去的病毒,格哪个盘(这是最简单,也是最笨的办法了~~
gototop
 
一只会飞的猪
头像
初生襁褓狮
  • 帖子:70
  • 注册: 2005-07-21
  • 来自:
发表于: 2006-02-10 17:28 | 只看楼主 短消息 资料
字号: 15楼

还是没有找到:\windows\system32\00007981.dll
C:\Documents and Settings\当前用户名\Local Settings\Temp\151.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\152.tmp
C:\Documents and Settings\当前用户名\Local Settings\Temp\153.
gototop
 
BlackStone
头像
叱咤花甲狮
  • 帖子:2616
  • 注册: 2005-09-27
  • 来自:
发表于: 2006-02-10 17:29 | 短消息 资料
字号: 16楼

Autoruns保存一个日志发上来
日志保存方法:选择File->Save菜单项保存日志时注意选择Options->Hide Microsoft Entries菜单项(设置了这项后点工具栏的刷新按钮)

工具的下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7318038
gototop
 
一只会飞的猪
头像
初生襁褓狮
  • 帖子:70
  • 注册: 2005-07-21
  • 来自:
发表于: 2006-02-10 17:47 | 只看楼主 短消息 资料
字号: 17楼

PIDCPUDescriptionCompany Name
093.94
n/aHardware Interrupts
n/aDeferred Procedure Calls
4
  456Windows NT Session ManagerMicrosoft Corporation
  5241.52Client Server Runtime ProcessMicrosoft Corporation
  548Windows NT Logon ApplicationMicrosoft Corporation
    5921.52Services and Controller appMicrosoft Corporation
    748Generic Host Process for Win32 ServicesMicrosoft Corporation
    816Generic Host Process for Win32 ServicesMicrosoft Corporation
    896CCenterBeijing Rising Technology Co., Ltd.
    920Generic Host Process for Win32 ServicesMicrosoft Corporation
    1012Generic Host Process for Win32 ServicesMicrosoft Corporation
    1120Generic Host Process for Win32 ServicesMicrosoft Corporation
    1136RavMondBeijing Rising Technology Co., Ltd.
      1624Rising RavStubBeijing Rising Technology Co., Ltd.
    1304Rising Personal Proxy ServiceBeijing Rising Technology Co., Ltd.
    1344Rising Personal FireWall ServiceBeijing Rising Technology Co., Ltd.
      1860Rising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.
    176Generic Host Process for Win32 ServicesMicrosoft Corporation
    2120Generic Host Process for Win32 ServicesMicrosoft Corporation
    3860Spooler SubSystem AppMicrosoft Corporation
    604LSA Shell (Export Version)Microsoft Corporation
1284Windows ExplorerMicrosoft Corporation
1852SiS Compatible Super VGA Keyboard DaemonSilicon Integrated Systems Corporation
220Still Image (STI) DriverVM.
404RavTimerBeijing Rising Technology Co., Ltd.
  648RavMonBeijing Rising Technology Co., Ltd.
908CTF LoaderMicrosoft Corporation
780Internet ExplorerMicrosoft Corporation
8563.03Sysinternals Process ExplorerSysinternals
gototop
 
BlackStone
头像
叱咤花甲狮
  • 帖子:2616
  • 注册: 2005-09-27
  • 来自:
发表于: 2006-02-10 17:59 | 短消息 资料
字号: 18楼

是Autoruns不是procexp的日志
gototop
 
一只会飞的猪
头像
初生襁褓狮
  • 帖子:70
  • 注册: 2005-07-21
  • 来自:
发表于: 2006-02-10 18:05 | 只看楼主 短消息 资料
字号: 19楼

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ BigDogPathStill Image (STI) DriverVM.c:\windows\vm_sti.exe

+ CmaudioCmiCnfg DLLC-Media Corporationc:\windows\system\cmicnfg.cpl

+ RavTaskRavTimerBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravtask.exe

+ RfwMainRising Personal FireWall Main ProgramBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwmain.exe

+ SiS Windows KeyHookSiS Compatible Super VGA Keyboard DaemonSilicon Integrated Systems Corporationc:\windows\system32\keyhook.exe

+ SiSUSBRGSiSUSBrgSilicon Integrated Systems Corp.c:\windows\sisusbrg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

+ Winpatch AutoUpdatec:\windows\system32\dll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ Rising Execute File Exts hookRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ RISINGRising Shell Ext ModuleBeijing Rising Technology Co., Ltd.c:\windows\system32\ravext.dll

HKLM\System\CurrentControlSet\Services

+ RfwProxySrvRising Personal Proxy ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwproxy.exe

+ RfwServiceRising Personal Firewall ServiceBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rfwsrv.exe

+ RsCCenterCCenterBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ccenter.exe

+ RsRavMonRavMondBeijing Rising Technology Co., Ltd.c:\program files\rising\rav\ravmond.exe

HKLM\System\CurrentControlSet\Services

+ BaseTDIbasetdiBeijing Rising Technology Co., Ltd.c:\windows\system32\drivers\basetdi.sys

+ cmudaC-Media Audio WDM DriverC-Media Incc:\windows\system32\drivers\cmuda.sys

+ ExpScanerExpScan.sysc:\program files\rising\rav\expscan.sys

+ HOOKAPIHOOKAPI Driver瑞星软件有限公司c:\program files\rising\rav\hookapi.sys

+ HookContTDI HOOK DriverRising tech Co. ltdc:\program files\rising\rav\hookcont.sys

+ HookRegc:\program files\rising\rav\hookreg.sys

+ HookSysHooksysRisingc:\program files\rising\rav\hooksys.sys

+ HookUrlHookUrlBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\hookurl.sys

+ MEMSCANMemScan Driver瑞星软件有限公司c:\program files\rising\rav\memscan.sys

+ mProcRsRising Personal FireWall  mprocrs.sysBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\mprocrs.sys

+ npkcryptnProtect KeyCrypt DriverINCA Internet Co., Ltd.f:\qq\npkcrypt.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ RsFwDrvnt_fwdrvBeijing Rising Technology Co., Ltd.c:\program files\rising\rfw\rsfwdrv.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SiS315SiS Compatible Super VGA DriverSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisgrp.sys

+ SISAGPSiS AGPv3.5 FilterSilicon Integrated Systems Corporationc:\windows\system32\drivers\sisagpx.sys

+ SiSkpSiS VGA Driver ManagerSilicon Integrated Systems Corporationc:\windows\system32\drivers\srvkp.sys

+ SISNICSiS PCI Fast Ethernet Adapter DriverSiS Corporationc:\windows\system32\drivers\sisnic.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys
gototop
 
BlackStone
头像
叱咤花甲狮
  • 帖子:2616
  • 注册: 2005-09-27
  • 来自:
发表于: 2006-02-10 18:13 | 短消息 资料
字号: 20楼

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ Winpatch AutoUpdatec:\windows\system32\dll.exe

删除启动项
重启
删除c:\windows\system32\dll.exe试试
gototop
 
<<上一主题|下一主题>>
123   2  /  3  页   跳转
页面顶部
Powered by Discuz!NT