Rising Kaka Security Forum / Technical Exchange / Anti-virus and anti-rogue-software board (page 5 of 9)

Trojan-PSW.Win32.OnLineGames.mu: yet another nasty virus that abuses IFEO hijacking

Quote:
[Post by 天月来了] I'm just afraid that everything this virus is doing right now is only to divert attention.

In reality there is an even better-hidden trojan. Then it's game over.

Otherwise why would it be that: this virus apparently does not re-infect the same system.
After disinfecting and running the sample again, there is no sign of infection whatsoever. ??
…

I'll wait and see.
I haven't restored from GHOST since I played with it yesterday.
Let's watch what happens. No abnormality in the system so far.

Heh heh!!

baohe!!

There's something I'm curious about!!

I'd like to see the SREng log from the system you cleaned up last night and haven't restored from GHOST since.

Would that be alright?

I wonder whether everyone upthread would like to see it too?

Just post it in this thread.

OK?

5. Uncheck IceSword's "Forbid process creation". Rename autoruns.exe to autorun.exe and run it:
Find HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Delete:

猫叔, can't this be deleted with IceSword? I've never used autoruns and can't be bothered to learn yet another tool.


It looks like it also sabotages the update programs of a lot of antivirus software and tools. I've killed the virus now, but many programs can no longer update their virus databases. A certain svchost.exe also keeps crashing; I suspect it still isn't cleaned out.
This virus is no joke. The author has a vicious mind; to have collected that many tools is extremely twisted.
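An added example, not code from the thread and not part of SREng, IceSword or Autoruns: a Python script that parses a `reg export` of the Image File Execution Options key and flags Debugger values that look like hijacks. Windows matches IFEO subkeys on the bare image file name, so a value set under `autoruns.exe` does not fire for `autorun.exe` (which is why the rename in step 5 above gets the tool running), and one malware path can be registered as the "debugger" for a long list of security tools and updaters, which is the pattern the posters above report. The .reg text, the image names and the `svch0st.exe` path below are constructed for the example, and the KNOWN_DEBUGGERS allowlist is an assumption to tune for your own machines.

```python
import ntpath
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of a .reg export of the IFEO key (not taken from the thread).
# Image names and the "svch0st.exe" path are placeholders. In .reg files a REG_SZ
# value escapes backslashes as \\ and embedded quotes as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=dword:00000000
'''

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only; dword:/hex: lines are skipped

# Assumption: debuggers that may legitimately appear as an IFEO Debugger on this site.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "drwtsn32.exe", "vsjitdebugger.exe"}


def _unescape(value: str) -> str:
    # Undo .reg escaping of a REG_SZ value: doubled backslash and backslash-quote.
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_ifeo_reg(text: str) -> Dict[str, str]:
    """Map every IFEO subkey that carries a Debugger value to that (unescaped) command."""
    entries: Dict[str, str] = {}
    current = None          # image name of the subkey we are inside, else None
    prefix = IFEO_KEY + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            # IFEO subkeys are named after the bare image file name (no path),
            # which is all the loader compares against.
            current = name[len(prefix):] if name.lower().startswith(prefix.lower()) else None
            continue
        val = VALUE_RE.match(line)
        if val and current is not None and val.group(1).lower() == "debugger":
            entries[current] = _unescape(val.group(2))
    return entries


def debugger_exe(command: str) -> str:
    """First token of a Debugger command, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def find_hijacks(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (image, debugger_path, reason) for entries that look like hijacks."""
    targets = Counter(debugger_exe(cmd).lower() for cmd in entries.values())
    findings = []
    for image, cmd in sorted(entries.items(), key=lambda kv: kv[0].lower()):
        exe = debugger_exe(cmd)
        reasons = []
        if ntpath.basename(exe).lower() not in KNOWN_DEBUGGERS:
            reasons.append(f"'{ntpath.basename(exe)}' is not a known debugger")
        # One binary registered as the "debugger" for many images is the
        # mass-hijack pattern the thread describes, whatever the binary is called.
        if targets[exe.lower()] > 1:
            reasons.append(f"same target set for {targets[exe.lower()]} image names")
        if reasons:
            findings.append((image, exe, "; ".join(reasons)))
    return findings


def cleanup_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """reg.exe commands that drop only the Debugger value and keep the rest of the subkey."""
    return [f'reg delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
            f'Image File Execution Options\\{image}" /v Debugger /f'
            for image, _, _ in findings]


if __name__ == "__main__":
    hits = find_hijacks(parse_ifeo_reg(SAMPLE_REG))
    for image, exe, why in hits:
        print(f"{image:<14} -> {exe}  [{why}]")
    print("\n".join(cleanup_commands(hits)))
```

Run as-is it prints the three hijacked image names and one `reg delete ... /v Debugger /f` line for each; on a real machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (reg.exe writes that file as UTF-16, so decode it before parsing). The generated commands remove only the Debugger value, so a GlobalFlag or other legitimate setting in the same subkey survives, and `notepad.exe` pointing at a single, known debugger is left alone.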

+1, nicely done...
I've heard quite a few people have been hit by this virus lately!!

Quote:
[Post by 天月来了] Heh heh!!

baohe!!

There's something I'm curious about!!

I'd like to see the SREng log from the system you cleaned up last night and haven't restored from GHOST since.

Would that be alright?

I wonder whether everyone upthread would like to see it too?

Just post it in this thread.

OK?
…

2007-04-05,17:27:17

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- Administrator user - full functionality

The following items were selected:
    All startup items (including registry, startup folder, services, etc.)
    Browser add-ons
    Running processes (including process module information)
    File associations
    Winsock providers
    Autorun.inf
    HOSTS file


Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\windows\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <AMonitor><C:\Program Files\Tiny Firewall Pro\amon.exe>  [Computer Associates International, Inc.]
    <IDMan><C:\Program Files\Internet Download Manager\IDMan.exe /onboot>  [Internet Download Manager Corp., Tonec Inc. ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <TP4EX><tp4ex.exe>  [IBM Corporation]
    <RunShadowTip><C:\windows\system32\shadow\ShadowTip.exe>  [PowerShadow]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe,>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><UmxSbxExw.dll,>  [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\windows\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
    <WinlogonNotify: PFW><UmxWnp.Dll>  [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
    <WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll>  [(Verified)System Safety Limited]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\System32\AMCRYS~1.SCR>  [SereneScreen]

==================================
Startup folder
N/A

==================================
Services
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\windows\System32\Ati2evxx.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[IBM PM Service / IBMPMSVC][Stopped/Disabled]
  <C:\windows\system32\ibmpmsvc.exe><N/A>
[QCONSVC / QCONSVC][Running/Auto Start]
  <System32\QCONSVC.EXE><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Shadow System Service / ShadowSystemService][Running/Auto Start]
  <C:\windows\system32\shadow\ShadowService.exe><N/A>
[FW Event Manager / UmxAgent][Running/Auto Start]
  <"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"><Computer Associates International, Inc.>
[FW Configuration Interpreter / UmxCfg][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\UmxCfg.exe"><Computer Associates International, Inc.>
[FW User-Mode Helper / UmxFwHlp][Running/Auto Start]
  <"C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe"><Computer Associates International, Inc.>
[FW Live Update / UmxLU][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\umxlu.exe"><Tiny Software, Inc.>
[FW Policy Manager / UmxPol][Running/Auto Start]
  <"C:\Program Files\Common Files\PFShared\UmxPol.exe"><Computer Associates International, Inc.>

==================================
Drivers
[Agere Systems Soft Modem / AgereSoftModem][Running/Manual Start]
  <System32\DRIVERS\AGRSM.sys><Agere Systems>
[ati2mtag / ati2mtag][Running/Manual Start]
  <System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
  <System32\DRIVERS\e100b325.sys><Intel Corporation>
[IBM eGatherer Diagnostics / EGATHDRV][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\EGATHDRV.SYS><N/A>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[IBMPMDRV / IBMPMDRV][Running/Manual Start]
  <System32\DRIVERS\ibmpmdrv.sys><IBM Corp.>
[IBMTPCHK / IBMTPCHK][Running/System Start]
  <System32\drivers\IBMBLDID.SYS><N/A>
[KmxAgent / KmxAgent][Running/System Start]
  <System32\DRIVERS\kmxagent.sys><Computer Associates International, Inc.>
[KmxBiG / KmxBiG][Running/Auto Start]
  <System32\DRIVERS\KmxBiG.sys><Computer Associates International, Inc.>
[KmxCfg / KmxCfg][Running/Manual Start]
  <System32\DRIVERS\kmxcfg.sys><Computer Associates International, Inc.>
[KmxFile / KmxFile][Running/System Start]
  <System32\DRIVERS\KmxFile.sys><Computer Associates International, Inc.>
[KmxFw / KmxFw][Running/System Start]
  <System32\DRIVERS\kmxfw.sys><Computer Associates International, Inc.>
[KmxIds / KmxIds][Running/System Start]
  <System32\DRIVERS\kmxids.sys><Computer Associates International, Inc.>
[KmxNdis / KmxNdis][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\kmxndis.sys><Computer Associates International, Inc.>
[KmxSbx / KmxSbx][Running/Auto Start]
  <System32\DRIVERS\KmxSbx.sys><Computer Associates International, Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[NSC Infrared Device Driver / NSCIRDA][Running/Manual Start]
  <System32\DRIVERS\nscirda.sys><National Semiconductor Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[System Safety Monitor 2.0 Core Engine / safemon][Running/Boot Start]
  <\SystemRoot\system32\drivers\safemon.sys><System Safety Limited>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[Smapint / Smapint][Running/System Start]
  <System32\drivers\Smapint.sys><Microsoft Corporation>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[TDSMAPI / TDSMAPI][Running/System Start]
  <System32\Drivers\TDSMAPI.SYS><N/A>
[IBM PS/2 TrackPoint Driver / Tp4Track][Running/Manual Start]
  <System32\DRIVERS\tp4track.sys><IBM Corporation>
[TPPWR / TPPWR][Running/System Start]
  <System32\drivers\Tppwr.sys><IBM Corp.>

==================================
Browser add-ons
[IDMIEHlprObj Class]
  {0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Kaka Internet Security Assistant]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\windows\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Office Update Installation Engine]
  {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} <C:\WINDOWS\opuc.dll, Microsoft Corporation>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[IDMIEHlprObj Class]
  {0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484F-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Download with IDM]
  <C:\Program Files\Internet Download Manager\IEExt.htm, N/A>
[Download all links with IDM]
  <C:\Program Files\Internet Download Manager\IEGetAll.htm, N/A>
[Export to Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
Running processes
[PID: 616][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 688][\??\C:\windows\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 712][\??\C:\windows\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxWnp.Dll]  [Computer Associates International, Inc., 6, 0, 0, 2]
    [C:\windows\system32\SSMWinlogonEx.dll]  [System Safety Limited, 2.4.0.613]
[PID: 760][C:\windows\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 772][C:\windows\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 960][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1052][C:\windows\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1196][C:\windows\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\System32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1392][C:\windows\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\System32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\System32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
[PID: 1588][C:\windows\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\WINDOWS\System32\AdobePDF.dll]  [Adobe Systems Incorporated., 6.0.000]
    [C:\Program Files\Adobe\Acrobat 6.0\Distillr\adistres.dll]  [Adobe Systems Incorporated., 6.0.0.2003040700]
[PID: 1636][C:\Program Files\Common Files\PFShared\UmxCfg.exe]  [Computer Associates International, Inc., 6.0.1.48]
    [C:\windows\system32\UmxSbxExw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\windows\system32\UmxSbxw.dll]  [Computer Associates International, Inc., 6.0.1.58]
    [C:\Program Files\Common Files\PFShared\xmlsdp.dll]  [Computer Associates International, Inc., 6.2.0.122]
    [C:\windows\system32\msxml4.dll]  [Microsoft Corporation, 4.20.9818.0]
    [C:\Program Files\Common Files\PFShared\pthexp.dll]  [Computer Associates International, Inc., 6.0.0.19]
    [C:\Program Files\Tiny Firewall Pro\SnortImp.dll]  [Computer Associates International, Inc., 6.5.1.2]