瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 这几天中了病毒,可是查不出来请专家帮忙看看!

12   2  /  2  页   跳转

这几天中了病毒,可是查不出来请专家帮忙看看!

收藏
风电飞力
头像
初生襁褓狮
  • 帖子:12
  • 注册: 2007-08-29
  • 来自:
发表于: 2007-09-05 09:38 | 只看楼主 短消息 资料
字号: 11楼

[PID: 2936 / Administrator][F:\QQ\TIMPlatform.exe]  [TENCENT, 7,0,365,1701]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [F:\QQ\TIMProxy.dll]  [tencent, 0, 3, 2, 4]
[PID: 3056 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3612 / Administrator][C:\WINDOWS\system32\WgaTray.exe]  [Microsoft Corporation, 1.7.0018.5]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3736 / SYSTEM][C:\WINDOWS\system32\cidaemon.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [c:\program files\rising\rfw\ijt_base.dll]  [Beijing Rising Technology Co., Ltd., 7.0.0.2]
    [c:\program files\rising\rfw\olemon.dll]  [Beijing Rising Technology Co., Ltd., 7.0.0.2]
[PID: 3428 / Administrator][E:\迅雷5\Program\Thunder5.exe]  [Thunder Networking Technologies,LTD, 5, 6, 7, 326]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [E:\迅雷5\Program\TaskManager.dll]  [Thunder Networking Technologies,LTD, 1, 1, 2, 26]
    [E:\迅雷5\Program\download_interface.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 46]
    [E:\迅雷5\Program\stlport_vc646.dll]  [STLport Consulting, Inc., 4.6.2003.1031]
    [E:\迅雷5\Program\asyn_dns.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 46]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Computer, Inc., 1,0,3,1]
    [E:\迅雷5\Program\BHOStub.dll]  [Thunder Networking Technologies,LTD, 1, 1, 0, 8]
    [E:\迅雷5\Program\FloatBar.dll]  [Giganology Inc., 1, 0, 0, 2]
    [E:\迅雷5\Components\DownAndPlay\DownAndPlay.dll]  [, 1, 0, 0, 18]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 17.0.54.0]
    [E:\迅雷5\Program\iTargetAD.dll]  [Thunder Networking Technologies,LTD, 1, 0, 2, 28]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx]  [Adobe Systems, Inc., 9,0,45,0]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [E:\迅雷5\Components\InMedia\iEmbedShell.dll]  [ , 1, 0, 0, 19]
    [E:\迅雷5\Components\Community\XLCommunity.dll]  [Thunder Networking Technologies,LTD, 1, 2, 1, 36]
    [E:\迅雷5\Components\Security\ThunderSafe.dll]  [深圳市迅雷网络技术有限公司, 1, 0, 2, 17]
    [E:\迅雷5\Components\Search\XLSearch.dll]  [Thunder Networking Technologies,LTD, 1, 1, 4, 15]
    [E:\迅雷5\Components\P4PClient\P4PClient.dll]  [Thunder Networking Technologies,LTD, 2, 2, 2, 55]
    [E:\迅雷5\Program\LiveUpdate.dll]  [Thunder Networking Technologies,LTD, 1, 2, 1, 20]
    [E:\迅雷5\Components\ExplorerHelper\ExplorerHelper.dll]  [Thunder Networking Technologies,LTD, 1, 0, 4, 15]
    [E:\迅雷5\Components\Tips\TipsClient.dll]  [Thunder Networking Technologies,LTD, 2, 1, 3, 58]
    [E:\迅雷5\Components\VPSHELL\VPSHELL.dll]  [XunLei, 1, 2, 0, 10]
    [E:\迅雷5\Components\UserExperience\UserExperience.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 1]
    [E:\迅雷5\Components\ResWorker\DsXlCom.dll]  [, 1, 0, 0, 16]
    [E:\迅雷5\Components\InMedia\iEmbed10.dll]  [ , 3, 3, 1, 83]
    [E:\迅雷5\Program\RegisterDll.dll]  [Thunder Networking Technologies,LTD, 2, 13, 4, 58]
    [E:\迅雷5\Program\MSVCIRT.dll]  [Microsoft Corporation, 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [E:\迅雷5\Program\XLNet.Dll]  [Thunder Networking Technologies,LTD, 1, 2, 0, 8]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL]  [Microsoft Corporation, 7.00.9466]
    [E:\迅雷5\Plugins\TingTing\TingTing.dll]  [Thunder Networking Technologies,LTD, 1, 2, 2, 13]
    [E:\迅雷5\Plugins\BhoAdv\bho_adv.dll]  [深圳市迅雷网络技术有限公司, 1.0.1.0]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [E:\迅雷5\Components\DownAndPlay\DapPlayer_Now.dll]  [XunLei, 1, 0, 1, 44]
    [E:\迅雷5\ComDlls\ThunderAgent_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 3, 20]
    [E:\迅雷5\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 3, 11]
    [E:\迅雷5\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.2.9]
    [E:\迅雷5\Components\VPSHELL\VideoPicture.dll]  [XunLei, 1, 2, 0, 11]
    [E:\迅雷5\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 6]
    [E:\迅雷5\Components\ResWorker\MediaWorker.dll]  [Thunder Networking Technologies,LTD, 1, 2, 0, 18]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
[PID: 3484 / Administrator][F:\BitComet\BitComet.exe]  [www.BitComet.com, 0.92]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\WINDOWS\system32\shlhook.dll]  [Beijing Rising Technology Co., Ltd., 4.0.0.9]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Computer, Inc., 1,0,3,1]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL]  [Microsoft Corporation, 1.0.1038.0]
gototop
 
风电飞力
头像
初生襁褓狮
  • 帖子:12
  • 注册: 2007-08-29
  • 来自:
发表于: 2007-09-05 09:38 | 只看楼主 短消息 资料
字号: 12楼

[PID: 2452 / Administrator][C:\Program Files\Rising\AntiSpyware\Ras.exe]  [Beijing Rising Technology Co., Ltd., 4.0.0.57]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\Program Files\Rising\AntiSpyware\RasGui.dll]  [Beijing Rising Technology Co., Ltd., 2, 0, 0, 12]
    [C:\WINDOWS\system32\RavExt.dll]  [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
    [C:\WINDOWS\system32\shlhook.dll]  [Beijing Rising Technology Co., Ltd., 4.0.0.9]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Computer, Inc., 1,0,3,1]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL]  [Microsoft Corporation, 7.00.9466]
    [C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL]  [Microsoft Corporation, 1.0.1038.0]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 336 / Administrator][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 17.0.54.0]
    [E:\迅雷5\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.2.9]
    [E:\迅雷5\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 3, 11]
    [E:\迅雷5\Components\ResWorker\DsBho_00.dll]  [, 1, 0, 0, 4]
    [E:\迅雷5\Components\ResWorker\DataProcessor_00.dll]  [Thunder Networking Technologies,LTD, 1, 0, 0, 6]
    [E:\Adobe Reader 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.7.2006011200]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [F:\BitComet\tools\BitCometBHO_1.1.8.30.dll]  [BitComet, 20070830]
    [F:\QQ\QQZoneHelper.dll]  [深圳市腾讯计算机系统有限公司, 1.1.0.1016]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL]  [Microsoft Corporation, 1.0.1038.0]
    [C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]  [Microsoft Corporation, 11.0.5510]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Computer, Inc., 1,0,3,1]
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx]  [Adobe Systems, Inc., 9,0,45,0]
    [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1464 / Administrator][E:\WinRAR3.62\WinRAR.exe]  [N/A, ]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 17.0.54.0]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 4088 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX19.563\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\Program Files\360safe\safemon\safemon.dll]  [, 3, 6, 1, 1001]
    [C:\Program Files\Rising\AntiSpyware\ieprot.dll]  [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX19.563\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Computer, Inc., 1,0,3,1]

==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
gototop
 
风电飞力
头像
初生襁褓狮
  • 帖子:12
  • 注册: 2007-08-29
  • 来自:
发表于: 2007-09-05 09:38 | 只看楼主 短消息 资料
字号: 13楼

HOSTS 文件
127.0.0.1      localhost
10.181.201.3 oa.dd.yepg.com
10.181.201.23 ar.dd.yepg.com

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 616, C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAX4.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1360, C:\PROGRAM FILES\360SAFE\SAFEMON\360TRAY.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1360, C:\PROGRAM FILES\360SAFE\SAFEMON\360TRAY.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1700, C:\WINDOWS\SYSTEM32\TRAYSHELL.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1688, C:\PROGRAM FILES\RISING\RAV\RAVTRAY.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 284, C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 476, C:\PROGRAM FILES\RISING\RAV\RAVMON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 528, C:\PROGRAM FILES\RISING\ANTISPYWARE\RUNIEP.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3428, E:\迅雷5\PROGRAM\THUNDER5.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2452, C:\PROGRAM FILES\RISING\ANTISPYWARE\RAS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2452, C:\PROGRAM FILES\RISING\ANTISPYWARE\RAS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1464, E:\WINRAR3.62\WINRAR.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]
gototop
 
fgys2009
头像
初生襁褓狮
  • 帖子:1
  • 注册: 2010-03-26
  • 来自:
发表于: 2010-03-26 15:18 | 短消息 资料
字号: 14楼

回复:这几天中了病毒,可是查不出来请专家帮忙看看!

风电飞力,是云南电网的?,你的 System Repair Engineer log信息已造成泄密!,你怎么可以不按规定安装macfee?,按照规定你必须卸载瑞星,安装麦咖啡!

更严重的是居然把:
10.181.201.3 oa.dd.yepg.com
10.181.201.23 ar.dd.yepg.com
这么重要的信息都。。。严重警告!。。。
最后编辑fgys2009 最后编辑于 2010-03-26 15:57:28
gototop
 
辛达星郁
头像
锋芒艾服狮
  • 帖子:1507
  • 注册: 2008-07-17
  • 来自:
就爱不长大论坛9周年纪念
发表于: 2010-03-26 18:09 | 短消息 资料
字号: 15楼

回复: 这几天中了病毒,可是查不出来请专家帮忙看看!

以附件的形式上传

点击右下边的“引用”

这次我替你上传

附件附件:

下载次数:123
文件类型:text/plain
文件大小:
上传时间:2010-3-26 18:10:18
描述:txt

最后编辑辛达星郁 最后编辑于 2010-03-26 18:10:18
要深入,要专一.......
gototop
 
辛达星郁
头像
锋芒艾服狮
  • 帖子:1507
  • 注册: 2008-07-17
  • 来自:
就爱不长大论坛9周年纪念
发表于: 2010-03-26 19:52 | 短消息 资料
字号: 16楼

回复:这几天中了病毒,可是查不出来请专家帮忙看看!

建议使用删除文件工具SmtDel删除以下文件
删除工具SmtDel下载地址
http://bbs.ikaka.com/attachment.aspx?attachmentid=445131

c:\windows\system32\drivers\secdrv.sys
c:\windows\system32\drivers\mxdispdr.sys
c:\progra~1\ldap\vnkz.dll

2.删除重启后使用SREng修复下面各项:

    启动项目 -- 服务 -- Win32服务应用程序之如下项禁用:
[RsRavMon Service / RsRavMon]    <\??\C:\WINDOWS\system32\Drivers\73296.sys>
[Secdrv / Secdrv]    <system32\DRIVERS\secdrv.sys>
[mxdispdr / mxdispdr]    <\??\C:\WINDOWS\system32\drivers\mxdispdr.sys>
[Windows qifu RunThem / qifu]    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\ldap\vnkz.dll>

    启动项目 -- 服务-- 驱动程序之如下项禁用:

[Secdrv / Secdrv]    <system32\DRIVERS\secdrv.sys>
[73375 / 73375]    <\??\C:\WINDOWS\system32\Drivers\73296.sys>
[mxdispdr / mxdispdr]    <\??\C:\WINDOWS\system32\drivers\mxdispdr.sys>

SRENG工具的各项操作看这里:
http://bbs.ikaka.com/showtopic-8545446.aspx

最后把你的QQ密码和其他密码全部改掉,八成是你QQ密码被盗,所以会自动发送消息

[HookReg / HookReg]    <\??\C:\Program Files\Rising\Rav\HookReg.sys>
[ExpScaner / ExpScaner]    <\??\C:\Program Files\Rising\Rav\ExpScan.sys>
这两个不确认
最后编辑辛达星郁 最后编辑于 2010-03-26 20:01:10
要深入,要专一.......
gototop
 
旗胡丶啥
头像
初生襁褓狮
  • 帖子:16
  • 注册: 2010-03-21
  • 来自:
发表于: 2010-03-26 20:31 | 短消息 资料
字号: 17楼

回复:这几天中了病毒,可是查不出来请专家帮忙看看!

这个嘛  我也不知道
gototop
 
龚万兵
头像
禁止访问
  • 帖子:63
  • 注册: 2008-08-29
  • 来自:
发表于: 2010-03-26 21:26 | 短消息 资料
字号: 18楼

回复:这几天中了病毒,可是查不出来请专家帮忙看看!

该用户帖子内容已被屏蔽
gototop
 
<<上一主题|下一主题>>
12   2  /  2  页   跳转
页面顶部
Powered by Discuz!NT