瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 RootKit.Win32.RESSDT.cq病毒怎么处理!!!

123   1  /  3  页   跳转

[已解决] RootKit.Win32.RESSDT.cq病毒怎么处理!!!

RootKit.Win32.RESSDT.cq病毒怎么处理!!!

机器中了RootKit.Win32.RESSDT.cq病毒,每次起机时都能被瑞星发现,但是不能彻底删除,求助电脑高手解决,在线等,谢谢(急)~~~~~~~~~~~~~~~~~~~~

用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727)
最后编辑铁幕 最后编辑于 2008-07-29 17:01:47
分享到:
gototop
 

回复: RootKit.Win32.RESSDT.cq病毒怎么处理!!!

1、参考http://bbs.ikaka.com/showtopic-8521170.aspx我的回复,提供病毒文件名、所在路径

2、阅读http://bbs.ikaka.com/showtopic-8417665.aspx这个帖,按要求提供SRENG扫描日志附件。
打酱油的……
gototop
 

回复: RootKit.Win32.RESSDT.cq病毒怎么处理!!!

C:\WINDOWS\system32\drivers\msiffei.sys
        RootKit.Win32.RESSDT.cq
gototop
 

回复:RootKit.Win32.RESSDT.cq病毒怎么处理!!!



2008-07-30,16:09:35

System Repair Engineer 2.6.11.992
Smallfrogs ([url]http://www.KZTechs.com[/url])

Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe">  [Nero AG]
    <OlympicExpress><"d:\Program Files\SogouInput\OlympicNews.exe">  [(Verified)Sogou.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
    <HControl><C:\WINDOWS\ATK0100\HControl.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
    <IMSCMig><C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
    <SynTPEnh><C:\Program Files\Synaptics\SynTP\SynTPEnh.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <SkyTel><SkyTel.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <Alcmtr><ALCMTR.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <SMSERIAL><C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe>  [Motorola Inc.]
    <NeroFilterCheck><C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe>  [Nero AG]
    <StartCCC><C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe>  []
    <ACU><"C:\Program Files\Atheros\ACU.exe" -nogui>  [Atheros Communications, Inc.]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [(Verified)Beijing Rising Information Technology Corporation Limited]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [(Verified)Beijing Rising Information Technology Corporation Limited]
    <runeip><"d:\Program Files\Rising\AntiSpyware\rstray.exe" /startup>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <KKDelay><D:\Program Files\Rising\AntiSpyware\RunOnce.exe>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <kcodu><kcodu32.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><kmon.dll>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [Microsoft Corporation]

==================================
启动文件夹
[CCC]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\CCC.lnk --> C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\CCC.exe [ATI Technologies Inc.]><N>

==================================
服务
[Atheros 配置服务 / ACS][Running/Auto Start]
  <C:\WINDOWS\system32\acs.exe><Atheros>
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[McAfee Framework Service / McAfeeFramework][Stopped/Auto Start]
  <"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart><(File is missing)>
[Rising Proxy  Service / RfwProxySrv][Running/Auto Start]
  <C:\Program Files\Rising\Rfw\rfwProxy.exe><Beijing Rising Information Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <C:\Program Files\Rising\Rfw\rfwsrv.exe><Beijing Rising Information Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Information Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Stopped/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Information Technology Co., Ltd.>

==================================
驱动程序
[Atheros Wireless Network Adapter Service / AR5211][Stopped/Manual Start]
  <system32\DRIVERS\ar5211.sys><Atheros Communications, Inc.>
[askd / askd][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\askd.ahc><N/A>
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Microsoft 用于 High Definition Audio 的 UAA 总线驱动程序 / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HookCont / HookCont][Running/System Start]
  <\SystemRoot\system32\drivers\HookCont.sys><Beijing Rising Information Technology Co., Ltd.>
[HookNtos / HookNtos][Running/System Start]
  <\SystemRoot\system32\drivers\HookNtos.sys><Beijing Rising Information Technology Co., Ltd.>
[HookReg / HookReg][Running/System Start]
  <\SystemRoot\system32\drivers\HookReg.sys><Beijing Rising Information Technology Co., Ltd.>
[HookSys / HookSys][Running/System Start]
  <\SystemRoot\system32\drivers\HookSys.sys><Beijing Rising Information Technology Co., Ltd.>
[HookUrl / HookUrl][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Information Technology Co., Ltd.>
[Intel AHCI Controller / iaStor][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\iaStor.sys><Intel Corporation>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
  <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ATK0100 ACPI UTILITY / MTsensor][Running/Manual Start]
  <system32\DRIVERS\ATKACPI.sys><>
[Intel(R) Wireless WiFi Link 适配器驱动程序(适用于 Windows XP 32 位) / NETw4x32][Running/Manual Start]
  <system32\DRIVERS\NETw4x32.sys><Intel Corporation>
[npkcrypt / npkcrypt][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\npkcrypt.sys><N/A>
[npkycryp / npkycryp][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\npkycryp.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Rising  Rfwbase Driver / RfwBase][Running/Auto Start]
  <System32\DRIVERS\rfwbase.SYS><Beijing Rising Information Technology Co., Ltd.>
[rimmptsk / rimmptsk][Running/Auto Start]
  <system32\DRIVERS\rimmptsk.sys><REDC>
[rimsptsk / rimsptsk][Running/Auto Start]
  <system32\DRIVERS\rimsptsk.sys><REDC>
[Ricoh xD-Picture Card Driver / rismxdp][Running/Auto Start]
  <system32\DRIVERS\rixdptsk.sys><REDC>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/System Start]
  <\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Information Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Information Technology Co., Ltd.>
[Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver / RTLE8023xp][Stopped/Manual Start]
  <system32\DRIVERS\Rtenicxp.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SMSC IrCC Miniport Device Driver / SMCIRDA][Running/Manual Start]
  <system32\DRIVERS\smcirda.sys><SMSC>
[smserial / smserial][Running/Manual Start]
  <system32\DRIVERS\smserial.sys><Motorola Inc.>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[Synaptics TouchPad Driver / SynTP][Running/Manual Start]
  <system32\DRIVERS\SynTP.sys><Synaptics, Inc.>
[wsimd Service / WSIMD][Running/Manual Start]
  <system32\DRIVERS\wsimd.sys><Atheros Communications, Inc.>
[msiffei / msiffei][Stopped/Manual Start]
  <System32\Drivers\msiffei.sys><N/A>

==================================
浏览器加载项
N/A

==================================
正在运行的进程
N/A

==================================
文件关联
N/A

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 852, C:\WINDOWS\SYSTEM32\ACS.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2408, C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2408, C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 284, C:\PROGRAM FILES\MOTOROLA\SMSERIAL\SM56HLPR.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 284, C:\PROGRAM FILES\MOTOROLA\SMSERIAL\SM56HLPR.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 4060, C:\PROGRAM FILES\ATHEROS\ACU.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 4060, C:\PROGRAM FILES\ATHEROS\ACU.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2688, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2688, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3032, C:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3032, C:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2984, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CCC.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2984, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CCC.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3272, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CCC.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3272, C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CCC.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1680, F:\下载\新建文件夹\SR_TEYQIU.COM]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1680, F:\下载\新建文件夹\SR_TEYQIU.COM]

==================================
API HOOK
入口点错误:CreateProcessA (危险等级: 高,  被下面模块所HOOK: 0x00FF1FFD)
入口点错误:CreateProcessW (危险等级: 高,  被下面模块所HOOK: 0x00FF20E5)

==================================
隐藏进程
N/A

==================================


gototop
 

回复:RootKit.Win32.RESSDT.cq病毒怎么处理!!!

请将日志防附件
这么弄
难免漏楼东东
gototop
 

回复: RootKit.Win32.RESSDT.cq病毒怎么处理!!!

请帮忙看看

附件附件:

文件名:SREngLOG.log
下载次数:111
文件类型:application/octet-stream
文件大小:
上传时间:2008-7-29 16:22:16
描述:log

gototop
 

回复:RootKit.Win32.RESSDT.cq病毒怎么处理!!!

删除启动项
<kcodu><kcodu32.exe>  []
删除驱动及对应文件
[askd / askd][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\askd.ahc><N/A>
[msiffei / msiffei][Stopped/Manual Start]
  <System32\Drivers\msiffei.sys><N/A>

删除文件
C:\WINDOWS\system32\kcodu32.dll]  [N/A, ]
gototop
 

回复:RootKit.Win32.RESSDT.cq病毒怎么处理!!!

瑞星病毒查杀结果报告

清除病毒种类列表:
病毒: RootKit.Win32.RESSDT.cq 
病毒: Trojan.PSW.Win32.GameOL.opd
病毒: Trojan.PSW.Win32.GameOL.opc
病毒: Trojan.PSW.Win32.LMir.bsi
病毒: Trojan.PSW.Win32.GameOL.ovi
病毒: Trojan.PSW.Win32.GameOL.ott
病毒: Trojan.PSW.Win32.GameOL.opf
病毒: AdWare.Win32.Agent.cbo 
病毒: Trojan.PSW.Win32.LMir.bsk
病毒: Trojan.Win32.Undef.jwa 
病毒: Trojan.PSW.Win32.LMir.bsj
病毒: Trojan.PSW.Win32.XYOnline.afw
病毒: Trojan.PSW.Win32.XYOnline.aec
病毒: Trojan.PSW.Win32.Mapdimp.m
病毒: Trojan.PSW.Win32.GameOL.ovk
病毒: AdWare.Win32.Agent.bvj 
病毒: Trojan.PSW.Win32.GameOL.osc
病毒: AdWare.Win32.Agent.ccl 
病毒: Trojan.DL.Win32.Mnless.apb
病毒: RootKit.Win32.Mnless.wr 
病毒: AdWare.Win32.Cinmus.cgy 
病毒: AdWare.Win32.Agent.ccg 
病毒: Dropper.Win32.Agent.gdv 
病毒: Trojan.DL.Win32.Small.ybw
病毒: AdWare.Win32.Cpush.ba   
病毒: RootKit.Win32.Agent.bed 

MAC 地址:00:0A:EB:B1:34:70

用户来源:局域网

软件版本:20.55.10

一台本子,中了上述病毒,启动提示没有发现系统,就不认硬盘了,只好开膛破肚,拿出硬盘并机查杀,装回去就好了。

请问是那种病毒的破坏?  谢谢!
gototop
 

回复:RootKit.Win32.RESSDT.cq病毒怎么处理!!!

是RootKit.Win32.RESSDT.cq 病毒  我用的是本子
gototop
 

回复: RootKit.Win32.RESSDT.cq病毒怎么处理!!!



引用:
原帖由 确实LANDE 于 2008-7-29 16:31:00 发表
瑞星病毒查杀结果报告

清除病毒种类列表:
病毒: RootKit.Win32.RESSDT.cq 
病毒: Trojan.PSW.Win32.GameOL.opd
病毒: Trojan.PSW.Win32.GameOL.opc
病毒: Trojan.PSW.Win32.LMir.bsi
病毒: Trojan.PSW.Win32.GameOL.ovi
病毒: Trojan


你在局域网?
gototop
 
123   1  /  3  页   跳转
页面顶部
Powered by Discuz!NT