
[Closed] Looks like I've got a virus, but nothing can find it. Please help

Looks like I've got a virus, but nothing can find it. Please help

Since I came home from school for the holidays, my computer seems to have a virus. Rising can't update, and it can't find any virus either. The only symptom is that whenever I open a web page it keeps showing: the instruction at "0x3018a275" referenced memory at "0x00000000"; the memory could not be "written".
Could an expert help me out?

User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar)

Re: Looks like I've got a virus, but nothing can find it. Please help

Which processes are running?

Reply to post #2 by aaccbbdd

I ran a scan; here is the log:
[AgentSvr.exe]
CommandLine = C:\WINDOWS\msagent\AgentSvr.exe -Embedding

[explorer.exe]
CommandLine = C:\WINDOWS\explorer.exe

[cmd.exe]
CommandLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2A.tmp.bat

[KkScan.exe]
CommandLine = "C:\Program Files\Rising\KakaToolBar\KkScan.exe"

[iexplore.exe]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"  -nohome

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.3929.cn?tn=1027228
R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000000} - (no file)
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [apphlp] C:\WINDOWS\system32\AppPlayer.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ms08_067_patch] "C:\WINDOWS\system32\nap32.exe" /run
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [!CNS]  中文上网
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O17 - HKLM\System\CCS\Services\Tcpip\..\{D314318D-2E67-41B8-9A89-D0E8DED9486C}: NameServer = 202.102.199.68 202.102.192.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: ejaokfeb.dll,gbicejon.dll,kcjaehch.dll,dklmdino.dll,kcleelfm.dll,nlokcjnb.dll,HBSHQ.dll,lkeimgne.dll,mgcpigbo.dll,gmdhebpi.dll,nmblajed.dll
O20 - Winlogon Notify: WgaLogon
O21 - SSODL: BDB632BC - {BDB632BC-C136-4737-9B50-E899F0C3525F} - C:\WINDOWS\system32\bdbmjibc.dll
O21 - SSODL: A429DC20 - {A429DC20-402A-46EF-BA87-FA35C40ED6D1} - C:\WINDOWS\system32\akipdcig.dll
O21 - SSODL: 4C3AE1C1 - {4C3AE1C1-9188-4865-81DD-D93C2A1FBE09} - C:\WINDOWS\system32\kcjaehch.dll
O21 - SSODL: E3A84FEB - {E3A84FEB-F294-4DBB-B2AF-5C7C689090AF} - C:\WINDOWS\system32\ejaokfeb.dll
O21 - SSODL: 7584C37B - {7584C37B-B0CC-4107-AC1F-C229FE9D4D4F} - C:\WINDOWS\system32\nlokcjnb.dll
O21 - SSODL: D456D278 - {D456D278-A954-437E-A8EC-8DF424A5636A} - C:\WINDOWS\system32\dklmdino.dll
O21 - SSODL: 4C5EE5F6 - {4C5EE5F6-39D7-46AA-9215-0A3BD3E121A7} - C:\WINDOWS\system32\kcleelfm.dll
O21 - SSODL: 60C920B8 - {60C920B8-6E2A-47BF-B5DF-8CD8C2CA4E4E} - C:\WINDOWS\system32\mgcpigbo.dll
O21 - SSODL: 0B2CE387 - {0B2CE387-EE3B-4698-8ECA-BD29C176BB57} - C:\WINDOWS\system32\gbicejon.dll
O21 - SSODL: 54E2607E - {54E2607E-8169-4606-A059-6882D26994C4} - C:\WINDOWS\system32\lkeimgne.dll
O21 - SSODL: 06D1EB92 - {06D1EB92-5FB7-4A52-A3C2-B422ED2B57DB} - C:\WINDOWS\system32\gmdhebpi.dll
O21 - SSODL: 76B5A3ED - {76B5A3ED-AD10-41EE-A402-1F0828257661} - C:\WINDOWS\system32\nmblajed.dll
O23 - Service: DCOM Server Process Launcher (DcomLaunch) -  - C:\WINDOWS\system32\svchost -k dcomlaunch
O23 - Service: Human Interface Device Access (HidServ) -  - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: MS Media Control Center (MediaCenter) - @ Microsoft Corporation. All rights reserved. - C:\WINDOWS\system32\svchost.exe -k krnlsrvc
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) -  - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
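A defender's first pass over a startup log in the format posted above, as an added example that is not part of this thread. The sample lines are constructed in the same layout (process-list "CommandLine =" lines plus O4, O20 and O21 entries) and mix entries of the kind the log shows with benign lookalikes so each rule has a negative case. The rules are the usual triage checks rather than anything specific to this machine: AppInit_DLLs is normally empty on XP, SSODL entries whose display name is just a CLSID fragment are typically auto-generated, Run entries without a full path are resolved through PATH, and command lines that launch scripts from Temp deserve a look.

```python
"""Triage heuristics for a HijackThis/SREng-style startup log.

Added example, not code from the thread or from any scanner. The rules
only point at entries worth checking; they do not classify anything as
malicious on their own.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input modelled on the log format posted in the thread.
SAMPLE_LOG = r"""
[cmd.exe]
CommandLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2A.tmp.bat

[iexplore.exe]
CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe"  -nohome

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [apphlp] C:\WINDOWS\system32\AppPlayer.exe
O20 - AppInit_DLLs: ejaokfeb.dll,gbicejon.dll,kcjaehch.dll
O20 - Winlogon Notify: WgaLogon
O21 - SSODL: BDB632BC - {BDB632BC-C136-4737-9B50-E899F0C3525F} - C:\WINDOWS\system32\bdbmjibc.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (\S+) - \{([0-9A-Fa-f-]+)\} - (.+)$")
CMDLINE_RE = re.compile(r"^CommandLine = (.+)$")


@dataclass
class Finding:
    section: str   # which part of the log the entry came from
    target: str    # the file, DLL or command that triggered the rule
    reason: str    # why a defender would look at it


def first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_from_temp(cmd: str) -> bool:
    """True when the command references a Temp directory (e.g. LOCALS~1\Temp)."""
    return "\\temp\\" in cmd.lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics line by line and collect everything worth checking."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = CMDLINE_RE.match(line)
        if m:
            if launched_from_temp(m.group(1)):
                findings.append(Finding("process list", m.group(1),
                                        "command line runs something out of a Temp directory"))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = first_token(cmd)
            if "\\" not in exe:
                findings.append(Finding(f"O4 {hive} Run [{name}]", exe,
                                        "bare file name; resolved through the PATH search order, not a fixed path"))
            elif launched_from_temp(cmd):
                findings.append(Finding(f"O4 {hive} Run [{name}]", cmd,
                                        "autostart entry points into a Temp directory"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group(1).split(","):
                dll = dll.strip()
                if dll:
                    findings.append(Finding("O20 AppInit_DLLs", dll,
                                            "AppInit_DLLs is normally empty; each DLL here is loaded into every process that maps user32.dll"))
            continue

        m = SSODL_RE.match(line)
        if m:
            name, guid, path = m.groups()
            # Display names that are just the first block of the CLSID are typical
            # of auto-generated registrations; named entries like WebCheck are not.
            if name.upper() == guid.split("-")[0].upper():
                findings.append(Finding("O21 SSODL", path,
                                        "display name is only the first CLSID block, typical of auto-generated registrations"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.target}\n    {f.reason}")
```

Run as a script it prints each flagged entry with its reason; the Rising, AppPlayer and WebCheck lines produce no output because none of the rules match them. Anything it flags still needs the signature check and vendor lookup that the SREng instructions later in the thread ask for.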

Re: Looks like I've got a virus, but nothing can find it. Please help

This is hard to get a handle on.

Reply to post #3 by 向暖

A whole cluster of trojans.

SREng official download
SREng / Smart Scan (remember to tick "Check digital signatures of processes")
When the scan finishes, save the log (LOG format)
PS: If the main program SREng**.exe will not run, so no scan log can be produced,
rename the main program to 我爱小狮子.bat
or 我爱小狮子.scr
Attach the log to your post
(Click "Quote" at the bottom right of this post, or the larger "Reply" at the very bottom right, and you should see how to post it.)

Re: Looks like I've got a virus, but nothing can find it. Please help

You can download SREng.

After opening it, click Smart Scan, tick "Check digital signatures of process modules", and click Scan. Export the log as a .log file and attach it to your post in the forum.

See post #2 for how to use SREng.



If SREng cannot run or produce a scan log because of interference from the virus, you can rename SREng.exe to 我爱小狮子.bat, 我爱小狮子.com or 我爱小狮子.scr.

For the individual, statistics, instruments and high-speed computers can give people a great deal of spare time.
What this society can least do without is modern management experience.

Re: Looks like I've got a virus, but nothing can find it. Please help

This one.

Attachment:

Downloads: 307
File type: text/plain
File size:
Uploaded: 2009-2-7 12:06:25
Description: txt


Reply to post #7 by 向暖

What is this?

Re: Looks like I've got a virus, but nothing can find it. Please help

[cmd.exe]
CommandLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2A.tmp.bat??
What did you run?

Upload the SREng log as described above. You uploaded the wrong file.

Re: Looks like I've got a virus, but nothing can find it. Please help

Sorry, it's this one.

Attachment:

File name: SREngLOG.log
Downloads: 254
File type: application/octet-stream
File size:
Uploaded: 2009-2-7 12:12:09
Description: log
