瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 中了trojan.spy.vidro.b病毒怎么办??

12   1  /  2  页   跳转

中了trojan.spy.vidro.b病毒怎么办??

收藏
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-23 12:02 | 显示全部 短消息 资料
字号: 1楼

中了trojan.spy.vidro.b病毒怎么办??

瑞星每次都能杀,当一开机又有了!
病毒所在的文件名 文件路径
csrss.exe csrss>>\??\C:\WINDOWS\system32\csrss
Explorer.EXE Explorer.EXE\C:\WINDOWS\Explorer.EXE
最后编辑2006-03-24 20:26:31
分享到:
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-23 13:32 | 显示全部 短消息 资料
字号: 2楼

请问有没有什么方法删除,病毒在内存条里
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-23 14:42 | 显示全部 短消息 资料
字号: 3楼

不知道应该如何查看进程模块?
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-23 14:44 | 显示全部 短消息 资料
字号: 4楼

用HijackThis是吧?我试试
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-23 14:46 | 显示全部 短消息 资料
字号: 5楼

哦,好,我去下载一个
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-24 13:43 | 显示全部 短消息 资料
字号: 6楼

我用icesword看了进程
进程:

System Idle Process
System
C:\WINDOWS\System32\SMSS.EXE
C:\WINDOWS\System32\CSRSS.EXE
C:\WINDOWS\System32\WINLOGON.EXE
C:\WINDOWS\System32\SERVICES.EXE
C:\WINDOWS\System32\LSASS.EXE
C:\WINDOWS\System32\SVCHOST.EXE
D:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\WService.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
D:\Program Files\Rising\Rav\RavMonD.exe
D:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\SPOOLSV.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\3721\assistse.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Rising\Rav\RavStub.exe
D:\Program Files\Rising\Rfw\rfwmain.exe
C:\WINDOWS\System32\ALG.EXE
D:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\System32\NVSVC32.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\dmbwo.exe
D:\Program Files\Rising\Rav\RavMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\JRE\BIN\javaw.exe
C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\ice\IceSword\IceSword.exe
不知道哪个是可疑的?dmbwo.exe是病毒么?
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-24 14:35 | 显示全部 短消息 资料
字号: 7楼

下一步应该结束它的进程吗?
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-24 15:12 | 显示全部 短消息 资料
字号: 8楼

555没办法啊……就是不太明白……我再看下
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-24 15:54 | 显示全部 短消息 资料
字号: 9楼

2006-03-24,15:49:15

System Repair Engineer 2.0.12.350 (2.0 RC 1)
    Windows XP Professional Service Pack 1 - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <MSMSGS><rem "C:\Program Files\Messenger\msmsgs.exe" /background>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <SubOlccr><C:\PROGRAM FILES\UCPEN\SubOlccr.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <MsnMsgr><rem "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <WareOut><rem "C:\Program Files\WareOut\WareOut.exe">
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <WhatsNewBot><bingo9.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <ms-its><ActionScr.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <sysconf16><wormexe.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <Yahoo! Pager><"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <load><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <NvCplDaemon><rem RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <nwiz><rem nwiz.exe /install>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <SoundMan><SOUNDMAN.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <StatusClient 2.6><C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <TomcatStartup 2.5><C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <OrderReminder><C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <WService><WService.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <helper.dll><C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <assistse><"C:\PROGRA~1\3721\assistse.exe">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <CnsMin><Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <HP Software Update><C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <BigDogPath><C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <utsgmon><Testimonials.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <DCC_send><NopeZ.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <RfwMain><"D:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <RavTask><"D:\Program Files\Rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <Desktop><C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <dmbwo.exe><C:\WINDOWS\System32\dmbwo.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <shell><EXPLORER.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <Userinit><C:\WINDOWS\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><>
gototop
 
阿考ak47
头像
初生襁褓狮
  • 帖子:21
  • 注册: 2006-03-22
  • 来自:
发表于: 2006-03-24 15:58 | 显示全部 短消息 资料
字号: 10楼

正在运行的进程
[PID: 476][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 524][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 548][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 592][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 604][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.1106 (xpsp1.020828-1920)>
[PID: 796][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 832][D:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 848][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 968][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 992][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.0 (xpclient.010817-1148)>
[PID: 1008][D:\Program Files\Rising\Rav\Ravmond.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 16>
    [D:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [D:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [D:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [D:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [D:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [D:\Program Files\Rising\Rav\RsLog.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
    [D:\Program Files\Rising\Rav\HOOKSYS.dll]  <Rising><18, 1, 0, 9>
    [D:\Program Files\Rising\Rav\Scanner.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 28>
    [D:\Program Files\Rising\Rav\libload.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [D:\Program Files\Rising\Rav\VirusLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [D:\Program Files\Rising\Rav\regmon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [D:\Program Files\Rising\Rav\HookWeb.dll]  <rising><18, 0, 0, 1>
    [D:\Program Files\Rising\Rav\MemMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 8>
    [D:\Program Files\Rising\Rav\expscan.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [D:\Program Files\Rising\Rav\mPorts.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 3>
    [D:\Program Files\Rising\Rav\MailMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [D:\Program Files\Rising\Rav\SpamEng.dll]  <N/A><18, 0, 0, 6>
    [D:\Program Files\Rising\Rav\engine.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 26>
    [D:\Program Files\Rising\Rav\PostTrt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [D:\Program Files\Rising\Rav\UnExe.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [D:\Program Files\Rising\Rav\ScanExec.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 8>
    [D:\Program Files\Rising\Rav\ScanEx.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [D:\Program Files\Rising\Rav\NvFile.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [D:\Program Files\Rising\Rav\ScanMac.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [D:\Program Files\Rising\Rav\ScanSct.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [D:\Program Files\Rising\Rav\Unpacker.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 1068][d:\program files\rising\rfw\rfwsrv.exe]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 30>
    [d:\program files\rising\rfw\RfwRule.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 12>
    [d:\program files\rising\rfw\rfwlog.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 6>
    [d:\program files\rising\rfw\Rfwdrv.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 21>
    [d:\program files\rising\rfw\MonDrv.dll]  <rs><1, 0, 0, 4>
    [d:\program files\rising\rfw\ProcLib.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 9>
[PID: 1316][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2800.1106 (xpsp1.020828-1920)>
    [C:\WINDOWS\downlo~1\CnsMin.dll]  <北京三七二一科技有限公司><1, 5, 2, 6>
    [C:\PROGRA~1\3721\helper.dll]  <><1, 0, 9, 1324>
    [C:\PROGRA~1\3721\alrex.dll]  <><1, 0, 0, 1>
    [C:\WINDOWS\downlo~1\CnsHook.dll]  <北京三七二一科技有限公司><1, 0, 2, 5>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  <Adobe Systems, Inc.><7.0.0.0>
    [C:\WINDOWS\System32\nvshell.dll]  <NVIDIA Corporation><6.14.10.5303>
    [C:\WINDOWS\System32\NVWRSZHC.DLL]  <NVIDIA Corporation><6.14.10.5303>
    [C:\PROGRA~1\3721\autolive.dll]  <><1, 1, 2, 1023>
    [C:\PROGRA~1\3721\alLiveEx.dll]  < ><1, 0, 0, 1>
    [C:\PROGRA~1\3721\Assist\asbar.dll]  <3721><1, 0, 1, 1001>
    [C:\PROGRA~1\3721\assist\asnoad.dll]  <><1, 0, 0, 9>
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  <Adobe Systems Incorporated><7.0.0.2004121400>
    [C:\Herosoft\HeroV8\VCvtShell.dll]  <herosoft><1, 0, 0, 1>
    [C:\PROGRA~1\3721\assist\repair.dll]  <北京三七二一科技有限公司><1, 0, 4, 1001>
    [C:\PROGRA~1\3721\assist\asfsks.dll]  <3721.com><2, 1, 1, 87>
    [C:\PROGRA~1\3721\assist\optimum.dll]  <N/A><N/A>
    [c:\progra~1\3721\assist\adfilter.dll]  < ><1, 0, 1, 6>
    [C:\PROGRA~1\3721\assist\assecblk.dll]  <3721><1, 0, 0, 9>
    [C:\PROGRA~1\3721\Assist\XPStyle.dll]  <N/A><N/A>
[PID: 1424][C:\WINDOWS\system32\spoolsv.exe]  <Microsoft Corporation><5.1.2600.0 (XPClient.010817-1148)>
    [C:\WINDOWS\system32\hppcappm.dll]  <Hewlett-Packard><1, 0, 11, 100>
    [C:\WINDOWS\system32\LTKRN11n.dll]  <LEAD Technologies, Inc.><11.5.0.012>
    [C:\WINDOWS\system32\LTFIL11n.DLL]  <LEAD Technologies, Inc.><11.5.0.012>
    [C:\WINDOWS\system32\HPBMMON.DLL]  <Hewlett-Packard><10.00.16>
    [C:\WINDOWS\system32\hpdomon.dll]  <Hewlett-Packard><03.42.00>
    [C:\WINDOWS\system32\HPBHealr.dll]  <N/A><N/A>
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\HPPRN05.DLL]  <Hewlett-Packard Corporation><60.5.36.2>
    [C:\WINDOWS\system32\hppadt40.dll]  <HP><7, 0, 5, 0>
    [C:\WINDOWS\system32\HPZidr12.dll]  <HP><7, 0, 5, 0>
    [C:\WINDOWS\system32\hpbmmjno.dll]  <Hewlett-Packard><00.01.00>
gototop
 
<<上一主题|下一主题>>
12   1  /  2  页   跳转
页面顶部
Powered by Discuz!NT