瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 求助不言大侠:关于Rootkit.Vanti.gen病毒

12   1  /  2  页   跳转

求助不言大侠:关于Rootkit.Vanti.gen病毒

收藏
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-02 23:33 | 显示全部 短消息 资料
字号: 1楼

求助不言大侠:关于Rootkit.Vanti.gen病毒

不言大侠,看了你一些解决病毒的办法,将我的问题也提出来,希望你指教一下。
瑞星提示c:/windows/temp/lc.dll文件中了Rootkit.Vanti.gen 病毒,显示所有文件后在dos下删除该文件,重新启动后又出现该隐藏的lc.dll文件。回安全模式搜索不到lc.dll文件,安全模式下用ewido和瑞星查找不到病毒,注册表中搜索不到lc.dll服务。hijackthis扫描机器结果如下:

Logfile of HijackThis v1.99.1
Scan saved at 23:11:51, on 2006-5-2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\WINDOWS\system32\TPHANDLE.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O2 - BHO: CpapView Class - {77962960-536E-47EC-9DDB-52651519705F} - C:\WINDOWS\system32\cpap.dll (file missing)
O2 - BHO: win32core Class - {A297EEAE-A541-496B-B2AE-554AD0153B72} - C:\WINDOWS\system32\win32help01.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Documents and Settings\Bluewater\桌面\ex51\file\common\support\msdxm.ocx (file missing)
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - d:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SKYNET Personal FireWall] C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [iparmor] C:\Program Files\Iparmor\Iparmor.exe mini
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - D:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\qq\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\qq\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT]  中文上网
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: APIHookDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: rudll - Unknown owner - C:\Program Files\rudll1.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

IceSword扫描进程信息如下:
进程:

System Idle Process
System
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\RavMon.exe
C:\Program Files\Iparmor\Iparmor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Bluewater\桌面\IceSword1.12\IceSword.exe
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Tencent\TT\TTraveler.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SkyNet\FireWall\pfw.exe
C:\Program Files\racer-henan-cnc\racer.exe
C:\Program Files\racer-henan-cnc\RacerKp.exe
请帮忙解决,不胜感激!
最后编辑2006-05-03 23:40:24
分享到:
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 00:17 | 显示全部 短消息 资料
字号: 2楼

rudll1.exe文件我搜索不到,也不知道什么东西。刚刚我用IceSword附带的IsHelp测试程序发现进程C:\WINDOWS\System32\csrss.exe
和C:\Program Files\Internet Explorer\IEXPLORE.EXE
里面有关于lc.dll的信息,接下来应该怎么清除呀。

附件附件:

下载次数:258
文件类型:image/pjpeg
文件大小:
上传时间:2006-5-3 0:17:45
描述:
预览信息:EXIF信息
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 00:19 | 显示全部 短消息 资料
字号: 3楼

图2:

附件附件:

下载次数:277
文件类型:image/pjpeg
文件大小:
上传时间:2006-5-3 0:19:02
描述:
预览信息:EXIF信息
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 20:58 | 显示全部 短消息 资料
字号: 4楼

楼上的大侠,再给帮忙看看,这是System Repair Engineer 导出的记录,正在看怎么使用ssm,不知道这个记录能否看出是灰鸽子病毒
2006-05-03,20:47:30

System Repair Engineer 2.0.12.350 (2.0 RC 1)
    Windows XP Professional Service Pack 2 - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  <MsnMsgr><; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <load><; ?矹暨
词矵?    逷矵曐

? 耈砎??>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <nwiz><nwiz.exe /install>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <SKYNET Personal FireWall><C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <AlcWzrd><ALCWZRD.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <iparmor><C:\Program Files\Iparmor\Iparmor.exe mini>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <PHIME2002A><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  <PHIME2002ASync><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  <Userinit><C:\WINDOWS\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  <AppInit_DLLs><APIHookDll.dll>
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 20:59 | 显示全部 短消息 资料
字号: 5楼

还有:
==================================
启动文件夹
[Microsoft Office]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk><N>

==================================
服务
[Adobe LM Service / Adobe LM Service]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ewido security suite control / ewido security suite control]
  <C:\Program Files\ewido\security suite\ewidoctrl.exe><ewido networks>
[NVIDIA Display Driver Service / NVSvc]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[RsRavMon Service / RsRavMon]
  <"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[rudll / rudll]
  <2 - 系统找不到指定的文件。
><N/A>
[StarWind iSCSI Service / StarWindService]
  <C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe><Rocket Division Software>

==================================
浏览器加载项
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[IEHandle Class]
  {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} <C:\WINDOWS\system32\TPHANDLE.dll, N/A>
[CNNIC_IDN]
  {35980F6E-A137-4E50-953D-813BB8556899} <C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll, >
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <D:\Program Files\Tencent\qq\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[CpapView Class]
  {77962960-536E-47EC-9DDB-52651519705F} <C:\WINDOWS\system32\cpap.dll, N/A>
[win32core Class]
  {A297EEAE-A541-496B-B2AE-554AD0153B72} <C:\WINDOWS\system32\win32help01.dll, N/A>
[IeCatch2 Class]
  {A5366673-E8CA-11D3-9CD9-0090271D075B} <C:\PROGRA~1\FLASHGET\jccatch.dll, Amaze Soft>
[WMHlprObj Class]
  {F5824EFB-728A-4726-A5A5-85A68B20EDC3} <C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll, >
[CNNIC_IDN]
  {35980F6E-A137-4E50-953D-813BB8556899} <C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll, >
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <D:\Program Files\Tencent\qq\QQ.EXE, TENCENT>
[FlashGet]
  {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
[QQIEFloatBarCfgCmd Class]
  {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} <D:\Program Files\Tencent\qq\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[FlashGet Bar]
  {E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\Documents and Settings\Bluewater\桌面\ex51\file\common\support\msdxm.ocx, N/A>
[Dr.eye WebPage Translation]
  {92B255FE-94E2-4BCA-958D-3926CE38913F} <d:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL, >
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[IEHandle Class]
  {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} <C:\WINDOWS\system32\TPHANDLE.dll, N/A>
[CNNIC_IDN]
  {35980F6E-A137-4E50-953D-813BB8556899} <C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll, >
[QQBrowserHelperObject Class]
  {54EBD53A-9BC1-480B-966A-843A333CA162} <D:\Program Files\Tencent\qq\QQIEHelper.dll, 深圳市腾讯计算机系统有限公司>
[CpapView Class]
  {77962960-536E-47EC-9DDB-52651519705F} <C:\WINDOWS\system32\cpap.dll, N/A>
[Dr.eye WebPage Translation]
  {92B255FE-94E2-4BCA-958D-3926CE38913F} <d:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL, >
[win32core Class]
  {A297EEAE-A541-496B-B2AE-554AD0153B72} <C:\WINDOWS\system32\win32help01.dll, N/A>
[IeCatch2 Class]
  {A5366673-E8CA-11D3-9CD9-0090271D075B} <C:\PROGRA~1\FLASHGET\jccatch.dll, Amaze Soft>
[Microsoft Scriptlet Component]
  {AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\System32\mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, Macromedia, Inc.>
[FlashGet Bar]
  {E0E899AB-F487-11D5-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
[WMHlprObj Class]
  {F5824EFB-728A-4726-A5A5-85A68B20EDC3} <C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll, >
[上传到QQ网络硬盘]
  <D:\Program Files\Tencent\qq\AddToNetDisk.htm, N/A>
[使用网际快车下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
  <D:\Program Files\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
  <D:\Program Files\Tencent\qq\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <D:\Program Files\Tencent\qq\SendMMS.htm, N/A>
[用比特精灵下载(&B)]
  <D:\Program Files\BitSpirit\bsurl.htm, N/A>
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 20:59 | 显示全部 短消息 资料
字号: 6楼

还有:
==================================
正在运行的进程
[PID: 604][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 656][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 680][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 724][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 736][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 896][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 976][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1072][C:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 1088][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1172][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1252][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1304][C:\Program Files\Rising\Rav\Ravmond.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 19>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RsLog.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
    [C:\Program Files\Rising\Rav\HOOKSYS.dll]  <Rising><18, 1, 0, 9>
    [C:\Program Files\Rising\Rav\Scanner.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 28>
    [C:\Program Files\Rising\Rav\libload.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\VirusLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\regmon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\HookWeb.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\MemMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 8>
    [C:\Program Files\Rising\Rav\expscan.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\mPorts.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 3>
    [C:\Program Files\Rising\Rav\MailMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Rising\Rav\SpamEng.dll]  <N/A><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\engine.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 26>
    [C:\Program Files\Rising\Rav\PostTrt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 9>
    [C:\Program Files\Rising\Rav\UnExe.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 11>
    [C:\Program Files\Rising\Rav\ScanExec.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\ScanEx.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\NvFile.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\ScanMac.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\ScanSct.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Rising\Rav\Unpacker.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\Program Files\Rising\Rav\ExtOLE.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Rising\Rav\ScanNet.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Rising\Rav\RsStore.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
[PID: 1536][C:\WINDOWS\system32\spoolsv.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\EBPMON24.DLL]  <SEIKO EPSON CORPORATION><5, 4, 0, 0>
[PID: 1760][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\ewido\security suite\shellhook.dll]  <N/A><N/A>
    [D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  <Adobe Systems, Inc.><7.0.0.0>
    [C:\WINDOWS\System32\nvcpl.dll]  <NVIDIA Corporation><6.14.10.8040>
    [C:\WINDOWS\System32\nvshell.dll]  <NVIDIA Corporation><6.14.10.10525>
    [D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  <Adobe Systems Incorporated><7.0.5.2005092300>
    [C:\PROGRA~1\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
[PID: 1896][C:\Program Files\ewido\security suite\ewidoctrl.exe]  <ewido networks><3, 0, 0, 1>
    [C:\Program Files\ewido\security suite\lang.dll]  <privat><1, 0, 0, 1>
[PID: 1976][C:\WINDOWS\System32\nvsvc32.exe]  <NVIDIA Corporation><6.14.10.8040>
[PID: 2012][C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe]  <Rocket Division Software><2.6.1 Build 0x20050401>
[PID: 232][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 364][C:\PROGRA~1\SKYNET\FIREWALL\pfw.exe]  <广州众达天网技术有限公司><2.7.6.1001>
    [C:\PROGRA~1\SKYNET\FIREWALL\SKYMISC.DLL]  <N/A><N/A>
[PID: 416][C:\Program Files\Rising\Rav\RavTask.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
[PID: 516][C:\Program Files\Rising\Rav\Ravmon.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 17>
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[PID: 392][C:\Program Files\Iparmor\Iparmor.exe]  <N/A><N/A>
    [C:\Program Files\Iparmor\getportlistxp.dll]  <><1, 0, 0, 1>
    [C:\Program Files\Iparmor\socketinit.dll]  <N/A><N/A>
    [C:\Program Files\Iparmor\hookhookdll.dll]  <N/A><N/A>
[PID: 624][C:\WINDOWS\system32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 448][C:\WINDOWS\System32\alg.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 488][C:\Program Files\racer-henan-cnc\racer.exe]  <Putian Runway><2, 0, 51, 92>
    [C:\Program Files\racer-henan-cnc\rwxre.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\nspr4.dll]  <Netscape Communications Corporation><4.5 Beta>
    [C:\Program Files\racer-henan-cnc\xpcom.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\nss3.dll]  <Netscape Communications Corporation><3.9.1>
    [C:\Program Files\racer-henan-cnc\softokn3.dll]  <Netscape Communications Corporation><3.9.1>
    [C:\Program Files\racer-henan-cnc\gkgfx.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\js3250.dll]  <Netscape Communications Corporation><4.0>
    [C:\Program Files\racer-henan-cnc\components\racer_base_comp.dll]  <Putian Runway><2,0,47,87>
    [C:\Program Files\racer-henan-cnc\xpcom_compat.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\racer_base.dll]  <Putian Runway><2,0,47,87>
    [C:\Program Files\racer-henan-cnc\components\pipnss.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\components\gklayout.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\components\jar50.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\components\xpcom_compat_c.dll]  <Mozilla Foundation><1.7.3: 2005040616>
    [C:\Program Files\racer-henan-cnc\components\racer_ad_comp.dll]  <Putian Runway><2,0,47,87>
    [C:\Program Files\racer-henan-cnc\components\racer_access_dhcpplus.dll]  <Putian Runway><2,0,47,87>
    [C:\Program Files\racer-henan-cnc\dhcpplus.dll]  <北京润汇科技有限公司><0, 13, 21, 45>
    [C:\Program Files\racer-henan-cnc\components\racer_nss4_comp.dll]  <Putian Runway><2,0,47,87>
    [C:\Program Files\racer-henan-cnc\nss4.dll]  <北京普天润汇科技有限公司><1, 0, 0, 3>
    [C:\Program Files\racer-henan-cnc\wpcap.dll]  <Politecnico di Torino><3, 0, 0, 18>
    [C:\Program Files\racer-henan-cnc\pthreadVC.dll]  <N/A><N/A>
    [C:\Program Files\racer-henan-cnc\packet.dll]  <Politecnico di Torino><3, 0, 0, 18>
[PID: 728][C:\Program Files\Rising\Rav\RavStub.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
[PID: 3556][C:\Program Files\racer-henan-cnc\RacerKp.exe]  <北京润汇科技有限公司><1, 0, 0, 1>
[PID: 3776][D:\Program Files\Tencent\TT\TTraveler.exe]  <腾讯公司><2, 2, 0, 224>
    [D:\Program Files\Tencent\TT\PersonalDesktop.dll]  <深圳市腾讯计算机系统公司QQ工作小组><1, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\WINDOWS\system32\macromed\flash\flash.ocx]  <Macromedia, Inc.><6,0,79,0>
[PID: 4048][C:\WINDOWS\system32\wuauclt.exe]  <Microsoft Corporation><5.4.3790.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1768][C:\Documents and Settings\Bluewater\桌面\sreng2\SREng.exe]  <Smallfrogs Studio><2.0.12.350>

==================================
文件关联
.TXT  Error. [Notepad.exe "%1" ]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  Error. [超级解霸3000]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 22:07 | 显示全部 短消息 资料
字号: 7楼

怪了,我什么也没有操作,就是照5楼高手说的用System Repair Engineer扫描了一下系统信息,然后下载了个ssm装上准备研究一下怎么杀吊系统进程csrss.exe里面的lc.dll,可我还没看明白ssm怎么用那,结果发现c:/windows/temp/里面的那个隐藏文件lc.dll启动后没有了,这个怎么回事?我用瑞星又查了一遍,也不提示有Rootkit.Vanti.gen 病毒了,真的搞不明白呀!
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 22:18 | 显示全部 短消息 资料
字号: 8楼

那个乱码就是用System Repair Engineer点启动项目后提示什么注册表非空出了2项我就一直确定,结果注册表run里面就是乱码,我也不知道怎么回事,刚给删掉这些东西,再运行System Repair Engineer点启动项目后又出现,附图如下,这是什么意思?

附件附件:

下载次数:273
文件类型:image/pjpeg
文件大小:
上传时间:2006-5-3 22:18:28
描述:
预览信息:EXIF信息
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 22:18 | 显示全部 短消息 资料
字号: 9楼

图2;

附件附件:

下载次数:160
文件类型:image/pjpeg
文件大小:
上传时间:2006-5-3 22:18:56
描述:
预览信息:EXIF信息
gototop
 
qrabbit
头像
初生襁褓狮
  • 帖子:18
  • 注册: 2006-05-02
  • 来自:
发表于: 2006-05-03 22:39 | 显示全部 短消息 资料
字号: 10楼

我也想知道
gototop
 
<<上一主题|下一主题>>
12   1  /  2  页   跳转
页面顶部
Powered by Discuz!NT