收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 原创工具区 新近中招,请各位高手帮帮眼orz
12
返回列表 发新帖
楼主: momowie
 收起左侧

新近中招,请各位高手帮帮眼orz

[复制链接]
风雪
发表于 2007-10-5 09:35:46 | 显示全部楼层
http://www.arswp.com/download/arswp2/arswp2.zip    升级
http://down.[url]www.kingsoft.com/db/download/othertools/DubaTool_AV_Killer2.COM[/url]
System Repair Engineer2.5(SREng)或者System Repair Engineer2.5(SREng)下载System Repair Engineer2.5扫描日志上来.
如果不能运行将下载的SREngPS.EXE重命名为SREngPS.com(SREngPS.scr\SREngPS.bat\SREngPS.pif)或者改名为11BD.abc等等自己随便改运行.
sreng——智能扫描——扫描——保存日志——打开日志记事本SREngLOG——Ctrl+A——Ctrl+C——到论坛回复——Ctrl+V。
回复

举报

momowie
 楼主| 发表于 2007-10-11 19:07:34 | 显示全部楼层

所谓孽缘...

昨天中了rising700.exe,(worm.p2p.generic),window目录下生成rsmyepm.exe,system32生成rsmyepm.dll,ravlive.exe等文件(rsmyepm.dll难以删除,)
System Repair Engineer2.5安全模式下日志如下(ps启动项中AppInitDll被改成了rsmyepm.dll正常应该为空,SREng提示是病毒)
  1. 2007-10-11,18:08:01

  3. System Repair Engineer 2.5.16.900
  4. Smallfrogs (http://www.KZTechs.com)

  6. Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

  8. 以下内容被选中:
  9.     所有的启动项目(包括注册表、启动文件夹、服务等)
  10.     浏览器加载项
  11.     正在运行的进程(包括进程模块信息)
  12.     文件关联
  13.     Winsock 提供者
  14.     Autorun.inf
  15.     HOSTS 文件
  16.     进程特权扫描


  19. 启动项目
  20. 注册表
  21. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  22.       [(Verified)Microsoft Windows Publisher]
  23. [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  24.     <>  [N/A]
  25. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  26.     <"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe">  [Kaspersky Lab]
  27.     <!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized>  [(Verified)GRISOFT LTD]
  28. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  29.       [N/A]
  30. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  31.       [(Verified)Microsoft Windows Publisher]
  32.       [(Verified)Microsoft Windows Publisher]
  33. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  34.       []
  35. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  36.       [(Verified)Microsoft Windows Publisher]
  37. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  38.     <{AEB6717E-7E19-11d0-97EE-00C04FD91972}>  [(Verified)Microsoft Windows Publisher]
  39.     <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}>  [(Verified)GRISOFT LTD]
  40.     <{5E32FA58-3453-FA2D-BC49-F340348ACCE5}>  []
  41. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  42.     <%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
  43.     <%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
  44.     <%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
  45.       [(Verified)Microsoft Windows Publisher]
  46. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
  47.       [(Verified)Microsoft Windows Publisher]
  48. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
  49.       [(Verified)Microsoft Windows Publisher]
  50. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
  51.       [(Verified)Microsoft Windows Publisher]
  52. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
  53.       [Kaspersky Lab]
  54. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
  55.       [(Verified)Microsoft Windows Publisher]
  56. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
  57.       [(Verified)Microsoft Windows Publisher]
  58. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
  59.       [(Verified)Microsoft Windows Publisher]
  60. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
  61.       [(Verified)Microsoft Windows Publisher]
  62. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
  63.       [(Verified)Microsoft Windows Publisher]
  64. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
  65.       [(Verified)Microsoft Windows Publisher]
  66. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
  67.     <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Publisher]
  68.     <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Publisher]
  69. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
  70.       [(Verified)Microsoft Windows Publisher]
  71. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
  72.     <浏览器自定义组件>  [(Verified)Microsoft Windows Publisher]
  73. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
  74.     <%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
  75. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
  76.       [(Verified)Microsoft Windows Publisher]
  77. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
  78.     <%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]
  79. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
  80.       [Microsoft Corporation]

  82. ==================================
  83. 启动文件夹
  84. N/A

  86. ==================================
  87. 服务
  88. [AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
  89.   
  90. [卡巴斯基反病毒6.0个人版 / AVP][Stopped/Auto Start]
  91.   <"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r>
  92. [Human Interface Device Access / HidServ][Stopped/Disabled]
  93.   %SystemRoot%\System32\hidserv.dll>

  95. ==================================
  96. 驱动程序
  97. [360TimeProt / 360TimeProt][Stopped/Auto Start]
  98.   <\??\C:\WINDOWS\system32\drivers\360TimeProt.sys>
  99. [Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  100.   
  101. [AliIde / AliIde][Stopped/Boot Start]
  102.   <\SystemRoot\System32\DRIVERS\aliide.sys>
  103. [标准 IDE/ESDI 硬盘控制器 / atapi][Running/Boot Start]
  104.   <\SystemRoot\system32\DRIVERS\atapi.sys>
  105. [AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Stopped/System Start]
  106.   <\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys>
  107. [AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  108.   
  109. [CmdIde / CmdIde][Running/Boot Start]
  110.   <\SystemRoot\System32\DRIVERS\cmdide.sys>
  111. [d346bus / d346bus][Running/Boot Start]
  112.   <\SystemRoot\system32\DRIVERS\d346bus.sys><>
  113. [d346prt / d346prt][Running/Boot Start]
  114.   <\SystemRoot\System32\Drivers\d346prt.sys><>
  115. [kl1 / kl1][Stopped/Boot Start]
  116.   <\SystemRoot\system32\drivers\kl1.sys>
  117. [klif / klif][Stopped/System Start]
  118.   <\??\C:\WINDOWS\system32\drivers\klif.sys>
  119. [MegaIDE / MegaIDE][Running/Boot Start]
  120.   <\SystemRoot\System32\DRIVERS\MegaIDE.sys>
  121. [nv / nv][Stopped/Manual Start]
  122.   
  123. [NVIDIA nForce MCP Networking Controller Driver / NVENET][Stopped/Manual Start]
  124.   
  125. [Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]
  126.   
  127. [Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  128.   
  129. [Secdrv / Secdrv][Stopped/Manual Start]
  130.   
  131. [TCP/IP Protocol Driver / Tcpip][Stopped/System Start]
  132.   
  133. [TSP / TSP][Stopped/Manual Start]
  134.   <\??\C:\WINDOWS\system32\drivers\klif.sys>
  135. [ViaIde / ViaIde][Running/Boot Start]
  136.   <\SystemRoot\system32\DRIVERS\viaide.sys>

  138. ==================================
  139. 浏览器加载项
  140. [Adobe PDF Reader Link Helper]
  141.   {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
  142. [NTIECatcher Class]
  143.   {C56CB6B0-0D96-11D6-8C65-B2868B609932}
  144. [Web反病毒统计]
  145.   {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
  146. [信息检索(&R)]
  147.   {92780B25-18CC-41C8-B9BE-3C9C571A8263}
  148. [Windows Live Photo Upload Control]
  149.   {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
  150. [RealPlayer G2 Control]
  151.   {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
  152. [Shockwave Flash Object]
  153.   {D27CDB6E-AE6D-11CF-96B8-444553540000}
  154. [Adobe PDF Reader Link Helper]
  155.   {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
  156. [NTIECatcher Class]
  157.   {C56CB6B0-0D96-11D6-8C65-B2868B609932}
  158. [使用影音传送带下载]
  159.   
  160. [使用影音传送带下载全部链接]
  161.   
  162. [导出到 Microsoft Office Excel(&X)]
  163.   

  165. ==================================
  166. 正在运行的进程
  167. [PID: 152][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  168. [PID: 220][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  169. [PID: 244][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  170.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  171.     [C:\WINDOWS\system32\klogon.dll]  [Kaspersky Lab, 6.0.2.621]
  172.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  173.     [C:\WINDOWS\system32\UNISPIM.IME]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  174.     [C:\WINDOWS\system32\upengine.dll]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  175. [PID: 292][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  176.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  177.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  178. [PID: 304][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  179.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  180.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  181. [PID: 460][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  182.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  183.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  184. [PID: 528][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  185.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  186.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  187. [PID: 592][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe]  [GRISOFT s.r.o., 7, 5, 1, 22]
  188.     [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll]  [GRISOFT s.r.o., 4, 2, 0, 19]
  189.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  190. [PID: 640][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
  191.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  192.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  193. [PID: 824][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  194.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  195.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  196.     [C:\WINDOWS\system32\UNISPIM.IME]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  197.     [C:\WINDOWS\system32\upengine.dll]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  198.     [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
  199.     [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [GRISOFT s.r.o., 7, 5, 1, 36]
  200. [PID: 1052][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, ]
  201.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  202.     [C:\WINDOWS\system32\UNISPIM.IME]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  203.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  204.     [C:\WINDOWS\system32\upengine.dll]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  205. [PID: 1072][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.734\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
  206.     [C:\WINDOWS\system32\rsmyepm.dll]  [N/A, ]
  207.     [C:\WINDOWS\system32\UNISPIM.IME]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  208.     [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  209.     [C:\WINDOWS\system32\upengine.dll]  [北京清华紫光软件股份有限公司, 3.0.0.3045]
  210.     [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.734\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

  212. ==================================
  213. 文件关联
  214. .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  215. .EXE  OK. ["%1" %*]
  216. .COM  OK. ["%1" %*]
  217. .PIF  OK. ["%1" %*]
  218. .REG  OK. [regedit.exe "%1"]
  219. .BAT  OK. ["%1" %*]
  220. .SCR  OK. ["%1" /S]
  221. .CHM  OK. ["C:\WINDOWS\hh.exe" %1]
  222. .HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
  223. .INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  224. .INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  225. .VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
  226. .JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
  227. .LNK  OK. [{00021401-0000-0000-C000-000000000046}]

  229. ==================================
  230. Winsock 提供者
  231. N/A

  233. ==================================
  234. Autorun.inf
  235. N/A

  237. ==================================
  238. HOSTS 文件
  239. 127.0.0.1       localhost

  241. ==================================
  242. 进程特权扫描
  243. 特殊特权被允许: SeLoadDriverPrivilege [PID = 1052, C:\PROGRAM FILES\WINRAR\WINRAR.EXE]

  245. ==================================
  246. API HOOK
  247. N/A

  249. ==================================
  250. 隐藏进程
  251. N/A

  253. ==================================
复制代码
回复

举报

风雪
发表于 2007-10-11 20:03:05 | 显示全部楼层
用xdelbox(http://www.i170.com/attach/97670969-F47C-4A8B-9529-F0F602EFA902下载)删除下面文件(按住鼠标左键向下拖动,用鼠标从第一行拖动从上往下到最后一行,右键复制,或者(添入“文件路径”点击“添加”路径),在xdelbox窗口空白处点右键-从剪贴板导入,在抑制再生前打钩,在要删除文件上点击右键,选择立刻重启删除,如果有提示不用理会,确定。运行xdelbox前最好卸载所有可移动存储介质(包括U盘,MP3,手机存储卡等))。
C:\WINDOWS\system32\rsmyepm.dll
C:\WINDOWS\rising700.exe
C:\WINDOWS\system32\rsmyepm.exe
C:\WINDOWS\system32\ravlive.exe

然后再扫描日志上来,你的日志跟本无法看。
回复

举报

12
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-3-19 15:01 , Processed in 0.085775 second(s), 19 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表