
[Help] I'm infected. Avira can detect it but can't remove it, so frustrating

一凡
Posted on 2008-4-18 12:11:01
Avira AntiVir Personal
Report file date: 2008年4月18日  11:19
Scanning for 1204777 virus strains and unwanted programs.
Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    LENOVO-4ADDBA58
Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes    2008-4-9 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes   2008-3-18 03:02:58
AVSCAN.DLL    : 8.1.1.0         53505 Bytes    2008-2-7 02:43:38
LUKE.DLL      : 8.1.2.9        151809 Bytes   2008-2-28 02:41:24
LUKERES.DLL   : 8.1.2.1         12033 Bytes   2008-2-21 02:28:42
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes   2007-7-18 06:36:36
ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes    2008-3-7 06:07:50
ANTIVIR2.VDF  : 7.0.3.156      795136 Bytes   2008-4-11 14:34:44
ANTIVIR3.VDF  : 7.0.3.176      153088 Bytes   2008-4-16 00:14:06
Engineversion : 8.1.0.30  
AEVDF.DLL     : 8.1.0.5        102772 Bytes   2008-2-26 23:31:14
AESCRIPT.DLL  : 8.1.0.23       233851 Bytes   2008-4-14 14:54:42
AESCN.DLL     : 8.1.0.13       115061 Bytes   2008-4-14 14:54:38
AERDL.DLL     : 8.1.0.19       418164 Bytes   2008-4-14 14:54:36
AEPACK.DLL    : 8.1.1.1        364918 Bytes   2008-4-14 14:54:30
AEOFFICE.DLL  : 8.1.0.17       192891 Bytes   2008-4-14 14:54:24
AEHEUR.DLL    : 8.1.0.18      1167735 Bytes   2008-4-14 14:54:22
AEHELP.DLL    : 8.1.0.12       115063 Bytes   2008-4-14 14:51:50
AEGEN.DLL     : 8.1.0.15       299379 Bytes   2008-4-14 14:51:48
AEEMU.DLL     : 8.1.0.5        430450 Bytes   2008-4-14 14:51:46
AECORE.DLL    : 8.1.0.26       168311 Bytes   2008-4-14 14:51:44
AVWINLL.DLL   : 1.0.0.7         14593 Bytes   2008-1-23 11:07:54
AVPREF.DLL    : 8.0.0.1         25857 Bytes   2008-2-18 04:37:52
AVREP.DLL     : 7.0.0.1        155688 Bytes   2007-4-16 07:26:48
AVREG.DLL     : 8.0.0.0         30977 Bytes   2008-1-23 11:07:50
AVARKT.DLL    : 1.0.0.23       307457 Bytes   2008-2-12 02:29:24
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes   2008-2-28 02:31:32
SQLITE3.DLL   : 3.3.17.1       339968 Bytes   2008-1-22 11:28:04
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes   2008-1-23 11:08:40
NETNT.DLL     : 8.0.0.1          7937 Bytes   2008-1-25 06:05:12
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes   2008-3-10 08:37:26
RCTEXT.DLL    : 8.0.32.0        86273 Bytes    2008-3-6 06:02:12
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: e:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:, F:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +JOKE,+SPR,
Start of the scan: 2008年4月18日  11:19
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ICalClk.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Returnil.exe' - '1' Module(s) have been scanned
Scan process 'fppdis2a.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'CplBCL50.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
26 processes with 26 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!
Boot sector 'D:\'
      [INFO]      No virus was found!
Boot sector 'E:\'
      [INFO]      No virus was found!
Boot sector 'F:\'
      [INFO]      No virus was found!
Starting to scan the registry.
The registry was scanned ( '26' files ).

Starting the file scan:
Begin scan in 'C:\' <系统>
C:\WINDOWS\system32\userinit.exe
      [WARNING]   The file could not be opened!
This is the file that has been hijacked by the virus; it keeps creating a fake Recycle Bin directory in the root of my C: drive.

C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!
Begin scan in 'D:\' <文件>
Begin scan in 'E:\' <软件>
Begin scan in 'F:\' <临时>
F:\pagefile.sys
      [WARNING]   The file could not be opened!

End of the scan: 2008年4月18日  11:34
Used time: 14:58 min
The scan has been done completely.
   4471 Scanning directories
  90207 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      3 Files cannot be scanned
  90207 Files not concerned
    433 Archives were scanned
      3 Warnings
      0 Notes

[ This post was last edited by jeccci5 on 2008-4-18 12:12 ]
mofunzone
Posted on 2008-4-18 12:11:48

Where is it..
一凡
Original poster | Posted on 2008-4-18 12:13:02
userinit.exe has been modified
su-tt
Posted on 2008-4-18 12:13:18
What do you mean? The report didn't find any virus.
一凡
Original poster | Posted on 2008-4-18 12:13:45
Also, this file can't be copied, compressed, duplicated, and so on, so I can't even submit it as a virus sample
su-tt
Posted on 2008-4-18 12:15:13
Can you work with the file in Safe Mode?
一凡
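Original poster | Posted on 2008-4-18 12:15:23
Originally posted by su-tt on 2008-4-18 12:13
What do you mean? The report didn't find any virus.

The report didn't find a virus, but a fake Recycle Bin virus keeps being created on my C: drive.
A normal userinit.exe file is signed; the userinit.exe in my system32 directory has no signature.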
一凡
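Original poster | Posted on 2008-4-18 12:16:58
Originally posted by su-tt on 2008-4-18 12:15
Can you work with the file in Safe Mode?

In Safe Mode I can copy it, and even if I copy a good userinit.exe file back into the system32 directory, as soon as I return to normal Windows mode I find the file has been modified again.
Also: can the file sptd.sys be deleted?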
su-tt
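Posted on 2008-4-18 12:21:11
Originally posted by jeccci5 on 2008-4-18 12:16

In Safe Mode I can copy it, and even if I copy a good userinit.exe file back into the system32 directory, as soon as I return to normal Windows mode I find the file has been modified again.
Also: can the file sptd.sys be deleted?
I suggest copying the infected userinit.exe to another drive and uploading it here for everyone to look at. sptd.sys seems to exist only when Daemon Tools is installed.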
gold2007
Posted on 2008-4-18 12:22:35
Try Dr. Web and see if it works.