Thread starter: sweetsea

[Virus sample] The malware my computer picked up recently

sweetsea
Thread starter | Posted on 2008-10-28 20:40:58
These infections came in through messages sent over QQ (old machine, no antivirus installed).


After disinfecting and rebooting, the RPC service would not start, the taskbar was broken, copy, cut and paste no longer worked, and the network was unusable...



In the end I reinstalled the system. Today I found a way to fix the problem, and rather than keep it to myself I am posting it here for reference.
Copy a clean rpcss.dll from an installation of the same operating system version into C:\WINDOWS\system32.


Save the following as a .reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="提供终结点映射程序 (endpoint mapper) 以及其它 RPC 服务。"
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
63,00,73,00,73,00,00,00
"ObjectName"="NT AUTHORITY\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,02,00,00,00,60,ea,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS\0000]
"Service"="RpcSs"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Remote Procedure Call (RPC)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"

Then double-click it to import it into the registry.
Next, in cmd, use sc to bring the service back (the service is addressed by its key name RpcSs, not its display name, and the value after binPath= must be quoted because it contains spaces):
sc config RpcSs binPath= "c:\windows\system32\svchost.exe -k rpcss" start= auto
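The .reg fix above stores ImagePath and ServiceDll as hex(2) (REG_EXPAND_SZ) byte lists, so the paths it sets are not visible at a glance. The following Python is an added example, not code from the thread: it decodes those values from a constructed excerpt of the post's own .reg text and flags an RpcSs entry whose host command or service DLL is not the stock one, which is the check worth running before importing a fix like this on a machine that had its service DLLs tampered with. The RPCSS and EXPECTED constants and the check_rpcss function are my own names.

```python
# Constructed excerpt of the post's .reg fix (its two hex(2) values), used as sample input.
REG_TEXT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
63,00,73,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"""
RPCSS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs"
EXPECTED = {"ImagePath": r"%systemroot%\system32\svchost -k rpcss",   # stock XP values
            "ServiceDll": r"%systemroot%\system32\rpcss.dll"}

def decode_hex2(value):
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes ending in a NUL."""
    data = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")

def parse_reg(text):
    """Return {section: {name: value}}; hex(2) values are decoded, others kept raw."""
    lines, result, section = [], {}, None
    for raw in text.splitlines():  # rejoin lines continued with a trailing backslash
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result[section] = {}
        elif line.startswith('"') and section is not None:
            name, _, value = line.partition("=")
            if value.startswith("hex(2):"):
                value = decode_hex2(value[len("hex(2):"):])
            result[section][name.strip('"')] = value
    return result

def check_rpcss(parsed):
    """Return (ok, findings): a hijacked service shows a different DLL or host command."""
    values = {"ImagePath": parsed.get(RPCSS, {}).get("ImagePath", ""),
              "ServiceDll": parsed.get(RPCSS + r"\Parameters", {}).get("ServiceDll", "")}
    findings = [f"unexpected {k}: {v}" for k, v in values.items()
                if v.lower() != EXPECTED[k]]
    return not findings, findings

if __name__ == "__main__":
    print(check_rpcss(parse_reg(REG_TEXT)))  # (True, [])
```

Exporting the live RpcSs key with `reg export` and feeding the file to parse_reg gives the same check against what is actually configured.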
328397663
Posted on 2008-10-29 15:20:38

Reply to post #1 by sweetsea

Hello,

reg.bak,
reg.bak,
reg.bak,
SYS05020.ADD

No malicious code was found in these files.
liu5678
Posted on 2008-11-2 17:31:13
OP, this password you put on it...
As soon as I extracted it, 小A just kept alerting and alerting and alerting.
It would not stop.
风云 also kept prompting that something wanted to create a SYS file.
When extraction finished, I found only a single .AD file left.
leonfg
Posted on 2008-11-2 20:59:36
ESET 13
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\22D75360.DLL - Win32/PSW.OnLineGames.NRD trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\3474A8C2.DLL - Win32/PSW.OnLineGames.NRD trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\495271CA.DLL - Win32/PSW.OnLineGames.NRD trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\5102A80.SYS - Win32/PSW.Agent.NIM trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\8566F82E.DLL - Win32/PSW.OnLineGames.NRD trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\9FD8DB.SYS - Win32/PSW.Agent.NIM trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\E4814792.DLL - Win32/PSW.OnLineGames.NRD trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\GDIPRO.DLL - Win32/PSW.OnLineGames.NQY trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\HBQQXX.DLL - Win32/PSW.OnLineGames.NRS trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\HBWD.DLL - Win32/PSW.OnLineGames.NRG trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\HBWOW.DLL - Win32/PSW.WOW.CAN trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\SYS05020.DLL - Win32/PSW.OnLineGames.NRK trojan
C:\Documents and Settings\GUNDAM\桌面\25_200810270058120722\C\WINDOWS\SYSTEM32\SYSTEM.EXE - Win32/PSW.OnLineGames.NRF trojan