Views: 4584 | Replies: 7

[Discussion] Can anyone tell which virus is able to get into .gho files under DOS?

liwenj14
Posted on 2007-1-28 14:15:59
Today I took a tool hard drive with clone packages on it to help a customer restore a system. I didn't expect the virus on the customer's machine to be so nasty: every clone package on my drive ended up carrying the virus, and every system restored from those clone packages loaded the customer's desktop and some of that machine's software!
Start of the scan: January 28, 2007  13:09

Start scanning boot sectors:
Boot sector 'F:\'
      [NOTE]      No virus was found!

Starting the file scan:

Begin scan in 'F:\'
F:\WINDOWS\iexpl0re.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\iexp1ore.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp6296.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp697.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\wsye.exe
      [DETECTION] Is the Trojan horse TR/Agent.13824.11
      [INFO]      The file was deleted!
F:\WINDOWS\winlog0n.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp1019.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp359.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp3085.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\svohost.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp7.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp8668.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp8760.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\winlgon.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\Dz.exe
      [DETECTION] Is the Trojan horse TR/Crypt.Np.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp6009.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp100.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp880.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\G_SERVER2006KEY.DLL
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp9478.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp8631.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\~tmp3402.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\svohost.DLL
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\WINDOWS\synn.exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '462a318e.qua'!
F:\WINDOWS\wstti.exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46303188.qua'!
F:\WINDOWS\rund1132.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\cns.dat
      [DETECTION] Contains signature of the application APPL/Inst.Yok.3
      [INFO]      The file was deleted!
F:\WINDOWS\system32\cns.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
      [INFO]      The file was deleted!
F:\WINDOWS\system32\cns.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcsk.dll
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcs.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcs.dll
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\cq.exe
      [DETECTION] Is the Trojan horse TR/PSW.LdPinch.jm1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\WWSSsd.dll
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\MgSyr.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.OL.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcse.exe
      [DETECTION] Is the Trojan horse TR/Hijack.Explor.1885
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcsi.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\Rpcsi.dll
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\system32\3D01A431.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Crypti.FV.2
      [INFO]      The file was deleted!
F:\WINDOWS\system32\3D01A431.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Crypti.FV.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\3D01A431T.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Crypti.FV.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\BDWin.dll
      [DETECTION] Is the Trojan horse TR/Spy.Agent.OZ
      [INFO]      The file was deleted!
F:\WINDOWS\system32\FECF1883.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.aoj.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\BDWin.exe
      [DETECTION] Is the Trojan horse TR/Agent.39
      [INFO]      The file was deleted!
F:\WINDOWS\system32\BDTWin.exe
      [DETECTION] Is the Trojan horse TR/Agent.39
      [INFO]      The file was deleted!
F:\WINDOWS\system32\LgSyl.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.OL.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\LgSym.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.OL.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\LgSyzr.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.OL.1
      [INFO]      The file was deleted!
F:\WINDOWS\system32\msccr.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '461f31b0.qua'!
F:\WINDOWS\system32\mscci.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '461f31b1.qua'!
F:\WINDOWS\Downloaded Program Files\cnsmin.dll
      [DETECTION] Is the Trojan horse TR/Drop.ZSKiller.1
      [INFO]      The file was deleted!
F:\WINDOWS\Downloaded Program Files\keepmainM.cab
  [0] Archive type: CAB (Microsoft)
  --> cnsminkp.vxd
      [DETECTION] Contains signature of the application APPL/Inst.Yok.6
  --> cns1.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
  --> cns1.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
      [INFO]      The file was deleted!
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDQF4HIV\k[1].exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.DP Backdoor server programs
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\banner.jpg
      [DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
      [INFO]      The file was moved to '462a324b.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\4698my.exe
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel39.tmp
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\ck3.exe.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\c8.exe.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\shua.exe.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\7870my.exe
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\xxx38.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSAnti.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel40.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel91.tmp
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel93.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\xxx89.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSAnti.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel90.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283253.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\kljsdown1984.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel3A.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283254.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel3B.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47baf801.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel3D.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283256.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel3E.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47baf803.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel3F.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283255.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\xxx19.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSAnti.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\7253my.exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '45f13222.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel8B.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283250.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel8C.tmp
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\xxx1A.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSAnti.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel8D.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283257.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel8F.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47baf80c.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\kljsdown07114.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\xxx1C3.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSAnti.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\rel1C4.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283258.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1C6.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47baf80d.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1C8.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '4628325a.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1CA.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46283259.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1CB.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47baf80e.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1CC.tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '4628325b.qua'!
F:\Documents and Settings\sf\Local Settings\Temp\rel1CF.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\upsy.dll
      [DETECTION] Is the Trojan horse TR/PSW.Legmir.BH.1
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\TIMPLATF0RM.exe
      [DETECTION] Is the Trojan horse TR/PSW.Legmir.BH
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\$$VONEW.tmp
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\YFENA5M7\IEXPL0RE[1].exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46143240.qua'!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\G5UV89YN\SVCH0ST[1].exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\G5UV89YN\007[1].exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\GXUZSPAN\TIMPLATF0RM[1].exe
      [DETECTION] Is the Trojan horse TR/PSW.Legmir.BH
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\GXUZSPAN\IECONFIG[1].exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '45ff3243.qua'!
F:\Program Files\Common Files\Update
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\Program Files\Internet Explorer\IEXPLORE.Sys
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46143267.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.jmp
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Program Files\Internet Explorer\IEXPLORE.Dat
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '478499ac.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.win
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46143269.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.Bak
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46143268.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.bbs
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '478499ad.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.Tmp
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '4614326a.qua'!
F:\Program Files\Internet Explorer\IEXPLORE.New
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Program Files\Internet Explorer\IEXPLORE.ime
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Program Files\Internet Explorer\Connection Wizard\isignup.sys
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '46253297.qua'!
F:\Program Files\Internet Explorer\Connection Wizard\isignup.bak
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47b48e7c.qua'!
F:\Program Files\Internet Explorer\PLUGINS\system.jmp
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!
F:\Program Files\Yahoo!\Assistant\yalliveex.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '462832d0.qua'!
F:\Program Files\Yahoo!\Assistant\ylive.exe
      [DETECTION] Is the Trojan horse TR/Drop.ZSKille.7.B
      [INFO]      The file was deleted!
F:\Program Files\Yahoo!\Assistant\Assist\ypatch.dll
      [DETECTION] Is the Trojan horse TR/Drop.ZSKille.7.B
      [INFO]      The file was deleted!


End of the scan: January 28, 2007  13:19
Used time: 10:40 min

The scan has been done completely
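The log above is long enough that reading it file by file hides the pattern. As an added example (not part of the original post), the Python script below parses the AntiVir log format shown, counts detection families and actions taken, and flags file names that imitate Windows system binaries by digit-for-letter substitution or a one-character change (iexpl0re.exe, rund1132.exe, svohost.exe, winlog0n.exe), which is what stands out in the F:\WINDOWS entries. The list of legitimate names and the short excerpt embedded as SAMPLE_LOG are the example's own constructions (the excerpt copies a few entries from the log above).

```python
"""Triage of an Avira AntiVir scan log (added example, not from the original post).
Parses path / [DETECTION] / [INFO] groups, counts families and actions, and flags
file names that imitate legitimate Windows binaries."""
import re
from collections import Counter

# Names a dropper commonly imitates; extend for your environment (assumption).
LEGIT_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe",
               "rundll32.exe", "lsass.exe", "csrss.exe", "services.exe"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})  # digit-for-letter swaps
PATH_RE = re.compile(r"^[A-Za-z]:\\")                # unindented 'F:\...' line
MEMBER_RE = re.compile(r"^\s*-->\s+(.*)$")            # member inside a CAB/ZIP
DETECTION_RE = re.compile(r"^\s*\[DETECTION\]\s+(.*)$")
INFO_RE = re.compile(r"^\s*\[INFO\]\s+(.*)$")


def family_of(detection):
    """'Is the Trojan horse TR/Crypt.NSPM.Gen' -> 'TR/Crypt.NSPM.Gen'."""
    m = re.search(r"\b([A-Z][A-Za-z-]*/[A-Za-z0-9._-]+)", detection)
    return m.group(1) if m else detection.strip()


def levenshtein(a, b):
    """Plain edit distance; used to catch one-character changes like svohost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the legitimate name this file name imitates, or None."""
    name = re.sub(r"\[\d+\]", "", filename.lower())  # IE cache suffix: SVCH0ST[1].exe
    if name in LEGIT_NAMES:
        return None                   # exact name in an odd place is a path check, not this one
    folded = name.translate(CONFUSABLES)
    if folded in LEGIT_NAMES:
        return folded                 # iexpl0re.exe -> iexplore.exe, rund1132 -> rundll32
    for legit in LEGIT_NAMES:
        if levenshtein(folded, legit) == 1:
            return legit              # svohost.exe -> svchost.exe
    return None


def parse_log(text):
    """Return one dict per detected object: path, family, action."""
    results, current, archive = [], None, None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = archive = line.strip()
        elif (m := MEMBER_RE.match(line)):
            current = f"{archive}::{m.group(1).strip()}"
        elif (m := DETECTION_RE.match(line)):
            results.append({"path": current, "family": family_of(m.group(1)), "action": None})
        elif (m := INFO_RE.match(line)):
            for r in results:         # one [INFO] covers every pending member of an archive
                if r["action"] is None:
                    r["action"] = m.group(1).strip()
    return results


def summarize(results):
    """Counters of families and actions, plus {path: imitated name} for lookalikes."""
    families = Counter(r["family"] for r in results)
    actions = Counter("quarantined" if "moved to" in (r["action"] or "")
                      else "deleted" if "deleted" in (r["action"] or "") else "other"
                      for r in results)
    lookalikes = {}
    for r in results:
        base = r["path"].rsplit("\\", 1)[-1].split("::")[-1]
        target = lookalike(base)
        if target:
            lookalikes[r["path"]] = target
    return families, actions, lookalikes


# Constructed excerpt: a handful of entries copied from the log in the post.
SAMPLE_LOG = r"""Begin scan in 'F:\'
F:\WINDOWS\iexpl0re.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\svohost.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
F:\WINDOWS\rund1132.exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
F:\WINDOWS\Downloaded Program Files\keepmainM.cab
  [0] Archive type: CAB (Microsoft)
  --> cnsminkp.vxd
      [DETECTION] Contains signature of the application APPL/Inst.Yok.6
  --> cns1.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
  --> cns1.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Baido
      [INFO]      The file was deleted!
F:\Documents and Settings\sf\Local Settings\Temp\banner.jpg
      [DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
      [INFO]      The file was moved to '462a324b.qua'!
F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\G5UV89YN\SVCH0ST[1].exe
      [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
      [INFO]      The file was deleted!
"""

if __name__ == "__main__":
    fam, act, look = summarize(parse_log(SAMPLE_LOG))
    print(fam.most_common(), dict(act), look, sep="\n")
```

Feed it the full log (`summarize(parse_log(open("avira.log").read()))`) and the lookalike map gives you the files to chase first: a name that imitates svchost.exe or winlogon.exe is not a stray temp file, it is something that wanted to survive a glance at Task Manager. The distance-1 rule is deliberately narrow to keep false positives down; it is applied only to objects the scanner already flagged.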
mofunzone
Posted on 2007-1-28 15:24:05
With all of that on it, the system could still boot and run...
I'm truly speechless...
As for which virus got through the Ghost image, I don't know either...
起点
Posted on 2007-1-28 15:28:04
Could it be that you got it backwards and cloned the customer's disk onto the tool disk?

As for a virus that infects .gho files under DOS, I personally haven't heard of one.

But when you go into DOS, do you reboot into the DOS toolbox that comes with the system,
or power off, power on again and boot from a CD?
I have always used the latter; the former is said to leave some viruses resident in memory.
I've never seen it myself, only heard of it.
fairypyr
Posted on 2007-1-29 09:05:19
One question: if Ghost.exe itself is infected and you restore a *.gho file under pure DOS, will the restored system carry the virus? Would one of the experts play around with it and tell us?

[ This post was last edited by fairypyr on 2007-1-29 09:07 ]
physir
Posted on 2007-1-29 11:42:24
Wow, that's brutal, a thousand-odd strains of malware.
I'd guess the first sentence of post #3 hit the mark.
liwenj14
(original poster) Posted on 2007-1-29 11:50:48
Got it backwards? You might as well just call me a computer idiot.
physir
Posted on 2007-1-29 12:44:07
Restart the computer and the memory loses power, so where would a resident virus come from? Boot from a CD, and how could a virus on the hard drive even move?

Whether a .gho file really got infected is easy to find out: just look at it with Ghostexp. Frankly, that scenario is harder than climbing to heaven: the file is that big, and something would have to insert itself into it. Ugh.

People are careless sometimes. Maybe after the restore you opened other partitions and got re-infected with the Panda, and as for the Pigeon (Hupigon), unless the Panda infected the Pigeon at that point.
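Ghostexp shows what is inside an image; for a tool disk the simpler question is whether any file on it changed at all between leaving the shop and coming back. The script below is an added example (not from the thread or from Symantec Ghost) of the check that follows from this post and from fairypyr's question about an infected Ghost.exe: hash every file on the tool disk once from a clean boot, keep the manifest off the disk, and re-verify after each customer job. A .gho that was cloned over in the wrong direction and a ghost.exe that got infected both show up as a changed hash; a dropper copied next to the tools shows up as an added file. The file names (ghost.exe, gho/winxp.gho, svohost.exe) and the manifest location are this example's own assumptions; `demo()` builds a throwaway tool disk in a temporary directory so the script runs offline.

```python
"""Integrity manifest for a technician's tool disk (added example, not from the thread).
Record SHA-256 hashes of ghost.exe and every *.gho once, from a clean boot; re-verify
after each job. Any changed, missing or added file means the disk is no longer trusted."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte .gho images don't get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root: relative POSIX-style path -> {sha256, size}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify(root, manifest):
    """Compare the disk against a manifest; returns sorted changed/missing/added lists."""
    now = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in now and now[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in now),
        "added": sorted(p for p in now if p not in manifest),
    }


def is_clean(report):
    return not (report["changed"] or report["missing"] or report["added"])


def demo():
    """Constructed scenario: baseline a fake tool disk, then tamper with it.

    Returns (report_before, report_after). File names and contents are stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "tooldisk")
        os.makedirs(os.path.join(disk, "gho"))
        files = {"ghost.exe": b"GHOST.EXE stand-in",
                 "gho/winxp.gho": b"\x00" * 4096,
                 "gho/win2k.gho": b"\x01" * 4096}
        for rel, data in files.items():
            with open(os.path.join(disk, rel), "wb") as f:
                f.write(data)
        # Manifest lives OUTSIDE the tool disk: a file that the customer's machine
        # can write to cannot be trusted to describe itself.
        manifest_path = os.path.join(tmp, "tooldisk.manifest.json")
        save_manifest(build_manifest(disk), manifest_path)
        before = verify(disk, load_manifest(manifest_path))
        # Tamper: one image overwritten (wrong-direction clone), one dropper added.
        with open(os.path.join(disk, "gho/winxp.gho"), "wb") as f:
            f.write(b"\xff" * 4096)
        with open(os.path.join(disk, "svohost.exe"), "wb") as f:
            f.write(b"MZ stand-in")
        after = verify(disk, load_manifest(manifest_path))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("baseline clean:", is_clean(before))
    print("after job:", after)
```

Run the verification from a CD or USB boot of a known-clean system, which is the same discipline 起点 describes for entering DOS; verifying from a possibly infected Windows gives an infected program the chance to lie about the hashes. Keep the manifest on a different medium than the tool disk, or at least record its own SHA-256 somewhere you trust.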
physir
Posted on 2007-1-29 13:05:02
As the saying goes: even the gods sometimes strike the drum wrong.