我崩溃，有这么牛B的木马.病毒啊

显示全部楼层 · 发表于 2007-6-7 19:50:26

估计所有关于杀毒方面的。exe文件都打不开

显示全部楼层 · 发表于 2007-6-7 20:02:03

我中的是木马啊
因为发现插上U盘以后
换另一台电脑显示AUTO

显示全部楼层 · 发表于 2007-6-7 20:04:07

先一键恢复，然后下载冰刃放到桌面上，用冰刃查看各盘的文件，如果发现AUTORUN和可疑的文件，就删除。删除后再用杀软杀毒

记住操作过程中不要打开非系统盘

显示全部楼层 · 发表于 2007-6-7 20:19:15

楼上的我就是这么弄的
这是扫描后的内容

2007-06-07,20:15:35
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Home Edition Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<IgfxTray><C:\WINDOWS\system32\igfxtray.exe> [(Verified)Microsoft Windows Publisher]
<HotKeysCmds><C:\WINDOWS\system32\hkcmd.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Publisher]
<AGRSMMSG><AGRSMMSG.exe> [(Verified)Microsoft Windows Publisher]
<NovoKey><C:\Program Files\NovoKey\NovoKey.exe> []
<Apoint><C:\Program Files\Apoint2K\Apoint.exe> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<ZCfgSvc.exe><C:\WINDOWS\system32\ZCfgSvc.exe> [Intel Corporation]
<PRONoMgr.exe><C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe> [Intel(R) Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
<WinlogonNotify: Sebring><C:\WINDOWS\system32\LgNotify.dll> [Intel Corporation]
==================================
启动文件夹
N/A
==================================
服务
[Application Management / AppMgmt][Stopped/Manual Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[RegSrvc / RegSrvc][Running/Auto Start]
<C:\WINDOWS\system32\RegSrvc.exe><Intel Corporation>
[Spectrum24 Event Monitor / S24EventMonitor][Running/Auto Start]
<C:\WINDOWS\system32\S24EvMon.exe><Intel Corporation>
==================================
驱动程序
[AEGIS Protocol (IEEE 802.1x) v3.0.0.5 / AegisP][Running/Auto Start]
<system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[Agere Systems Soft Modem / AgereSoftModem][Running/Manual Start]
<system32\DRIVERS\AGRSM.sys><Agere Systems>
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
<system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[Alps Pointing-device Filter Driver / ApfiltrService][Running/Manual Start]
<system32\DRIVERS\Apfiltr.sys><Alps Electric Co., Ltd.>
[Atheros Wireless Network Adapter Service / AR5211][Stopped/Manual Start]
<system32\DRIVERS\ar5211.sys><Atheros Communications, Inc.>
[ialm / ialm][Running/Manual Start]
<system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
<system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[WLAN Transport / s24trans][Running/Auto Start]
<system32\DRIVERS\s24trans.sys><Intel Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[适用于 Windows XP 的英特尔(R) PRO/无线 2200 适配器驱动程序 / w22n51][Stopped/Manual Start]
<system32\DRIVERS\w22n51.sys><Intel? Corporation>
[Intel(R) PRO/Wireless 7100 Adapter 驱动程序 / w70n51][Stopped/Manual Start]
<system32\DRIVERS\w70n51.sys><Intel? Corporation>
==================================
浏览器加载项
[联想]
{6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.lenovo.com, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
==================================
正在运行的进程
[PID: 356][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 428][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 452][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\LgNotify.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 496][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1724][C:\WINDOWS\system32\ZCfgSvc.exe] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\PfMgrApi.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\PsRegApi.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\WConfig.DLL] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\WiFiAdap.DLL] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\PsGuiMgr.dll] [Intel Corporation., 8, 1, 0, 44]
[C:\WINDOWS\system32\ShellNav.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\system32\C1XStngs.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\LSAWRAPI.dll] [N/A, ]
[C:\Program Files\Intel\PROSetWireless\PROSet\CHS\ZcSvcCHS.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\S24MUDLL.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\D8021Xps.dll] [N/A, ]
[C:\Program Files\Intel\PROSetWireless\PROSet\CHS\C1XStCHS.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\Program Files\Intel\PROSetWireless\PROSet\CHS\PmApiCHS.dll] [Intel Corporation, 8, 1, 0, 44]
[PID: 628][C:\WINDOWS\system32\1XConfig.exe] [Intel, 8, 1, 0, 44]
[C:\WINDOWS\system32\IntelAE5.dll] [Meetinghouse Data Communications, 5, 0, 3, 1]
[C:\WINDOWS\system32\PsRegApi.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\D8021Xps.dll] [N/A, ]
[PID: 1720][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1172][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1472][C:\WINDOWS\system32\igfxtray.exe] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxres.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxress.dll] [Intel Corporation, 3.0.0.3792]
[PID: 1476][C:\WINDOWS\system32\hkcmd.exe] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\hccutils.DLL] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxdev.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxsrvc.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxres.dll] [Intel Corporation, 3.0.0.3792]
[C:\WINDOWS\system32\igfxhk.dll] [Intel Corporation, 3.0.0.3792]
[PID: 1460][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.0.24]
[PID: 1468][C:\WINDOWS\AGRSMMSG.exe] [Agere Systems, 2.1.23 2.1.23 01/22/2003 17:47:39]
[PID: 1688][C:\Program Files\NovoKey\NovoKey.exe] [, 1, 0, 0, 0]
[PID: 1760][C:\Program Files\Apoint2K\Apoint.exe] [Alps Electric Co., Ltd., 5.5.1.185]
[C:\WINDOWS\system32\VXDIF.DLL] [Alps Electric Co., Ltd., 6.0.2.69]
[C:\Program Files\Apoint2K\Apoint.DLL] [Alps Electric Co., Ltd., 5.5.1.257]
[C:\Program Files\Apoint2K\EzAuto.dll] [Alps Electric Co., Ltd., 5.5.1.85]
[C:\Program Files\Apoint2K\EzLaunch.DLL] [Alps Electric Co., Ltd., 5.5.1.61]
[PID: 1904][C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe] [Intel(R) Corporation, 6.1.304.0]
[C:\Program Files\Intel\PROSetWireless\NCS\PROSet\CHSPGUIR.dll] [Intel(R) Corporation, 6.1.304.0]
[C:\WINDOWS\system32\Pn802_11.dll] [Intel Corporation., 1, 0, 0, 0]
[C:\WINDOWS\system32\PfMgrApi.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\PsRegApi.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\WConfig.DLL] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\WiFiAdap.DLL] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\C1XStngs.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\ShellNav.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\system32\LSAWRAPI.dll] [N/A, ]
[C:\Program Files\Intel\PROSetWireless\PROSet\CHS\PNC11CHS.dll] [Intel Corporation., 1, 0, 0, 0]
[C:\WINDOWS\system32\S24MUDLL.dll] [Intel Corporation, 8, 1, 0, 44]
[C:\WINDOWS\system32\D8021Xps.dll] [N/A, ]
[C:\Program Files\Intel\PROSetWireless\PROSet\CHS\PmApiCHS.dll] [Intel Corporation, 8, 1, 0, 44]
[PID: 2052][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2096][C:\Program Files\Apoint2K\Apntex.exe] [Alps Electric Co., Ltd., 5.5.1.16]
[C:\WINDOWS\system32\VXDIF.DLL] [Alps Electric Co., Ltd., 6.0.2.69]
[PID: 2120][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2488][F:\sreng\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
[D:\]
[AutoRun]
open=8EC94FF6.exe
shell\open=打开(&O)
shell\open\Command=8EC94FF6.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=8EC94FF6.exe
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================

复制代码

显示全部楼层 · 发表于 2007-6-7 20:21:20

先看看这个http://bbs.kafan.cn/viewthread.php?tid=79940&extra=page%3D2
   如嫌麻烦就简化些,使用狙剑在启动项中找到病毒相关内容(通过所属公司,文件创建时间,文件属性等甄别)，然后锁定系统，删除启动项，重启计算机，再删除文件.
   如不能启动.可将扩展名改为.com后执行即可.病毒程序利用Debuger关联，使得当前大多数的杀毒软件与安全软件在启动时都会调用木马程序以调试状态启动。而狙剑的自启动项检查，在此之前是不检查此项的，当然了，新版已经加入了。
   嫌不直观就到http://free.ys168.com/?wangsea下载wsyscheck(0602)中文版,利用安全检查下-常规检查中禁用程序管理中,用右键单击选中文件-允许这个文件运行,即可解除映像劫持,执行工具软件.
   还可以用汉化版autoruns,钩选选项中校验数字签名＆隐藏有微软签名的项目后,删除映像劫持下内容.

显示全部楼层 · 发表于 2007-6-7 20:27:41

冰刃不知道那个是要删除的啊

显示全部楼层 · 发表于 2007-6-7 20:31:46

15楼的看不懂啊

显示全部楼层 · 发表于 2007-6-7 20:34:31

用冰刃没有看到红色标识的

显示全部楼层 · 发表于 2007-6-7 20:47:28

我只有2个盘

显示全部楼层 · 发表于 2007-6-7 20:49:02

用冰刃查D盘
删除这个Autorun.inf
[D:\]
[AutoRun]
open=8EC94FF6.exe
shell\open=打开(&O)
shell\open\Command=8EC94FF6.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=8EC94FF6.exe

[已解决] 我崩溃，有这么牛B的木马.病毒啊