Originally posted by 多问题 on 2009-6-8 19:33:00
This is a suspicious file. Rising says it is clean, but Kingsoft says it is infected, calling it Win32.HackTool.Jakuz.li.114688 (hacker tool).
Please take a look at it for me.

Attachment: this is the picture......
After it runs, it drops a .bat into the current user's temp folder; the contents of that .bat are as follows:
@rem ----- ExeScript Options Begin -----
@rem ScriptType: console
@rem DestDirectory: temp
@rem Icon: none
@rem OutputFile: C:\冲突检测工具.exe
@rem Comments: 冲突检测工具
@rem CompanyName: 冲突检测工具
@rem FileDescription: 1.0.
@rem LegalCopyright: 冲突检测工具
@rem ProductName: 1.0
@rem ----- ExeScript Options End -----
@echo off
::-----------------------------------------------
:: Conflict Detection Tool
::-----------------------------------------------
Title [Conflict Detection Tool]
:start
echo ===============================================================
echo .
echo 软件冲突检测工具
echo .
echo ===============================================================
pause
::Commands begin-----------------------------------
@echo off
cls
:cfdt
if exist %SYSTEMROOT%\system32\drivers\BaseTdi.sys goto :BaseTdi
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Shield)
:cfdtnod32
REG QUERY HKLM\SOFTWARE\ESET /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\easdrv /v Description >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\epfw /v Description >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Epfwndis /v Description >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\epfwtdi /v Description >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\ekrn /v Description >nul 2>nul
if %errorlevel%==0 (goto :Nod32)
:cfdtfengyun
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\FYTdifltDrv /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :FengYun)
:cfdtnorton
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\Norton AntiVirus" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SYMDNS" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SYMFW" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SYMTDI" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\Norton Internet Security" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SymEFA" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto :Norton)
:cfdtmcafee
if exist %SYSTEMROOT%\system32\drivers\mfesmfk.sys goto :McAfee
if exist %SYSTEMROOT%\system32\drivers\mfehidk.sys goto :McAfee
if exist %SYSTEMROOT%\system32\drivers\mfebopk.sys goto :McAfee
if exist %SYSTEMROOT%\system32\drivers\mfesmfk.sys goto :McAfee
REG QUERY "HKLM\SYSTEM\SOFTWARE\McAfee HackerWatch Service" /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto ::McAfee)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\mfesmfk /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto ::McAfee)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\mferkdk /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto ::McAfee)
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\mfehidk /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto ::McAfee)
REG QUERY HECR\MPF7.McPersonalFirewall /v ImagePath >nul 2>nul
if %errorlevel%==0 (goto ::McAfee)
:cfdtavast
if exist %SYSTEMROOT%\system32\drivers\aswMon2.SYS goto :Avast
if exist %SYSTEMROOT%\system32\Drivers\Aavmker4.SYS goto :Avast
if exist %SYSTEMROOT%\system32\Drivers\aswRdr.SYS goto :Avast
:cfdtkaspersky
if exist %SYSTEMROOT%\system32\drivers\kl1.sys goto :Kaspersky
if exist %SYSTEMROOT%\system32\drivers\klif.sys goto :Kaspersky
if exist %SYSTEMROOT%\system32\drivers\klim5.sys goto :Kaspersky
if exist %SYSTEMROOT%\system32\drivers\klbg.sys goto :Kaspersky
goto :end
:BaseTdi
msg %username% /time:2 系统中存在旧版本瑞星驱动程序,正在清理中请稍等……
reg save HKLM\SYSTEM\CurrentControlSet\Services\BaseTdi %HOMEDRIVE%\backdump\BaseTdi.hiv >nul 2>nul
reg delete HKLM\SYSTEM\CurrentControlSet\Services\BaseTdi /f >nul 2>nul
MOVE /Y %SYSTEMROOT%\system32\drivers\BaseTdi.sys %HOMEDRIVE%\backdump >nul 2>nul
MOVE /Y %SYSTEMROOT%\MEMORY.DMP %SYSTEMROOT%\temp >nul 2>nul
MOVE /Y %SYSTEMROOT%\Minidump\*.dmp %SYSTEMROOT%\temp >nul 2>nul
if not exist %SYSTEMROOT%\system32\drivers\BaseTdi.sys goto :start
:Shield
echo ==================================================================
echo ."您的计算机中存在<360安全浏览器或沙盘>程序,请卸载或更新其程序。"
echo ==================================================================
goto :cfdtnod32
:Avast
echo ==================================================================
echo . "您的计算机中存在<avast! antivirus>软件请手动进行卸载。"
echo ==================================================================
goto :cfdtkaspersky
:Kaspersky
echo ==================================================================
echo . "您的计算机中存在<Kaspersky (卡巴斯基) >软件请手动进行卸载。"
echo ==================================================================
goto :end
:McAfee
echo ==================================================================
echo . "您的计算机中存在<McAfee(麦咖啡)>软件请手动进行卸载。"
echo ==================================================================
goto :cfdtavast
:Nod32
echo ==================================================================
echo . "您的计算机中存在<NOD32>软件请手动进行卸载。"
echo ==================================================================
goto :cfdtfengyun
:FengYun
echo ==================================================================
echo . "您的计算机中存在<风云防火墙>软件请手动进行卸载。"
echo ==================================================================
goto :cfdtnorton
:Norton
echo ==================================================================
echo . "您的计算机中存在<诺顿软件>软件请手动进行卸载。"
echo ==================================================================
goto :cfdtmcafee
:end
echo ==================================================================
echo .
echo . "检测完毕,按任意键退出"
echo .
echo ==================================================================
pause
exit
::Commands end-----------------------------------
When the program finishes running, this .bat deletes itself. No other files are dropped. No registry changes. No network activity.
Personally I think this ctjcgj.exe is not a virus.
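As an added triage helper (not from this thread, not part of the sample), the Python below reads the ExeScript `@rem` option header of a dropped batch like the one above and statically flags the lines that delete service keys or move kernel drivers, so that a branch such as the `:BaseTdi` clean-up is visible even when the sandbox machine does not have the file that triggers it. The embedded batch text is a constructed excerpt in the shape of the quoted script.

```python
import re

# Constructed sample: a short excerpt shaped like the dropped .bat quoted in the thread.
SAMPLE_BAT = r"""@rem ----- ExeScript Options Begin -----
@rem ScriptType: console
@rem DestDirectory: temp
@rem OutputFile: C:\tool.exe
@rem ----- ExeScript Options End -----
@echo off
if exist %SYSTEMROOT%\system32\drivers\BaseTdi.sys goto :BaseTdi
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv /v ImagePath >nul 2>nul
:BaseTdi
reg save HKLM\SYSTEM\CurrentControlSet\Services\BaseTdi %HOMEDRIVE%\backdump\BaseTdi.hiv >nul 2>nul
reg delete HKLM\SYSTEM\CurrentControlSet\Services\BaseTdi /f >nul 2>nul
MOVE /Y %SYSTEMROOT%\system32\drivers\BaseTdi.sys %HOMEDRIVE%\backdump >nul 2>nul
"""

# One "@rem Key: value" line of the ExeScript header.
HEADER_RE = re.compile(r"^@rem\s+(\w+):\s*(.*)$", re.IGNORECASE)


def parse_exescript_header(text):
    """Return the Key -> value pairs found between the ExeScript Begin/End marker lines."""
    opts, inside = {}, False
    for line in text.splitlines():
        if "ExeScript Options Begin" in line:
            inside = True
            continue
        if "ExeScript Options End" in line:
            break
        m = HEADER_RE.match(line.strip()) if inside else None
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def flag_tampering(text):
    """Return (line_no, reason, target) for lines that delete a Services key or move a .sys
    driver. Read-only REG QUERY probes and reg save backups are deliberately not flagged."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        low = line.strip().lower()
        if low.startswith("reg delete") and "\\services\\" in low:
            findings.append((n, "service key deleted", line.split()[2]))
        elif low.startswith("move") and "\\drivers\\" in low and ".sys" in low:
            findings.append((n, "driver moved", line.split()[2]))
    return findings
```

Run against the full dropped script rather than the excerpt, the same two checks surface the `reg delete` and `MOVE` lines of the `:BaseTdi` branch regardless of whether the driver exists on the analysis machine.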