Super moderator
Posts: 72578
Registered: 2003-04-10
Posted: 2007-01-06 23:31
[Reply to the post by "比目鱼的跑"]
The problems in the log, sorted by category, are listed below:

1、Problematic registry startup entries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svcshare><C:\WINDOWS\system32\drivers\spoclsv.exe> [N/A]——Panda Burning Incense (熊猫烧香) variant
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<wdfmgr32><C:\WINDOWS\system32\wdfmgr32.exe> [N/A]——trojan
<cmdbcs><C:\WINDOWS\3.exe> [N/A]——trojan
<mhs2><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.exe> [N/A]——trojan
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\twunk32.exe> [N/A]——trojan
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{08315C1A-9BA9-4B7C-A432-26885F78DF28}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp> [N/A]——trojan
<{DD7D4640-4464-48C0-82FD-21338366D2D2}><C:\Program Files\Internet Explorer\InfoMs.tdm> [N/A]——trojan
<{7071D47D-A6FF-11E0-9A84-00C04FD8DBD8}><C:\WINDOWS\system32\h071D47D.log> [N/A]——trojan
<{37212F86-A6FF-11E0-9A84-00C04FD8DBD8}><C:\WINDOWS\system32\h7212F86.log> [N/A]——trojan
<{140AA3CE-A6FF-11E0-9A84-00C04FD8DBD8}><C:\WINDOWS\system32\h40AA3CE.log> [N/A]——trojan
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Corporation]——trojan

2、Problematic service entries:
[HTTP SSserver / HTTPServer][Stopped/Auto Start] <C:\WINDOWS\system32\NeroCheck.exe><Microsoft Corporation>——trojan
[Server Advance / ServerAC][Stopped/Auto Start] <C:\WINDOWS\system32\Security.exe><N/A>——trojan
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start] <C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start><Microsoft Corporation>——trojan
[WinXP DHCP Service / WinXPDHCPsvc][Stopped/Auto Start] <C:\WINDOWS\system32\rundll32.exe xpdhcp.dll,start><Microsoft Corporation>——trojan

3、System processes injected by the virus, and the virus modules inside them:
[PID: 680][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A]
[PID: 212][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\Common Files\System\MS37212F.DLL] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]

4、Application processes injected by the virus, and the virus modules inside them:
[PID: 1472][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\WINDOWS\system32\h071D47D.log] [N/A, N/A] [C:\WINDOWS\system32\h7212F86.log] [N/A, N/A] [C:\WINDOWS\system32\cmdbcs.dll] [N/A, N/A] [C:\WINDOWS\system32\userspi.dll] [N/A, N/A] [C:\WINDOWS\system32\tssoft32.acm] [DSP GROUP, INC., 1.01] [C:\WINDOWS\system32\tsd32.dll] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A]
[PID: 272][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A]
[PID: 2168][C:\WINDOWS\system32\suchost.exe] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[PID: 2432][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[PID: 3740][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\WINDOWS\system32\h40AA3CE.log] [N/A, N/A]
[PID: 672][C:\Documents and Settings\Administrator\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]

5、Virus processes:
[PID: 3376][C:\WINDOWS\system32\suchost.exe] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[PID: 3848][C:\WINDOWS\1.exe] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[PID: 3876][C:\WINDOWS\1.exe] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
[PID: 4008][C:\WINDOWS\1.exe] [N/A, N/A] [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp] [N/A, N/A] [C:\Program Files\37212F86\8CE6B8F1.DLL] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\WINDOWS\system32\h071D47D.log] [N/A, N/A] [C:\WINDOWS\system32\h7212F86.log] [N/A, N/A] [C:\WINDOWS\system32\h40AA3CE.log] [N/A, N/A]
[PID: 3336][C:\WINDOWS\5.exe] [N/A, N/A] [C:\WINDOWS\5.dat] [N/A, N/A]
[PID: 2348][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.exe] [N/A, N/A] [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.dll] [N/A, N/A]
[PID: 344][C:\WINDOWS\7.exe] [N/A, N/A] [C:\WINDOWS\7.dat] [N/A, N/A]

Handling Panda Burning Incense (熊猫烧香): see http://forum.ikaka.com/topic.asp?board=28&artid=8244813
Handle the rest with IceSword:
1、In IceSword, turn on "Forbid process creation" and "Forbid thread creation".
2、Use IceSword to forcibly unload the virus modules injected into the [PID: 680][C:\WINDOWS\system32\svchost.exe] and [PID: 212][C:\WINDOWS\system32\svchost.exe] processes.
3、Use IceSword to terminate the application processes injected by the virus and the virus processes.
4、Use IceSword to delete the virus files.
5、Use IceSword to delete the virus startup entries and service entries.
6、Turn "Forbid process creation / Forbid thread creation" back off.
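The moderator's triage above rests on two cues in SREng's process list: a process image with no publisher/version ([N/A, N/A]) and modules without publisher info (often with non-DLL extensions such as .tdm, .wmp or .log) loaded into a process that does have one. The following is an added example, not code from the post or from SREng, that applies those two cues to constructed sample lines in the same layout; the sample log, the extension allow-list and the function names are assumptions of this example.

```python
import re
import ntpath
from collections import namedtuple

# Constructed sample in SREng's "[PID: n][image] [vendor, version] [module] [vendor, version]..." layout
SAMPLE_LOG = r"""
[PID: 680][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A] [C:\WINDOWS\system32\ntdll.dll] [Microsoft Corporation, 5.1.2600.2180]
[PID: 1472][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] [C:\WINDOWS\system32\tssoft32.acm] [DSP GROUP, INC., 1.01] [C:\WINDOWS\system32\h071D47D.log] [N/A, N/A]
[PID: 3376][C:\WINDOWS\system32\suchost.exe] [N/A, N/A] [C:\Program Files\Internet Explorer\InfoMs.tdm] [N/A, N/A]
"""

# Extensions a legitimately loaded module normally carries (assumed allow-list, extend as needed)
NORMAL_MODULE_EXT = {".dll", ".exe", ".ocx", ".drv", ".acm", ".ax", ".cpl"}
Finding = namedtuple("Finding", "pid image module reason")

def split_vendor(field):
    """'Vendor, version' -> (vendor, version). Split on the LAST ', ' because a vendor
    string itself may contain commas (e.g. 'DSP GROUP, INC., 1.01')."""
    vendor, sep, version = field.rpartition(", ")
    return (vendor, version) if sep else (field, "")

def parse_line(line):
    """Return (pid, image, image_vendor, [(module, vendor), ...]) or None for non-process lines."""
    tokens = re.findall(r"\[([^\]]*)\]", line)
    if len(tokens) < 3 or not tokens[0].startswith("PID: "):
        return None
    pid, image = int(tokens[0][5:]), tokens[1]
    vendor = split_vendor(tokens[2])[0]
    # After the header, tokens come in (module path, "vendor, version") pairs
    modules = [(tokens[i], split_vendor(tokens[i + 1])[0]) for i in range(3, len(tokens) - 1, 2)]
    return pid, image, vendor, modules

def triage(log_text):
    """Flag unknown process images, and unpublished modules inside published processes."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        pid, image, vendor, modules = parsed
        if vendor == "N/A":
            findings.append(Finding(pid, image, None, "process image has no publisher/version info"))
            continue  # the whole process is already flagged; its modules need no separate entries
        for path, mod_vendor in modules:
            if mod_vendor != "N/A":
                continue
            ext = ntpath.splitext(path)[1].lower()
            why = "module without publisher info loaded into a published process"
            if ext not in NORMAL_MODULE_EXT:
                why += f" (unusual module extension {ext!r})"
            findings.append(Finding(pid, image, path, why))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"PID {f.pid} {f.image}: {f.module or '-'} -> {f.reason}")
```

A real log has many more legitimate [N/A, N/A] modules than this sample, so the output is a worklist for manual checking (as the moderator did), not a verdict.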