12   1  /  2  页   跳转

[求助] 中了MSDOS.EXE 新品种

中了MSDOS.EXE 新品种

大家好,我是新手,我现在用台式机上网求救

我的手提电脑估计中msdos.exe病毒,有以下情况,想不到办法解决
-------------------
1-查看不到隐藏或系统文件,所以那些msdos.exe文件都查看不到,因此散列软件策略都选不到文件
2-进不了注册表,自己编写一个reg文件运行跟运行杀毒主程序一样,也是提示有程序正调用此文件,运行不了
3-安全模式总蓝屏,进不去
4-命令行能查到,但删除不了,一运行cmd,就莫名多了很多1.pif,2.pif进程出来
5-上网浏览相关网页都回被强制关掉浏览器,firefox也关掉
6-系统日期修改年份2004年
----------------------

用U盘复制了日志过来,U盘都好像傻掉了,请看附件,谢谢!

用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NETSPX1)

附件附件:

文件名:SREngLOG.log
下载次数:166
文件类型:application/octet-stream
文件大小:
上传时间:2008-7-22 12:36:28
描述:log

最后编辑fatgee 最后编辑于 2008-07-22 12:36:28
分享到:
gototop
 

回复: 中了MSDOS.EXE 新品种

请上传病机的SRENG扫描日志附件
打酱油的……
gototop
 

回复: 中了MSDOS.EXE 新品种

运行SRENG扫描工具前先把系统日期(主要是年份)修改为正常
打酱油的……
gototop
 

回复:中了MSDOS.EXE 新品种

已经上传扫描日志报告,但忘了修改年份 ,谢谢!
gototop
 

回复:中了MSDOS.EXE 新品种

nnd,我也中了
gototop
 

回复:中了MSDOS.EXE 新品种

是不是wuauclt1.exe也被替换了?
gototop
 

回复:中了MSDOS.EXE 新品种

安全软件被劫持到:C:\WINDOWS\system32\dllcache\wuauclt.exe
gototop
 

回复: 中了MSDOS.EXE 新品种

问题项目如下:

注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <test><C:\WINDOWS\system32\wuauclt1.exe>  [(Verified)]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><SysWoWCvC.dll kaotxb.dll longasus.dll myusemt.dll msspcyn.dll jsnoer.dll woswelc.dll jolin0.dll googlons.dll welyri.dll zipyqld.dll theralte.dll cmopes.dll thcron.dll rnesony.dll comrsdo.dll soeehy.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
    <IFEO[360rpt.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SAFE.exe]
    <IFEO[360SAFE.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
    <IFEO[360safebox.exe]><ntsd -D>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]
    <IFEO[ANTIARP.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE]
    <IFEO[Ast.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE]
    <IFEO[AutoRunKiller.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE]
    <IFEO[AvMonitor.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
    <IFEO[AVP.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE]
    <IFEO[CCenter.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE]
    <IFEO[Frameworkservice.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE]
    <IFEO[GFUpd.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE]
    <IFEO[GuardField.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE]
    <IFEO[IceSword.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE]
    <IFEO[Iparmor.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE]
    <IFEO[KASARP.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE]
    <IFEO[kavstart.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.EXE]
    <IFEO[kmailmon.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe]
    <IFEO[KPPMain.exe]><ntsd -D>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE]
    <IFEO[KRegEx.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP]
    <IFEO[KVMonxp.KXP]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE]
    <IFEO[KVSrvXP.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE]
    <IFEO[KVWSC.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE]
    <IFEO[Mmsk.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE]
    <IFEO[Navapsvc.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE]
    <IFEO[nod32krn.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE]
    <IFEO[Nod32kui.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
    <IFEO[QQKav.exe]><ntsd -D>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE]
    <IFEO[RAV.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE]
    <IFEO[RavStub.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
    <IFEO[Regedit.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE]
    <IFEO[rfwmain.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
    <IFEO[rfwProxy.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE]
    <IFEO[rfwsrv.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]
    <IFEO[rfwstub.exe]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE]
    <IFEO[Runiep.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
    <IFEO[safeboxTray.exe]><ntsd -D>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe]
    <IFEO[tqat.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE]
    <IFEO[VPC32.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
    <IFEO[VPTRAY.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE]
    <IFEO[WOPTILITIES.EXE]><C:\WINDOWS\system32\dllcache\wuauclt.exe>  []

服务
[CBAF7040 / CBAF7040][Stopped/Auto Start]
  <C:\WINDOWS\system32\ABAE0600.EXE -d><(File is missing)>

驱动程序
[cqit / cqit][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp54.tmp><N/A>
[dohs / dohs][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp58.tmp><N/A>>
[fmsq / fmsq][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp56.tmp><N/A>
[IIS Manager  / IIS Manager ][Stopped/Manual Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\1.tmp><N/A>
[jtio / jtio][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp5C.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp5A.tmp><N/A>
[ping / ping][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp60.tmp><N/A>
[ptfs / ptfs][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp5E.tmp><N/A>
[umpusbxp / umpusbxp][Stopped/Manual Start]
  <system32\DRIVERS\umpusbxp.sys><N/A>
[xmasbus / xmasbus][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\xmasbus.sys><>
[xmasscsi / xmasscsi][Running/Boot Start]
  <\SystemRoot\System32\Drivers\xmasscsi.sys><>

[zftp / zftp][Stopped/Auto Start]
  <\??\C:\DOCUME~1\CHENZH~1\LOCALS~1\Temp\tmp50.tmp><N/A>

正在运行的进程
C:\WINDOWS\system32\wuauclt1.exe
C:\WINDOWS\system32\dllcache\wuauclt.exe
C:\WINDOWS\system32\kaotxbk.exe
c:\windows\system32\SysWoWCvC.dll
c:\windows\system32\kaotxb.dll
C:\Autorun.inf
C:\MSDOS.EXE
D:\Autorun.inf
D:\MSDOS.EXE
E:\MSDOS.EXE
E:\MSDOS.EXE
H:\Autorun.inf
H:\MSDOS.EXE
以及服务\驱动\注册表对应的映像文件

请先不要做任何操作(兰色为未知文件,不一定是病毒)
最后编辑超级游戏迷 最后编辑于 2008-07-22 13:19:10
打酱油的……
gototop
 

回复: 中了MSDOS.EXE 新品种

可以参考这个帖子先了解一下,没有发现beep.sys被改写的情形……
打酱油的……
gototop
 

回复:中了MSDOS.EXE 新品种

<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)]
也有问题吧
gototop
 
12   1  /  2  页   跳转
页面顶部
Powered by Discuz!NT