k85097ok, 2007-03-31 20:08 (original post)
Half of the dozen-odd computer labs at my school are already infected. Why do the school computers still get infected when they have System Restore?! And it is the kind of virus that hides on USB drives, so my home computer got infected too... Kaspersky did detect it:
Deleted: Trojan Trojan-PSW.Win32.QQPass.jh File: L:\藝躓蚔牁.pif
Deleted: Trojan Trojan-PSW.Win32.QQPass.jh File: L:\笭猁訧蹋.exe
Deleted: Trojan Trojan-PSW.Win32.QQPass.jh File: L:\OSO.exe
But every time I plug the drive into another computer, those files come back. I also used the "[Other] Trojan-psw.win32 family Trojan generic batch scan-and-remove tool", but I don't know whether the virus was actually deleted. SREng log attached.
彗星風采, 2007-04-01 00:45 (#1)
What you have is a USB-drive virus. As soon as you plug a USB drive into an infected computer, the drive gets infected; if you then plug the infected drive into another computer, that one gets infected as well. It also creates an autorun.inf in the root directory of the drive.

1. If you suspect the virus has not been cleaned out completely, please look at the pinned online-scan threads.
2. The SREng report you posted is too messy; please read the pinned tutorial and post it again. There is a newer version of SREng: please download the new SREng first, run the report again, and post that new report. When you click Smart Scan, the Verify checkbox in the lower-left corner must be ticked. ......Remember.... to close any unnecessary programs before generating the report; that makes the report much easier to read.
SREng download: http://www.kztechs.com/sreng/download.html
One more suggestion: in my personal experience XP's System Restore only ends up restoring the virus, so I always keep it turned off. Just for your reference.
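The autorun.inf mechanism described in the reply above, as an added example that is not part of the original thread and is not code from SREng, USBCleaner or Kaspersky: a Python script that treats a directory as the root of a removable drive (L:\ in the original post), parses a worm-style autorun.inf to find what Explorer would launch, hashes those files so they can be looked up in a scanner service, and moves them together with the autorun.inf into a quarantine folder under a neutral extension instead of deleting them. The sample drive it builds is constructed for the demonstration; OSO.exe is a file name from the original post but holds placeholder bytes, and game.pif is a hypothetical name.

```python
"""Triage the root of a removable drive for autorun.inf worms.

Added example for this thread; not code from the forum or from SREng,
USBCleaner or Kaspersky. A plain directory stands in for the drive root
(L:\\ in the original post); the sample files are constructed placeholders.
"""
import hashlib
import os
import re
import shutil
import tempfile

# [autorun] keys whose value names something the shell launches.
_LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... entries (e.g. shell\open\Command) launch too.
_SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
_RISKY_EXT = (".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs")


def _first_token(value):
    """Return the executable part of a command value, honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text):
    """List the file names an autorun.inf would launch, in file order.

    Lenient on purpose: section and key matching is case-insensitive,
    duplicate keys are kept, a BOM and junk lines are skipped, because
    worm-written autorun.inf files are rarely well-formed INI.
    """
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.lower() in _LAUNCH_KEYS or _SHELL_CMD_RE.match(key):
            exe = _first_token(value)
            if exe:
                targets.append(exe)
    return targets


def _find(root, name):
    """Case-insensitive lookup directly under root (FAT names are not case-sensitive)."""
    for entry in os.listdir(root):
        if entry.lower() == name.lower():
            return os.path.join(root, entry)
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_drive_root(root):
    """Report what autorun.inf points at and which executables sit in the root.

    Nothing is deleted here; hashes are returned so the files can be looked
    up in a scanner service before deciding what to do with them.
    """
    report = {"autorun": False, "targets": {}, "suspect_files": []}
    inf = _find(root, "autorun.inf")
    if inf:
        report["autorun"] = True
        with open(inf, "r", encoding="latin-1") as f:  # byte-transparent decode
            names = parse_autorun(f.read())
        for name in names:
            path = _find(root, name.lstrip("\\/"))
            report["targets"][name] = sha256_of(path) if path else None
    # Executables in the root of a data stick are unusual; list them all.
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        if os.path.isfile(full) and entry.lower().endswith(_RISKY_EXT):
            report["suspect_files"].append(entry)
    return report


def quarantine(root, names, qdir):
    """Move files out of the root into qdir under a neutral extension so a
    double-click cannot run them. Returns the new paths."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for name in names:
        src = _find(root, name)
        if src and os.path.isfile(src):
            dst = os.path.join(qdir, os.path.basename(src) + ".quarantined")
            shutil.move(src, dst)
            moved.append(dst)
    return moved


def build_sample_drive(root):
    """Constructed sample of an infected drive root. OSO.exe is a name from the
    original post; its contents here are placeholder bytes, not malware."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\r\nOpen=OSO.exe\r\nshellexecute=OSO.exe -open\r\n"
                "shell\\open\\Command=OSO.exe\r\n"
                "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
    with open(os.path.join(root, "OSO.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real executable\n")
    with open(os.path.join(root, "game.pif"), "wb") as f:  # hypothetical dropper name
        f.write(b"placeholder\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:  # benign file, must be left alone
        f.write("legitimate data file\n")


def run_demo():
    """Build the sample in a temp dir, triage, quarantine, triage again.
    Returns (report_before, moved_paths, report_after)."""
    root = tempfile.mkdtemp(prefix="fake_usb_")
    build_sample_drive(root)
    before = triage_drive_root(root)
    to_move = sorted(set(before["targets"]) | set(before["suspect_files"]) | {"autorun.inf"})
    moved = quarantine(root, to_move, os.path.join(root, "_quarantine"))
    after = triage_drive_root(root)
    return before, moved, after


if __name__ == "__main__":
    b, m, a = run_demo()
    print("autorun.inf present:", b["autorun"])
    for name, digest in b["targets"].items():
        print("launch target:", name, "sha256:", digest)
    print("executables in root:", b["suspect_files"])
    print("quarantined:", [os.path.basename(p) for p in m])
    print("after cleanup:", a)
```

Point the functions at a real drive root (for example `triage_drive_root("L:\\")`) and review the report before calling `quarantine`; the hashes are what you would submit to a scanner service. The quarantine step renames rather than deletes so a mis-identified capture-card or driver file can be put back, which is the same caution the later replies in this thread apply to unfamiliar startup items.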
k85097ok, 2007-04-01 10:29 (#4)
Quoting k85097ok's post of 2007-03-31 20:08, "How to remove a USB drive virus (QQPass.jh)":
I closed every resident program I could and am pasting the log again for you to look at. A USB-drive virus shouldn't damage the data on the computer, should it? I have reinstalled the computer several times and it gets infected again right after the reinstall; the D: and E: drives are probably infected. Later I found USBCleaner 6.0 and it did detect something... but I don't know whether it was really cleaned. The school computers getting infected is most likely the students' doing: helping the school install the computers and installing the virus along with them.

2007-04-01,10:18:06
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed
Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File

Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<Yahoo! Pager><"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet> [(Verified)Yahoo! Inc.]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [Microsoft Corporation]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]

==================================
Startup Folders
[FDVR-Server II]
<C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\FDVR-Server II.lnk --> C:\PROGRA~1\FDVRII~1\SECURI~1.EXE []><N>
[RC.exe]
<C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動\RC.exe.lnk --> C:\PROGRA~1\DTV\DVB-TU~1.0\RC.exe [Computer & Entertainment, Inc.]><N>

==================================
Services
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[ATK Keyboard Service / ATKKeyboardService][Running/Auto Start]
<C:\WINDOWS\ATKKBService.exe><ASUSTeK COMPUTER INC.>
[Kaspersky Anti-Virus 6.0 / AVP][Stopped/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Stopped/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>

==================================
Drivers
[a347bus / a347bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\a347bus.sys><>
[a347scsi / a347scsi][Running/Boot Start]
<\SystemRoot\System32\Drivers\a347scsi.sys><>
[Enhanced Display Driver Helper Service / asuskbnt][Running/System Start]
<system32\drivers\atkkbnt.sys><ASUSTeK COMPUTER INC.>
[標準 IDE/ESDI 硬碟控制器 / atapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\atapi.sys><N/A>
[BT878, WDM Video Capture / BT848][Running/Auto Start]
<system32\drivers\PV878_A0.sys><Security Corporation>
[EIO / EIO][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\EIO.sys><ASUSTeK Computer Inc.>
[Microsoft UAA Function Driver for High Definition Audio 服務 / HdAudAddService][Stopped/Manual Start]
<system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[直接平行連接埠連結驅動程式 / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[UPMOST DVB250_DVB280 receiver Driver / UPMOST][Running/Manual Start]
<System32\Drivers\WDM_Capture_220A.sys><Computer & Entertainment, Inc.>
[世界標準電傳轉碼器 / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
<system32\DRIVERS\yk51x86.sys><Marvell>

==================================
Browser Add-ons
[AcroIEHlprObj Class] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[NTIECatcher Class] {C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[ALiBaBar_Helper] {CE439C63-384A-747A-A357-23D96B5D652B} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[網頁防護程式] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
[參考資料(&R)] {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[ALiBaBar] {0A1375E1-56C2-11D6-8E45-8933A0FB5235} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[AcroIEHlprObj Class] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[ALiBaBar] {0A1375E1-56C2-11D6-8E45-8933A0FB5235} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[Windows Media Player] {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[Windows Media Player] {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web Browser] {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[SearchAssistantOC] {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[NTIECatcher Class] {C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[ALiBaBar_Helper] {CE439C63-384A-747A-A357-23D96B5D652B} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[Shockwave Flash Object] {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Flash\Flash8b.ocx, Macromedia, Inc.>
[MessengerChecker Class] {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, Yahoo! Inc.>
[使用影音傳送帶下載] <C:\Program Files\Xi\NetTransport 2\NTAddLink.html, N/A>
[使用影音傳送帶下載全部連結] <C:\Program Files\Xi\NetTransport 2\NTAddList.html, N/A>
[剪貼簿文字: 簡 > 繁] <res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad, N/A>
[剪貼簿文字: 繁 > 簡] <res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim, N/A>
[匯出至 Microsoft Office Excel(&X)] <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[網頁: [簡體] 顯示] <res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim, N/A>
[網頁: [繁體] 顯示] <res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad, N/A>

==================================
Running Processes
[PID: 720][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 828][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1844][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
    [C:\Program Files\WinRAR\rarext.dll] [N/A, ]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 1992][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3308][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[PID: 2112][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\PROGRA~1\ALiBaBar\ALiBaBar.dll] [Alfred, C. S. Li, 4.0.3.0]
    [C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
    [C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll] [Xi, 1.91.12]
    [C:\Program Files\Xi\NetTransport 2\MFC42.DLL] [Microsoft Corporation, 6.00.9782.0]
    [C:\Program Files\NetLimiter\nl_lsp.dll] [N/A, ]
    [C:\WINDOWS\system32\nl_msgc.dll] [N/A, ]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scr_ch_pg.dll] [Kaspersky Lab, 1.0.6.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll] [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\pr_remote.dll] [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll] [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl] [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.0.299]
    [C:\WINDOWS\system32\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl] [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl] [Kaspersky Lab, 6.0.0.299]
[PID: 756][C:\Documents and Settings\Administrator\桌面\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
    [C:\Program Files\NetLimiter\nl_lsp.dll] [N/A, ]
    [C:\WINDOWS\system32\nl_msgc.dll] [N/A, ]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
NL MSAFD Tcpip [TCP/IP] C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)
NL MSAFD Tcpip [UDP/IP] C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)
NL MSAFD Tcpip [RAW/IP] C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)
NL RSVP UDP Service Provider C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)
NL RSVP TCP Service Provider C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)
NL LSP C:\Program Files\NetLimiter\nl_lsp.dll(, N/A)

==================================
Autorun.Inf
N/A

==================================
HOSTS File
N/A

==================================
API HOOK
RVA Error: LoadLibraryA (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF4B36B25)
RVA Error: LoadLibraryExA (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF4B36D67)
RVA Error: LoadLibraryExW (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF4B36F0B)
RVA Error: LoadLibraryW (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF4B36C49)
RVA Error: GetProcAddress (Dangerous Level: High, Hooked by Module: Dest Addr: 0xF4B36E8F)

==================================
Hidden Process
N/A
==================================
彗星風采, 2007-04-01 11:28 (#5)
I don't see any virus in your SREng report! But remember not to plug the infected USB drive into the computer again, or it will come right back.

Also, I found the following somewhat suspicious items in your SREng report. Do you know what they are? If you do, there is no problem; if you don't, I suggest uploading the files below to a file host or to VT for analysis.
Startup Folders
[FDVR-Server II] <C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\FDVR-Server II.lnk --> C:\PROGRA~1\FDVRII~1\SECURI~1.EXE []><N>
Drivers
[BT878, WDM Video Capture / BT848][Running/Auto Start] <system32\drivers\PV878_A0.sys><Security Corporation>
k85097ok, 2007-04-02 00:14 (#6)
Quoting 彗星風采's post of 2007-04-01 11:28:
Those belong to my video capture card software.. So it looks like there is no problem. Thanks everyone for the help. But the source of the infection is the school computers... that depends on whether the people at the IT center notice. (The school is a certification exam site; if the disks won't open... that will be fun.)