佳礼资讯网 (Cari forum)

Thread starter: ksang

Help, my PC is infected with a WORM; which antivirus software should I use?

OP | Posted on 19-1-2005 09:57 PM
let me try ya~

Posted on 19-1-2005 10:11 PM
稻草人, please download this, run it, and post the information shown in its window here
http://download.broadbandmedic.com/VX2Finder(126).exe

OP | Posted on 19-1-2005 10:15 PM
looks like it works
but there are still 2 viruses in the windows folder.....
I-WORM/OPAS.I
and win32/dupator

Posted on 19-1-2005 10:21 PM
ksang, please download this
http://www.grisoft.com/softw/removers/rmdptor.exe

and run it in DOS mode

OP | Posted on 19-1-2005 10:22 PM
thanks, i think i can handle the others
thanks for ur help very much
if i face any problem again, i will write in this forum again~
thanks ya~

Posted on 19-1-2005 10:25 PM
ksang,

How to heal viruses in DOS using AVG? (AVG6 only)

Start the computer in MS-DOS mode (using F8 key while computer is booting up, then from Windows start-up menu select "start in MS-DOS mode" or "Command prompt only").


Switch to the AVG Anti-Virus destination folder using these steps (assuming AVG is installed to C:\Program Files\Grisoft\AVG6 as the destination folder):

cd \
cd progra~1
cd grisoft
cd avg6


Start AVG for MS-DOS application:

avg


In this DOS application, every feature can be selected by pressing the key shown in a different color (or that key in combination with the ALT key). So it is necessary to choose the Test menu, the Complete test item, and start the test.


When the first virus is detected, the user should select the Test NONSTOP option and find all infected files. At the end of the test, a message says "virus was detected" and the user has to confirm the message by pressing Enter.


Now, test results are displayed. The user should select Select all option, then (using arrow) move down to the first virus name (which will enable Remove virus button) and choose Remove virus option.


New dialog will appear, the user has to select Heal option. All viruses will be healed. If any virus couldn't be healed, the user should remember its name and consult with us if he can remove the infected file or move the file into Virus Vault.
With Windows ME, you have to start your computer using Windows ME startup/rescue floppy, option "minimal boot" to get MS-DOS mode.

OP | Posted on 19-1-2005 10:26 PM
why is it showing "cannot open <directory> file locked"

Posted on 19-1-2005 10:28 PM
ksang,

you're welcome

Posted on 19-1-2005 10:29 PM
I think you have to do this

With Windows ME, you have to start your computer using Windows ME startup/rescue floppy, option "minimal boot" to get MS-DOS mode.

OP | Posted on 19-1-2005 10:31 PM
oh....
if my pc contains some files that can't be deleted,
i mean the Chinese encoding problem (乱码) files
how can i delete them?
cause they're really wasting my space

Posted on 19-1-2005 10:44 PM
can Scandisk fix it.

Have to go, bye

OP | Posted on 19-1-2005 10:46 PM
bye!~~~~~~~~

Posted on 21-1-2005 10:50 AM
austinlim said on 19-1-2005 10:11 PM:
稻草人, please download this, run it, and post the information shown in its window here
http://download.broadbandmedic.com/VX2Finder(126).exe

Broken Link

Posted on 21-1-2005 12:03 PM
austinlim said on 21-1-2005 11:22 AM:
http://downloads.subratam.org/VX2Finder(126).exe

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
Explorer
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{F9C1692B-53F3-4CD5-8E31-F8520A59E6F5}

Posted on 21-1-2005 12:17 PM
Can you tell me the names of the three VX2 dlls and which folder they are in?

Posted on 21-1-2005 12:32 PM
Vendor:VX2
Category:Malware
Object Type:Process
Size:-
Location:C:\WINDOWS\system32\fp0o03d3e.dll
Last Activity:1-21-2005 2:52:08 AM
Risk Level:High
TAC index:10
Comment:(CSI MATCH)
Description:Malware. Causes Popups and may install unsolicited software.

Vendor:VX2
Category:Malware
Object Type:Process
Size:-
Location:C:\WINDOWS\system32\pvfmgr.dll
Last Activity:
Risk Level:High
TAC index:10
Comment:(CSI MATCH)
Description:Malware. Causes Popups and may install unsolicited software.

Vendor:VX2
Category:Malware
Object Type:RegValue
Size:553 Bytes
Location:software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
Last Activity:1-21-2005
Risk Level:Low
TAC index:10
Comment:
Description:Malware. Causes Popups and may install unsolicited software.

Vendor:VX2
Category:Malware
Object Type:Process
Size:-
Location:C:\WINDOWS\system32\guard.tmp
Last Activity:1-21-2005 4:28:08 AM
Risk Level:High
TAC index:10
Comment:(CSI MATCH)
Description:Malware. Causes Popups and may install unsolicited software.

[ Last edited by 稻草人 on 21-1-2005 at 12:44 PM ]

Posted on 21-1-2005 12:56 PM
Step 1
-Remove as much as possible using Ad-aware with the most recent reference file. Reboot and have these 2 utilities ready.
DllCompare (version 1.0.0.127, which will scan for locked files created by VX2)
and
Killbox (version 2.0.0.76, which will be responsible for removing the files found)

http://www.downloads.subratam.org/DllCompare.exe
http://www.downloads.subratam.org/KillBox.exe

Posted on 21-1-2005 12:57 PM
Using DllCompare

Copy the dllcompare.exe to your desktop; don't just run it from the download site.
It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete (in blue: "Completed").
Click the button [Make a Log of what was Found]

To identify suspected VX2 files, look at the dates in the log; all will have been created in the period from late Nov to current. There are other legitimate files that may also be there, so just don't delete everything in the list either.
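As an added example (not part of this post, and not code from the DllCompare tool), here is a small Python parser for the DllCompare log format, run over the sample log quoted in the next post. It extracts each listed file's path, creation timestamp, attribute flags and size, then applies the date criterion from this post: only files created between a cutoff in late November (assumed here to be Nov 20 2004) and the date the instructions were written (Dec 13 2004) are listed as Killbox candidates. A constructed older entry shows that a legitimate file outside that window is parsed but not selected, which is the "don't delete everything in the list" caveat above.

```python
import re
from datetime import datetime

# Sample DllCompare 1.0.0.127 log, copied from the "sample log" post in this thread.
SAMPLE_LOG = r"""
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

D:\WINDOWS\SYSTEM32\dad8.dll       Mon Dec 13 2004   3:24:48a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll   Mon Dec 13 2004   3:09:08a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll   Sun Dec 12 2004  10:36:04p  ..S.R        224,137   218.88 K
D:\WINDOWS\SYSTEM32\hrp805~1.dll   Mon Dec 13 2004   3:24:48a  ..S.R        224,107   218.85 K
D:\WINDOWS\SYSTEM32\irrml5~1.dll   Sun Dec 12 2004  10:14:28p  ..S.R        224,427   219.16 K
D:\WINDOWS\SYSTEM32\lmexpand.dll   Sun Dec 12 2004  10:36:04p  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\oabcp32r.dll   Mon Dec 13 2004   3:10:04a  ..S.R        224,362   219.10 K
________________________________________________

1,108 items found:  1,108 files (7 H/S), 0 directories.
Total of file sizes:  190,775,194 bytes    181.93 M

Administrator Account =  True

--------------------End log---------------------
"""

# Constructed extra entry (not from the thread): an older system file that DllCompare
# could also list but that falls outside the "late Nov to current" window.
OLDER_ENTRY = r"D:\WINDOWS\SYSTEM32\legit~1.dll    Tue Aug 17 2004   2:00:00p  ..S.R         10,240    10.00 K"

ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"                                   # full path (8.3 names, no spaces)
    r"[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<year>\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+"                 # 12-hour clock with a/p suffix
    r"(?P<attrs>[.A-Z]{5})\s+"                                        # attribute flags, e.g. ..S.R
    r"(?P<size>[\d,]+)\s+"                                            # size in bytes, comma-grouped
)


def parse_dllcompare_log(text):
    """Return one dict per file entry in a DllCompare log; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{m['mon']} {m['day']} {m['year']} {m['time']}{m['ampm'].upper()}M"
        entries.append({
            "path": m["path"],
            "created": datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p"),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def suspected_vx2(entries, window_start, window_end):
    """Apply the post's criterion: created between late Nov and the current date, and
    carrying the 'S' flag (assumed here to be the System attribute DllCompare shows)."""
    return [
        e["path"] for e in entries
        if window_start <= e["created"] <= window_end and "S" in e["attrs"]
    ]


# Assumed window: "late Nov" taken as Nov 20 2004, "current" as the end of Dec 13 2004
# (the post says its information is current as of Dec 13).
WINDOW_START = datetime(2004, 11, 20)
WINDOW_END = datetime(2004, 12, 13, 23, 59, 59)


def killbox_paths(log_text, start=WINDOW_START, end=WINDOW_END):
    """Full paths to paste into Killbox, one per line, in log order."""
    return suspected_vx2(parse_dllcompare_log(log_text), start, end)


if __name__ == "__main__":
    for p in killbox_paths(SAMPLE_LOG + OLDER_ENTRY + "\n"):
        print(p)
```

Run it and the seven paths from the sample log are printed in order, ready for the Killbox step; the constructed August entry is left out. Adjust WINDOW_START and WINDOW_END to the dates of the infection you are actually looking at, and compare any remaining entry against a known-good file list before removing it.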

Posted on 21-1-2005 12:58 PM
sample log:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

D:\WINDOWS\SYSTEM32\dad8.dll       Mon Dec 13 2004   3:24:48a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll   Mon Dec 13 2004   3:09:08a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll   Sun Dec 12 2004  10:36:04p  ..S.R        224,137   218.88 K
D:\WINDOWS\SYSTEM32\hrp805~1.dll   Mon Dec 13 2004   3:24:48a  ..S.R        224,107   218.85 K
D:\WINDOWS\SYSTEM32\irrml5~1.dll   Sun Dec 12 2004  10:14:28p  ..S.R        224,427   219.16 K
D:\WINDOWS\SYSTEM32\lmexpand.dll   Sun Dec 12 2004  10:36:04p  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\oabcp32r.dll   Mon Dec 13 2004   3:10:04a  ..S.R        224,362   219.10 K
________________________________________________

1,108 items found:  1,108 files (7 H/S), 0 directories.
Total of file sizes:  190,775,194 bytes    181.93 M

Administrator Account =  True

--------------------End log---------------------



Now, it is most IMPORTANT that you do not reboot until all files have been entered into Killbox.

Step 2

Using Killbox

Copy Killbox to your Desktop (Do not run from the download site)

Settings for Killbox
From the menu bar click the "About" and ensure you have version 2.0.0.76 or better.
Select Option Replace on Reboot
From the Dllcompare log copy & paste each full path into the Killbox topmost box.
i.e. a full path from our sample log would be
D:\WINDOWS\SYSTEM32\dad8.dll
D:\WINDOWS\SYSTEM32\enp2l1~1.dll
etc.

With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.

Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No (since you are not finished adding all related files in yet)

Do this for every file you have matching the VX2 criteria, in the dllcompare log.
*in the sample file here, every file matches VX2 parameters and would be input into Killbox.

i.e. the top line in Killbox would have the path
D:\WINDOWS\SYSTEM32\dad8.dll
the bottom line would show a dummy file in user Temp directory
D:\Documents and Settings\User\Local Settings\Temp\kbdummy.1



Do this same step for every file in the dllcompare log, (Or each file one of the forum experts/helpers etc. tell you to)

When you get to the last file in the Dllcompare log, also add in one additional file

C:\Windows\System32\Guard.tmp
*Be careful to include the correct path to the system32 folder, as drive letters & windows folder names change slightly from system to system
If this is an issue, click the [Browse] button in Killbox and navigate to the guard.tmp manually. (it will always be in the System32 directory, and may need to have File & Folder options to "unhide system files" enabled)


On that last file, close all programs and Reboot your computer.

Step 3

After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty.
At worst, it will show many fewer files, and you may have to repeat step 2 one more time.

Guard.tmp may still exist, as it is created on Shutdown, but it is unprotected at this point.
Open Killbox again, paste the path to guard.tmp into the first box.
i.e.:
C:\WINDOWS\SYSTEM32\guard.tmp


This only requires the default "Standard File Kill" setting of Killbox.
If the file does exist, you will see the name guard.tmp in Blue appear. Click the Red X to delete it.

Step 4

Cleanup

Provided the DllCompare log is free of offending VX2 .dll files, you now need to repair some of the damage done to your system.

Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
i.e.:
C:\RECYCLER\Desktop.ini


Click Red X to delete it.
or
Simply browse to the directory under the drive root called RECYCLER.
In Killbox you will also see the term Directory in blue.
Click the Red X to delete it.
*Either of these methods will fix the bug where no files are shown in recycle bin, and no option to store files into recycle bin.

For ease of use, download the VX2Finder

Click the [Restore Policy] button, this will restore the removed Debug privilege for Administrators, otherwise some utilities will not function properly.

You will also need to remove the UserAgent from the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
*Using the VX2Finder [UserAgent$] button will remove this

and the Load dll for VX2 under the Notify key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Under this key will be a subkey holding the name of the VX2 dll file, which will need to be removed.
That subkey could be called just about anything and will be different for every system.
example:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s0pula791d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"



I will be adding a utility to make the registry modifications in the future.
At this point, your system will be *clean enough* to allow the other utilities such as Ad-aware & HiJackThis to remove the multiple other auto downloaded & unwanted applications you will have.

Hosts

From the Killbox menu bar, click Tools & select Hosts File

It will open in Notepad; just highlight the offending entries, or basically everything under the entry

127.0.0.1       localhost


*Hijackthis will also remove these.

Info current as of Dec 13
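As an added example (not code from this thread, VX2Finder, or Killbox), the following Python audit parses an exported Winlogon\Notify key in .reg format, lists every direct Notify subkey with its DllName, and flags any subkey that is not in the "Keys Under Notify" list that VX2Finder printed earlier in this thread (crypt32chain through wlballoon), which is used here as the assumed known-good baseline. It then emits a .reg fragment that deletes only the flagged subkeys, using the standard `[-key]` deletion syntax. The sample export combines the RunServices block quoted in the post above with a constructed crypt32chain block for contrast; the values in that constructed block are illustrative and not from the thread.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Baseline Notify subkeys, taken from the VX2Finder "Keys Under Notify" output posted
# earlier in this thread; assumed here to be the expected set for this machine.
KNOWN_NOTIFY_SUBKEYS = {"crypt32chain", "cryptnet", "cscdll", "Explorer", "ScCertProp",
                        "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Sample export: the RunServices block from the post above plus a constructed
# crypt32chain block (its values are illustrative, not taken from the thread).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s0pula791d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def decode_value(raw):
    """Decode the two .reg value forms used here: dword:XXXXXXXX and quoted strings
    (where a backslash is written as \\ and a double quote as \")."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Map each [key] section of a .reg export to a dict of its decoded values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["key"]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = decode_value(m["val"])
    return keys


def audit_notify(keys, known=KNOWN_NOTIFY_SUBKEYS):
    """List direct Notify subkeys with their DllName; mark those absent from the baseline."""
    prefix = NOTIFY_KEY.lower() + "\\"
    known_lower = {k.lower() for k in known}
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        if "\\" in sub:  # only direct children of Notify are registered for logon events
            continue
        findings.append({
            "subkey": sub,
            "dll": values.get("DllName", ""),
            "unknown": sub.lower() not in known_lower,
        })
    return findings


def removal_reg(findings):
    """Build a .reg fragment that deletes only the flagged subkeys ([-key] removes a key)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["unknown"]:
            lines += [f"[-{NOTIFY_KEY}\\{f['subkey']}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_notify(parse_reg(SAMPLE_REG))
    for f in found:
        print(("SUSPECT " if f["unknown"] else "known   ") + f"{f['subkey']}: {f['dll']}")
    print(removal_reg(found))
```

On the sample export this reports crypt32chain as known and RunServices (pointing at s0pula791d.dll) as suspect, and the generated fragment deletes only the RunServices subkey. Review the flagged DllName paths against what is actually on disk before merging the fragment: a baseline list is a hint, not proof, and a subkey name alone does not identify the DLL.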

Copyright © 1996-2023 Cari Internet Sdn Bhd (483575-W)