Today a colleague's machine rebooted itself for no apparent reason, so I went over to take a look. Computer -- Manage would not run either; it reported something like "cannot find file NULL".

I checked the registry value:

%windir%\system32\mmc.exe /s %windir%\system32\compmgmt.msc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Manage\command

That looked normal, yet MMC.EXE could still run, and running compmgmt.msc directly also worked fine.

He uses Norton and I use McAfee, so I scanned his machine over the network share.

2005-09-08 15:39:44 未采取操作 \\192.168.3.147\c$\WINNT\system32\CD_CLINT.DLL Adware-CyDoor(Adware)
2005-09-08 15:45:01 未采取操作 \\192.168.3.147\c$\WINNT\system32\Yulsnhvt.d1l BackDoor-CKB.dll(特洛伊)
2005-09-08 15:45:01 未采取操作 \\192.168.3.147\c$\WINNT\system32\Yulsnhvt.dll BackDoor-CKB.dll(特洛伊)
2005-09-08 15:52:18 未采取操作 \\192.168.3.147\c$\WINNT\system32\drivers\Yulsnhvt.sys BackDoor-CKB.sys(特洛伊)
2005-09-08 15:53:38 扫描摘要 SF\shengfang 扫描摘要
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已扫描的进程: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已检测进程: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已清除病毒的进程: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已扫描的引导区: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已检测引导区: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已清除病毒的引导区: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已扫描的文件: 7899
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已感染病毒的文件: 4
2005-09-08 15:53:38 扫描摘要 SF\shengfang 文件中发现的病毒: 4
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已清除病毒的文件: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已移动的文件: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已删除的文件: 0
2005-09-08 15:53:38 扫描摘要 SF\shengfang 未扫描的文件: 11
2005-09-08 15:53:38 扫描摘要 SF\shengfang 运行时间: 0:22:09
2005-09-08 15:53:38 扫描结束 SF\shengfang 按需扫描

Information on these is fairly hard to find, so I had to just delete the DLLs. Surprisingly, they could not be deleted even in Safe Mode, so I had to boot into pure DOS to delete them.

As for cd_client and the few related files: Bianfeng (边锋) is what uses this adware (CYDOOR spyware). Forcibly deleting it may leave some software unable to run, though. That can be solved by replacing CD_client.

Looking further into CYDOOR spyware:

This memory-resident adware downloads several advertisements into a target machine. However, it needs other applications and must be manually installed to successfully run on the affected system. Upon execution, it drops the file CD_CLINT.DLL, which contains all its functionalities, in the system folder.
It also creates the following folder, where it stores all its downloaded advertisements:

%System%\AdCache

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

BackDoor-CKB.dll

Malware type: Trojan
Aliases: BackDoor-CKB.dll
In the wild: No
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: Yes
Overall risk rating: Low

Reported infections: Low
Damage potential: High
Distribution potential: Low

Description:

This Trojan arrives as an .EXE file, which may be downloaded from the Internet by unsuspecting users. It may also be installed and used by other malware programs.

It is capable of making the affected machine its proxy server to allow a remote malicious user access. A proxy allows malware authors to use an infected system to hide their identity when performing malicious activities. Since the IP address of the remote user is hidden, the only address that the rest of the Web sees is the address of the infected proxy.

This Trojan is capable of stealing the following information from the affected machine:

Logged user keystrokes
Captured desktop snapshots
Running processes

This Trojan is also capable of downloading and executing files from the Internet.
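The scan log above can be triaged mechanically. The following is an added example, not part of the original post: it parses the detection lines copied from that log, checks their count against the summary, and groups files by base name so that a DLL and its driver are cleaned up together. The function names are hypothetical, and the field layout is assumed from the lines shown on this page.

```python
import re
from collections import defaultdict
from ntpath import basename, splitext

# Detection lines and part of the summary, copied from the scan log on this page.
SAMPLE_LOG = r"""
2005-09-08 15:39:44 未采取操作 \\192.168.3.147\c$\WINNT\system32\CD_CLINT.DLL Adware-CyDoor(Adware)
2005-09-08 15:45:01 未采取操作 \\192.168.3.147\c$\WINNT\system32\Yulsnhvt.d1l BackDoor-CKB.dll(特洛伊)
2005-09-08 15:45:01 未采取操作 \\192.168.3.147\c$\WINNT\system32\Yulsnhvt.dll BackDoor-CKB.dll(特洛伊)
2005-09-08 15:52:18 未采取操作 \\192.168.3.147\c$\WINNT\system32\drivers\Yulsnhvt.sys BackDoor-CKB.sys(特洛伊)
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已扫描的文件: 7899
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已感染病毒的文件: 4
2005-09-08 15:53:38 扫描摘要 SF\shengfang 已清除病毒的文件: 0
"""

# Fields: timestamp, action, UNC path, detection name, category in parentheses.
DETECTION = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\\\\\S+)\s+(\S+)\((.+)\)$")
INFECTED_TOTAL = re.compile(r"已感染病毒的文件:\s*(\d+)")  # "infected files" summary line
NO_ACTION = "未采取操作"  # "no action taken"
FIELDS = ("time", "action", "path", "name", "kind")

def parse(log):
    """Return (list of detections, infected-file count stated in the summary)."""
    hits, reported = [], None
    for line in map(str.strip, log.splitlines()):
        m = DETECTION.match(line)
        if m:
            hits.append(dict(zip(FIELDS, m.groups())))
            continue
        s = INFECTED_TOTAL.search(line)
        if s:
            reported = int(s.group(1))
    return hits, reported

def component_sets(hits):
    """Group detected paths by file stem, ignoring case and extension."""
    groups = defaultdict(list)
    for h in hits:
        groups[splitext(basename(h["path"]))[0].lower()].append(h["path"])
    return dict(groups)

def has_driver(paths):
    """True if the set includes a .sys file under a drivers directory."""
    return any("\\drivers\\" in p.lower() and p.lower().endswith(".sys") for p in paths)

if __name__ == "__main__":
    hits, reported = parse(SAMPLE_LOG)
    print("parsed", len(hits), "detections; summary reports", reported)
    for stem, paths in component_sets(hits).items():
        print(stem, len(paths), "file(s)", "+ driver" if has_driver(paths) else "")
    print("still on disk:", [h["path"] for h in hits if h["action"] == NO_ACTION])
```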