Author: x818 [x818] Forum user
I was plagued by Mcafe32.exe today and couldn't find any Chinese material on it.
http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm

You have a Trojan virus which you picked up probably through the use of file sharing software like KaZaA, or through downloading and installing something from a malicious web page. At the time of writing, 16-Jan-2005, this Trojan is not picked up by the majority of antivirus programs.

Recommendation: Get rid of this immediately:
1) Restart your PC into Safe Mode by pressing F8 continually after turning your PC ON till you get a menu where "Safe Mode" is one of the options (if you are unable to start your PC into Safe Mode, then try the following in Normal Mode).
2) Start The Ultimate Troubleshooter and go to the Services tab if you have Windows 2000/XP/2003, otherwise continue from point (4) below.
3) If you find a service which starts this task, right-click on it and change the Startup Mode to Disabled.
4) Go to the Startups tab and for each instance of this task (there are sometimes two or three entries for this malicious task) do the following: right-click on it and choose Delete from the hard disk the file that this Startup points to; next, right-click on this entry again and this time choose Delete this Startup entry.
5) Click the big green APPLY button to make your changes stick.
6) Reboot your PC into Normal Mode.
7) Download Ad-Aware or SpyBot from our Downloads library and run it to eliminate all possible adware and spyware.
8) Make sure you have an up-to-date reputable antivirus program and run a full virus scan on your PC.
OP | Posted: 05-01-18 23:51
Reply: x818 [x818] Forum user
http://www.bullguard.com/forum/8/Virus-or-trojan_7991.html
Posted 1/13/2005 4:25 PM (GMT +1)

Hi, I've downloaded Sweeper, Ad-Aware, Trojan Remover and MWAV. I downloaded all the updates and ran them on my hard disk several times. MWAV found two different backdoors, Wootbot and Gnrbot, and there were different .exe files connected with these backdoors. I began to have trouble connecting to the internet, so I tried to delete all the .exe files with HijackThis, but the situation got worse. Now I write from a friend's PC, as with mine it is impossible to connect. I would like a quick response to help me; I'd have big trouble formatting the hard disk. Could anyone help me to avoid formatting? I send you the HijackThis log and the MWAV log.

Logfile of HijackThis v1.99.0
Scan saved at 15.35.54, on 13/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AG8.3 CRK\lmgrd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\AG8.3 CRK\ESRI.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Hcontrol.exe
C:\Programmi\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\WINDOWS\ATKOSD.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\System32\Flashget.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\mcafe32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\CH_Utility.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Trojan Remover\uga5.exe
C:\Programmi\Trojan Remover\uga5.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\Hcontrol.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [mmtask] C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ynkqItswutv] C:\WINDOWS\System32\keqsjmgaiqrhea.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Flashget Download Manager] Flashget.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Programmi\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\RunServices: [ynkqItswutv] C:\WINDOWS\System32\keqsjmgaiqrhea.exe
O4 - HKLM\..\RunServices: [Flashget Download Manager] Flashget.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - Global Startup: Chrontel TV.lnk = C:\WINDOWS\system32\CH_Utility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AutoComplete Service - Acesoft - C:\Programmi\Tracks Eraser Pro\autocomp.exe
O23 - Service: ESRI License Manager - Unknown - C:\AG8.3 CRK\lmgrd.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Tue Jan 11 11:34:57 2005 => **********************************************************
Tue Jan 11 11:34:57 2005 => eScan AntiVirus Toolkit Utility.
Tue Jan 11 11:34:57 2005 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Tue Jan 11 11:34:57 2005 => **********************************************************
Tue Jan 11 11:34:57 2005 => Version 4.7.9 (C:\DOCUME~1\WILLY\IMPOST~1\Temp\mwavscan.com)
Tue Jan 11 11:34:57 2005 => Log File: C:\DOCUME~1\WILLY\IMPOST~1\Temp\MWAV.LOG
Tue Jan 11 11:34:57 2005 => Latest Date of files inside MWAV: 10 Jan 2005 07:00:50.
Tue Jan 11 11:35:02 2005 => AV Library Loaded...
Tue Jan 11 11:35:02 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\kavss.exe
Tue Jan 11 11:35:02 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\Getvlist.exe
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\kavss.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\kavssdi.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\kavssi.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\kavvlg.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\msvlclnt.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\ipc.dll
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\main.avi
Tue Jan 11 11:35:03 2005 => Scanning File C:\DOCUME~1\WILLY\IMPOST~1\Temp\virus.avi
Tue Jan 11 11:35:03 2005 => Virus Database Date: 2005/01/10
Tue Jan 11 11:35:03 2005 => Virus Database Count: 115099
Tue Jan 11 11:35:28 2005 => **********************************************************
Tue Jan 11 11:35:28 2005 => eScan AntiVirus Toolkit Utility.
Tue Jan 11 11:35:28 2005 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Tue Jan 11 11:35:28 2005 =>
Tue Jan 11 11:35:28 2005 => Support: support@mwti.net
Tue Jan 11 11:35:28 2005 => Web: http://www.mwti.net
Tue Jan 11 11:35:28 2005 => **********************************************************
Tue Jan 11 11:35:28 2005 => Version 4.7.9 (C:\DOCUME~1\WILLY\IMPOST~1\Temp\mwavscan.com)
Tue Jan 11 11:35:28 2005 => Log File: C:\DOCUME~1\WILLY\IMPOST~1\Temp\MWAV.LOG
Tue Jan 11 11:35:28 2005 => OS: Windows NT
Tue Jan 11 11:35:28 2005 => Latest Date of files inside MWAV: 10 Jan 2005 07:00:50.
Tue Jan 11 11:35:28 2005 => Options Selected by User:
Tue Jan 11 11:35:28 2005 => Memory Check: Enabled
Tue Jan 11 11:35:28 2005 => Registry Check: Enabled
Tue Jan 11 11:35:28 2005 => StartUp Folder Check: Enabled
Tue Jan 11 11:35:28 2005 => System Folder Check: Enabled
Tue Jan 11 11:35:28 2005 => System Area Check: Disabled
Tue Jan 11 11:35:28 2005 => Services Check: Enabled
Tue Jan 11 11:35:28 2005 => Drive Check Option Disabled
Tue Jan 11 11:35:28 2005 => Folder Check: Enabled
Tue Jan 11 11:35:28 2005 => Folder Selected = C:\WINDOWS
Tue Jan 11 11:35:29 2005 => ***** Scanning Memory Files *****
Tue Jan 11 11:35:29 2005 => Scanning File C:\WINDOWS\SYSTEM32\CSRSS.EXE
Tue Jan 11 11:35:29 2005 => Scanning File C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Tue Jan 11 11:35:30 2005 => Scanning File C:\WINDOWS\System32\smss.exe
Tue Jan 11 11:35:30 2005 => Scanning File c:\12s17.exe
Tue Jan 11 11:35:39 2005 => File c:\12s17.exe infected by "Trojan.Win32.LowZones.d" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:35:39 2005 => Scanning File c:\3as.exe
Tue Jan 11 11:35:39 2005 => File c:\3as.exe infected by "Trojan.Win32.LowZones.d" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:17 2005 => File C:\WINDOWS\System32\Realplaysvc.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:23 2005 => Scanning File C:\WINDOWS\System32\tasksys.exe
Tue Jan 11 11:36:25 2005 => File C:\WINDOWS\System32\tasksys.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:26 2005 => Scanning File C:\WINDOWS\System32\updatemgr.exe
Tue Jan 11 11:36:26 2005 => File C:\WINDOWS\System32\updatemgr.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:32 2005 => Scanning File C:\WINDOWS\System32\WinSys32.exe
Tue Jan 11 11:36:32 2005 => File C:\WINDOWS\System32\WinSys32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:35 2005 => ***** Scanning Registry Files *****
Tue Jan 11 11:36:50 2005 => Scanning File C:\WINDOWS\system32\tasksys.exe
Tue Jan 11 11:36:53 2005 => File C:\WINDOWS\system32\tasksys.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:53 2005 => Scanning File C:\WINDOWS\system32\updatemgr.exe
Tue Jan 11 11:36:53 2005 => File C:\WINDOWS\system32\updatemgr.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:53 2005 => Scanning File C:\WINDOWS\system32\WinSys32.exe
Tue Jan 11 11:36:54 2005 => File C:\WINDOWS\system32\WinSys32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:36:54 2005 => Scanning File C:\WINDOWS\System32\ohyqc.exe
Tue Jan 11 11:36:54 2005 => Scanning File C:\WINDOWS\system32\Realplaysvc.exe
Tue Jan 11 11:36:54 2005 => File C:\WINDOWS\system32\Realplaysvc.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:41:07 2005 => ***** Checking for specific ITW Viruses *****
Tue Jan 11 11:41:07 2005 => Checking for Welchia Virus...
Tue Jan 11 11:41:07 2005 => Checking for LovGate Virus...
Tue Jan 11 11:41:07 2005 => Checking for CodeRed Virus...
Tue Jan 11 11:41:07 2005 => Checking for OpaServ Virus...
Tue Jan 11 11:41:07 2005 => Checking for Sobig.e Virus...
Tue Jan 11 11:41:07 2005 => Checking for Winupie Virus...
Tue Jan 11 11:41:07 2005 => Checking for Swen Virus...
Tue Jan 11 11:41:07 2005 => Checking for JS.Fortnight Virus...
Tue Jan 11 11:41:07 2005 => Checking for Novarg Virus...
Tue Jan 11 11:41:07 2005 => Checking for Pagabot Virus...
Tue Jan 11 11:41:07 2005 => Checking for Parite.b Virus...
Tue Jan 11 11:41:07 2005 => Checking for Parite.a Virus...
Tue Jan 11 11:41:07 2005 => ***** Scanning complete. *****
Tue Jan 11 11:41:07 2005 => Scan Completed.
Tue Jan 11 11:41:15 2005 => Virus Database Date: 2005/01/10
Tue Jan 11 11:41:15 2005 => Virus Database Count: 115099
Tue Jan 11 11:43:07 2005 => Options Selected by User:
Tue Jan 11 11:43:07 2005 => Memory Check: Enabled
Tue Jan 11 11:43:07 2005 => Registry Check: Enabled
Tue Jan 11 11:43:07 2005 => StartUp Folder Check: Enabled
Tue Jan 11 11:43:07 2005 => System Folder Check: Enabled
Tue Jan 11 11:43:07 2005 => System Area Check: Disabled
Tue Jan 11 11:43:07 2005 => Services Check: Enabled
Tue Jan 11 11:43:07 2005 => Drive Check: Disabled
Tue Jan 11 11:43:07 2005 => All Drive Check :Enabled
Tue Jan 11 11:43:07 2005 => Folder Check: Enabled
Tue Jan 11 11:43:07 2005 => Folder Selected = C:\WINDOWS
Tue Jan 11 11:43:08 2005 => ***** Scanning Memory Files *****
Tue Jan 11 11:43:08 2005 => Scanning File C:\WINDOWS\SYSTEM32\CSRSS.EXE
Tue Jan 11 11:43:08 2005 => Scanning File C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Tue Jan 11 11:43:08 2005 => Scanning File C:\WINDOWS\System32\smss.exe
Tue Jan 11 11:43:08 2005 => Scanning File c:\12s17.exe
Tue Jan 11 11:43:08 2005 => File c:\12s17.exe infected by "Trojan.Win32.LowZones.d" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:44:16 2005 => Scanning File C:\WINDOWS\System32\Realplaysvc.exe
Tue Jan 11 11:44:17 2005 => File C:\WINDOWS\System32\Realplaysvc.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:44:25 2005 => Scanning File C:\WINDOWS\System32\tasksys.exe
Tue Jan 11 11:44:27 2005 => File C:\WINDOWS\System32\tasksys.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:44:28 2005 => Scanning File C:\WINDOWS\System32\updatemgr.exe
Tue Jan 11 11:44:30 2005 => File C:\WINDOWS\System32\updatemgr.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:44:39 2005 => Scanning File C:\WINDOWS\System32\WinSys32.exe
Tue Jan 11 11:44:39 2005 => File C:\WINDOWS\System32\WinSys32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
Tue Jan 11 11:44:42 2005 => ***** Scanning Registry Files *****
Tue Jan 11 11:44:45 2005 => Scanning HKCR\wshfile\shell\open\command
Tue Jan 11 11:44:45 2005 => Scanning File C:\WINDOWS\System32\WScript.exe
Tue Jan 11 11:44:45 2005 => Scanning HKCR\wsffile\shell\open\command
Tue Jan 11 11:44:45 2005 => Scanning File C:\WINDOWS\System32\WScript.exe
Tue Jan 11 11:44:45 2005 => ***** Scanning StartUp Folders *****

I put only a part of the log, so you can understand my problem easily. Please help me. I'm sorry, but I'm not very good with the PC and my English is even worse!!!!! Thanks in advance for your help.
willy
Reply #1 | Posted: 05-01-18 23:54
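The removal steps quoted in the opening post (find every autostart entry that launches the task, then delete the file and the entry) and the HijackThis log quoted above come down to the same triage: which autostart and hosts-file lines are hostile. The Python script below is an added example, not code from either forum post or from HijackThis; it parses a constructed HijackThis-style sample modelled on the log above and flags hosts entries that redirect security-vendor or update domains, autostarts that run a bare filename with no path, and one value name planted in several Run keys. The domain hints and severities are my own heuristics.

```python
import re
from collections import defaultdict
# Constructed sample in HijackThis format, modelled on the log quoted in the
# reply above (a few representative lines, not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 255.255.255.255 download.mcafee.com liveupdate.symantec.com windowsupdate.microsoft.com
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\Run: [ynkqItswutv] C:\WINDOWS\System32\keqsjmgaiqrhea.exe
O4 - HKLM\..\RunServices: [ynkqItswutv] C:\WINDOWS\System32\keqsjmgaiqrhea.exe
"""

# Vendor/update domains a user has no reason to redirect in the hosts file (own heuristic).
SECURITY_DOMAIN_HINTS = ("mcafee", "symantec", "sophos", "f-secure", "kaspersky",
                         "trendmicro", "nai.com", "microsoft.com", "avp.")

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

def executable(cmd):
    """First token of an autostart command; a quoted path may contain spaces."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]

def analyse(log_text):
    """Return (severity, message) findings for a HijackThis-style log."""
    findings = []
    locations = defaultdict(set)  # autostart value name -> keys it appears under
    bare = {}                     # autostart value name -> path-less executable
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, domains = m.group(1), m.group(2).split()
            hijacked = [d for d in domains if any(h in d for h in SECURITY_DOMAIN_HINTS)]
            if hijacked:
                findings.append(("high", f"hosts file points {len(hijacked)} "
                                 f"security/update domain(s) at {ip}"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        locations[name].add(f"{hive}\\{key}")
        exe = executable(cmd)
        if "\\" not in exe:  # no directory: resolved via the search path at logon
            bare[name] = exe
    for name, exe in bare.items():
        findings.append(("high", f"[{name}] starts '{exe}' by bare filename"))
    for name, keys in locations.items():
        if len(keys) > 1:  # the same entry planted in several Run keys
            findings.append(("medium", f"[{name}] registered in {len(keys)} "
                             f"autostart locations: {', '.join(sorted(keys))}"))
    return findings
```

Running analyse(SAMPLE_LOG) yields four findings: the hosts-file redirect, the path-less mcafe32.exe, and the two names (Windows Media Player, ynkqItswutv) duplicated across Run and RunServices keys, which is exactly the set of entries the quoted removal steps tell you to delete.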
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
Guangdong ICP registration: 粤ICP备05087286号