Forum: 史萊姆論壇
2003-08-17, 05:48 PM | #1
It won't let me install the Blaster (疾風) patch ~ please help
I got infected with Blaster (疾風) and downloaded the patch, but it won't let me install the patch. It shows the following message:
"Setup cannot verify the integrity of the file update.inf. Make sure the Cryptographic Services service is running on this computer."
Has anyone else run into this? Please help.
2003-08-17, 07:29 PM | #2
Registered member
How can I tell whether my computer is infected?
<1> Your computer keeps telling you it has to restart (60-second countdown).
<2> Start -> Run -> Taskmgr.exe [ENTER], then look for a program called MSBLAST.EXE running. If it is there, you are infected!
===================================================
Stop the malicious process:
1. This step terminates the malicious program running in memory.
2. Open Windows Task Manager: press CTRL+SHIFT+ESC on the keyboard, then click the Processes tab.
3. Among all the processes, find the following process name: MSBLAST.EXE
4. Select this malicious process and press the End Process button at the bottom.
5. Close Task Manager, open it again, and check that the process has really been stopped.
6. Close Task Manager.
===================================================
Remove the auto-start entry from the registry:
1. This step removes the worm's auto-start entry from the registry so the malicious program does not run automatically at boot.
2. Open the Registry Editor: click Start > Run, type Regedit, and press Enter.
3. In the left pane, click through in this order: HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
4. In the right pane, select and delete the following value: "windows auto update" = MSBLAST.EXE
5. Close the Registry Editor.
2003-08-17, 07:49 PM | #3
Registered member
Latest notes on the Blaster (疾風) virus and its variants --- using a different method

1. The Blaster virus has so far gone by the names Lovesan, Lovsan, Blaster, Msblast and Poza; each AV vendor names it differently. Other vendors' names for this virus are:
DcomRPC.exploit, W32.Blaster.Worm (Symantec), W32/Blaster (CERT), W32/Lovsan.worm (McAfee), W32/Msblast.A (F-Secure), Win32/Poza.Worm, WORM_MSBLAST.A (Trend)

2. How to tell you have the Blaster virus
a. One of the following files is in the X:\Windows\System32\ directory on your computer: Msblast.exe, Teekids.exe or Penis32.exe
b. A restart message or dialog appears
c. Error messages when using MS Word, Excel or Outlook
d. svchost.exe error messages
e. "RPC Service Failure" RPC error messages

3. Operating systems the Blaster virus attacks
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition

4. Fix for when the machine keeps restarting and you cannot download the Microsoft patch
a. Unplug the network cable
b. You need a copy of the file TFTP.EXE. The original file is in the \Windows\System32\dllcache directory; COPY it to the \Windows\System32\ directory (the original TFTP.EXE is already infected)
c. Plug the network cable back in
d. Download the Microsoft patch
e. Check whether "Cryptographic Services" under "Services" is started; if not, start it....
f. Install the patch

Poza starts scanning the whole subnet for computers with TCP port 135 open, then randomly scans a few selected class B subnets (255.255.0.0). If it finds a computer with TCP port 135 open, Poza attacks that computer using the security vulnerability mentioned earlier and creates a remote-controlled command shell on the infected computer. Once the intrusion succeeds, Poza tries to connect to TCP port 4444 on the remote computer. After connecting, Poza instructs the infected computer to download the file MSBLAST.EXE from the remote computer, using TFTP.EXE as the FTP service (file size: 6,176 bytes, UPX self-extracting packed file). It then sends the command to run MSBLAST.EXE on the infected computer.
Note: TFTP.EXE is a utility installed by default on Windows 2000 and later versions of Windows. This worm also keeps connections to 20 other infected computers at the same time.

5. If you already have the Blaster virus, download the cleaning tool below; after cleaning, download the Microsoft patch and install it.
Microsoft patch:
http://www.microsoft.com/taiwan/sec...ns/MS03-026.asp
http://support.microsoft.com/?kbid=331953
Blaster automatic scan-and-remove tool --- not only the Blaster virus but other worms and their variants too. This program is for all versions NT/2000/XP/2003.
Program: ftp://ftp.kaspersky.com/utils/clrav.com
Usage:
1. Copy clrav.com to your windows\system32 directory
2. Start ---> Run -----> type clrav.com /s ----> OK

Usage notes and parameters
****************************************************************************
Utility for cleaning infection by:
  I-Worm.BleBla.b
  I-Worm.Navidad
  I-Worm.Sircam
  I-Worm.Goner
  I-Worm.Klez.a,e,f,g,h
  Win32.Elkern.c
  I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p
  I-Worm.Tanatos.a,b
  Worm.Win32.Opasoft.a,b,c,d,e,f,g,h
  I-Worm.Avron.a,b,c,d,e
  I-Worm.LovGate.a,b,c,d,e,f,g,h,i,j,k,l
  I-Worm.Fizzer
  I-Worm.Magold.a,b,c,d,e
  Worm.Win32.Lovesan
Version 10.0.5.2
Copyright (C) Kaspersky Lab 2000-2003. All rights reserved.
****************************************************************************
Command line:
  /s[n] - to force scanning of hard drives. Program will scan hard drive for I-Worm.Klez.a(e,f,g,h) infection in any case.
          n - include scanning of mapped network drives.
  /y - end program without pressing any key.
  /i - show command line info.
  /nr - do not reboot system automatically in any case.
  /Rpt[ao][=<Report file path>] - create report file
          a - add report file
          o - report only (do not cure/delete infected files)
Return codes:
  0 - nothing to clean
  1 - virus was deleted and system restored
  2 - to finalize removal of virus you should reboot system
  3 - to finalize removal of virus you should reboot system and start program the second time
  4 - program error.
****************************************************************************
I-Worm.BleBla.b
---------------
If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry it:
  deletes registry keys
    HKEY_CLASSES_ROOT\rnjfile
    HKEY_CLASSES_ROOT\.lha
  repairs registry keys to their default value
    HKEY_CLASSES_ROOT\.jpg to jpegfile
    HKEY_CLASSES_ROOT\.jpeg to jpegfile
    HKEY_CLASSES_ROOT\.jpe to jpegfile
    HKEY_CLASSES_ROOT\.bmp to Paint.Picture
    HKEY_CLASSES_ROOT\.gif to giffile
    HKEY_CLASSES_ROOT\.avi to avifile
    HKEY_CLASSES_ROOT\.mpg to mpegfile
    HKEY_CLASSES_ROOT\.mpeg to mpegfile
    HKEY_CLASSES_ROOT\.mp2 to mpegfile
    HKEY_CLASSES_ROOT\.wmf to empty
    HKEY_CLASSES_ROOT\.wma to wmafile
    HKEY_CLASSES_ROOT\.wmv to wmvfile
    HKEY_CLASSES_ROOT\.mp3 to mp3file
    HKEY_CLASSES_ROOT\.vqf to empty
    HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1
    HKEY_CLASSES_ROOT\.xls to excel.sheet.8
    HKEY_CLASSES_ROOT\.zip to winzip
    HKEY_CLASSES_ROOT\.rar to winrar
    HKEY_CLASSES_ROOT\.arj to archivefile or winzip
    HKEY_CLASSES_ROOT\.reg to regfile
    HKEY_CLASSES_ROOT\.exe to exefile
  tries to delete file
    c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
If the program finds the HKEY_CURRENT_USER\Software\Navidad, HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key in the registry it:
  deletes registry keys
    HKEY_CURRENT_USER\Software\Navidad
    HKEY_CURRENT_USER\Software\xxxxmas
    HKEY_CURRENT_USER\Software\Emanuel
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run  Win32BaseServiceMOD
  repairs registry key to its default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete files
    winsvrc.vxd
    winfile.vxd
    wintask.exe

I-Worm.Sircam
-------------
If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the registry, "@win \recycled\sirc32.exe" in autoexec.bat, or \windows\run32.exe and \windows\rundll32.exe created with Delphi, it:
  deletes registry keys
    HKEY_LOCAL_MACHINE\Software\SirCam
    Software\Microsoft\Windows\CurrentVersion\RunServices  Driver32
  repairs registry key to its default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete files
    %Windows drive%:\RECYCLED\SirC32.exe
    %Windows directory%\ScMx32.exe
    %Windows system directory%\SCam32.exe
    %Windows startup directory%\"Microsoft Internet Office.exe"
    %Windows drive%:\windows\rundll32.exe
  tries to rename files
    %Windows drive%:\windows\Run32.exe to %Windows drive%:\windows\RunDll32.exe
  tries to repair files
    autoexec.bat
In case the program cannot delete or rename some files (they may be in use at that moment) it queues these files to be deleted or renamed during the boot process and offers the user a reboot of the system.

I-Worm.Goner
------------
If the gone.scr process exists in memory, the program will try to stop it.
If the file %Windows system directory%\gone.scr exists on the hard drive, the program will try to delete it.
If the program finds a %Windows system directory%\gone.scr value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run of the system registry, it will delete that value.

I-Worm.Klez.a,e-h, Win32.Elkern.c, I-Worm.Lentin.a-p, I-Worm.Tanatos.a-b,
Worm.Win32.Opasoft.a-h, I-Worm.Avron.a-e, I-Worm.LovGate.a-l, I-Worm.Fizzer,
I-Worm.Magold.a-e, Worm.Win32.Lovesan
----------------------------------------------------------------------------
If the program finds the following processes in memory:
  Krn132.exe
  WQK.exe
or any processes infected by these viruses, it will try to unhook the virus hooks and patch the needed processes to stop reinfection, then stop them, delete/cure their files on the hard drive, and delete links to their files from the system registry and other startup places.
If the program finds that the WQK.DLL library has been loaded by any process it will rename the library's file and remove it after the system reboot. In case the program finds such a library in the memory of your PC you should reboot your PC when the program finishes and start it a second time after the reboot to clean your system registry.
If the program finds any infected processes in memory it will start a scan of your hard drive (and all mapped network drives if you specify /netscan on the command line). It will check only for infection by these viruses. If you specify the /s key on the command line the program will scan your hard drive (and all mapped network drives if you specify /sn) in all cases.
If the Win32.Elkern.c virus creates a memory mapping, the program will disinfect this memory area.
The program can restore the following startup links used by viruses:
  autoexec.bat
    win %virus file path and name%
  win.ini
    section [Windows] run=<virus file>
  registry keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows  values AppInit_DLLs, Run
    HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association) restoring to link to notepad.exe program
    HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\comfile\shell\open\command (com association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association) restoring to "%1" %*
  installed NT services
  mIRC start scripts
    <Program Files folder>\Mirc\script.ini
    <Program Files folder>\Mirc32\script.ini
  Pirch start scripts
    <Program Files folder>\Pirch98\events.ini

Last edited by babayu on 08-16-2003 02:48 PM
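The propagation sequence laid out in post #3 (sweep for TCP 135, exploit the RPC service, connect to the command shell on TCP 4444, have the victim pull MSBLAST.EXE with tftp.exe) is also a network detection signature. What follows is an added example, not code from the thread or from any vendor tool: a small Python detector that reads connection-log lines and flags (a) hosts sweeping many neighbours on TCP 135 and (b) the ordered 135 -> 4444 -> TFTP chain between an attacker/victim pair. The log format, the sample lines, the thresholds, and the use of UDP 69 for TFTP (the standard TFTP port; the post names only tftp.exe) are assumptions of this example.

```python
"""Blaster-style propagation detector over connection logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: tune to the network; a worm sweep hits far more than this.
SCAN_THRESHOLD = 10                    # distinct TCP/135 targets inside SCAN_WINDOW
SCAN_WINDOW = timedelta(seconds=60)
CHAIN_WINDOW = timedelta(seconds=120)  # 135 -> 4444 -> TFTP must complete within this
TFTP_PORT = 69                         # standard TFTP port (assumption; post names only tftp.exe)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse the constructed format '<ISO time> <tcp|udp> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), proto.lower(), src_ip, dst_ip, int(dport))


def find_scanners(conns):
    """Sources that touch SCAN_THRESHOLD distinct hosts on TCP/135 within SCAN_WINDOW.

    Normal RPC endpoint-mapper traffic goes to a handful of servers; a worm sweeps a
    whole subnet, so a sliding window over distinct targets separates the two.
    """
    by_src = defaultdict(list)
    for c in conns:
        if c.proto == "tcp" and c.dport == 135:
            by_src[c.src].append(c)
    scanners = set()
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > SCAN_WINDOW:
                start += 1
            if len({c.dst for c in events[start:end + 1]}) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    return scanners


def find_infection_chains(conns):
    """Return (attacker, victim, ts) for each ordered 135 -> 4444 -> TFTP chain.

    Stage 1: attacker -> victim TCP/135  (exploit delivered over the RPC port).
    Stage 2: attacker -> victim TCP/4444 (the command shell the exploit opened).
    Stage 3: victim -> attacker UDP/69   (victim runs tftp.exe to pull msblast.exe).
    """
    stage = {}   # (attacker, victim) -> [stage reached, time of stage 1]
    chains = []
    for c in sorted(conns, key=lambda c: c.ts):
        if c.proto == "tcp" and c.dport == 135:
            stage.setdefault((c.src, c.dst), [1, c.ts])
        elif c.proto == "tcp" and c.dport == 4444:
            s = stage.get((c.src, c.dst))
            if s and s[0] == 1 and c.ts - s[1] <= CHAIN_WINDOW:
                s[0] = 2
        elif c.proto == "udp" and c.dport == TFTP_PORT:
            attacker, victim = c.dst, c.src        # the victim is the TFTP client
            s = stage.get((attacker, victim))
            if s and s[0] == 2 and c.ts - s[1] <= CHAIN_WINDOW:
                s[0] = 3
                chains.append((attacker, victim, c.ts))
    return chains


def analyse(lines):
    conns = [parse_line(line) for line in lines]
    return {
        "scanners": sorted(find_scanners(conns)),
        "infected": sorted({victim for _, victim, _ in find_infection_chains(conns)}),
    }


# Constructed sample: 10.0.0.5 sweeps 12 hosts on 135, opens the shell on
# 10.0.0.107:4444, and 10.0.0.107 then pulls the payload back over TFTP.
# The last two lines are benign lookalikes that must not be flagged.
SAMPLE_LOG = [
    f"2003-08-17T17:00:{i:02d} tcp 10.0.0.5:{3000 + i} -> 10.0.0.{100 + i}:135"
    for i in range(1, 13)
] + [
    "2003-08-17T17:00:20 tcp 10.0.0.5:3020 -> 10.0.0.107:4444",
    "2003-08-17T17:00:21 udp 10.0.0.107:1042 -> 10.0.0.5:69",
    "2003-08-17T17:05:00 tcp 10.0.0.20:1200 -> 10.0.0.21:135",   # one ordinary RPC lookup
    "2003-08-17T17:05:02 tcp 10.0.0.30:1201 -> 10.0.0.21:4444",  # 4444 with no preceding 135
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run it on the constructed sample and it reports 10.0.0.5 as the scanner and 10.0.0.107 as the host that completed the chain; the single RPC lookup and the stray 4444 connection stay quiet. On a real network the scan stage is even louder than modelled here, because the worm also addresses hosts that do not exist, so unanswered SYNs to 135 from one source are a useful extra signal; and the TFTP stage is the best place to block, since an internal workstation serving or fetching TFTP has no business doing so.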