BBYR Achieve
This is a mirrored post. Source: 北邮人论坛 / security / #5218, synced on 2006/11/28.

Uh... about this virus (it probably counts as one), come take a look... it is not MMC...

YUDA
2006/11/28 mirror synced · 14 replies
As in the title. A classmate found this incidentally today while running antivirus. It can be seen in the process list; the process name is 160SA. A search on 360 turns up a result, but the instructions require stopping three services and then deleting it in Safe Mode, and Safe Mode cannot be entered (it bluescreens right away). Normal mode has no problem. Also, in normal mode an iexplorer process starts automatically. In the DLL module list there is one from some "萌"-something company; 优化大师 flags it as rogue software, as a forced install and system hijack. It can be uninstalled, but it reappears after a reboot. Forcibly deleting the files and similar operations have no effect. My classmate has shut the machine down for now; I will post the HijackThis list later.
9 replies
moldao #1 · 2006/11/28
Here is the list. No sign of USB-drive infection. Once the iexplorer process is stopped it does not start again on its own.

StartupList report, 2006-11-28, 下午 10:44:12
StartupList version: 1.52.2
Started from : J:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Super Rabbit\MagicSet\srshut.EXE
D:\Program Files\ASUS\Probe\AsusProb.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\笨笨钟\BBClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\16OSA.EXE
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
J:\HijackThis.exe
D:\Program Files\Maxthon\Maxthon.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan = SOUNDMAN.EXE
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IMSCMig = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = D:\PROGRA~1\SYMANT~1\VPTray.exe
Super Rabbit Shutdown = D:\Program Files\Super Rabbit\MagicSet\srshut.EXE /LOAD
ASUS Probe = D:\Program Files\ASUS\Probe\AsusProb.exe
Bbclock = D:\Program Files\笨笨钟\BBClock.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\coopen.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
QQIEHelper - d:\Program Files\Tencent\QQIEHelper.dll - {54EBD53A-9BC1-480B-966A-843A333CA162}
(no name) - C:\WINDOWS\system32\testBHO.dll - {8321A012-6B5F-4928-BC1C-4F1900403D00}
(no name) - (no file) - {B919AD4A-652B-4fdc-BF30-CB3C660E5477}
(no name) - (no file) - {DE7C3CF0-4B15-11D1-ABED-709549C10000}

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
NetWork: C:\WINDOWS\system32\cmspl.dll

--------------------------------------------------
End of report, 4,830 bytes
Report generated in 0.063 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
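A small triage script for a StartupList report like the one above, added here as an example and not part of the thread. It splits the report into its dash-delimited sections and flags the entries a responder would look at first: executables sitting directly in "Common Files" rather than a vendor subfolder (a heuristic, an assumption of this script), BHOs that register with no name or whose DLL is missing, and ShellServiceObjectDelayLoad entries outside a short allow-list of the Windows XP defaults (the allow-list is an assumption; extend it for other builds). The embedded report is a constructed excerpt in the same layout as the thread's report, not the full original.

```python
"""Triage helper for a HijackThis StartupList report (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed excerpt: same layout as a StartupList 1.52 report, trimmed down.
SAMPLE_REPORT = r"""
StartupList report, 2006-11-28, 10:44:12
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\16OSA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
QQIEHelper - d:\Program Files\Tencent\QQIEHelper.dll - {54EBD53A-9BC1-480B-966A-843A333CA162}
(no name) - C:\WINDOWS\system32\testBHO.dll - {8321A012-6B5F-4928-BC1C-4F1900403D00}
(no name) - (no file) - {B919AD4A-652B-4fdc-BF30-CB3C660E5477}

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
NetWork: C:\WINDOWS\system32\cmspl.dll

--------------------------------------------------
"""

# Assumption: the SSODL names present on a clean Windows XP SP2 install.
KNOWN_SSODL = {"webcheck", "systray", "postbootreminder", "cdburn", "upnpmonitor"}

BHO_RE = re.compile(r"^(?P<name>.*?) - (?P<path>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")
SSODL_RE = re.compile(r"^(?P<key>[^:]+): (?P<path>.+)$")
SEPARATOR_RE = re.compile(r"^-{10,}$")


@dataclass
class Finding:
    section: str
    item: str
    reason: str


def split_sections(text):
    """Map each section header (line ending in ':') to the non-blank lines under it."""
    sections, header, lines = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR_RE.match(line):          # dashed rule closes the current section
            if header:
                sections[header] = lines
            header, lines = None, []
            continue
        if not line:
            continue
        if header is None and line.endswith(":"):
            header = line[:-1]                 # first "...:" line after a rule is the header
            continue
        if header is not None:
            lines.append(line)
    if header:
        sections[header] = lines
    return sections


def triage(text):
    """Return the entries of a StartupList report that deserve a closer look."""
    findings = []
    sections = split_sections(text)
    for proc in sections.get("Running processes", []):
        # Heuristic (assumption): vendors install under their own subfolder, so an
        # EXE placed directly in "Common Files" is unusual.
        if PureWindowsPath(proc).parent.name.lower() == "common files":
            findings.append(Finding("Running processes", proc,
                                    "executable directly under Common Files"))
    for entry in sections.get("Enumerating Browser Helper Objects", []):
        m = BHO_RE.match(entry)
        if not m:
            continue
        if m["path"] == "(no file)":
            findings.append(Finding("BHO", entry, "orphaned registration: DLL missing"))
        elif m["name"] == "(no name)":
            findings.append(Finding("BHO", entry, "unnamed BHO loaded into Internet Explorer"))
    for entry in sections.get("Enumerating ShellServiceObjectDelayLoad items", []):
        m = SSODL_RE.match(entry)
        if m and m["key"].lower() not in KNOWN_SSODL:
            findings.append(Finding("SSODL", entry,
                                    "not a default shell service object; loads into Explorer at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.item}\n    -> {f.reason}")
```

Run against the excerpt it reports five items: 16OSA.EXE, the two unnamed BHOs (pctools.dll and testBHO.dll), the orphaned BHO with no file, and the NetWork SSODL entry pointing at cmspl.dll. A flagged entry is only a starting point; confirm each one by checking the file's publisher, signature and where it was loaded before removing anything.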
moldao #2 · 2006/11/28
A suspicious process shows up in the startup items and cannot be deleted. The rogue-software cleanup found: OSA9, an ADSL folder it created under the Windows directory, and a PCtools from 新萌科技 that cannot be deleted. The main problem is that Safe Mode cannot be entered... it bluescreens right away... what should I do...
YUDA #3 · 2006/11/28
So far it has not caused any major harm. Hmm.
zwz #4 · 2006/11/28
This virus is so 萌 (cute)....... =.=
rebirthatsix #5 · 2006/11/28
Wait until I get to school tomorrow morning.
CO0LFANTASY #6 · 2006/11/29
ding
【 In the post by rebirthatsix (茫犭者), it was mentioned: 】
: Wait until I get to school tomorrow morning.
rebirthatsix #7 · 2006/11/29
Does the bluescreen report a memory error? Does it name a specific file?
rebirthatsix #8 · 2006/11/29
I suggest you download IS1.20 from the ftp, then look at the BHOs and loaded modules. The DLL you say cannot be deleted has most likely already been injected into a process.
(no name) - C:\WINDOWS\system32\testBHO.dll - {8321A012-6B5F-4928-BC1C-4F1900403D00}
(no name) - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
Both of these are problematic. Check which processes these two dlls are injected into; I expect IEXPLORE already has them.
rebirthatsix #9 · 2006/11/29
I suggest you use Unlocker to unlock these two dlls, which in effect pulls them out of the processes, then stop the related processes and delete them.