So a colleague's Task Manager got greyed out out of nowhere last week
Run disappeared, Regedit wouldn't open
Command Prompt showed "The command prompt has been disabled by your administrator"
"Press any key to close"
After a long round of questioning, my best guess was he picked it up through a USB thumb drive
Asked him for the hard drive so I could scan it
The scan found a Trojan
Deleted it and thought that was that
Then scanned his USB thumb drive
Checked it in a VM with that useless Symantec, found nothing
Poked around inside to have a look
Manually deleted the autorun.inf as well
Thought it was all clear
Asked him for the machine too, to restore it and test
I thought to myself... it won't be that smooth
Hm... well, not entirely
After logging in as Local Administrator
Task Manager and Run both worked
But Command Prompt and Regedit still didn't
I still thought the trojan hadn't been fully killed
Went into Safe Mode to check again
Who knew, couldn't even get into Safe Mode
It died at Mup.sys and immediately auto-rebooted....
Googled a bunch of tools on my own machine, planning to copy them over to fix it
Who knew, by some devilish twist I used his USB thumb drive to copy them
Plugged it in, opened My Computer, one look at the drive icon and I knew it was trouble
The perfectly normal Removable Drive icon had turned into a damn Folder icon.........
Shit.... I got infected too
Googled a ton, nothing hit
Either it says Group Policy got locked down.... which, fair enough, it did look like that
Or go into Safe Mode and fix it.... damn, Safe Mode's dead too
Finally tried Trend Micro's online HouseCall scan as well
While it scanned I clicked on some link or other
And ended up on a site called Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam.php
Downloaded it and gave it a try anyway
It actually found stuff and cleaned it too!!!

But Task Manager, Run and Command Prompt still didn't work
Then found Smart Virus Remover
http://www.technize.com/2008/01/22/smart-anti-virus/
It restored everything
Looked like it was all fixed

Couldn't keep my hands off it, tried a Spybot check on it
One check.... heh
Thirty-odd anti-virus programs' sites all pointed at 127.0.0.1
Seriously, how petty can you get
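The hosts-file trick above (security-vendor sites redirected to 127.0.0.1) is easy to audit by hand if you know what to look for. The following PowerShell is an added example, not code from the original post or from any of the tools it names: it parses hosts-file lines, flags any loopback entry whose hostname belongs to a security vendor, and can comment those lines out after taking a backup. The vendor domain list and the sample hosts content are constructed for illustration and are assumptions, not data from the post.

```powershell
# Added example (not from the original post): find and neutralise hosts-file
# entries that send security-vendor domains to localhost.

# Assumed list of vendor domains worth checking; extend as needed.
$VendorDomains = @(
    'symantec.com', 'trendmicro.com', 'malwarebytes.org',
    'safer-networking.org', 'kaspersky.com', 'mcafee.com'
)

function Get-HostsHijack {
    # Returns one object per (line, hostname) pair where a vendor host is
    # mapped to a loopback / blackhole address.
    param([string[]]$Lines)
    $LoopbackAddrs = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }   # blank or comment
        $fields = $trimmed -split '\s+'
        if ($fields.Length -lt 2) { continue }                            # malformed line
        $ip    = $fields[0]
        $names = $fields[1..($fields.Length - 1)]
        if (-not ($LoopbackAddrs -contains $ip)) { continue }             # only loopback mappings matter
        foreach ($name in $names) {
            if ($name -eq 'localhost' -or $name -eq 'localhost.localdomain') { continue }
            $vendor = $VendorDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") } |
                      Select-Object -First 1
            if ($vendor) {
                [pscustomobject]@{ Line = $line; HostName = $name; Vendor = $vendor }
            }
        }
    }
}

function Repair-HostsFile {
    # Comments out hijacked lines in place, after backing the file up.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lines = Get-Content -Path $Path
    $bad = @(Get-HostsHijack -Lines $lines | Select-Object -ExpandProperty Line -Unique)
    if ($bad.Count -eq 0) { Write-Host "no hijacked entries in $Path"; return }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $clean = $lines | ForEach-Object {
        if ($bad -contains $_) { "# disabled by cleanup: $_" } else { $_ }
    }
    Set-Content -Path $Path -Value $clean -Encoding Ascii
    Write-Host "disabled $($bad.Count) line(s); backup at $Path.bak"
}

# Constructed sample hosts content (not taken from the post) to show the output.
$Sample = @"
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       housecall.trendmicro.com
127.0.0.1       www.malwarebytes.org
10.0.0.5        intranet.example
"@ -split "`r?`n"

Get-HostsHijack -Lines $Sample | Format-Table -AutoSize

# Against the live file (run from an elevated prompt):
# Get-HostsHijack -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
# Repair-HostsFile
```

The check is limited to loopback and blackhole addresses on purpose: a hosts entry that points a vendor domain at an attacker-controlled address is a different (and worse) signal, so if you widen the filter, treat any non-loopback mapping of a vendor domain as a separate finding rather than silently commenting it out.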
Fixed them all, rebooted and logged in again
Went back to using the corp account to work
Was about to open Run.... gone again
Turns out the damn thing follows the User Profile around, infecting every one of them
Have to clean them one after another
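The lesson in the lines above is that the lockdown lives under HKEY_CURRENT_USER, so every profile on the box carries its own copy and cleaning the profile you are logged into does nothing for the others. The log at the end of the post names the four policy values involved. The PowerShell below is an added example, not code from the original post or from Malwarebytes: it walks the machine's ProfileList, loads each profile's NTUSER.DAT that is not already mounted, reports any of those four values that are set, and optionally removes them. The temporary hive name CleanupTmp is an arbitrary assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit every user profile for
# the HKCU policy values listed in the post's Malwarebytes log, and optionally
# clear them. Must run elevated; reg.exe load/unload needs admin rights.

# The four values from the log (Bad: 1 means the restriction is switched on).
$PolicyValues = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD' }
)

function Test-ProfilePolicies {
    # Checks one mounted hive root (e.g. HKEY_USERS\S-1-5-21-...) and emits a
    # finding per non-zero value; -Fix removes the value as well.
    param([string]$HiveRoot, [string]$Label, [switch]$Fix)
    foreach ($pv in $PolicyValues) {
        $key = "Registry::$HiveRoot\$($pv.Path)"
        if (-not (Test-Path $key)) { continue }
        $val = (Get-ItemProperty -Path $key -Name $pv.Name -ErrorAction SilentlyContinue).($pv.Name)
        if ($null -ne $val -and $val -ne 0) {
            [pscustomobject]@{ Profile = $Label; Value = "$($pv.Path)\$($pv.Name)"; Data = $val }
            if ($Fix) { Remove-ItemProperty -Path $key -Name $pv.Name }
        }
    }
}

function Invoke-ProfilePolicyAudit {
    # Enumerates profiles from ProfileList, mounting offline hives as needed.
    param([switch]$Fix)
    $profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($p in Get-ChildItem -Path $profileList) {
        $sid = $p.PSChildName
        $dir = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath
        if (-not $dir) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($dir)
        if (Test-Path "Registry::HKEY_USERS\$sid") {
            # Hive already loaded (user is logged on): check it in place.
            Test-ProfilePolicies -HiveRoot "HKEY_USERS\$sid" -Label $dir -Fix:$Fix
        }
        elseif (Test-Path "$dir\NTUSER.DAT") {
            # Offline profile: mount NTUSER.DAT under an assumed temporary name.
            & reg.exe load 'HKU\CleanupTmp' "$dir\NTUSER.DAT" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "could not load hive for $dir"; continue }
            try {
                Test-ProfilePolicies -HiveRoot 'HKEY_USERS\CleanupTmp' -Label $dir -Fix:$Fix
            }
            finally {
                # Drop provider handles before unloading, or reg.exe reports the hive busy.
                [gc]::Collect()
                & reg.exe unload 'HKU\CleanupTmp' | Out-Null
            }
        }
    }
}

# Report only:
Invoke-ProfilePolicyAudit | Format-Table -AutoSize
# Report and remove the values:
# Invoke-ProfilePolicyAudit -Fix | Format-Table -AutoSize
```

Two caveats a practitioner would want: the HKLM Run value the log lists (Symantec System DB, pointing at symlssdb.exe) is machine-wide and should be checked and removed once alongside the file, and the profile that re-applied the lockdown when the post's author switched to the corp account is exactly the offline-hive case this script handles, so run it before anyone logs back in with another account.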
Son of a X, absolute X bastard
Had to do it all over again......................................
In the end: two machines, four User Profiles, two USB Thumb Drives
Kept me busy from 10 in the morning till 6:30 at night
Had to work on an antique T30 in the meantime
Sigh
Honestly worse than death...
Postscript
Been too busy lately
Still haven't fixed the Safe Mode Mup.sys problem
Praying to every god nothing goes wrong
Can't be bothered to rescue it with the Windows Setup CD
If it holds out until I get a new machine, I won't give it a second thought
Attached... a Malwarebytes' Anti-Malware log
Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3, v.3264
22/10/2008 17:14:03
mbam-log-2008-10-22 (17-14-02).txt
Scan type: Quick Scan
Objects scanned: 119489
Time elapsed: 10 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec System DB (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\symlssdb.exe (Backdoor.Bot) -> Delete on reboot.