Please help, I'm infected with the backdoor.trojan virus. How do I kill it?!

KenXP2000 2005-04-14 10:02:03
Please help, I'm infected with the backdoor.trojan virus. How do I kill it?!

14 replies
KenXP2000 2005-04-20
Thanks everyone. Is there really no tool that can kill it? Do I have to delete the files and clean the registry by hand?

thanks again!
kernet 2005-04-17
1. Kill the process.
2. Delete the virus body.
3. Clean the registry startup entries and any other startup items.
4. Repair the system.
All of the above is best done in Safe Mode.
luckjackie 2005-04-15
Also, remember to boot into Safe Mode:
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as Backdoor.Trojan.
Reverse the changes made to the Windows registry.
Windows 95/98/Me only: Remove any references to the infected files that have been added to the Win.ini and System.ini files.
luckjackie 2005-04-15
If Norton found it, that makes it easy: go straight to Norton's virus log and "delete" the virus from there!
miao378 2005-04-15
Backdoor.Trojan is a Trojan horse virus. Rising (瑞星) cannot detect it; Norton AntiVirus can find it and keeps reporting that W32_ss.exe carries Backdoor.Trojan, but it can neither clean it nor delete the file. I found W32_ss.exe under windows\system32 (I'm on XP; the location differs on other systems: windows\system on 98, winnt\system32 on 2000), but I could not delete the file. I rebooted into DOS and found that W32_ss.exe was gone; back in Windows, it appeared again. My analysis: the virus is not just W32_ss.exe, there must be other files, and W32_ss.exe is generated by them at system startup. Looking through windows\system32, I found several suspicious files with no modification date shown, just a blank. These files are: boot32.sys debugg.dll c3.dll c3.sys c4.sys sdmapi.sys. I went back into DOS, found them in windows\system32, backed them up, then deleted them! Done, problem solved. Back in Windows, open the registry and remove the related entries.
KenXP2000 2005-04-15
Norton found it!
大雄 2005-04-15
Typo, it's regedit.exe
大雄 2005-04-15
How did you find out you had this trojan? Did your antivirus detect it, or something else?
Generally, look in Task Manager and end the suspicious processes there, note their names, find them in the system directory and move them away, then run regedti to open the registry, find the Run key and delete the suspicious entries, and that's it.
yslzhf 2005-04-15
Have a look at www.duba.com, it will be there.
KenXP2000 2005-04-15
One more question: isn't what you described for the Win9x platform?
Mine is XP; can it get this virus too?

Thanks!
KenXP2000 2005-04-15
Thanks, but how do I kill it?
Would 木马克星 work?
Or should I edit the registry myself and delete the .exe?
luckjackie 2005-04-14
Backdoor.Trojan
Discovered on: January 22, 1998
Last Updated on: January 31, 2004 11:57:58 AM

Backdoor.Trojan is a generic detection for a group of Backdoor Trojan Horses. All the Trojans detected as Backdoor.Trojan have one thing in common: they allow unauthorized access to an infected computer.

Type: Trojan Horse
Infection Length: varies

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

Virus Definitions (Intelligent Updater) *: January 26, 1998
Virus Definitions (LiveUpdate™) **: January 26, 1998

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Moderate

Threat Metrics
Wild: Medium
Damage: Medium
Distribution: Low

Damage
Payload:
Modifies files: Backdoor.Trojan may modify the system files to ensure that it is run.
Releases confidential info: A hacker can access confidential information on a compromised computer.
Compromises security settings: Allows unauthorized access to an infected computer.

When Backdoor.Trojan is executed, it may create a copy of itself in the \Windows or the \Windows\System folder. In most cases, this Trojan uses one or more of the common loading points to make sure that it runs when you start Windows. For information about common loading points, read one of these documents:

Common loading points of threats in Windows NT/2000/XP
Common loading points of threats in Windows 95/98/Me

Backdoor.Trojan opens a backdoor, which allows a hacker access to a compromised system without authorization.

Some of these Trojans display a fake error message when they are executed for the first time. This fake error message is intended to make you think that the program is defective, while it runs in the background and compromises the system.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as Backdoor.Trojan.
Reverse the changes made to the Windows registry.
Windows 95/98/Me only: Remove any references to the infected files that have been added to the Win.ini and System.ini files.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with Backdoor.Trojan, write down the path and file names, and then click Delete.
luckjackie 2005-04-14
Backdoor.Trojan is a generic detection for a group of Backdoor Trojan Horses. All the Trojans detected as Backdoor.Trojan have one thing in common: they allow unauthorized access to an infected computer.
1. Leaks confidential data: the user's keystrokes are recorded and sent to the hacker;
2. Compromises computer security: allows unauthorized users to access the backdoored computer.

Technical features:

This is a typical backdoor program that gives a remote hacker unrestricted access to the victim's computer.

When run, it:

1. Copies itself to the %Windows% folder. The file name differs between versions, and the hacker can choose any file name when creating the backdoor; the default file name is Scandisk.exe;
2. Adds the value MS Scandisk <generated file, e.g. Scandisk.exe> to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;
3. Adds the value Start ok to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\DirectX;
4. Then opens an HTTP connection to a web server specified by the hacker and posts the victim's data to a script on that site. The posted data may include:
(1) the victim computer's IP address;
(2) the logged-in user's user name;
(3) the operating system version;
(4) the computer name;
(5) cached passwords.
5. Once running, the trojan lets the hacker remotely control the victim's computer, including:
(1) repeatedly opening TCP ports;
(2) displaying fake error messages to hide its true identity;
(3) full control of the file system;
(4) downloading and uploading anything from the host;
(5) running any file the hacker specifies;
(6) popping up dialog boxes;
(7) viewing the screen;
(8) logging the user's keystrokes;
(9) annoying actions, such as manipulating the keyboard or mouse, opening and closing the CD-ROM tray, turning the monitor on or off, and so on.
For details see http://securityresponse.symantec.com/avcenter/venc/data/backdoor.trojan.html
luckjackie 2005-04-14
Virus name: SubSeven 2.0 Server
Aliases: Backdoor.Trojan, Pinkworm
Trigger date: none
Length: 336,867 bytes
Infection symptoms: none
Trigger symptoms: none
Virus type: hacker program
Platform: Windows 9x
Infection target: none
Virus nature: none
Description:
This trojan was first found in Japan, where an e-mail with an attachment named "server.exe" was spreading. The attachment claimed to be an anti-virus program that could remove the Pinkworm virus, but it was in fact a trojan named SubSeven 2.0 Server. The e-mail came from a Japanese Hotmail account and claimed to be from Microsoft's server in Japan. It asked recipients to run the attached "server.exe" to protect their computer from the Pinkworm virus, but there was in fact no Pinkworm virus at all.
The program is version 2.0 of the SubSeven trojan; see also the Backdoor.G entry. It acts as the server program and allows a remote controller to manipulate your computer and retrieve data from it, providing functions such as finding, fetching and sending files, stealing passwords, changing colours and settings, the sound device volume, the date and time, and so on.
When the trojan first runs, it installs itself into the Windows directory under an arbitrary file name; the default is KERNE1.EXE and the name can be changed. During installation it displays some deceptive messages, which can also be changed. The default message is:
Error Out of system resources.
Once the trojan is installed, the client (controlling end) connects to the server (controlled end) through a predefined port; this port can also be changed. The remote controller can learn any information on the controlled machine, and the controlled end can send information via ICQ, IRC or e-mail.
The trojan's default length is 336,867 bytes, but it can be constrained by other programs.
The trojan starts together with Windows. It automatically modifies the registry, WIN.INI and SYSTEM.INI to ensure that it runs. Once the trojan has created a file named run.exe in the Windows directory, it modifies the registry so that run.exe is run to start the controlled end.
Removal: search the registry for run.exe and delete it if found, for example:
Before: @="run.exe \"%1\" %*"
After: @="\"%1\" %*"
The run.exe file itself must also be deleted.
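The removal advice in this thread (kernet's four steps, 大雄's Run-key check, the MS Scandisk value in the Backdoor.Trojan writeup, and the run.exe exefile hijack in the SubSeven writeup) all comes down to reading a handful of autostart locations. The script below is an added example, not code from the thread or from any poster: it audits a `regedit /e` export containing the Run key and the exefile shell\open\command handler, plus the [windows] section of win.ini, and flags Run or win.ini entries that launch a file name this thread mentions, and an exefile handler that launches anything other than the clicked program ("%1") itself. The .reg and win.ini samples are constructed, and WATCHLIST holds only the names that appear in this thread, not a complete list.

```python
r"""Audit exported Windows autostart artifacts for the persistence points
discussed in this thread: the HKLM ...\CurrentVersion\Run key, the exefile
shell\open\command handler (the run.exe hijack in the SubSeven writeup) and
the load=/run= lines of win.ini.

Added example, not code from the thread. The .reg and win.ini text below is
constructed, not captured from a real machine, and WATCHLIST holds only the
file names mentioned in the thread (not a complete list of trojan names).
"""
import re

WATCHLIST = {"run.exe", "scandisk.exe", "w32_ss.exe", "kerne1.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed sample in the text format `regedit /e` writes (string values only).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MS Scandisk"="C:\\WINDOWS\\Scandisk.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="run.exe \"%1\" %*"
'''

# Constructed sample win.ini; both load= and run= are normally empty.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\KERNE1.EXE
NullPort=None
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="data" or @="data" lines. Returns {key: {value_name: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslash and double quote with a backslash.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def executable_name(command):
    """Lowercase base name of the program a command line launches."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_registry(keys):
    """Flag Run values that launch a watch-listed name, and an exefile handler
    that runs something other than the clicked program ("%1") itself."""
    findings = []
    for name, command in keys.get(RUN_KEY, {}).items():
        if executable_name(command) in WATCHLIST:
            findings.append(("Run", name, command))
    handler = keys.get(EXEFILE_KEY, {}).get("@", "")
    if handler and executable_name(handler) != "%1":
        findings.append(("exefile", "@", handler))
    return findings


def parse_win_ini(text):
    """Return the load= and run= values from the [windows] section."""
    section = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run"):
                entries[key.strip().lower()] = value.strip()
    return entries


def audit_win_ini(entries):
    """Anything listed on load= or run= starts with Windows; report it."""
    return [("win.ini", key, value) for key, value in entries.items() if value]


def audit(reg_text, ini_text):
    """Run both checks; each finding is a (location, name, value) tuple."""
    return audit_registry(parse_reg_export(reg_text)) + audit_win_ini(parse_win_ini(ini_text))


if __name__ == "__main__":
    for location, name, value in audit(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{location:8} {name!r:16} -> {value}")
```

Export the keys with regedit on the suspect machine (from Safe Mode, as kernet and luckjackie recommend), copy the export and win.ini off the box, and run the script against them. An entry reported here is a candidate to investigate and back up before removing, not proof of infection on its own, since legitimate software also uses the Run key; the exefile check is the exception, because a handler that does not start with "%1" means every .exe launch is being routed through another program.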
