Member | [Software] Blaster (疾風) virus automatic scan-and-removal tool: not only Blaster, it also covers other worm viruses

This program is for all versions: NT/2000/XP/2003
Program: ftp://ftp.kaspersky.com/utils/clrav.com

Usage notes and parameters:

****************************************************************************
Utility for cleaning infection by:
I-Worm.BleBla.b
I-Worm.Navidad
I-Worm.Sircam
I-Worm.Goner
I-Worm.Klez.a,e,f,g,h
Win32.Elkern.c
I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p
I-Worm.Tanatos.a,b
Worm.Win32.Opasoft.a,b,c,d,e,f,g,h
I-Worm.Avron.a,b,c,d,e
I-Worm.LovGate.a,b,c,d,e,f,g,h,i,j,k,l
I-Worm.Fizzer
I-Worm.Magold.a,b,c,d,e
Worm.Win32.Lovesan
Version 10.0.5.2
Copyright (C) Kaspersky Lab 2000-2003. All rights reserved.
****************************************************************************

Command line:
/s[n] - to force scanning of hard drives. Program will scan hard drive for
        I-Worm.Klez.a(e,f,g,h) infection in any case.
        n - include scanning of mapped network drives.
/y - end program without pressing any key.
/i - show command line info.
/nr - do not reboot system automatically in any cases.
/Rpt[ao][=<Report file path>] - create report file
        a - add report file
        o - report only (do not cure/delete infected files)

Return codes:
0 - nothing to clean
1 - virus was deleted and system restored
2 - to finalize removal of virus you should reboot system
3 - to finalize removal of virus you should reboot system and start program the second time
4 - program error.

****************************************************************************

I-Worm.BleBla.b
---------------
If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry, it:
  deletes registry keys
    HKEY_CLASSES_ROOT\rnjfile
    HKEY_CLASSES_ROOT\.lha
  repairs registry keys to their default values
    HKEY_CLASSES_ROOT\.jpg to jpegfile
    HKEY_CLASSES_ROOT\.jpeg to jpegfile
    HKEY_CLASSES_ROOT\.jpe to jpegfile
    HKEY_CLASSES_ROOT\.bmp to Paint.Picture
    HKEY_CLASSES_ROOT\.gif to giffile
    HKEY_CLASSES_ROOT\.avi to avifile
    HKEY_CLASSES_ROOT\.mpg to mpegfile
    HKEY_CLASSES_ROOT\.mpeg to mpegfile
    HKEY_CLASSES_ROOT\.mp2 to mpegfile
    HKEY_CLASSES_ROOT\.wmf to empty
    HKEY_CLASSES_ROOT\.wma to wmafile
    HKEY_CLASSES_ROOT\.wmv to wmvfile
    HKEY_CLASSES_ROOT\.mp3 to mp3file
    HKEY_CLASSES_ROOT\.vqf to empty
    HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1
    HKEY_CLASSES_ROOT\.xls to excel.sheet.8
    HKEY_CLASSES_ROOT\.zip to winzip
    HKEY_CLASSES_ROOT\.rar to winrar
    HKEY_CLASSES_ROOT\.arj to archivefile or winzip
    HKEY_CLASSES_ROOT\.reg to regfile
    HKEY_CLASSES_ROOT\.exe to exefile
  tries to delete the file
    c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
If the program finds the HKEY_CURRENT_USER\Software\Navidad, HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key in the registry, it:
  deletes registry keys
    HKEY_CURRENT_USER\Software\Navidad
    HKEY_CURRENT_USER\Software\xxxxmas
    HKEY_CURRENT_USER\Software\Emanuel
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run  Win32BaseServiceMOD
  repairs registry key to default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete files
    winsvrc.vxd
    winfile.vxd
    wintask.exe

I-Worm.Sircam
-------------
If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the registry, "@win \recycled\sirc32.exe" in autoexec.bat, or \windows\run32.exe and \windows\rundll32.exe that were created with Delphi, it:
  deletes registry keys
    HKEY_LOCAL_MACHINE\Software\SirCam
    Software\Microsoft\Windows\CurrentVersion\RunServices  Driver32
  repairs registry key to default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete files
    %Windows drive%:\RECYCLED\SirC32.exe
    %Windows directory%\ScMx32.exe
    %Windows system directory%\SCam32.exe
    %Windows startup directory%\"Microsoft Internet Office.exe"
    %Windows drive%:\windows\rundll32.exe
  tries to rename files
    %Windows drive%:\windows\Run32.exe to %Windows drive%:\windows\RunDll32.exe
  tries to repair files
    autoexec.bat
In case the program cannot delete or rename any of these files (they may be in use at that moment), it queues them for deletion or renaming during the boot process and offers the user a system reboot.

I-Worm.Goner
------------
If the gone.scr process exists in memory, the program will try to stop it.
If the file %Windows system directory%\gone.scr exists on the hard drive, the program will try to delete it.
If the program finds a %Windows system directory%\gone.scr key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the system registry, it will delete this key.

I-Worm.Klez.a,e-h, Win32.Elkern.c, I-Worm.Lentin.a-p, I-Worm.Tanatos.a-b,
-------------------------------------------------------------------------
Worm.Win32.Opasoft.a-h, I-Worm.Avron.a-e, I-Worm.LovGate.a-l, I-Worm.Fizzer,
----------------------------------------------------------------------------
I-Worm.Magold.a-e, Worm.Win32.Lovesan
-------------------------------------
If the program finds the following processes in memory:
  Krn132.exe
  WQK.exe
or any processes infected by these viruses, it will try to unhook the virus hooks and patch the needed processes to stop reinfection, then stop them, delete/cure their files on the hard drive, and delete links to their files from the system registry and other startup places.
If the program finds that the WQK.DLL library has been loaded by any process, it will rename this library's file and remove it after the system reboot. In case the program finds such a library in the memory of your PC, you should reboot your PC when the program finishes and start it a second time after the reboot to clean your system registry.
If the program finds any infected processes in memory, it will start a scan of your hard drive (and all mapped network drives if you specify /netscan on the command line). It will check only for infection by these viruses. If you specify the /s key on the command line, the program will scan your hard drive (and all mapped network drives if you specify /sn) in all cases.
If the Win32.Elkern.c virus creates a memory mapping, the program will disinfect this memory area.
The program can restore the following startup links used by viruses:
  autoexec.bat
    win %virus file path and name%
  win.ini
    section [Windows]
    run=<virus file>
  registry keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
      values AppInit_DLLs
             Run
    HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association) restoring to link to notepad.exe program
    HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\comfile\shell\open\command (com association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association) restoring to "%1" %*
    HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association) restoring to "%1" %*
  installed NT services
  mIRC start scripts
    <Program Files folder>\Mirc\script.ini
    <Program Files folder>\Mirc32\script.ini
  Pirch start scripts
    <Program Files folder>\Pirch98\events.ini

Usage:
1. Copy clrav.com to your windows\system32 directory.
2. Start ---> Run ---> type clrav.com /s ---> OK
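The readme above lists the shell\open\command file-association handlers that clrav.com puts back to their defaults, which is exactly what a defender wants to verify on a suspect machine. As an added example, not part of the post and not Kaspersky's tool, the Python below parses a .reg export (the format produced by regedit's export) and reports handlers that differ from those defaults. The SAMPLE_REG text, the PLACEHOLDER_WORM.exe path inside it and the function names are constructed for this demo; on a real system you would feed it an export of HKEY_CLASSES_ROOT instead.

```python
"""Check exported HKEY_CLASSES_ROOT shell\\open\\command handlers against the
defaults the clrav.com readme restores. Example code written for this page,
not Kaspersky's tool; the .reg text below is constructed, not a real export."""
import re

# Defaults as stated in the readme: executable-type handlers must be exactly
# "%1" %* and the txt handler must point at notepad.exe.
EXPECTED = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" %*',
}

# Constructed sample export (hypothetical machine). The exefile and txtfile
# handlers have been rewritten to launch a placeholder worm file first, the
# persistence trick that the readme's "restoring to" lines undo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\PLACEHOLDER_WORM.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\PLACEHOLDER_WORM.exe %1"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def _unescape(s):
    # In a .reg string a backslash escapes the next character
    # (double backslash is one backslash, backslash-quote is a quote).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key path: default (@) string value} for every key in the export."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            continue
        default = re.match(r'^@="(.*)"$', line)
        if default and current is not None:
            values[current] = _unescape(default.group(1))
    return values


def check_associations(reg_text):
    """Return [(progid, actual handler)] for handlers that deviate from the
    readme's defaults; keys absent from the export are not reported."""
    values = parse_reg(reg_text)
    findings = []
    for progid, expected in EXPECTED.items():
        key = "HKEY_CLASSES_ROOT\\" + progid + "\\shell\\open\\command"
        actual = values.get(key)
        if actual is not None and actual != expected:
            findings.append((progid, actual))
    txt = values.get("HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command")
    if txt is not None and "notepad.exe" not in txt.lower():
        findings.append(("txtfile", txt))
    return findings


if __name__ == "__main__":
    for progid, actual in check_associations(SAMPLE_REG):
        print(f"{progid}: handler is {actual!r}, expected the default")
```

A hijacked exefile handler is why the readme insists on a reboot and a second run: deleting the worm binary while the association still names it leaves every .exe launch broken, so the association has to be restored before (or together with) the file removal.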
人不機車罔少年~機 | Does this help against the 'horse' (trojan) and 'bug' (worm) crisis? These days the H-crowd no longer use this kind of registry-modifying 'horses' and 'bugs'. Of course the people who write antivirus software can still only use that same old set of techniques for protection. I have also heard that antivirus writers themselves write viruses and let them loose on the street; I don't know whether that's true. Better have a look at this post: "What antivirus writers hate most" http://forum.icst.org.tw/phpBB2/viewtopic.php?t=943
Member | Brother Taiwan, thanks for the advice. I think anyone who takes information security seriously will not care only about antivirus and neglect the firewall. The following should be treated as baseline rules; open additional ports separately where needed.

RULE 1:
Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single Host address: 127.0.0.1
Port type: Any
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 2:
Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 3:
Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY
= = = = = = = = = = = = = = = =
RULE 4:
Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single Host address: (Your ISP DNS) IP number
Port type: Single Port number: 53
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 5:
Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single Port number: 53
Action DENY
= = = = = = = = = = = = = = = =
RULE 6:
Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 7:
Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 8:
Description: In Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 9:
Description: Out Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 10:
Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Prob, Time Stamp, Time StampReply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
Remote Endpoint: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 11:
Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 12:
Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 13:
Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 14:
Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 15:
Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 16:
Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 17:
Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 18:
Description: Internet Explorer-Web browsing
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: Any
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 19:
Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 20:
Description: ICQ Web Access Block
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 80
Action DENY
= = = = = = = = = = = = = = = =
RULE 21:
Description: ICQ Application
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 5190
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 22:
Description: Block Outbound Unauthorized Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
RULE 23:
Description: Block Inbound Unknown Apps TCP UDP (Notify)
Protocol: TCP and UDP
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

If you are on a LAN you might need to allow NetBIOS to and from computers on your LAN. You should insert two rules before rules 2 and 3:

RULE 2a:
Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT
= = = = = = = = = = = = = = = =
RULE 3b:
Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT
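A personal-firewall ruleset like the one in the post above is evaluated top to bottom, and the first rule that matches decides; that is why the post says the trusted-LAN rules have to be inserted before rules 2 and 3. As an added example, not part of the post and not any firewall product's code, the Python below models that first-match evaluation over a subset of the post's rules (rules 1 to 7, 10, 15, 18, 22 and 23, plus rule 2a in a LAN variant) and runs constructed connection events through both orderings. The ISP DNS address, the trusted LAN addresses, the event values and all function names are assumptions made for the demo; unmatched traffic is treated as denied.

```python
"""First-match evaluation of the personal-firewall ruleset posted above.
Example code for this page, not the post's own or any product's; rules are
taken from the post, addresses and events are constructed for the demo."""
ANY = None  # wildcard for ports, remote address, application and ICMP type


def rule(desc, proto, direction, action, lport=ANY, rport=ANY,
         remote=ANY, app=ANY, icmp=ANY):
    """One rule. lport/rport: None, an int, or a (first, last) range.
    remote: None (any), a single IP string, or a set of trusted IPs."""
    return dict(desc=desc, proto=set(proto), direction=direction, action=action,
                lport=lport, rport=rport, remote=remote, app=app, icmp=icmp)


def _port_ok(spec, port):
    if spec is ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def _remote_ok(spec, ip):
    if spec is ANY:
        return True
    if isinstance(spec, set):
        return ip in spec
    return ip == spec


def matches(r, ev):
    """True when event ev satisfies every constraint of rule r."""
    if ev["proto"] not in r["proto"]:
        return False
    if r["direction"] != "both" and r["direction"] != ev["direction"]:
        return False
    if r["app"] is not ANY and r["app"] != ev.get("app"):
        return False
    if not _remote_ok(r["remote"], ev["remote_ip"]):
        return False
    if ev["proto"] == "icmp":
        return r["icmp"] is ANY or ev["icmp"] in r["icmp"]
    return _port_ok(r["lport"], ev["lport"]) and _port_ok(r["rport"], ev["rport"])


def evaluate(rules, ev):
    """Return (description, action) of the first matching rule; traffic that
    matches nothing is reported as denied (deny by default)."""
    for r in rules:
        if matches(r, ev):
            return r["desc"], r["action"]
    return "no match", "DENY"


ISP_DNS = "203.0.113.53"                     # constructed placeholder for "(Your ISP DNS)"
TRUSTED = {"192.168.1.10", "192.168.1.20"}   # constructed "Trusted Address Group"

RULES = [  # subset of the post's rules, kept in the post's order
    rule("Loopback", ("tcp", "udp"), "both", "PERMIT", remote="127.0.0.1"),
    rule("Block Inbound NetBIOS", ("tcp", "udp"), "in", "DENY", lport=(137, 139)),
    rule("Block Outbound NetBIOS", ("tcp", "udp"), "out", "DENY", rport=(137, 139)),
    rule("ISP Domain Name Server", ("udp",), "both", "PERMIT", remote=ISP_DNS, rport=53),
    rule("Other DNS", ("tcp", "udp"), "both", "DENY", rport=53),
    rule("Out Ping", ("icmp",), "out", "PERMIT", icmp={"echo"}),
    rule("In Ping Replies", ("icmp",), "in", "PERMIT",
         icmp={"echo-reply", "dest-unreach", "time-exceeded"}),
    rule("Block ICMP", ("icmp",), "both", "DENY"),
    rule("RPCSS", ("udp",), "in", "DENY", lport=135),
    rule("Internet Explorer", ("tcp",), "out", "PERMIT", app="iexplore.exe"),
    rule("Block Outbound Unauthorized Apps", ("tcp", "udp"), "out", "DENY"),
    rule("Block Inbound Unknown Apps", ("tcp", "udp"), "in", "DENY"),
]

# The post's LAN variant: rule 2a inserted above "Block Inbound NetBIOS".
LAN_RULES = RULES[:1] + [
    rule("Trusted Inbound NetBIOS", ("tcp", "udp"), "in", "PERMIT",
         lport=(137, 139), remote=TRUSTED)] + RULES[1:]


def event(proto, direction, remote_ip, lport=0, rport=0, app=None, icmp=None):
    """A constructed connection attempt as the firewall would see it."""
    return dict(proto=proto, direction=direction, remote_ip=remote_ip,
                lport=lport, rport=rport, app=app, icmp=icmp)


if __name__ == "__main__":
    samples = [
        ("NetBIOS from LAN host", event("tcp", "in", "192.168.1.20", 139, 1025)),
        ("NetBIOS from Internet", event("tcp", "in", "198.51.100.7", 139, 1025)),
        ("ping reply in", event("icmp", "in", "198.51.100.7", icmp="echo-reply")),
        ("ping request in", event("icmp", "in", "198.51.100.7", icmp="echo")),
        ("IE to web", event("tcp", "out", "198.51.100.7", 1026, 80, "iexplore.exe")),
        ("unknown app out", event("tcp", "out", "198.51.100.7", 1029, 445, "unknown.exe")),
    ]
    for name, ev in samples:
        print(f"{name:22s} base: {evaluate(RULES, ev)}  LAN: {evaluate(LAN_RULES, ev)}")
```

The ordering effects are visible in the output: the Echo Reply permit of rule 7 only works because it sits above the blanket ICMP deny of rule 10, the NetBIOS session from a trusted LAN address is permitted only in the LAN variant where rule 2a precedes rule 2, and anything that reaches the bottom is caught by the catch-all denies of rules 22 and 23.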