svchost.exe应用程序错误。谁来帮帮我
我的电脑一开机就出现。svchost.exe应用程序错误。。。。应用程序异常。未知的软件异常(0XC0000409)。位置为0X75113B3D。 。按确定后玩游戏没有声音。歌也播发不了了?音频设备也没有了 svchost.exe 是个重要系统进程,很多服务都通过它进行加载,当然很多病毒也喜欢用它,所以推断你的某个关键服务被禁止或者中毒了。 查过没毒! 明显系统文件有问题,至于怎么出的问题就不得而知了,可能性有很多 在开杀毒软件时无意间看了篇文章发现次问题最新病毒
望糨糊XP人士赶快打补丁!!!
[url]http://it.rising.com.cn/Channels/Info/Virus/2006-08-14/1155523580d37075.shtml[/url]
瑞新有关文章
[url]http://www.microsoft.com/china/technet/Security/bulletin/ms06-040.mspx[/url]
补丁地址! 补丁是一定要即时打得 郁闷啊我发现已经晚了
而且不知道为什么我现在瑞新不能升级- -谁有最新的升级包发我下 [url]www.onlindown.net[/url]有病毒库下载 打不开嘛 中魔波了.... 郁闷瑞新版本是8月2号的
现在升级不行
不知道怎么杀了...
晕啊 怎么会升级不了? Virus: Worm/IRCBot.9609
CME number: 482
Date discovered: 13/08/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 9.609 Bytes
MD5 checksum: 9928A1E6601CF00D0B7826D13FB556F0
VDF version: 6.35.01.85
IVDF version: 6.35.01.85
General Methods of propagation:
• Local network
• Messenger
Aliases:
• Symantec: Backdoor.IRC.Bot
• Mcafee: IRC-Mocbot!MS06-040
• Kaspersky: Backdoor.Win32.IRCBot.st
• TrendMicro: WORM_IRCBOT.JK
• F-Secure: Backdoor.Win32.IRCBot.st
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
• Makes use of software vulnerability
• Third party control
Files It copies itself to the following location:
• %SYSDIR%\wgareg.exe
It deletes the initially executed copy of itself.
Registry The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg]
• Type = 110
• Start = 2
• ErrorControl = 0
• ImagePath = %SYSDIR%\wgareg.exe
• DisplayName = Windows Genuine Advantage Registration Service
• ObjectName = LocalSystem
• FailureActions = %hex values%
• Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Security]
• Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Enum]
• 0 = Root\LEGACY_WGAREG\0000
• Count = 1
• NextInstance = 1
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• EnableDCOM = %user defined settings%
New value:
• EnableDCOM = n
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• restrictanonymous = %user defined settings%
• restrictanonymoussam = %user defined settings%
New value:
• restrictanonymous = 1
• restrictanonymoussam = 1
– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
New value:
• autoshareserver = 0
• autosharewks = 0
– [HKLM\SOFTWARE\Microsoft\security center]
Old value:
• antivirusdisablenotify = %user defined settings%
• antivirusoverride = %user defined settings%
• firewalldisablenotify = %user defined settings%
• firewalldisableoverride = %user defined settings%
New value:
• antivirusdisablenotify = 1
• antivirusoverride = 1
• firewalldisablenotify = 1
• firewalldisableoverride = 1
Deactivate Windows XP Firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• Start = %user defined settings%
New value:
• Start = 4
Messenger It is spreading via Messenger. The characteristics are described below:
– AIM Messenger
Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.
Exploit:
It makes use of the following Exploit:
–MS06-040 (Vulnerability in Server Service)
IRC To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: bniu.house**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1
Server: ypgw.wall**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1
– Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Download file
• Execute file
• Start spreading routine
Miscellaneous Mutex:
It creates the following Mutex:
• wgareg
File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description here.
Inserted by Philipp Wolf on Sun, 13 Aug 2006 15:49 (GMT+1)
Updated by Andrei Gherman on Mon, 14 Aug 2006 13:00 (GMT+1)
楼主说的应该是这个吧。。可耻的瑞星。。比人家老外的晚了一天。。难怪只好意思说是国内率先。。。 [quote]原帖由 [i]Eric..英雄[/i] 于 2006-8-15 01:35 发表
怎么会升级不了? [/quote]
他说产品超过许可的升级次数..无法升级
请等待新版本升级注意1套产品仅授权在1台机器上使用 [quote]原帖由 [i]眼眼12[/i] 于 2006-8-15 01:37 发表
他说产品超过许可的升级次数..无法升级
请等待新版本升级注意1套产品仅授权在1台机器上使用 [/quote]
-_,-用我的这个吧。。虽说是国外的免费软件。。但是发现这个病毒升级病毒库比瑞星还要快一天。。 [quote]原帖由 [i]眼眼12[/i] 于 2006-8-15 01:37 发表
他说产品超过许可的升级次数..无法升级
请等待新版本升级注意1套产品仅授权在1台机器上使用 [/quote]
你是自己买的瑞星还是人家给你共用的序列号? 这个病毒会自动关闭杀毒软件的实时防护系统,破坏病毒库,昨天我的NV病毒库就被破坏了,好在又Ghost回来了,然后立刻升级到了昨天的病毒库。 [quote]原帖由 [i]Eric..英雄[/i] 于 2006-8-15 01:41 发表
你是自己买的瑞星还是人家给你共用的序列号? [/quote]
不是我自己买的
是装电脑的人帮我弄的
不过瑞星是正版的
有时能更新有时不能
很怪的
谁有最新的病毒库发我下吧 [quote]原帖由 [i]wowshell[/i] 于 2006-8-15 01:41 发表
这个病毒会自动关闭杀毒软件的实时防护系统,破坏病毒库,昨天我的NV病毒库就被破坏了,好在又Ghost回来了,然后立刻升级到了昨天的病毒库。 [/quote]
我GHOST不会弄..- - 你现在去[url]www.5icrack.com[/url]下载一个SYMANTEC.ANTIVIRUS.CORPORATE.V10.0.2.2000,然后重做一边系统,装上这个,之后连上网马上运行更新病毒库,在这之前不要运行任何上网软件。等病毒库更新好了重起后再到MS网站进行补丁更新。 解决办法:
1、删除系统目录下的wgareg.exe/wgavm.exe
2、删除注册表项目[HKLM\SYSTEM\CurrentControlSet\Services\wgareg]、[HKLM\SYSTEM\CurrentControlSet\Services\wgavm] 、 [HKLM\SYSTEM\CurrentControlSet\Services\wgavm\Security]、[HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Security]、[HKLM\SYSTEM\CurrentControlSet\Services\wgavm\Enum]、 [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Enum] 2个都太深奥
20楼的
那个我怎么找不到wgareg.exe/wgavm.exe
第2步怎么删除注册表里面的东西 3、将注册表中的[HKLM\SOFTWARE\Microsoft\Ole]中 EnableDCOM 改为 %user defined settings%
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]中restrictanonymous 改为 %user defined settings% 、restrictanonymoussam 改为 %user defined settings%
[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]中删除autoshareserver = 0和autosharewks = 0
[HKLM\SOFTWARE\Microsoft\security center]中antivirusdisablenotify 、antivirusoverride 、firewalldisablenotify 、firewalldisableoverride 均改为 “%user defined settings%”
[HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]中enablefirewall 改为 %user defined settings%
[HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]中enablefirewall 改为 %user defined settings%
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]中Start 改为 %user defined settings% [quote]原帖由 [i]眼眼12[/i] 于 2006-8-15 01:53 发表
2个都太深奥
20楼的
那个我怎么找不到wgareg.exe/wgavm.exe
第2步怎么删除注册表里面的东西 [/quote]
一般都在系统盘windows或者windows\system32目录下,可能是隐藏文件,先在进程管理其中结束相应进程再删除
注册表在开始菜单运行里输入regedit展开相应的在上面点右键有删除选项 [HKLM]指的是[HKEY-LOCAL-MACHINE] [quote]原帖由 [i]NAGGAROK[/i] 于 2006-8-15 01:53 发表
3、将注册表中的中 EnableDCOM 改为 %user defined settings%
中restrictanonymous 改为 %user defined settings% 、restrictanonymoussam 改为 %user defined settings%
中删除autoshareserver = 0和autoshar ... [/quote]
一般人看到会晕倒 [quote]原帖由 [i]wowshell[/i] 于 2006-8-15 01:57 发表
一般人看到会晕倒 [/quote]
=。=那要是去看12楼的呢?[goda] [quote]原帖由 [i]NAGGAROK[/i] 于 2006-8-15 01:58 发表
=。=那要是去看12楼的呢? [/quote]
会吐血 :blink:说实话那么多鸟语我看得都头痛。。睡觉去。。呼啊啊~~。 我很晕不会噢...
而且我组册表里没wgavm wgareg2个文件的
页:
[1]