Topic: About the malicious program u3shlpdr.sys (风云小站 » Help Section)

Posted by: 生锈的右眼 (OA/IT CE, junior member)

Moderator notice: this thread was locked by 水蜜桃 (2008-03-12)
I found this program on my computer. Searching online turned up the result below, which also matches my situation.
I have recently been using a Lenovo 128 MB 魔盘 (encrypted USB drive).
What I don't understand is why a Lenovo product would contain this. Can I still use that USB drive? Is it harmful? What does this program actually do? I hope someone knowledgeable can advise.

My 360 and Kaspersky keep detecting the u3shlpdr.sys trojan; soon after I remove it, it is back. Today I decided to track down its source.
I first spent a few days completely disabling remote services and unused services, uninstalling software I rarely use, and cleaning up the environment; 360 and Kaspersky both came back clean, so the environment should be fine.
Previously, each time I removed it I could not find it for a while, and then it would reappear a few days later. Online, someone said it is dropped by the Lenovo 魔盘 encryption program, so I started there.
I rebooted the machine; 360 and Kaspersky found nothing. Then I inserted the Lenovo 魔盘, which I bought a few years ago: 64 MB, for over 100 yuan, chosen for its encryption feature. After inserting it I browsed it and found an unlock program, passid.exe. At this point 360 still detected no trojan. At the same time I had Explorer open watching the directory where u3shlpdr.sys is stored, c:\windows\system32\driver\, and confirmed there was no u3shlpdr.sys there. I clicked the 魔盘's passid.exe to enter the unlock password, and immediately u3shlpdr.sys appeared in the driver directory and 360 and Kaspersky reported the u3shlpdr trojan!
How infuriating. I trusted Lenovo and used its encrypted USB drive to keep important data, never expecting that its own unlock program would produce a trojan! That way all the important data is exactly what gets targeted for theft. Damn it, does the Lenovo encryption program carry this itself, or was it implanted later??
So I tested the write capability of this encrypted USB drive: without running passid.exe, creating a file directly is not allowed, and modifying passid.exe is not allowed either. This matches the Lenovo 魔盘 manual, which says nothing can be written before unlocking; everything on it is write-protected. That means the u3shlpdr trojan carried in passid.exe was there when the drive was made!
Workaround: on the surface, both 360 and Kaspersky can delete this trojan, and a scan right after deletion shows it gone. Clicking the Lenovo 魔盘's passid.exe to unlock and use it, then scanning immediately, also shows it gone; only after rebooting the system and unlocking again does it get detected. How does the trojan know not to reload in a system that was just cleaned? I suspect the trojan's marker is still saved somewhere in the system and 360 and Kaspersky did not fully remove it.
Final handling: I am keeping this damned USB drive as evidence, and will no longer trust or use Lenovo products.
Posted: 2008-03-11 12:14 | Original post
Reply by: freelive (风云精英 / elite member)

My guess is that it is an encryption/decryption file.

Some programs are packed, to prevent malicious cracking and the like.

Someone may also have taken this program from earlier years and turned it into a trojan.

Today's antivirus software just removes it outright; the technology keeps changing, so you cannot generalize.

Suggested approach:
1. Try changing the autostart entry

    [U3sHlpDr / U3sHlpDr][Stopped/Auto Start]
    <\??\C:\WINDOWS\System32\Drivers\U3sHlpDr.sys>

Either disabling or deleting it is fine.

2. Go to the Lenovo website, download the updated program, and format the USB drive.

Since it is already generally recognized as a trojan that starts automatically in the background: to be safe, if the measures above still don't work, I suggest not using the drive, so it can't be exploited by the trojan.




Posted: 2008-03-11 12:57 | Reply #1
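A defender-side check for the autostart entry quoted in the reply above, added here as an example and not code from the thread or from Lenovo: it reports the U3sHlpDr driver service, the file on disk with its hash and Authenticode status, and the registry start type, and sets the service to disabled only when run with -Apply. It assumes Windows with PowerShell 4 or later and an elevated prompt; the service and file names come from the reply, everything else is generic.

```powershell
# Added example (not from the thread): triage and optionally disable the
# U3sHlpDr kernel driver named in the reply above.
# Assumes Windows, PowerShell 4+ (Get-FileHash) and an elevated prompt.
param([switch]$Apply)   # without -Apply the script only reports

$ServiceName = 'U3sHlpDr'
$DriverPath  = Join-Path $env:SystemRoot 'System32\Drivers\U3sHlpDr.sys'
$RegKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. The driver service as the Service Control Manager sees it (kernel
#    drivers are not listed by Get-Service, so query Win32_SystemDriver).
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($svc) {
    "Service  : {0}  State={1}  StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode
    "ImagePath: {0}" -f $svc.PathName
} else {
    "No driver service named $ServiceName is registered."
}

# 2. The binary on disk: size, timestamp, SHA-256 and signature status.
#    An unsigned or unexpectedly signed driver is what to escalate on.
if (Test-Path $DriverPath) {
    $file = Get-Item $DriverPath
    $sig  = Get-AuthenticodeSignature $DriverPath
    "File     : {0}  Size={1}  Modified={2}" -f $file.FullName, $file.Length, $file.LastWriteTime
    "SHA256   : {0}" -f (Get-FileHash $DriverPath -Algorithm SHA256).Hash
    "Signature: {0}  Signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject
} else {
    "No file at $DriverPath"
}

# 3. Registry view of the same entry; Start=2 is Auto Start, 4 is Disabled.
if (Test-Path $RegKey) {
    Get-ItemProperty $RegKey | Select-Object ImagePath, Start, Type | Format-List
}

# 4. Mitigation: leave the file in place as evidence (the original poster
#    kept the drive) but stop the driver from loading at boot.
#    sc.exe config works for kernel driver services as well.
if ($svc -and $Apply) {
    sc.exe config $ServiceName start= disabled
    "Driver $ServiceName set to disabled; it will not load after the next reboot."
} elseif ($svc) {
    "Dry run: re-run with -Apply to set $ServiceName to disabled."
}
```

Compare the reported hash and signer against a known-good copy from the vendor before deciding whether the file is the legitimate driver or a replaced one.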
Reply by: 生锈的右眼

Thanks for your help, brother.
I found a tool and formatted it; the 魔盘 password-lock protection program is gone.
But now when I plug it in, two drive letters appear.
There is an extra 5.25-inch floppy drive, which looks like some kind of utility disk:
1.38 MB, while the USB drive itself has 123 MB.
It contains quite a few files and a text description. My English isn't good, so I don't really understand it.

What is going on here?

        -----------------------------------------
            Microsoft Windows Millennium Edition
              Help for Emergency Startup Disk 
        -----------------------------------------

        (c) Copyright Microsoft Corporation, 2000


    This document provides complementary or late-breaking
    information to supplement the Windows Millennium Edition
    (Windows ME) documentation.

    To close this Help file, press ALT-F-X.

    --------
    CONTENTS
    --------

    SUMMARY
      If Windows ME Starts Only in Safe Mode

    TYPES OF WINDOWS ME INSTALLATION MEDIA AND METHODS
      Windows Millennium Edition (Retail Version)
      Windows Millennium Edition (Upgrade Version) 
      How Windows ME Upgrade Setup Searches for Previous Versions
      Clean Installations
      OEM Versions of Windows ME

    IF WINDOWS ME DOES NOT START IN SAFE MODE
      Using ScanDisk to check your hard disk
      Using Windows Registry Checker

    IF SETUP STOPS AND WINDOWS ME WILL NOT START IN SAFE MODE
      A Note on Anti-Virus Software
      Setup Stops Responding During Hardware Detection

    UNINSTALLING WINDOWS ME

    INSTALLING WINDOWS ME WITH WINDOWS NT OR WINDOWS 2000

    INSTALLING WINDOWS ME ON A NEW HARD DISK


    =======
    SUMMARY
    =======

    If you have problems setting up or starting Windows ME, try
    starting your computer in Safe Mode before trying the steps
    outlined in this document.

    If you can start in Safe Mode, see the Windows Millennium Edition
    Safe Mode Troubleshooter on the Safe Mode warning page. In Safe
    Mode, you can use Windows Troubleshooting tools, such as System
    Restore, which are not available from this Startup disk.

    To start Windows in Safe Mode:

    1. Remove the Startup disk, and then restart your computer.

    2. As soon as the computer restarts, press and hold down the
      CTRL key until the Microsoft Windows Millennium Edition
      Startup Menu appears.

    3. On the Startup menu, choose Safe Mode (option 3).

    4. Follow the steps in the Safe Mode Troubleshooter.

    If Windows ME Starts Only in Safe Mode
    --------------------------------------
    If you have followed the steps outlined in the Safe Mode
    Troubleshooter and are still unable to start Windows normally,
    do the following:

    1. Close this Help file.

    2. At the command prompt, type:
        scanreg /restore
      and then press ENTER.

    3. Select the most recent backup date, and then choose Restore.


    If you try these steps and still cannot start normally:

    1. Restart your computer by using the Windows ME Startup disk,
      select option 1 on the Startup menu, and then press ENTER.

    2. Close the Help file.

    3. Try to reinstall Windows ME by following the instructions on
      your screen.

    **********
    IMPORTANT: If you have installed software that came with your
    hard disk, be sure to read the documentation that describes how
    to start your computer by using a floppy disk.
    **********

    ==================================================
    TYPES OF WINDOWS ME INSTALLATION MEDIA AND METHODS
    ==================================================

    The following section describes the versions of Windows ME and
    their installation requirements.

    Windows Millennium Edition (Retail Version)
    -------------------------------------------
    This does not require a prior version of Microsoft Windows.

    Windows Millennium Edition (Upgrade Version)
    --------------------------------------------
    Setup requires an existing copy of Microsoft Windows 95 or
    Windows 98.

    How Windows ME Upgrade Setup Searches for Previous Versions
    -----------------------------------------------------------
    Setup searches your computer to find a qualifying product to
    upgrade. If Setup is unable to find a previous version of
    Windows on your computer, Setup prompts you to insert the
    previous version's media to confirm your eligibility for the
    upgrade. This media can be a CD-ROM, floppy disks, or a folder
    on the hard disk that contains setup files. If you supply
    floppy disks, Setup may prompt you for multiple disks.

    Clean Installations
    -------------------
    You can use the Windows ME Upgrade to install Windows ME on a
    computer that does not have a prior version of Windows installed,
    such as after formatting your hard disk. This is commonly called
    a "clean install."

    Because the compliance check process is unable to find evidence
    of a prior version, Setup prompts you to insert your previous
    version media to confirm your eligibility for the upgrade. This
    media can be a CD-ROM, floppy disks, or a folder on the hard disk
    that contains setup files. If you supply floppy disks, Setup may
    prompt you for multiple disks.

    For more information about how to install Windows ME on a
    computer that has no previous operating system, see "How To
    Install Windows Millennium Edition Onto a New Hard Disk"
    referenced at the end of this document.

    OEM versions of Windows ME
    --------------------------
    An Original Equipment Manufacturer (OEM) version of Windows ME
    is a special release product made available for computer
    Manufacturers. OEMs can customize these versions of Windows ME
    specifically for their hardware and software.

    The Setup procedures and requirements outlined in this document
    may be different if you have an OEM version of Windows ME. For
    more information, read the documentation that came with your
    computer or contact your computer manufacturer.


    =========================================
    IF WINDOWS ME DOES NOT START IN SAFE MODE
    =========================================

    Any of the following conditions can cause Windows ME not to start
    in Safe Mode:

    - Your computer is infected with a virus. Run up-to-date anti-
      virus software to check for a virus and clean your computer if
      necessary. 

    - Your computer's CMOS settings are not correct. Check your
      computer's CMOS settings to make sure they are correct. Note
      that you may need to contact the computer manufacturer to
      verify these settings.

    - There is a hardware failure. Note that you may need to contact
      the computer manufacturer for more information about your
      hardware.     

    - There is an error on your computer's hard disk.  See "Using
      ScanDisk to check your hard disk."

    - There is an error in the Windows registry. See "Using the
      Windows Registry Checker."

    Using ScanDisk to Check Your Hard Disk
    --------------------------------------
    If you suspect there may be file corruption or other problems
    with your hard disk(s), run ScanDisk to check for and repair
    errors.

    To check all your hard disks for errors:

    1. At the command prompt, type:
     
      scandisk /all

    2. Press ENTER.

    To perform a full surface scan of your hard disk(s) for maximum
    protection against data loss:

    1. At the command prompt, type:

      scandisk /all /surface
     
    2. Press ENTER.

    Using Windows Registry Checker
    ------------------------------
    If you are still unable to start Windows ME in Safe Mode, run
    the Windows Registry Checker (Scanreg.exe) tool, as there may
    be a problem with the system registry.

    To start the Windows Registry Checker:

    1. At the command prompt, type:
     
      scanreg /restore

    2. Press ENTER. 

    Scanreg may not be available if Windows ME has not been
    successfully installed on your computer.


    =========================================================
    IF SETUP STOPS AND WINDOWS ME WILL NOT START IN SAFE MODE
    =========================================================

    The following section explains what you can do to recover from
    a failed Windows Setup. For more information about other Setup
    problems, see the Setup.txt file in the Win9X folder of your
    Windows ME CD.

    If you encounter any of these error messages while running Setup:

    - Invalid system disk

    - Incorrect MS-DOS version

    - Missing or corrupted Command.com

    it is likely that your computer's startup drive needs updated
    system files. Certain CMOS settings or anti-virus software can
    prevent Windows Setup from installing the correct system files
    on your computer.

    To replace your system files:

    1. Restart your computer by using the Windows ME Startup Disk,
      selecting option 1 on the Startup menu, and then pressing
      ENTER.

    2. Close the Help file.

    3. Follow the instructions on the screen to run Setup.

    4. Choose "Use Safe Recovery" if prompted.

    A Note on Anti-Virus Software
    -----------------------------
    If anti-virus programs are left running during Setup, they might
    prevent Setup from properly updating the system files.

    **********
    IMPORTANT: You might receive a warning message after the first
    restart during Setup, informing you that the Master Boot Record
    or other files have changed. If you see such a message, you MUST
    accept these changes or Setup may fail to update critical files
    that Windows ME uses to start your computer.
    **********

    Setup Stops Responding During Hardware Detection
    ------------------------------------------------
    If Setup stops responding while it is detecting the hardware in
    your computer, turn your computer off and wait a few seconds, and
    then turn it back on. You may need to do this several times.
    Choose Use "Safe Recovery" when Setup restarts. Setup could stop
    responding during several different detection modules and will
    skip areas it fails to complete successfully.

    **********
    IMPORTANT: Use the power switch to turn your computer completely
    off. Do not use the reset button or press CTRL+ALT+DEL to restart
    your computer.
    **********

    If Setup still fails to complete successfully, it may be
    necessary to start your computer in Safe Mode so that you can
    view the Help topics associated with hardware detection.


    =======================
    UNINSTALLING WINDOWS ME
    =======================

    If the above steps do not work, you can try to uninstall
    Windows ME and return to your previous version of Windows.

    To uninstall Windows ME, you must have chosen to save uninstall
    information during Windows ME Setup. The uninstall information
    is saved in the Winundo.dat and Winundo.ini files. If these
    files are deleted, you cannot uninstall Windows ME.

    **********
    IMPORTANT: You should not attempt to Uninstall Windows ME if
    the partition information for your hard disk or disks has
    changed since you last installed Windows ME successfully.
    Windows ME creates a backup copy of your partition information
    in the Suhdlog.dat file at the end of a successful installation,
    and Uninstal.exe restores the partition information listed in
    the Suhdlog.dat file to your hard disk during Uninstall. If the
    partition information on your hard disk or disks has changed
    since you last installed successfully (specifically, since the
    Suhdlog.dat file was created), then you might experience partial
    or complete data loss as a result of attempting to Uninstall
    Windows ME.
    **********

    To uninstall Windows ME:

    1. Restart your computer using the Windows ME Startup Disk,
      selecting option 1 on the Startup menu, and then pressing
      ENTER.

    2. Close the Help file.

    3. At the command prompt, type each of the following lines,
      pressing ENTER after each line.

      smartdrv
      <drive>:
      cd\<windows>\command
      uninstal.exe

      NOTE: <drive> is the drive letter of the drive containing the
      Windows folder (the default is C). <windows> is the name of
      the Windows folder (the default is "Windows").

    4. Type Y when you are prompted to continue.
      This process can take several minutes.

    NOTE: SmartDrive (Smartdrv.exe) is not required to run
    Uninstal.exe, but it can significantly speed up the process.


    =====================================================
    INSTALLING WINDOWS ME WITH WINDOWS NT OR WINDOWS 2000
    =====================================================

    You cannot install Windows ME over any version of Windows 2000
    or Windows NT, but they can exist together on a single system.
    However, for compatibility reasons, it is recommended that
    you install each to a separate hard disk or partition. If
    Windows NT is already installed, Windows ME Setup will add
    itself to the Windows NT boot menu to allow you to multi-boot
    between Windows ME and Windows NT.


    ========================================
    INSTALLING WINDOWS ME ON A NEW HARD DISK
    ========================================

    See the document "Installing Windows Millennium Edition to a
    New Hard Disk," located at <CD-ROM>:\Win9x\Cleanhd.Txt.

    You might also find the Setup readme useful. It is located at
    <CD-ROM>:\Win9X\Setup.txt.
[ This post was last edited by 生锈的右眼 on 2008-03-11 18:52 ]
Posted: 2008-03-11 18:46 | Reply #2
Reply by: freelive

I had a quick look; there is nothing wrong with it.

The text is roughly:

Microsoft Windows ME Emergency Startup Disk help file

I don't know which tool you used to format the USB drive; this is related to your tool.

In other words, the USB drive has been formatted as an emergency startup disk, much like the 矮人DOS startup disk we commonly use.

It is basically for rescuing a system; it has no major effect on your USB drive, and you can use it normally.

Description: file translation
Attachment: 文本翻译.txt (9 K), downloads: 1
Posted: 2008-03-11 19:38 | Reply #3