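On a LAN, when I try to access other computers, the system says "The server is not configured for transactions". Can any expert help? Many thanks.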
1 answer
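Anyone who wants to fix the "The server is not configured for transactions" problem for good, please read carefully.
Since Windows 2000, Microsoft no longer uses NetBIOS to register computer names and no longer relies on WINS to resolve computer names; all of this has been handed over to DNS.
So how does Windows use the name registration and resolution mechanisms above to provide browsing in "Network Neighborhood"? This involves a very important Windows service: the Computer Browser service. The computer browser service is a set of distributed lists of available network resources. These lists are held on a number of computers; a computer that makes a browse request acts as a browse workstation, and a computer that provides the browse list acts as a browse server.
The types of browser, and the roles that computers running the service perform for network browsing, are as follows:
Domain master browser: used only in domain environments. By default, the domain's primary domain controller (PDC) performs this role. It collects and maintains the master browse list of available servers in the domain, together with the names of other domains and workgroups on the network. It distributes and synchronizes the master browse list for master browsers on other subnets that have computers belonging to the same domain.
Master browser: collects and maintains the master browse list of available network servers on its subnet. It fully replicates its listed information, including the master browse list, to obtain a complete browse list for the network. It distributes the complete list to the backup browsers on the same subnet.
Backup browser: receives a copy of the browse list for its subnet from the master browser. It distributes the browse list to other computers on request.
Potential browser: under normal conditions it operates as a non-browser. It becomes a backup browser only after being instructed to by the subnet's master browser.
Under some conditions, if a computer holding a given browser role fails or is shut down, browsers (or potential browsers) may change to a different role. This is usually done through a process called a "browser election". In earlier versions of the Windows operating system, the browser service can be understood as three key processes:
(1) Collecting browse information
When the master browser on a subnet receives a host announcement, it merges the name of the sending computer into the current browse list. If the name already exists, the list is refreshed. If the name does not exist, it is added to the list.
(2) Distributing browse information
The browse list is distributed by the subnet's master browser to the backup browsers. The master browser must periodically broadcast to the local subnet an announcement message containing the configured domain or workgroup name. This message confirms the presence of the master browser on the network. If the master browser fails to announce itself for a period of time, a browser election takes place. Once a master browser exists or has been replaced (because of a failure), the backup browsers contact it periodically to obtain an updated copy of the subnet browse list it maintains.
(3) Servicing browse requests from clients
When a browse client computer starts up on a subnet, it asks the master browser for the list of backup browsers on the subnet. The master browser answers the request and gives the client a list containing three backup browsers. The browse client then picks one backup browser from the list at random and contacts it to obtain a copy of the browse list. The chosen backup browser answers the client with the list of servers for a domain or workgroup. The client then obtains from a server in that list the list of resources available on that server.
Browser elections
In an NT domain environment or a workgroup environment, the browser service maintains a browse list that contains all usable domains, workgroups, computer names and so on; it is the directory of shared resources. When we use "Network Neighborhood", we are using this browser service. The browser service on these systems likewise includes the master browser, backup browser and browse client roles.
(1) Elections are carried out by broadcast. If a computer's election criteria are better than those in the packet it received, it broadcasts its own election criteria. After receiving another computer's election criteria, each computer waits for a delay that depends on its role in the domain before reacting, which reduces the number of election packets sent by computers with poorer election criteria.
(2) When a computer is elected master browser and its browse list is empty, it broadcasts an announcement-request packet that forces all computers to answer within 30 seconds. The 30-second window is there to prevent server overload or packet loss.
(3) Apart from the computers acting as master browser and backup browsers, the other computers periodically send announcements to the master browser to say that they are available resources. The interval starts at 1 minute, 2 minutes, 4 minutes, 8 minutes, and after that is once every 12 minutes.
(4) If a computer is shut down and the master browser receives nothing from it for 3 consecutive periods, that is 36 minutes, the master browser decides it is unavailable and deletes it from the browse list. But it still remains on the backup browsers, and a backup browser calls the master browser every 15 minutes to obtain the updated list of network resources, so an unavailable resource can take up to 36+15=51 minutes to disappear from the network completely. This is why, when a computer has been renamed, the old name still stays on the network for a while.
A workgroup has one master browser, so what happens with multiple workgroups, multiple domains or even multiple subnets? This requires a domain master browser. The master browser of each workgroup or domain periodically sends the list it is responsible for to this domain master browser; the period starts at 1 minute, and after 5 times it is 15 minutes. If this packet is not received within 3 periods, the domain master browser also removes it from its own list. In other words, after a workgroup fails, it stays in the master list for another 45 minutes. The domain master browser is by default the primary domain controller; a computer running Windows XP Professional cannot take on this role. After receiving the browse list, a computer must be able to resolve the NetBIOS names in it, so the network's WINS service or DNS service must be working for browsing to work, because the browser election process is carried out by UDP broadcast.
As a network administrator, when Network Neighborhood has problems, analyze them step by step to see whether the problem is temporary or the election process has gone wrong. There is currently no way to prove that the browse list is complete, but there are ways to find out whether a given available resource is in the list, and even to force an election to start.
Note: restart the Computer Browser service on the server, open ipc$ on the server, make sure all clients are powered on, and from the server run "ping <client IP>" against each client in turn to make sure all of them answer. If a client runs Win2000, restart its Computer Browser service as well.
For a thorough fix, it is best to set up a domain; having the primary domain controller provide the browser service is the ideal arrangement.
The fix differs from case to case. The above is an analysis of the principles; below are some common fixes (which may not apply to your situation):
1. On a LAN, "The server is not configured for transactions" appears because the list file of the LAN's master browser is corrupted. First scan for viruses; if there is no virus,
the fix is: first pick one Win2K machine on the LAN and change its workgroup name, then change the remaining machines one by one (if there is a Win2K Server on the LAN, change the server first).
2. Article category: LAN
Article title: Clicking a workgroup in Network Neighborhood gives "The server is not configured for transactions"
Keywords: 0
Article author: alonglee (reposted)
Article source: 0
Published: 2004-6-20 1:59:00
Last time I posted an article, "The server is not configured for transactions: troubleshooting". Later I found that the problem is not that simple, so I found another article:
This is a problem I ran into before: machine A, running Win2000, found that its default C and D shares were gone and its IPC share was gone too. When others accessed computer A through Network Neighborhood they got "The server is not configured for transactions", and A could not access itself through a UNC path either, but A could access other machines without problems. After looking up some material, I found that it was infected.
First, in the process list I saw a process called wuamgrd.exe, which showed that the machine was infected with a virus called "w32.spybot.worm". I ended it in the process list, then looked for \wuamgrd.EXE under %SYSTEM%\SYSTEM32 and deleted it. After a restart the problem was solved: the shares were back and UNC access worked normally.
The following technical material lets you remove the virus completely:
This is a virus called w32.spybot.worm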
W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file-sharing and mIRC. This worm can also spread to computers infected with common back door Trojan horses.
W32.Spybot.Worm can perform different back door-type functions by connecting to a configurable IRC server and joining a specific channel to listen for instructions.
Technical details: what does this virus do? See below.
W32.Spybot.Worm
Discovered on: April 16, 2003
Last Updated on: May 20, 2004 02:27:17 PM
----------
Note: The October 8, 2003, virus definitions contain a modified W32.Spybot.Worm detection which accounts
for a minor variation discovered on October 7, 2003.
-----------------------------------------
Also Known As: Worm.P2P.SpyBot.gen [KAV], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend], Win32.Spybot.gen [CA]
Type: Worm
Infection Length: various
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Virus Definitions (Intelligent Updater) *: April 16, 2003
Virus Definitions (LiveUpdate™) **: April 16, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Moderate
Threat Metrics
Wild: Medium
Damage: Medium
Distribution: Medium
Damage
Payload:
Releases confidential info: Sends personal data to an IRC channel.
Compromises security settings: Allows unauthorized commands to be executed on an infected machine.
Distribution
Shared drives: Spreads using the KaZaA file-sharing network, as well as spreading through mIRC.
When W32.Spybot.Worm is executed, it does the following:
Copies itself to the %System% folder.
-------------------------------------------------------------
Note: %System% is a variable. The worm locates the System folder and copies itself to that location.
By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000),
or C:\Windows\System32 (Windows XP).
----------------------------------------------------------------
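On a Windows 2000 system, the virus copies itself to %SYSTEM%\SYSTEM32\,
with the file name wuamgrd.EXE and the system and hidden attributes set.
The file name and icon look much like those of the Windows Automatic Updates client, so it is very easy to overlook. It then creates the following values in the registry: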
Can be configured to create and share a folder on the KaZaA file-sharing network,
by adding the following registry value:
"dir0"="012345:<configurable path>"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent
Copies itself to the configured path as file names that are designed to
trick other users into downloading and executing the worm.
Can be configured to perform Denial of Service (DoS) attacks on specified servers.
Can be configured to terminate security product processes
Connects to specified IRC servers and joins a channel to receive commands.
One such command is to copy itself to many hard-coded Windows Startup Folders, such as the following:
Documents and Settings\All Users\Menu Start\Programma’s\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
----------------------------------------------------------------
Note: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have file names such as TFTP780 or
TFTP###, where # can be any number.
-----------------
It mainly creates values under the following keys:
Adds a variable registry value to one or more of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
For example:
"Microsoft Update" = "wuamgrd.exe"
May log keystrokes to a file in the System folder.
May send personal information, such as the operating system, IP address, user name, and so on, to the IRC server.
May open a back-door port.
Solution:
The following instructions pertain to all current and recent Symantec antivirus products,
including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode.
4. Run a full system scan, and delete all files that are detected as W32.Spybot.Worm.
5. Delete the value that was added to the registry.
6. Delete any zero-byte files in the Startup folder.
For specific details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily
turn off System Restore. Windows Me/XP uses this feature, which is enabled by default,
to restore the files on your computer in case they become damaged. If a virus, worm, or
Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore.
Therefore, antivirus programs or tools cannot remove threats in the System Restore folder.
As a result, System Restore has the potential of restoring an infected file on your computer,
even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to disabling Windows Me System Restore,
see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder,"
Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all virus definitions for quality assurance before they are posted to our servers.
There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions
These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays),
unless there is a major virus outbreak. To determine whether definitions for
this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater
The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday).
You should download the definitions from the Symantec Security Response Web site and manually install them.
To determine whether definitions for this threat are available by the Intelligent Updater, refer to the
Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the
Intelligent Updater" for detailed instructions.
3. Restarting the computer in Safe mode
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode.
NOTE: The following instructions are basic and can vary slightly depending on the operating system.
If the computer is running, shut down Windows and then turn off the power.
Wait 30 seconds, and then turn on the computer.
Start tapping the F8 key.
When the Startup Menu appears, ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default. (If it is not selected, use the arrow keys to select it.)
Press Enter. The computer will start in Safe mode. This can take a few minutes.
When you are finished with all the troubleshooting, close all the programs and restart the
computer as you normally would.
4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products
Read the document "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products
Read the document "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Spybot.Worm, write down the file names, and then click Delete.
5. Deleting the value from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any
changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.
Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit then click OK. (The Registry Editor opens.)
c. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.
e. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
f. In the right pane, delete any values that reference the file name in step d.
g. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
h. In the right pane, delete any values that reference the file name in step d.
i. Navigate to the following key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
j. In the right pane, delete any values that reference the file name in step d.
k. Exit the Registry Editor.
6. Delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:
NOTE: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.
To delete zero-byte files in Windows 95/98/Me/NT/2000
On the Windows taskbar, click Start > Find (or Search) > Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type--or copy and paste--the following file name:
tftp*.*
Click Find Now or Search Now.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup".
To delete zero-byte files in Windows XP
On the Windows taskbar, click Start > Search.
Click "All files and folders."
In the "All or part of the file name" box, type--or copy and paste--the following file name:
tftp*.*
Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup".
Revision History:
May 17, 2004: Added reference to possible registry key modification.
October 8, 2003: Added information regarding updated detection released in virus definitions on this day.
August 13, 2003: Updated removal instructions for Safe Mode.
August 7, 2003:
Upgraded from Category 1 to Category 2 due to increased prevalence.
Added information pertaining to the existence of 0-byte files in the StartUp folder.
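After cleaning up with the method above, the problem was solved; file sharing works again, and IPC$ and the other default shares have all reappeared. The system is back to normal.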
References: the English will have to do.
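Added example, not part of the original answer or of the Symantec write-up it quotes: an offline check of the persistence traces listed in removal steps 5 and 6, run against a regedit text export and a copied folder tree. The function names, the constructed sample export, and matching `dirN` values beyond the `dir0` shown above are assumptions of this sketch; the suspect file name is whatever the antivirus scan reported.

```python
import os
import re

# Auto-start keys named in the write-up, lower-cased for comparison.
_CV = r"\software\microsoft\windows\currentversion"
RUN_KEYS = {
    "hkey_local_machine" + _CV + r"\run",
    "hkey_local_machine" + _CV + r"\runonce",
    "hkey_local_machine" + _CV + r"\runservices",
    "hkey_current_user" + _CV + r"\run",
}
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit export syntax (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wuamgrd.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="C:\\WINNT\\System32\\wuamgrd.exe"

[HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent]
"dir0"="012345:C:\\constructed\\share"
"DisableSharing"=dword:00000000
'''

def _unescape(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in an export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)  # dword:/hex: values do not match and are skipped
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def _file_names(data):
    # File-name part of each token, so "C:\x\a.exe /s" and "a.exe" both match.
    return {t.rsplit("\\", 1)[-1].lower() for t in re.split(r'[\s"]+', data) if t}

def find_autostart_hits(reg_text, suspect_names):
    """Run/RunOnce/RunServices values that launch one of the suspect files."""
    suspects = {n.lower() for n in suspect_names}
    return [(k, n, d) for k, n, d in parse_reg_export(reg_text)
            if k.lower() in RUN_KEYS and _file_names(d) & suspects]

def kazaa_shares(reg_text):
    """Folders shared through KaZaA LocalContent dirN values, for manual review."""
    return [(n, d.partition(":")[2]) for k, n, d in parse_reg_export(reg_text)
            if k.lower() == KAZAA_KEY and re.fullmatch(r"dir\d+", n, re.I)]

def find_zero_byte_tftp(root):
    """Zero-byte tftp* files in any folder whose name ends with 'Startup'."""
    found = []
    for folder, _dirs, files in os.walk(root):
        if not os.path.basename(folder).lower().endswith("startup"):
            continue
        for name in files:
            path = os.path.join(folder, name)
            if name.lower().startswith("tftp") and os.path.getsize(path) == 0:
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    for hit in find_autostart_hits(SAMPLE_REG, ["wuamgrd.exe"]):
        print("autostart:", hit)
    print("kazaa shares:", kazaa_shares(SAMPLE_REG))
```

A `dirN` value is only a lead, since a legitimate KaZaA installation also records its shared folders there; compare the reported path with what the user actually shares.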