Rising Kaka Security Forum (瑞星卡卡安全论坛)

Anti-virus / Anti-rogue-software forum: I suspect this is a virus, please help me take a look
真命小虫 - 2005-8-5 10:59:00
Yesterday, right after the system booted, I used IceSword's port view and saw that this file had connected to a large number of IPs.
After I deleted it the system got better, but today it showed up again.

Attachment: 555410200585105955.rar
真命小虫 - 2005-8-5 12:28:00
Nobody has a reply?
jiequ5222 - 2005-8-5 13:26:00
OP, you suspect this is a virus! Then you need to kill the virus! Is your antivirus not good enough? What are you using? I recommend PCC! Strong at killing viruses!
真命小虫 - 2005-8-5 16:15:00
Quote:
[jiequ5222's post] OP, you suspect this is a virus! Then you need to kill the virus! Is your antivirus not good enough? What are you using? I recommend PCC! Strong at killing viruses!
...........................


Rising doesn't say it's a virus, but it keeps showing up in the autostart entries, which is very suspicious~
baohe - 2005-8-5 16:39:00
Quote:
[真命小虫's post] Yesterday, right after the system booted, I used IceSword's port view and saw that this file had connected to a large number of IPs.
After I deleted it the system got better, but today it showed up again.
...........................


1. After running the attachment, it only ended up in my current user's TEMP folder; no other files were created. Two anomalies show up in the HijackThis log:

当前运行的进程:
C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe

O4 - 启动项HKLM\\Run: [izone] C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe

2. The wdns.exe process is visible in the Task Manager process list. It can be ended directly.

3. Registry modifications:

(1) Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it adds a startup entry:
"izone"="C:\\DOCUME~1\\baohelin\\LOCALS~1\\Temp\\Rar$EX05.533\\wdns.exe"
(2) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control it adds:
"izone"=hex:00,00,00,00,46,55,5e,9a,10,0e,00,00,00,00,00,00,d4,1a,cc,ee,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00

(3) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
it changes "EnableFirewall"=dword:00000001 to "EnableFirewall"=dword:00000000 (i.e. it switches the Windows Firewall off).


4. Removal: end the wdns.exe process; delete C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe; revert the registry changes listed above. That's all.
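As an added example (not from baohe's post or any tool it mentions), the following PowerShell script audits the three registry locations the analysis lists and, with -Remediate, undoes them in the order given: stop the process, remove the Run entry and the file it points to, remove the Control\izone marker, and turn EnableFirewall back on. It assumes an elevated prompt on a Windows machine; the value name "izone" and the key paths come from the post, while the wdns.exe location is read from the Run value because the Temp folder name is specific to baohe's machine.

```powershell
# Added example: audit/undo the "izone" persistence and firewall change described in the thread.
# Run from an elevated PowerShell prompt. Paths and value names are taken from the post;
# the executable path is read from the Run value rather than hard-coded (it is machine-specific).
param(
    [switch]$Remediate
)

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$controlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$firewallKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$valueName   = 'izone'

$findings = @()

# (1) Autostart entry "izone" under HKLM\...\Run
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue) {
    $findings += [pscustomobject]@{ Location = "$runKey\$valueName"; Value = $runValue }
}

# (2) REG_BINARY marker "izone" under HKLM\SYSTEM\CurrentControlSet\Control
$ctlValue = (Get-ItemProperty -Path $controlKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -ne $ctlValue) {
    $findings += [pscustomobject]@{ Location = "$controlKey\$valueName"; Value = ('{0} bytes of REG_BINARY' -f $ctlValue.Length) }
}

# (3) Windows Firewall disabled in the standard profile
$fw = (Get-ItemProperty -Path $firewallKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
if ($fw -eq 0) {
    $findings += [pscustomobject]@{ Location = "$firewallKey\EnableFirewall"; Value = $fw }
}

if ($findings.Count -eq 0) {
    Write-Host 'No izone / wdns.exe indicators found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    # Stop the process first so it cannot re-create the entries while they are being removed.
    Get-Process -Name 'wdns' -ErrorAction SilentlyContinue | Stop-Process -Force

    if ($runValue) {
        # The Run value may be stored with surrounding quotes; strip them before using it as a path.
        $exePath = $runValue.Trim('"')
        Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
        # -LiteralPath: the Temp folder name contains '$' (Rar$EX05.533), which must not be expanded.
        if (Test-Path -LiteralPath $exePath) {
            Remove-Item -LiteralPath $exePath -Force
        }
    }
    if ($null -ne $ctlValue) {
        Remove-ItemProperty -Path $controlKey -Name $valueName -ErrorAction SilentlyContinue
    }
    if ($fw -eq 0) {
        Set-ItemProperty -Path $firewallKey -Name 'EnableFirewall' -Value 1 -Type DWord
    }
    Write-Host 'Remediation applied; reboot and run the audit again to confirm nothing respawned.'
}
```

Run it once without -Remediate to see what is present, then with -Remediate. Re-running after a reboot is the check that matters here: the original poster's complaint was that the file came back the next day, so a clean second audit is what confirms the autostart entry is really gone.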




真命小虫 - 2005-8-5 19:50:00
Thanks