瑞星卡卡安全论坛
海蓝云天 - 2006-1-29 21:11:00
昨天晚上,我双击f盘的一个文件是,
突然,发盘里的文件被清空9G的东西只剩100多兆,
剩下没被删文件都在隐藏文件夹里,
幸好重要的文件有备份.
今天上午由出现了,我的D盘又被删了.
用瑞星也没找到.
不知道,是不是中毒了...........
影子110 - 2006-1-29 21:23:00
可能是吧,,
可能被入侵了~~
别人帮你删的~~
有没有用杀软查下~~
海蓝云天 - 2006-1-29 21:35:00
清空前,是有人攻击,不过防火墙 没让他进入
用什么杀软查?
海蓝云天 - 2006-1-30 10:49:00
自己顶
影子110 - 2006-1-30 10:55:00
你可以看看平时你的任务管理器里运行的进程中有没有什么比较可疑的进程,(比如说忽隐忽现,或很陌生~,或占用CPU异常大,或你明明没有什么网络行为,可是adsl状态中却显示你有大量的或有规律的数据包的接收与发送~~,(当然这些都要是你在连上网络的前提下),这些都是比较可疑的地方,但也不是说有这些状况时就是有问题,这需要你自己来判断~~)
还有就是可以查看下你的电脑被打开了哪些端口,启动了哪些服务~~这些都 是用来判断的依据~~~
Azuresky2005 - 2006-1-30 11:09:00
楼主可以打开运行,输入CMD,然后在命令提示符中输入 Netstat -an,即可查看你的电脑打开了多少端口,都是指向哪个IP的,如果可疑的话楼主就要采取措施了,估计楼主的机子是中彩了啊
影子110 - 2006-1-30 11:13:00
还有个比较重要的就是想法打全系统所需的补丁,把杀软升至最新,关闭文件共享,禁用那些远程服务等,
海蓝云天 - 2006-1-30 11:21:00
我用 Netstat -an
哪个比较可疑
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13 0.0.0.0:0 LISTENING
TCP 0.0.0.0:17 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19 0.0.0.0:0 LISTENING
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:119 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:563 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1037 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1039 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1046 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2020 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2022 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2023 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2024 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2035 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2036 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6059 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7360 0.0.0.0:0 LISTENING
TCP 125.96.55.224:139 0.0.0.0:0 LISTENING
TCP 125.96.62.93:139 0.0.0.0:0 LISTENING
TCP 125.96.62.93:1963 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1964 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1970 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1987 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1990 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1993 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1994 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1998 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:1999 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2000 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2001 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2003 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2005 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2006 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2007 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2009 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2014 202.167.234.202:80 TIME_WAIT
TCP 125.96.62.93:2020 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2022 219.238.233.238:80 ESTABLISHED
TCP 125.96.62.93:2023 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2024 221.174.17.252:80 ESTABLISHED
TCP 125.96.62.93:2025 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2026 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2027 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2028 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2030 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2031 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2032 219.238.233.252:80 ESTABLISHED
TCP 125.96.62.93:2036 219.238.233.252:80 ESTABLISHED
TCP 127.0.0.1:445 127.0.0.1:2035 ESTABLISHED
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2035 127.0.0.1:445 ESTABLISHED
UDP 0.0.0.0:7 *:*
UDP 0.0.0.0:9 *:*
UDP 0.0.0.0:13 *:*
UDP 0.0.0.0:17 *:*
UDP 0.0.0.0:19 *:*
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1035 *:*
UDP 0.0.0.0:1041 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
UDP 0.0.0.0:1812 *:*
UDP 0.0.0.0:1813 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:4000 *:*
UDP 0.0.0.0:4001 *:*
UDP 0.0.0.0:6000 *:*
UDP 0.0.0.0:6001 *:*
UDP 0.0.0.0:6002 *:*
UDP 0.0.0.0:6003 *:*
UDP 0.0.0.0:6004 *:*
UDP 0.0.0.0:6005 *:*
UDP 0.0.0.0:6006 *:*
UDP 0.0.0.0:6007 *:*
UDP 0.0.0.0:6008 *:*
UDP 0.0.0.0:6009 *:*
UDP 0.0.0.0:6010 *:*
UDP 0.0.0.0:6011 *:*
UDP 0.0.0.0:6012 *:*
UDP 0.0.0.0:6013 *:*
UDP 0.0.0.0:6014 *:*
UDP 0.0.0.0:6015 *:*
UDP 0.0.0.0:6016 *:*
UDP 0.0.0.0:6017 *:*
UDP 0.0.0.0:6018 *:*
UDP 0.0.0.0:6019 *:*
UDP 0.0.0.0:6020 *:*
UDP 0.0.0.0:6021 *:*
UDP 0.0.0.0:9000 *:*
UDP 125.96.55.224:53 *:*
UDP 125.96.55.224:137 *:*
UDP 125.96.55.224:138 *:*
UDP 125.96.55.224:500 *:*
UDP 125.96.62.93:53 *:*
UDP 125.96.62.93:137 *:*
UDP 125.96.62.93:138 *:*
UDP 125.96.62.93:500 *:*
UDP 127.0.0.1:53 *:*
UDP 127.0.0.1:1028 *:*
UDP 127.0.0.1:1029 *:*
UDP 127.0.0.1:1034 *:*
UDP 127.0.0.1:1047 *:*
UDP 127.0.0.1:1064 *:*
影子110 - 2006-1-30 11:42:00
好多,,,(只能说在我这里看不到那么多~~~)
你用的是哪个版本的瑞星,,,(2005?2006?)还是用的其它的杀软,
用没有用防火墙?
用的是哪个版本的系统,(是XP SP2吗?)
海蓝云天 - 2006-1-30 11:47:00
瑞星,2006
瑞星个人防火墙,
系统 2000server
影子110 - 2006-1-30 12:23:00
125.96.*.*
这个地址???
LISTENING(说明这个端口正处于被监听)
你用HijackThis扫个日志帖上来
HijackThis V1.99.1汉化版下载及英文原版下载地址(二楼)
http://forum.ikaka.com/topic.asp?board=67&artid=5188931
另,你可以打开 开始》控制面板》管理工具》服务(要用有管理员权限的用户打开)
看看你有哪些服务已经启动,(但暂时不要改动它~~~)
如果可能截个图帖上来看看~~~
截屏方法: 按【print screen sysrq】键,如果按 【Alt】+【print screen sysrq】键可以直接截到当前被激活的窗口,然后打开 【开始】---【程序】---【附件】---【画图】,打开画图板程序后,选择【编辑】---【粘贴】,最后选择【文件】---【另存为】,选择一个适当的目录,在文件名里写入 *.jpg 保存即可。
也可以在防火墙里的设置》祥细设置》IP规则》添加并设置一些新的规则 或到安全论坛装上网警的规则包亦可~~
海蓝云天 - 2006-1-30 12:46:00
125.96.*.*
这个地址我的IP
我用电猫上网(中电飞华)
Logfile of HijackThis v1.99.1
Scan saved at 12:44:06, on 2006-1-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\WINNT\system32\conime.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\UPEngine.EXE
C:\Program Files\Rising\Rav\Smartup.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Tencent\TT\TTraveler.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\金山词霸 2005\XDICT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\soft\248783200522382732\HijackThis.exe
R3 - URLSearchHook: (no name) -
{982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O1 - Hosts: 218.5.76.116 www.hung-ya.com
O1 - Hosts: 218.5.76.116 hung-ya.com
O1 - Hosts: 218.5.76.116 www.hung-ya.com
O1 - Hosts: 218.5.76.116 hung-ya.com
O1 - Hosts: 218.5.76.116 www.bbs.hungya.com
O1 - Hosts: 218.5.76.116 bbs.hungya.com
O1 - Hosts: 218.5.76.116 www.popoq.com
O1 - Hosts: 218.5.76.116 popoq.com
O1 - Hosts: 218.5.76.116 www.jokescn.com
O1 - Hosts: 218.5.76.116 jokescn.com
O1 - Hosts: 218.5.76.116 www.xdvod.com
O1 - Hosts: 218.5.76.116 xdvod.com
O1 - Hosts: 218.5.76.116 www.qq38.com
O1 - Hosts: 218.5.76.116 qq38.com
O1 - Hosts: 218.5.76.116 www.qq38.com
O1 - Hosts: 218.5.76.116 qq38.com
O1 - Hosts: 218.5.76.116 www.5929.com
O1 - Hosts: 218.5.76.116 5929.com
O1 - Hosts: 218.5.76.116 www.xunlei.com
O1 - Hosts: 218.5.76.116 xunlei.com
O1 - Hosts: 218.5.76.116 www.verycd.com
O1 - Hosts: 218.5.76.116 verycd.com
O1 - Hosts: 218.5.76.116 www.zhao118.com
O1 - Hosts: 218.5.76.116 zhao118.com
O1 - Hosts: 218.5.76.116 www.zhao118.com
O1 - Hosts: 218.5.76.116 zhao118.com
O1 - Hosts: 218.5.76.116 www.61th.com
O1 - Hosts: 218.5.76.116 61th.com
O1 - Hosts: 218.5.76.116 www.15pp.com
O1 - Hosts: 218.5.76.116 15pp.com
O1 - Hosts: 218.5.76.116 www.vod99.com
O1 - Hosts: 218.5.76.116 vod99.com
O1 - Hosts: 218.5.76.116 www.xdvod.com
O1 - Hosts: 218.5.76.116 xdvod.com
O1 - Hosts: 218.5.76.116 www.5929.com
O1 - Hosts: 218.5.76.116 5929.com
O1 - Hosts: 218.5.76.116 www.verycd.com
O1 - Hosts: 218.5.76.116 verycd.com
O1 - Hosts: 218.5.76.116 www.haowz.com
O1 - Hosts: 218.5.76.116 haowz.com
O1 - Hosts: 218.5.76.116 www.15pp.com
O1 - Hosts: 218.5.76.116 15pp.com
O1 - Hosts: 218.5.76.116 www.61th.com
O1 - Hosts: 218.5.76.116 61th.com
O1 - Hosts: 218.5.76.116 www.wg101.com
O1 - Hosts: 218.5.76.116 wg101.com
O1 - Hosts: 218.5.76.116 www.k234.com
O1 - Hosts: 218.5.76.116 k234.com
O1 - Hosts: 218.5.76.116 www.hao358.com
O1 - Hosts: 218.5.76.116 hao358.com
O1 - Hosts: 218.5.76.116 www.hao358.com
O1 - Hosts: 218.5.76.116 hao358.com
O1 - Hosts: 218.5.76.116 www.mtvdy.com
O1 - Hosts: 218.5.76.116 mtvdy.com
O1 - Hosts: 218.5.76.116 www.20so.com
O1 - Hosts: 218.5.76.116 20so.com
O1 - Hosts: 218.5.76.116 www.dd1000.com
O1 - Hosts: 218.5.76.116 dd1000.com
O1 - Hosts: 218.5.76.116 www.v1000.com
O1 - Hosts: 218.5.76.116 v1000.com
O1 - Hosts: 218.5.76.116 www.huise.com
O1 - Hosts: 218.5.76.116 huise.com
O1 - Hosts: 218.5.76.116 www.916918.com
O1 - Hosts: 218.5.76.116 916918.com
O1 - Hosts: 218.5.76.116 www.ye263.com
O1 - Hosts: 218.5.76.116 ye263.com
O1 - Hosts: 218.5.76.116 www.c-cb.com
O1 - Hosts: 218.5.76.116 c-cb.com
O1 - Hosts: 218.5.76.116 www.zhao123.com
O1 - Hosts: 218.5.76.116 zhao123.com
O1 - Hosts: 218.5.76.116 www.51115.com
O1 - Hosts: 218.5.76.116 51115.com
O1 - Hosts: 218.5.76.116 www.4399.com
O1 - Hosts: 218.5.76.116 4399.com
O1 - Hosts: 218.5.76.116 www.chinagames.net
O1 - Hosts: 218.5.76.116 chinagames.net
O1 - Hosts: 218.5.76.116 www.skycn.com
O1 - Hosts: 218.5.76.116 skycn.com
O1 - Hosts: 218.5.76.116 www.tiexue.net
O1 - Hosts: 218.5.76.116 tiexue.net
O1 - Hosts: 218.5.76.116 www.qq163.com
O1 - Hosts: 218.5.76.116 qq163.com
O1 - Hosts: 218.5.76.116 www.tt67.com
O1 - Hosts: 218.5.76.116 tt67.com
O1 - Hosts: 218.5.76.116 www.chinamp3.com
O1 - Hosts: 218.5.76.116 chinamp3.com
O1 - Hosts: 218.5.76.116 www.pg168.com
O1 - Hosts: 218.5.76.116 pg168.com
O1 - Hosts: 218.5.76.116 www.yymp3.com
O1 - Hosts: 218.5.76.116 yymp3.com
O1 - Hosts: 218.5.76.116 www.yy138.com
O1 - Hosts: 218.5.76.116 yy138.com
O1 - Hosts: 218.5.76.116 www.dj99.com
O1 - Hosts: 218.5.76.116 dj99.com
O1 - Hosts: 218.5.76.116 www.sogua.com
O1 - Hosts: 218.5.76.116 sogua.com
O1 - Hosts: 218.5.76.116 www.snsn.net
O1 - Hosts: 218.5.76.116 snsn.net
O1 - Hosts: 218.5.76.116 www.flash8.net
O1 - Hosts: 218.5.76.116 flash8.net
O1 - Hosts: 218.5.76.116 www.mop.com
O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
海蓝云天 - 2006-1-30 12:47:00
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SohuDAIEHelper - {0CA51D02-7739-43EA-8D9A-1E8AD4327B03} -
C:\Program Files\P4P\sodaie.dll (file missing)
O2 - BHO: Yahoo!Photo - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} -
C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll (file missing)
O2 - BHO: DragSearch BHO - {62EED7C6-9F02-42f9-B634-98E2899E147B} -
C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no
file)
O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no
file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm
Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [SonudMan] C:\WINNT\system32\WNILOGON.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe"
-system
O4 - HKLM\..\Run: [MS-4011 Memory Patch] F:\软件\RavSasser.exe -Patch
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program
Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program
Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program
Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 收藏此页到新浪ViVi -
http://vivi.sina.com.cn/collect/click.php?agent=ddt
O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program
Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program
Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program
Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - C:\Program
Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 -
C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: 免费精彩视频超流畅在线观看 -
{022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: 播霸电视 -
{022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra button: 新浪UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} -
C:\Program Files\sina\UC\UC.exe
O9 - Extra button: 豪杰超级解霸V8 -
{367E0A21-8601-4986-9C9A-153BF5ACA118} -
C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 -
{367E0A21-8601-4986-9C9A-153BF5ACA118} -
C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program
Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ -
{c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program
Files\Tencent\QQ\QQ.EXE
O9 - Extra button: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} -
http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 -
{DE60714F-AC17-427e-861A-FD60CBDF119A} -
http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O17 -
HKLM\System\CCS\Services\Tcpip\..\{7B495F07-6AEA-42B1-BFE0-3656B3A5C
C18}: NameServer = 211.99.25.1 210.82.5.1
O17 -
HKLM\System\CCS\Services\Tcpip\..\{B1348DFF-524C-49BE-A84C-2CA49ED3
326D}: NameServer = 211.99.25.1,202.106.0.20
O21 - SSODL: SysTrays - {590498A3-4131-4D8F-BA4B-36791A9803B1} -
C:\WINNT\system32\DLMain.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LsassFTP daemon (LsassFTPD) - Unknown owner -
C:\WINNT\LsassFtpd.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program
Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Messenger - Unknown owner - C:\WINNT\system32\#.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINNT\system32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINNT\system32\nvsvc32.exe
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation -
E:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner -
E:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation -
E:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner -
E:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner -
E:\oracle\ora90\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome90PagingServer - Unknown owner -
E:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner -
E:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner -
E:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner -
E:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation -
e:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising
Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing
Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co.,
Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner -
C:\r_server.exe" /service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation -
C:\Tomcat 5.0\bin\tomcat.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company -
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner -
E:\oracle\ora90\bin\osagent.exe
海蓝云天 - 2006-1-30 12:56:00
* HijackThis v1.99.1 *
Written by Merijn - merijn@spywareinfo.com
http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html
See bottom for version history.
The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
Command-line parameters:
* /autolog - Automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit
* Version history *
[v1.99.1]
* Added Winlogon Notify keys to O20 listing
* Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
* Fixed lots and lots of 'unexpected error' bugs
* Fixed lots of inproper functioning bugs (i.e. stuff that didn't work)
* Added 'Delete NT Service' function in Misc Tools section
* Added ProtocolDefaults to O15 listing
* Fixed MD5 hashing not working
* Fixed 'ISTSVC' autorun entries with garbage data not being fixed
* Fixed HijackThis uninstall entry not being updated/created on new versions
* Added Uninstall Manager in Misc Tools to manage 'Add/Remove Software' list
* Added option to scan the system at startup, then show results or quit if nothing found
[v1.99]
* Added O23 (NT Services) in light of newer trojans
* Integrated ADS Spy into Misc Tools section
* Added 'Action taken' to info in 'More info on this item'
[v1.98]
* Definitive support for Japanese/Chinese/Korean systems
* Added O20 (AppInit_DLLs) in light of newer trojans
* Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
* Added O22 (SharedTaskScheduler) in light of newer trojans
* Backups of fixed items are now saved in separate folder
* HijackThis now checks if it was started from a temp folder
* Added a small process manager (Misc Tools section)
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release
A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.
影子110 - 2006-1-30 13:10:00
E:\oracle\ora90\bin
这个文件夹下的都是些什么文件??
另,修复了所有的01项的先~~
海蓝云天 - 2006-1-30 13:17:00
ORACLE 是一款数据库软件
影子110 - 2006-1-30 13:19:00
O23 - Service: Remote Administrator Service (r_server) - Unknown owner -
C:\r_server.exe" /service (file missing)
O23 - Service: Messenger - Unknown owner - C:\WINNT\system32\#.exe
O23 - Service: LsassFTP daemon (LsassFTPD) - Unknown owner -
C:\WINNT\LsassFtpd.exe (file missing)
O21 - SSODL: SysTrays - {590498A3-4131-4D8F-BA4B-36791A9803B1} -
C:\WINNT\system32\DLMain.dll (file missing)
海蓝云天 - 2006-1-30 13:40:00
刚才修改后重起,
我TT登陆时显示[warning]system is being attacked!
用IE时就没问题,
还有,刚才修复的都是什么??
天天泡泡 - 2006-1-30 13:48:00
查一下这个:
O23 - Service: Messenger - Unknown owner - C:\WINNT\system32\#.exe
看这个帖子:http://forum.ikaka.com/topic.asp?board=28&artid=6637409
海蓝云天 - 2006-1-30 14:05:00
| 引用: |
【天天泡泡的贴子】查一下这个:
O23 - Service: Messenger - Unknown owner - C:\WINNT\system32\#.exe
看这个帖子:http://forum.ikaka.com/topic.asp?board=28&artid=6637409
........................... |
结束explorer.exe就什么都没有了,
那个Tracking analyzer软件我没有找到
海蓝云天 - 2006-1-30 14:26:00
#.exe清除成功
多谢 影子110 Azuresky2005 天天泡泡
Radios - 2006-1-30 14:41:00
我的也中过这个“#.exe”,一直找不到原因,后来之后恢复系统了
安旗中国 - 2006-1-30 22:53:00
被别人删的。病毒通常会格式化驱动器
☆漫步云端★ - 2006-1-31 9:24:00
还是一句,关闭可疑进程!!!
1
© 2000 - 2026 Rising Corp. Ltd.