Help, it looks like a trojan
buptbreak
This is a mirror post. Source: 北邮人论坛 / security / #3388, synced 2006/9/16, 11 replies

When I double-clicked to open my D: drive, a lot of files suddenly appeared below the ones that were already there. I saw that one of them was named "被屏蔽的木马" (blocked trojan), then in a flash all of those files were gone.
What is going on here?

9 replies
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\conime.exe
H:\WINDOWS\system32\wscript.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\system32\Rundll32.exe
H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\天网Maze\MazeSvr.exe
H:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Maxthon\Maxthon.exe
H:\Documents and Settings\4everlove\桌面\HijackThis.exe
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - H:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - H:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - H:\WINDOWS\system32\LightFrame3IECOM.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - d:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: IEMoni Class - {F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} - H:\WINDOWS\system32\Sbhoplin.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - H:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe H:\WINDOWS\system32\hookdll.dll,ExecFilter solo
O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "d:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 雅虎搜索 - res://H:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra 'Tools' menuitem: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MazeSvr - Unknown owner - D:\Program Files\天网Maze\MazeSvr.exe
Look at all my drive letters, heh
【 Quoting hukt's post: 】
: H:\WINDOWS\system32\Rundll32.exe
: Disable this one first; hardly anything that gets started through it is any good...
: PS, OP has an awful lot of drive letters...
PS:
OP, deal with the following items and you should be fine:
H:\WINDOWS\system32\Rundll32.exe
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - H:\WINDOWS\system32\LightFrame3IECOM.dll
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe H:\WINDOWS\system32\hookdll.dll,ExecFilter solo
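As an added example (not part of the original thread, and not how the repliers worked), here is a small Python triage script that applies the two mechanical checks behind the advice above to HijackThis log lines: it lists everything in a UserInit value other than userinit.exe (Winlogon runs every comma-separated entry there at each interactive logon, so a stock system has only userinit.exe), and it pulls the DLL and export name out of any O4 Run-key entry that is launched through rundll32. The function names are mine; the sample lines are copied verbatim from the log posted above. It does nothing for the BHO line, which needs a manual lookup of the DLL.

```python
"""Triage a HijackThis log for two autostart patterns (added example).

Checks implemented (hypothetical helper names, written for this page):
  * F2 UserInit lines: Winlogon launches every comma-separated entry in the
    Userinit value at each interactive logon, so any entry other than
    userinit.exe is an extra logon-time program worth identifying.
  * O4 Run-key lines whose command is rundll32 <dll>,<export>: the DLL and
    export are pulled out so the DLL can be looked up or disabled.
"""
import re
from typing import Dict, List, Optional

# Lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - H:\WINDOWS\system32\LightFrame3IECOM.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe H:\WINDOWS\system32\hookdll.dll,ExecFilter solo
O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
# O4 - <hive>\..\<key>: [<name>] <command>
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# rundll32[.exe] <path\to\file.dll>,<ExportName> [arguments]
_RUNDLL_RE = re.compile(
    r"^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),(?P<export>\w+)(?:\s+(?P<args>.*))?$",
    re.IGNORECASE,
)


def userinit_extras(value: str) -> List[str]:
    """Return every program listed in a UserInit value except userinit.exe itself."""
    extras = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # The default entry may appear with or without its full path.
        if item.lower().rsplit("\\", 1)[-1] == "userinit.exe":
            continue
        extras.append(item)
    return extras


def parse_rundll32(cmd: str) -> Optional[Dict[str, str]]:
    """Split a 'rundll32 dll,export args' command into its parts; None if it is not one."""
    m = _RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return {"dll": m.group("dll"), "export": m.group("export"), "args": m.group("args") or ""}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Walk HijackThis lines and report UserInit extras and rundll32-launched autoruns."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = _USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append({"kind": "userinit_extra", "target": extra, "line": line})
            continue
        m = _O4_RE.match(line)
        if m:
            rd = parse_rundll32(m.group("cmd"))
            if rd:
                findings.append({
                    "kind": "rundll32_autorun",
                    "name": m.group("name"),
                    "target": rd["dll"],
                    "export": rd["export"],
                    "line": line,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        extra = f"  export={f['export']}" if "export" in f else ""
        print(f"{f['kind']:17} {f['target']}{extra}")
```

Run against the log above it reports exactly the two entries the reply singles out: `autorun.bat` appended to UserInit, and `hookdll.dll` loaded through its `ExecFilter` export from the `ExFilter` Run value. The regular autoruns (SoundMan, ATIPTA, ctfmon.exe) are not matched, because the script only flags structural oddities, not file reputations; identifying what `autorun.bat` and `hookdll.dll` actually are is still a manual step.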