一直是正版瑞星2009加风云2009,进来一打开我的电脑,风云就报告explorer访问辽宁网通的一个Ip,电脑技术不算高,怀疑中木马了,还是dll注入型的,用Icesword查看explorer.exe模块,怀疑瑞星听诊器没有加载驱动,可能看不到一些隐藏进程,就用icesword测得进程如下:
进程:
System Idle Process
System
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\AVC Finger-sensing Pad Driver\FsCp.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\FengYun\FYFireWall.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\rssafety.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\PPSAP.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
D:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
C:\Documents and Settings\Administrator\桌面\IceSword122cn\IceSword122cn\IceSword.exe
D:\Program Files\QQ\Bin\TXPlatform.exe
D:\Program Files\Maxthon2\Maxthon.exe
D:\Program Files\QQ\Bin\QQ.exe
D:\Program Files\QQMusic\QQMusic.exe
瑞星听诊器扫描结果见附件,由于论坛不允许上传htm文件,所以改名了,改成了log,查看时请改回htm
用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MAXTHON 2.0)附件:
瑞星听诊信息.log