怀疑这是个病毒，请帮忙看看

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛怀疑这是个病毒，请帮忙看看

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第五十次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

1 / 1 页

跳转页

真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	发表于： 2005-08-05 10:59 \| 只看楼主短消息资料字号：小中大 1楼怀疑这是个病毒，请帮忙看看昨天，系统刚启动之后用icesword的端口查看发现它这个文件连接了大量ip。当时删除之后系统好些了，今天它又出现了。附件: 文件名:555410200585105955.rar 下载次数:5 文件类型:application/octet-stream 文件大小: 上传时间:2005-8-5 10:59:55 描述: 2005-08-05 19:50:54
真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	分享到：

真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	发表于： 2005-08-05 12:28 \| 只看楼主短消息资料字号：小中大 2楼没人给个答复吗？
真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:

jiequ5222 初生襁褓狮帖子:17 注册: 2005-08-04 来自:	发表于： 2005-08-05 13:26 \| 短消息资料字号：小中大 3楼楼主你怀疑这是个病毒!那就要杀病毒呀!是不是你的杀软不行呀!你是用什么的!我推荐一款PCC !杀毒强!
jiequ5222 初生襁褓狮帖子:17 注册: 2005-08-04 来自:

初生襁褓狮

帖子:424
注册: 2005-08-04
来自:

发表于： 2005-08-05 16:15 | 只看楼主 短消息资料

字号：小中大 4楼

引用:

【jiequ5222的贴子】楼主你怀疑这是个病毒!那就要杀病毒呀!是不是你的杀软不行呀!你是用什么的!我推荐一款PCC !杀毒强!
...........................

瑞星没说它是病毒，但它在自启动里老出现，十分可疑～

大版主

帖子:72578
注册: 2003-04-10
来自:

发表于： 2005-08-05 16:39 | 短消息资料

字号：小中大 5楼

引用:

【真命小虫的贴子】昨天，系统刚启动之后用icesword的端口查看发现它这个文件连接了大量ip。
当时删除之后系统好些了，今天它又出现了。
...........................

一、附件运行后，只能进入我的当前用户临时文件夹TEMP。无其它文件创建。HijackThis日志中可发现以下两处异常：

当前运行的进程：

C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe

O4 - 启动项HKLM\\Run: [izone] C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe

二、任务管理器进程列表中可见wdns.exe进程。可直接结束此进程。

三、注册表修改：

1、在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下添加启动加载项：
"izone"="C:\\DOCUME~1\\baohelin\\LOCALS~1\\Temp\\Rar$EX05.533\\wdns.exe"
2、在HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control下添加：
"izone"=hex:00,00,00,00,46,55,5e,9a,10,0e,00,00,00,00,00,00,d4,1a,cc,ee,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00

3、将HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
下的"EnableFirewall"=dword:00000001改为"EnableFirewall"=dword:00000000。

四、查杀：结束进程wdns.exe；删除C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX05.533\wdns.exe；恢复上述注册表改动。就行了。

真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	发表于： 2005-08-05 19:50 \| 只看楼主短消息资料字号：小中大 6楼谢谢
真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:

<<上一主题|下一主题>>

1 / 1 页

跳转页

真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	发表于： 2005-08-05 10:59 \| 只看楼主短消息资料字号：小中大 1楼怀疑这是个病毒，请帮忙看看昨天，系统刚启动之后用icesword的端口查看发现它这个文件连接了大量ip。当时删除之后系统好些了，今天它又出现了。附件: 文件名:555410200585105955.rar 下载次数:5 文件类型:application/octet-stream 文件大小: 上传时间:2005-8-5 10:59:55 描述: 2005-08-05 19:50:54
真命小虫初生襁褓狮帖子:424 注册: 2005-08-04 来自:	分享到：

瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 怀疑这是个病毒，请帮忙看看

怀疑这是个病毒，请帮忙看看

怀疑这是个病毒，请帮忙看看

附件:

文件名:555410200585105955.rar 下载次数:5 文件类型:application/octet-stream 文件大小: ShowFormatBytesStr(178263); 上传时间:2005-8-5 10:59:55 描述:

瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛怀疑这是个病毒，请帮忙看看

文件名:555410200585105955.rar

下载次数:5

文件类型:application/octet-stream

文件大小:

上传时间:2005-8-5 10:59:55

描述: