I installed Kaspersky Anti-Hacker, and in its network monitor I keep seeing a host named ns-pd.online.sh.cn, IP address 202.96.209.133, constantly sending things out from my machine or sending things in to me from outside. I thought some software was playing tricks, so I reinstalled the system. Who would have thought that after the reinstall, with only Kaspersky installed, I would still see that address on my machine. This never happened before; I don't know what kind of trojan I've been infected with.
Below is my scan with RootkitRevealer:
C:\$AttrDef 2006-6-8 0:29 2.50 KB Hidden from Windows API.
C:\$BadClus 2006-6-8 0:29 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 2006-6-8 0:29 7.81 GB Hidden from Windows API.
C:\$Bitmap 2006-6-8 0:29 250.04 KB Hidden from Windows API.
C:\$Boot 2006-6-8 0:29 8.00 KB Hidden from Windows API.
C:\$Extend 2006-6-8 0:29 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 2006-6-7 17:04 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 2006-6-7 17:04 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 2006-6-7 17:04 0 bytes Hidden from Windows API.
C:\$LogFile 2006-6-8 0:29 42.02 MB Hidden from Windows API.
C:\$MFT 2006-6-8 0:29 11.08 MB Hidden from Windows API.
C:\$MFTMirr 2006-6-8 0:29 4.00 KB Hidden from Windows API.
C:\$Secure 2006-6-8 0:29 0 bytes Hidden from Windows API.
C:\$UpCase 2006-6-8 0:29 128.00 KB Hidden from Windows API.
C:\$Volume 2006-6-8 0:29 0 bytes Hidden from Windows API.
D:\$AttrDef 2006-3-14 9:07 2.50 KB Hidden from Windows API.
D:\$BadClus 2006-3-14 9:07 0 bytes Hidden from Windows API.
D:\$BadClus:$Bad 2006-3-14 9:07 9.77 GB Hidden from Windows API.
D:\$Bitmap 2006-3-14 9:07 312.55 KB Hidden from Windows API.
D:\$Boot 2006-3-14 9:07 8.00 KB Hidden from Windows API.
D:\$Extend 2006-3-14 9:07 0 bytes Hidden from Windows API.
D:\$Extend\$ObjId 2006-3-14 9:08 0 bytes Hidden from Windows API.
D:\$Extend\$Quota 2006-3-14 9:08 0 bytes Hidden from Windows API.
D:\$Extend\$Reparse 2006-3-14 9:08 0 bytes Hidden from Windows API.
D:\$LogFile 2006-3-14 9:07 52.02 MB Hidden from Windows API.
D:\$MFT 2006-3-14 9:07 12.15 MB Hidden from Windows API.
D:\$MFTMirr 2006-3-14 9:07 4.00 KB Hidden from Windows API.
D:\$Secure 2006-3-14 9:07 0 bytes Hidden from Windows API.
D:\$UpCase 2006-3-14 9:07 128.00 KB Hidden from Windows API.
D:\$Volume 2006-3-14 9:07 0 bytes Hidden from Windows API.
E:\$AttrDef 2006-3-14 16:59 2.50 KB Hidden from Windows API.
E:\$BadClus 2006-3-14 16:59 0 bytes Hidden from Windows API.
E:\$BadClus:$Bad 2006-3-14 16:59 9.77 GB Hidden from Windows API.
E:\$Bitmap 2006-3-14 16:59 312.55 KB Hidden from Windows API.
E:\$Boot 2006-3-14 16:59 8.00 KB Hidden from Windows API.
E:\$Extend 2006-3-14 16:59 0 bytes Hidden from Windows API.
E:\$Extend\$ObjId 2006-3-14 17:00 0 bytes Hidden from Windows API.
E:\$Extend\$Quota 2006-3-14 17:00 0 bytes Hidden from Windows API.
E:\$Extend\$Reparse 2006-3-14 17:00 0 bytes Hidden from Windows API.
E:\$LogFile 2006-3-14 16:59 52.02 MB Hidden from Windows API.
E:\$MFT 2006-3-14 16:59 14.95 MB Hidden from Windows API.
E:\$MFTMirr 2006-3-14 16:59 4.00 KB Hidden from Windows API.
E:\$Secure 2006-3-14 16:59 0 bytes Hidden from Windows API.
E:\$UpCase 2006-3-14 16:59 128.00 KB Hidden from Windows API.
E:\$Volume 2006-3-14 16:59 0 bytes Hidden from Windows API.
E:\ 2006-7-10 17:07 5.69 KB Hidden from Windows API.
E:\ 2006-7-10 17:07 68 bytes Hidden from Windows API.
E:\ 2006-7-10 17:07 0 bytes Hidden from Windows API.
F:\$AttrDef 2006-3-14 17:11 2.50 KB Hidden from Windows API.
F:\$BadClus 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$BadClus:$Bad 2006-3-14 17:11 10.98 GB Hidden from Windows API.
F:\$Bitmap 2006-3-14 17:11 351.52 KB Hidden from Windows API.
F:\$Boot 2006-3-14 17:11 8.00 KB Hidden from Windows API.
F:\$Extend 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$Extend\$ObjId 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$Extend\$Quota 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$Extend\$Reparse 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$LogFile 2006-3-14 17:11 58.25 MB Hidden from Windows API.
F:\$MFT 2006-3-14 17:11 7.79 MB Hidden from Windows API.
F:\$MFTMirr 2006-3-14 17:11 4.00 KB Hidden from Windows API.
F:\$Secure 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\$UpCase 2006-3-14 17:11 128.00 KB Hidden from Windows API.
F:\$Volume 2006-3-14 17:11 0 bytes Hidden from Windows API.
F:\g.\boot.ini 2006-6-12 14:30 279 bytes Hidden from Windows API.
F:\g.\bzbq.exe 2006-6-9 21:23 62 bytes Hidden from Windows API.
F:\g.\SYS.DAT 2006-6-12 14:30 2.00 KB Hidden from Windows API.
F:\g.\WIN.GHO 2006-6-12 14:30 649.98 MB Hidden from Windows API.
F:\g.\WIN00001.GHS 2006-6-12 14:30 431.85 MB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\9AA52C.dmp 2006-9-18 12:30 61.67 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJMJ6ZCV\cursor[1].htm 2006-9-18 12:29 912 bytes Visible in Windows API, directory index, but not in MFT.