- LocCloud
-
This isn't an ordinary trojan. 360 is fine for killing trojans, but it can't do anything about the account problems on the server.
I think this server has very likely been taken over remotely by a hacker. First, disconnect it from the network (otherwise someone may be watching what you do), and install every patch so that no vulnerability is left open. Then disable the various remote ports: dangerous ones like telnet and mstsc should all be shut off. After that, reboot the server into safe mode and shred those .exe and .bat files, then delete all the abnormal user accounts. If your skills are up to it, open the registry as well, look for anything else abnormal, fix it all, and reboot. That should leave things in better shape.
Let this be a reminder: a server must always have backups, especially a Windows server, whose security is weak. Back up the key areas such as the registry, the database, and system32 on the C: drive; then, if you get infected, you can restore them quickly. Otherwise, if the virus is stubborn enough, reinstalling is the only option left.
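The triage steps in the post above, as an added example that is not LocCloud's own script: a PowerShell pass that blocks Telnet and RDP at the host firewall, stops the Telnet service, compares the enabled local accounts against an expected list, and writes the registry Run keys, services started from unusual paths, non-Microsoft scheduled tasks and listening TCP ports to a report file. It assumes an elevated PowerShell 5.1 or later session on Windows Server 2016 or later (for Get-LocalUser, New-NetFirewallRule, Get-ScheduledTask and Get-NetTCPConnection); the expected-account list and the report path are placeholders to edit.

```powershell
# Added example, not LocCloud's script: first-pass triage of a Windows server
# suspected of remote compromise, following the steps in the post above.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2016 or later.
# Run it after the machine is off the network, as the post recommends.

$Report   = Join-Path $env:SystemDrive 'triage-report.txt'
$Expected = @('Administrator')   # assumption: replace with the server's known accounts

function Write-Section([string]$Title, $Object) {
    "`n==== $Title ====" | Out-File -FilePath $Report -Append -Encoding utf8
    $Object | Out-String -Width 200 | Out-File -FilePath $Report -Append -Encoding utf8
}

# 1. Block the remote ports the post names (Telnet 23, RDP 3389) at the host firewall.
#    A Block rule takes precedence over any Allow rule for the same port.
$Blocks = @{ 'Triage-Block-Telnet' = 23; 'Triage-Block-RDP' = 3389 }
foreach ($rule in $Blocks.GetEnumerator()) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Key -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Key -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Value -Action Block -Profile Any | Out-Null
    }
}
# Stop and disable the Telnet server service if it is installed at all.
Get-Service -Name TlntSvr -ErrorAction SilentlyContinue |
    Stop-Service -Force -PassThru | Set-Service -StartupType Disabled

# 2. Local accounts: every enabled account that is not on the expected list is suspect,
#    and membership of Administrators is what a backdoor account usually has.
$Admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$Users  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
    @{ n = 'IsAdmin'; e = { $Admins -contains "$env:COMPUTERNAME\$($_.Name)" } }
Write-Section 'Local users' $Users
Write-Section 'Enabled users not on the expected list' ($Users | Where-Object { $_.Enabled -and $_.Name -notin $Expected })

# 3. Persistence: Run/RunOnce keys, services whose binary lives outside the Windows
#    and Program Files trees, and scheduled tasks not authored by Microsoft.
$RunKeys  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PSNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$Autoruns = foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notin $PSNoise } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
Write-Section 'Run keys' $Autoruns

$OddServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, PathName
Write-Section 'Services started from unusual paths' $OddServices

$Tasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.Author -notmatch 'Microsoft' } |
    Select-Object TaskName, TaskPath, Author,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
Write-Section 'Non-Microsoft scheduled tasks' $Tasks

# 4. Listening sockets and the binary behind each: a remote controller needs one.
$Listen = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Image'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } }
Write-Section 'Listening TCP ports' $Listen

Write-Host "Triage report written to $Report"
```

The script only collects and blocks; it does not delete anything. Review the report before removing accounts or binaries, and copy it off the machine first, since a reinstall (which the post mentions as the last resort) destroys the evidence of how the box was entered.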
- cloudcone
-
Virus name (Chinese):
Alias:
Threat level: ★☆☆☆☆
Type: adware
Length: 205664 bytes
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This is adware. It modifies the browser-related data in the registry and pops up advertising pages chosen by the author, interfering with the user's normal work. Some of its variants may also have remote-control or downloader functionality.
Files released to disk:
C:\WINDOWS\TEMP
C:\WINDOWS\TEMP\nso8199.tmp
C:\WINDOWS\TEMP\nsf8199.tmp
C:\WINDOWS\TEMP\nsg8099.tmp
C:\WINDOWS
C:\WINDOWS\TEMP
C:\WINDOWS\TEMP\nsg8099.tmp
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini
C:\WINDOWS\TEMP\nsg8099.tmp\modern-wizard.bmp
C:\WINDOWS\TEMP\nsg8099.tmp\InstallOptions.dll
C:\PROGRA~1
C:\PROGRA~1\ActiveShopper
C:\PROGRA~1\ActiveShopper\activ.ico
C:\PROGRA~1\ActiveShopper\TestActiv.htm
C:\PROGRA~1\ActiveShopper\BarLcher.dll
C:\PROGRA~1\ActiveShopper\CompBar.dll
Files deleted from disk:
C:\WINDOWS\TEMP\nso8199.tmp
C:\WINDOWS\TEMP\nsg8099.tmp
Registry keys created:
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher.1
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher.1\CLSID
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher\CLSID
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher\CLSID\CurVer
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\VersionIndependentProgID
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\Programmable
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\InprocServer32
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\TypeLib
HKLM\Software\Microsoft\Internet Explorer\Main\Toolbar
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncherBHO.1
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncherBHO.1\CLSID
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncherBHO
Registry values set (key, value name, data):
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher.1  (default) = "IE5BarLauncherClass"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher.1\CLSID  (default) = "{3D782BB3-F2A5-11D3-BF4C-000000000000}"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher  (default) = "IE5BarLauncherClass"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher\CLSID  (default) = "{3D782BB3-F2A5-11D3-BF4C-000000000000}"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncher\CLSID\CurVer  (default) = "MyNewsBarLauncher.IE5BarLauncher.1"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}  (default) = "ActiveShopper ToolBar v1.20"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID  (default) = "MyNewsBarLauncher.IE5BarLauncher.1"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\VersionIndependentProgID  (default) = "MyNewsBarLauncher.IE5BarLauncher"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\InprocServer32  (default) = "C:\PROGRA~1\ActiveShopper\BarLcher.dll"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\InprocServer32  "ThreadingModel" = "Apartment"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\{3D782BB3-F2A5-11D3-BF4C-000000000000}\ProgID\TypeLib  (default) = "{3D782BA6-F2A5-11D3-BF4C-000000000000}"
HKLM\Software\Microsoft\Internet Explorer\Main\Toolbar  "{3D782BB3-F2A5-11D3-BF4C-000000000000}" = "GetPriceBar"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncherBHO.1  (default) = "IE5BarLauncherBHOClass"
HKCR\.exe\MyNewsBarLauncher.IE5BarLauncherBHO.1\CLSID  (default) = "{1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4}"
Registry keys read:
HKLM\Software\Microsoft\Windows\CurrentVersion
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKCR\MyNewsBarLauncher.IE5BarLauncher.1
HKCR\MyNewsBarLauncher.IE5BarLauncher
HKCR\CLSID
HKLM\Software
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO
Configuration file written to disk (file, section, key, value):
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Settings] RTL = "0"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field1] Text = "C:\WINDOWS\TEMP\nsg8099.tmp\modern-wizard.bmp"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Settings] NextButtonText = "&Finish"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field2] Bottom = "38"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field3] Top = "45"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field2] Text = "Completing the ActiveShopper Ver 1.20 Setup Wizard"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field3] Bottom = "185"
C:\WINDOWS\TEMP\nsg8099.tmp\ioSpecial.ini  [Field3] Text = "ActiveShopper Ver 1.20 has been installed on your computer. Click Finish to close this wizard
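The report above shows how this adware gets loaded: the ProgIDs resolve to CLSIDs, each CLSID's InprocServer32 names BarLcher.dll, and a value named after the toolbar CLSID under the Internet Explorer Toolbar key makes IE load that DLL on start-up. The following PowerShell sweep is an added example, not code from cloudcone's post or from the AV vendor, that checks a host for exactly those registrations and files and can optionally remove them. It assumes an elevated PowerShell 5.1 or later session; the Browser Helper Objects key and the Wow6432Node views are assumptions about where a 32-bit IE toolbar/BHO registers on a 64-bit system, not locations the report names.

```powershell
# Added example, not code from cloudcone's post or the AV vendor: sweep a Windows host
# for the ActiveShopper artifacts listed in the report above and optionally remove them.
# Assumes an elevated PowerShell 5.1+ session. The Browser Helper Objects key and the
# Wow6432Node views are assumptions about where a 32-bit IE toolbar/BHO registers;
# the report itself only names the Toolbar key, the ProgIDs, CLSIDs and files.

$Remove = $false   # set to $true to delete what is found (from safe mode, as the thread suggests)

$Clsids = @(
    '{3D782BB3-F2A5-11D3-BF4C-000000000000}',   # toolbar, IE5BarLauncherClass
    '{1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4}',   # BHO, IE5BarLauncherBHOClass
    '{3D782BA6-F2A5-11D3-BF4C-000000000000}'    # type library
)
$ProgIds = 'MyNewsBarLauncher.IE5BarLauncher', 'MyNewsBarLauncher.IE5BarLauncher.1',
           'MyNewsBarLauncher.IE5BarLauncherBHO', 'MyNewsBarLauncher.IE5BarLauncherBHO.1'
$Dirs    = "$env:ProgramFiles\ActiveShopper", "${env:ProgramFiles(x86)}\ActiveShopper"

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, $Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# 1. COM registration: each ProgID points at a CLSID, and each CLSID's InprocServer32
#    names the DLL that IE will load in-process (BarLcher.dll in the report).
foreach ($progId in $ProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId"
    if (Test-Path $key) {
        Add-Finding 'ProgID' $key (Get-ItemProperty "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if ($Remove) { Remove-Item $key -Recurse }
    }
}
foreach ($clsid in $Clsids) {
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "Registry::$root\$clsid"
        if (Test-Path $key) {
            Add-Finding 'CLSID' $key (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($Remove) { Remove-Item $key -Recurse }
        }
    }
}

# 2. Load points: the Toolbar keys list toolbars as value names; the BHO key lists
#    helper objects as subkeys. Either one is enough for IE to load the DLL at start-up.
$LoadPoints = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\Software\Microsoft\Internet Explorer\Main\Toolbar',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($lp in $LoadPoints) {
    if (-not (Test-Path $lp)) { continue }
    foreach ($name in (Get-Item $lp).GetValueNames()) {
        if ($Clsids -contains $name) {
            Add-Finding 'LoadPointValue' $lp $name
            if ($Remove) { Remove-ItemProperty -Path $lp -Name $name }
        }
    }
    foreach ($sub in (Get-ChildItem $lp -ErrorAction SilentlyContinue)) {
        if ($Clsids -contains $sub.PSChildName) {
            Add-Finding 'LoadPointKey' $lp $sub.PSChildName
            if ($Remove) { Remove-Item $sub.PSPath -Recurse }
        }
    }
}

# 3. Dropped files: hash them before deleting so the sample can be kept for analysis.
foreach ($dir in $Dirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem $dir -Recurse -File) {
        $hash = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' $f.FullName ("{0} bytes, SHA-256 {1}" -f $f.Length, $hash)
    }
    if ($Remove) { Remove-Item $dir -Recurse -Force }
}

if ($Findings.Count -eq 0) { 'No ActiveShopper artifacts found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it once with `$Remove = $false` to see what is present, close Internet Explorer (otherwise BarLcher.dll is still mapped and the file delete fails), then run it again with `$Remove = $true`. Removing the load-point entry alone is enough to stop the DLL loading; removing the CLSID and ProgID keys as well keeps a later variant from reusing the registration.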