注册表的不速之客 (确切地说是在资源配置里面的“启动”项里面发现的，居然没名！)

叶秋霜 · 发表于 2006-4-27 21:25

[这个贴子最后由叶秋霜在 2006/04/27 10:33pm 第 1 次编辑]

[color=#0000FF]点击“开始”－“运行”，输入“msconfig”，回车。
看看今天到底在run些啥。发现一个没有名字却挂了勾的东东。
这个东西是什么呢？
难道是毒中隐者 rootkit ？

还望各位能人赐教。
谢谢！
（本公子这厢有礼了。）

缺月挂疏桐 · 发表于 2006-4-27 21:47

把后面的路径发上来

珺儿 · 发表于 2006-4-27 21:52

[这个贴子最后由珺儿在 2006/04/27 10:06pm 第 1 次编辑]

通常俺是看不懂地。。。。。。。。。。

叶秋霜 · 发表于 2006-4-27 21:54

就是注册表里面的那个run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
但是在里面看不到这个挂了勾的东西。
我把勾去掉，重启了。
（本公子这厢有礼了。）

叶秋霜 · 发表于 2006-4-27 21:59

没重启之前是这个样子。

重启后，还是这样子。看来在这里是看不到它的。
（本公子这厢有礼了。）

缺月挂疏桐 · 发表于 2006-4-27 22:08

启动项里去掉那个勾，确定，重启后在弹出的提示框里打勾确定。
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
按照这个路径去注册表里找。

叶秋霜 · 发表于 2006-4-27 22:14

下面引用由缺月挂疏桐在 2006/04/27 10:08pm 发表的内容：
启动项里去掉那个勾，确定，重启后在弹出的提示框里打勾确定。
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
按照这个路径去注册表里找。

谢谢。
刚才已经找了啊。看不到什么啊。
没有“项”、没有各类串值。摆明能隐身。
可能就是rootkit咯。刚刚找到点资料如下：
参考：《 Rootkit：隐秘的黑客攻击》
Rootkit 是一种特殊类型的 malware（恶意软件）。Rootkit 之所以特殊是因为您不知道它们在做什么事情。Rootkit 基本上是无法检测到的，而且几乎不可能删除它们。虽然检测工具在不断增多，但是恶意软件的开发者也在不断寻找新的途径来掩盖他们的踪迹。
Rootkit 的目的在于隐藏自己以及其他软件不被发现。它可以通过阻止用户识别和删除攻击者的软件来达到这个目的。Rootkit 几乎可以隐藏任何软件，包括文件服务器、键盘记录器、Botnet 和 Remailer。许多 Rootkit 甚至可以隐藏大型的文件集合并允许攻击者在您的计算机上保存许多文件，而您无法看到这些文件。
Rootkit 本身不会像病毒或蠕虫那样影响计算机的运行。攻击者可以找出目标系统上的现有漏洞。漏洞可能包括：开放的网络端口、未打补丁的系统或者具有脆弱的管理员密码的系统。在获得存在漏洞的系统的访问权限之后，攻击者便可手动安装一个 Rootkit。这种类型的偷偷摸摸的攻击通常不会触发自动执行的网络安全控制功能，例如入侵检测系统。
找出 Rootkit 十分困难。有一些软件包可以检测 Rootkit。这些软件包可划分为以下两类：基于签名的检查程序和基于行为的检查程序。基于签名（特征码）的检查程序，例如大多数病毒扫描程序，会检查二进制文件是否为已知的 Rootkit。基于行为的检查程序试图通过查找一些代表 Rootkit 主要行为的隐藏元素来找出 Rootkit。一个流行的基于行为的 Rootkit 检查程序是 Rootkit Revealer.
在发现系统中存在 Rootkit 之后，能够采取的补救措施也较为有限。由于 Rootkit 可以将自身隐藏起来，所以您可能无法知道它们已经在系统中存在了多长的时间。而且您也不知道 Rootkit 已经对哪些信息造成了损害。对于找出的 Rootkit，最好的应对方法便是擦除并重新安装系统。虽然这种手段很严厉，但是这是得到证明的唯一可以彻底删除 Rootkit 的方法。
防止 Rootkit 进入您的系统是能够使用的最佳办法。为了实现这个目的，可以使用与防范所有攻击计算机的恶意软件一样的深入防卫策略。深度防卫的要素包括：病毒扫描程序、定期更新软件、在主机和网络上安装防火墙，以及强密码策略。
（本公子这厢有礼了。）

缺月挂疏桐 · 发表于 2006-4-27 22:20

[这个贴子最后由缺月挂疏桐在 2006/04/27 10:21pm 第 1 次编辑]

run下面去看，如果有某个键没有“项、各类串值”的就删除掉……

叶秋霜 · 发表于 2006-4-27 22:29

下面引用由缺月挂疏桐在 2006/04/27 10:20pm 发表的内容：
run下面去看，如果有某个键没有“项、各类串值”的就删除掉……

老兄啊。里面个个项都是有名字的。
就是看不到在上面第1张图里面那个打了勾的东西。
按理说，既然能在系统配置里的“启动”项看到run里面有这个东西，那注册表里面的这个run里面怎么就找不到呢？
（本公子这厢有礼了。）

缺月挂疏桐 · 发表于 2006-4-27 22:35

更新病毒库，去安全模式下查杀，最好用个专杀木马的软件在安全模式下也杀一遍（同样别忘了先升级病毒库）

叶秋霜 · 发表于 2006-4-27 22:57

下面引用由缺月挂疏桐在 2006/04/27 10:35pm 发表的内容：
更新病毒库，去安全模式下查杀，最好用个专杀木马的软件在安全模式下也杀一遍（同样别忘了先升级病毒库）

我下载了个颇有名气的专门查rootkit绿色软件RootkitRevealer,查到注册表几个可疑的注册项目。
导出个扫描日志。看看：
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1708537768-1993962763-1957994488-1003\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLo2006-4-27 20:504 bytesData mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1708537768-1993962763-1957994488-1003\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHi2006-4-27 20:504 bytesData mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1708537768-1993962763-1957994488-1003\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLo2006-4-27 20:504 bytesData mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1708537768-1993962763-1957994488-1003\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHi2006-4-27 20:504 bytesData mismatch between Windows API and raw hive data.
E:\temp\2712142686600.tmp2006-4-27 22:294.30 KBHidden from Windows API.
E:\Temporary Internet Files\Content.IE5\0LM701U7\CEB4C3FCC3FB_1146146291[1].jpg2006-4-27 22:1642.84 KBVisible in Windows API, MFT, but not in directory index.
E:\Temporary Internet Files\Content.IE5\0LM701U7\CEB4C3FCC3FB_1146146291[2].jpg2006-4-27 22:2942.84 KBVisible in Windows API, directory index, but not in MFT.
E:\Temporary Internet Files\Content.IE5\0LM701U7\post[1]2006-4-27 22:2916.82 KBHidden from Windows API.
E:\Temporary Internet Files\Content.IE5\0LM701U7\post[2].cgi2006-4-27 22:2965.34 KBHidden from Windows API.
E:\Temporary Internet Files\Content.IE5\0LM701U7\topic[1]2006-4-27 22:2917.77 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\0LM701U7\upfile[1]2006-4-27 22:291.79 KBHidden from Windows API.
E:\Temporary Internet Files\Content.IE5\4927C1QV\136012747_85[1].jpg2006-4-25 22:243.01 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\ads[1].htm2006-4-26 0:175.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\amaxit[1].htm2006-4-25 23:5318.30 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\commontop[1].js2006-4-25 13:2334.35 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\content[10].js2006-4-25 13:2918.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\content[11].js2006-4-25 20:2118.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\content[8].js2006-4-25 13:2618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\content[9].js2006-4-25 13:2818.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\count_down[1].htm2006-4-25 23:460 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\count_down[2].htm2006-4-25 23:470 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\ipub_tag_tracker[1].php2006-4-25 23:240 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\ql[1].ashx2006-4-25 23:392.30 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\rd[1].php2006-4-25 23:24463 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\redirect[3].js2006-4-25 20:1914.14 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\resultslist[3].js2006-4-25 20:2148.94 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\search[2].htm2006-4-25 23:437.74 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\search[3].htm2006-4-26 0:0439.31 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\spacer[1].gif2006-4-25 22:2443 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\status_failed[1].gif2006-4-24 22:39661 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[10].js2006-4-25 13:232.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[11].js2006-4-25 13:242.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[12].js2006-4-25 20:212.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[13].js2006-4-25 20:312.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[14].js2006-4-25 20:522.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[15].js2006-4-25 21:072.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[16].js2006-4-25 21:462.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[17].js2006-4-25 21:462.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[18].js2006-4-25 21:462.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[19].js2006-4-25 21:562.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[20].js2006-4-25 21:572.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[21].js2006-4-25 22:002.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\tgar[8].js2006-4-25 0:132.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\4927C1QV\wusetup[1].cab2006-4-25 13:2315.86 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\136014873_med[1].gif2006-4-25 22:2414.41 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\140025406_med[1].gif2006-4-25 22:2416.07 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\140042586_85[1].jpg2006-4-25 22:244.38 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\adfshow[1].htm2006-4-25 22:37985 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\ads[1].htm2006-4-25 23:43
4.30 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\ads[2].htm2006-4-26 0:174.34 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\CA23W5632006-4-25 23:432.16 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\commontop[4].js2006-4-25 21:4634.35 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[12].js2006-4-25 13:2318.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[13].js2006-4-25 13:2418.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[14].js2006-4-25 20:2118.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[15].js2006-4-25 20:2818.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[16].js2006-4-25 20:3218.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[17].js2006-4-25 20:5318.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[18].js2006-4-25 21:5518.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[19].js2006-4-25 21:5718.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\content[20].js2006-4-25 21:5818.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\help[1].htm2006-4-26 0:082.13 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\history[2].aspx2006-4-24 22:406.78 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\index[1].htm2006-4-25 22:342.24 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\redirect[1].js2006-4-25 13:2314.14 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\resultslist[1].js2006-4-25 13:2348.94 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\resultslist[2].js2006-4-25 21:4648.94 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\search[2].htm2006-4-25 23:4312.15 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\spupdateids[3].js2006-4-25 20:201.01 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\status_successful[1].gif2006-4-24 22:39604 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\tgar[10].js2006-4-25 13:282.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\tgar[11].js2006-4-25 13:292.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\tgar[12].js2006-4-25 20:192.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\tgar[9].js2006-4-25 13:262.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\toc[3].js2006-4-25 20:219.96 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\wherefrom[1].htm2006-4-26 0:170 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\windowsvista[1]2006-4-25 23:355.89 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\CDEF4T67\WindowsXP-KB828741-x86-CHS[1].EXE2006-4-25 22:583.08 MBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\IH4V25Y5\upfile[1]2006-4-27 22:291.79 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\IH4V25Y5\wtid[1].js2006-4-27 21:5888 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\135256072_med[1].gif2006-4-25 22:2412.50 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\adfshow[1].htm2006-4-25 22:374.01 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\ads[1].htm2006-4-25 23:435.46 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\CAN68ZRX2006-4-25 23:431.59 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\CAQC5TL3.HTM2006-4-25 22:071.10 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\content[10].js2006-4-25 21:4618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\content[6].js2006-4-25 13:2418.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\content[7].js2006-4-25 13:2618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\content[8].js2006-4-25 13:2818.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\content[9].js2006-4-25 13:5518.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\Default[1].htm2006-4-25 22:37104.48 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\redirect[4].js2006-4-25 21:4614.14 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\search[2].htm2006-4-25 23:4639.31 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\search[4].htm2006-4-26 0:0433.97 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\sorttabled[1].gif2006-4-24 22:39126 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\spupdateids[1].js2006-4-25 13:231.01 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\spupdateids[2].js2006-4-25 21:461.01 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\t193920[1].html2006-4-25 23:4118.67 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[13].js2006-4-25 13:232.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[14].js2006-4-25 13:232.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[15].js2006-4-25 20:212.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[16].js2006-4-25 20:212.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[17].js2006-4-25 20:282.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[18].js2006-4-25 20:322.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[19].js2006-4-25 20:532.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[20].js2006-4-25 21:552.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[21].js2006-4-25 21:572.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\tgar[22].js2006-4-25 21:582.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\toc[1].js2006-4-25 13:239.96 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\toc[2].js2006-4-25 21:469.96 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\topic[1].jsp2006-4-25 23:4135.69 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\ODQFGHUJ\webcomtop[3].js2006-4-25 20:2048.87 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\04[1]2006-4-25 23:2441.59 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\136077155_85[1].jpg2006-4-25 22:243.11 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\138649492_85[1].jpg2006-4-25 22:243.31 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\139226067_85[1].jpg2006-4-25 22:243.32 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\adfshow[1].swf2006-4-25 22:37192 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\archiver[1].html2006-4-25 23:403.22 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\CA72CRNX2006-4-26 0:171.58 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\CAPK6L5R2006-4-26 0:172.13 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\commontop[2].js2006-4-25 20:2034.35 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[10].js2006-4-25 20:2118.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[11].js2006-4-25 20:3118.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[12].js2006-4-25 20:5218.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[13].js2006-4-25 21:0718.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[14].js2006-4-25 21:4618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[15].js2006-4-25 21:4618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[16].js2006-4-25 21:5618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[17].js2006-4-25 21:5718.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[18].js2006-4-25 22:0018.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[8].js2006-4-25 0:1318.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\content[9].js2006-4-25 0:1618.53 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\log[1].gif2006-4-25 22:2443 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\search[1].htm2006-4-25 23:4520.34 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\search[3].htm2006-4-26 0:179.47 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\search[4].htm2006-4-26 0:0439.12 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\status_cancelled[1].gif2006-4-24 22:39590 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[12].js2006-4-25 13:232.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[13].js2006-4-25 13:262.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[14].js2006-4-25 13:282.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[15].js2006-4-25 13:552.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[16].js2006-4-25 20:212.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[17].js2006-4-25 21:452.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\tgar[18].js2006-4-25 21:462.19 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\visit[1].jsp2006-4-25 23:41393 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\webcomtop[1].js2006-4-25 13:2348.87 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\webcomtop[2].js2006-4-25 21:4648.87 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\wherefrom[1].htm2006-4-25 23:430 bytesVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\wusetup[2].cab2006-4-25 20:2115.86 KBVisible in Windows API, but not in MFT or directory index.
E:\Temporary Internet Files\Content.IE5\WLMBGD6B\wusetup[3].cab2006-4-25 21:4615.86 KBVisible in Windows API, but not in MFT or directory index.
[color=#DC143C]再查。剩下2个！晕！！
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed2006-4-27 22:294 bytesData mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful2006-4-27 22:294 bytesData mismatch between Windows API and raw hive data.
[color=#DC143C]再查。剩下2个！啊，连位置都变了！看来是时刻在变动。晕！！
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\637957C374381304BBC97DA5FD6E1B10\Usage\Shared2006-4-27 21:404 bytesData mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\637957C374381304BBC97DA5FD6E1B10\Usage\Agent2006-4-27 21:404 bytesData mismatch between Windows API and raw hive data.

这东西还真能隐身。每次查都有点不同。连 IceSward都看不到什么红色的东西。
（本公子这厢有礼了。）

叶秋霜 · 发表于 2006-4-27 23:28

找到一篇参考性极强的文章：
★ RootKit木马的亲密接触 ★【转贴】
前一段时间Sony的CD反盗版保护RootKit被Sysinternals的Mark揭露后，在网上吵的沸沸扬扬，国外杀毒厂商也说黑客已利用了Sony的Rookit漏洞。本人前几天在一朋友的机器上发现了一个类似的木马，现把此木马的发现和删除过程与大家分享，木马技术也发展到了驱动级,希望大家提高防范意识，现在的网络真的是太不安全了。
我的安全意识还是比较强的，使用别人机器上网前都会用procexp（http://www.sysinternals.com/Files/ProcessExplorerNt.zip）查看一下有没有可疑的进程，用Autoruns（http://www.sysinternals.com/Files/Autoruns.zip）查看有没有可疑的启动项，检查未发现异常，开始上网，上了一会，关闭IE，准备关机。不经意间在防火墙网络访问信息中发现有iexplorer.exe访问网络，并且一会又消失了，因为我已经关闭了所有的IE窗口，所以这引起了我得注意。我马上打开procexp查看，但我并未发现那个iexplorer.exe，难道是防火墙误报，我下载了一个TcpView（http://www.sysinternals.com/Files/TcpView.zip），果然看到一个在进程列表中不存在的IE进程不停的访问网络。
如图：

这时我确定机器肯定中了木马，那个木马又是怎么启动的呢，我打开Autoruns仔细查找启动项，但找不到。此时我确认机器中了一个比较难缠的木马，我下载了RootkitRevealer(http://www.sysinternals.com/Files/RootkitRevealer.zip) 进行查找，果然不出所料，机器上有几个注册表隐藏项，和文件隐藏项
如图：

找到问题所在就好办了，打开IceSword （http://xfocus.net/tools/200509/IceSword_en1.12.rar），马上看到了那个IE进程
如图：

驱动注册表隐藏项，如图：

文件隐藏项，若图：

删除驱动文件，重启计算机，病毒进程立即现身，如图：

RootkitRevealer还报RPCSS服务的注册表一项被隐藏，因为驱动已经删除，再此打开注册表，木马更改的项马上现身了，若图：

将Rpcss服务的注册表项改回初始值，如图，重启问题搞定

总结：此木马为驱动级木马，底层勾了ntoskrnl.exe导出函数，实现进程隐藏，文件隐藏。
zwvmlmtz.dll：替换Rpcss服务的DLL，实现自启动功能（Rpcss服务是系统重要服务），调用驱动。
zwvmlmtz.sys：挂接系统函数，隐藏自己的注册表项，隐藏Rpcss改动的注册表项（通过regedit查询到的值不准确），隐藏文件，把自己伪装为IE进程（防火墙一般默认ＩＥ进程访问网络自动放行的）。
zwvmlmtz.d1l：木马作者真正用意所在模块。
补充1：若只删除问题文件，不把rpcss服务的DLL改回初始值会导致Rpcss服务无法启动的。
补充2：木马作者也许没有在XP系统测试，此木马在XP系统驱动无法加载，rpcss替换DLL也有问题。本文中计算机系统为win2K。
（本公子这厢有礼了。）

吟风听月 · 发表于 2006-4-28 08:06

用我推荐的进程管理器吧，不管什么东西，结束他的进程就是了。

暮雨黄昏 · 发表于 2006-4-29 01:46

感情楼主用诺顿2003做了备份的，推荐使用一键gohst做备份，诺顿装了不禁你卸不掉，还占用内存~！
NERO这种东西平常不用的就在启动项中禁掉，内省不少内存~！

注册表的不速之客 (确切地说是在资源配置里面的“启动”项里面发现的，居然没名！)

本帖子中包含更多资源