Cari Forum (佳礼资讯网)

lovesan virus??

Posted on 10-1-2005 01:20 PM
Why does the Lovesan virus keep attacking my computer?

My Kaspersky has already detected it and cleaned it off, but before long it is bombarding my computer again, and when it comes it is 5 or 6 at once. Is there any way to stop it from attacking my computer again?

[ Last edited by okboy on 10-1-2005 at 01:21 PM ]
Posted on 10-1-2005 02:08 PM
You could try Microsoft's AntiSpyware.

http://download.microsoft.com/do ... iSpywareInstall.exe
Thread starter | Posted on 19-1-2005 11:19 PM
Is there really no way to stop it? As soon as I turn off the firewall, I get attacked....
weiyewc (this user has been deleted)
Posted on 20-1-2005 08:52 AM
I have had this problem too; as soon as the firewall is turned off, it comes.
Posted on 20-1-2005 11:38 AM
Lovesan is a W32.Blaster.A variant that exploits a security issue related to the Remote Procedure Call (RPC) service.
It is a variant of the Blaster (冲击波) worm.
Please update your Windows:
http://www.microsoft.com/security/incident/blast.mspx

The worm scans the Internet for a system with TCP port 135 open, and then infects it. The virus then downloads a tool to release more copies of the virus, and broadcasts packets of data to any network available.
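The reply above describes how the worm behaves on the network: it sweeps addresses looking for TCP port 135. From the defender's side that shows up in a firewall log as one source hitting many hosts on port 135 in a short time. The script below is an added example, not from this thread or from any firewall vendor; the log lines and their format (timestamp, action, protocol, src -> dst) are constructed for illustration, and the threshold of three distinct targets within one minute is an assumption you would tune for your network.

```python
"""Flag hosts that repeatedly probe TCP port 135 in a firewall log.

Added example, not from the original thread. The log format below is
constructed (timestamp, action, proto, src:port -> dst:port) and is not
the format of any specific firewall product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one host sweeps the LAN on port 135 (Blaster-style),
# one normal SMB connection, and one single stray hit that is not a sweep.
SAMPLE_LOG = """\
2005-01-20 13:01:02 BLOCK TCP 10.9.8.7:3412 -> 192.168.1.5:135
2005-01-20 13:01:02 BLOCK TCP 10.9.8.7:3413 -> 192.168.1.6:135
2005-01-20 13:01:03 BLOCK TCP 10.9.8.7:3414 -> 192.168.1.7:135
2005-01-20 13:01:03 BLOCK TCP 10.9.8.7:3415 -> 192.168.1.8:135
2005-01-20 13:01:04 BLOCK TCP 10.9.8.7:3416 -> 192.168.1.9:135
2005-01-20 13:01:05 BLOCK TCP 10.9.8.7:3417 -> 192.168.1.10:135
2005-01-20 13:02:10 ALLOW TCP 192.168.1.20:1100 -> 192.168.1.5:445
2005-01-20 13:05:00 BLOCK TCP 172.16.0.3:2000 -> 192.168.1.5:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_port135_scanners(log_text, min_targets=3, window=timedelta(minutes=1)):
    """Return {src_ip: set(dst_ips)} for sources that touched at least
    `min_targets` distinct hosts on TCP/135 within any `window`-long span."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 135:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = scanners.get(src, set()) | targets
    return scanners


if __name__ == "__main__":
    for src, targets in find_port135_scanners(SAMPLE_LOG).items():
        print(f"{src} probed TCP/135 on {len(targets)} hosts: {sorted(targets)}")
```

Running it on the constructed sample reports 10.9.8.7 alone; the single hit from 172.16.0.3 is below the threshold and stays quiet, which is the distinction between a sweep and a stray connection that a per-port block counter on its own cannot make.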
Posted on 20-1-2005 11:46 AM
Which version of Windows are you using?

If it is the English XP, click here: Security Update for Windows XP (KB823980)
http://www.microsoft.com/downloa ... C-9532-3DE40F69C074
Thread starter | Posted on 20-1-2005 01:33 PM
I am using SP2; isn't it the same anyway?
Posted on 20-1-2005 02:13 PM
Please give me more details.
Is the full name of the virus Worm.Win32.Lovesan?

Please download the English version of HijackThis
http://www.merijn.org/files/hijackthis.zip, then unzip it into a new folder, run a scan and post the log here.
Or download the HijackThis 1.99.0 Chinese-localized version
http://www.newhua.com/soft/37094.htm, then unzip it into a new folder, run a scan and post the log here.
Thread starter | Posted on 20-1-2005 04:06 PM
austinlim said on 20-1-2005 02:13 PM:
Please give me more details.
Is the full name of the virus Worm.Win32.Lovesan?

Please download the English version of HijackThis
http://www.merijn.org/files/hijackthis.zip, then unzip it into a new folder, run a scan and post the log here.
Or download Hij ...

Please give me more details.
Is the full name of the virus Worm.Win32.Lovesan?

The information Kaspersky gave me is only "lovesan", and that it came in through port 135...

Logfile of HijackThis v1.99.0
Scan saved at 3:46:55 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsof ... e.cab?1105820132687
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4C280-CECA-4B0B-A5E5-184D05575791}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1AD66C5-8ADE-4803-A0D8-9CD8493AFF1B}: NameServer = 202.188.1.5,202.188.0.133
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I looked at it too and it seems fine, so could I trouble you to check it once more for me...

[ Last edited by okboy on 20-1-2005 at 04:09 PM ]
Posted on 20-1-2005 07:05 PM
:) Yes, there is no problem. Can't help any further.
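A HijackThis log like the one posted above is just a list of autostart entries, services and running processes, and reading it by hand is what the helpers in this thread do. The script below is an added example, not from this thread or from HijackThis itself: it parses the "Oxx - ..." entry lines and the "Running processes" block and pulls out the items a reviewer normally looks at first. The sample text is trimmed from the log posted above; the triage rules (unknown-vendor services, startup links whose target is "?", DNS server overrides, processes outside the Windows and Program Files trees) are my own assumptions about what to surface, not HijackThis logic.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not from the thread or from HijackThis. The triage rules
are assumptions about what a reviewer checks first, not verdicts.
"""
import re

# Trimmed from the log posted in the thread above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
C:\\Downloads\\hijackthis\\HijackThis.exe

O4 - HKLM\\..\\Run: [KAVPersonal50] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe" /minimize
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - Global Startup: RAID Manager.lnk = ?
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8AF4C280-CECA-4B0B-A5E5-184D05575791}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ati HotKey Poller - Unknown - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumed "expected" locations for running processes (lower-cased for comparison).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return (processes, entries): the running-process paths and a list of
    (section code, body) tuples for every 'Oxx - ...' line."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return a list of (kind, subject, detail) findings worth a second look."""
    processes, entries = parse_hjt(text)
    findings = []
    for code, body in entries:
        if code == "O23":
            # O23 body: "Service: <name> - <vendor> - <path>"
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown":
                findings.append(("unknown-vendor-service", parts[0], parts[2]))
        elif code == "O4" and body.rstrip().endswith("= ?"):
            findings.append(("unresolved-startup-target", body, ""))
        elif code == "O17":
            # Name-server overrides are where DNS hijacks show up; confirm against the ISP.
            findings.append(("dns-server-override", body.split(": ", 1)[-1], ""))
    for path in processes:
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(("process-outside-system-dirs", path, ""))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {subject} {detail}".rstrip())
```

On the sample this surfaces four items: the ATI service with an "Unknown" vendor, the RAID Manager shortcut whose target could not be resolved, the two name servers, and HijackThis itself running from C:\Downloads. None of those is malicious here (which matches the "no problem" verdict in the thread); the point of the script is to shorten the list a human has to read, not to replace the human.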
Posted on 20-1-2005 07:39 PM
This one,
http://grc.com/files/DCOMbob.exe
is DCOMbobulator: it "allows any Windows user to quickly check their system's DCOM vulnerability, then simply shut down the unnecessary DCOM security risk."
It will check your port 135.
Posted on 20-1-2005 09:04 PM
Verifying Microsoft's DCOM Patch Effectiveness

We have confirmed reports that Microsoft's DCOM patch does not always "take" and that Windows systems have remained vulnerable to DCOM exploitation even after the patch has been applied. You would be wise, therefore, to verify the state of your system's vulnerability (with DCOM enabled) so that you can verify that Microsoft's DCOM patch was effective for you.

To do this, you must first enable DCOM in order to perform the vulnerability test, then disable it again (for protection from any possible next DCOM exploit). Use this utility to enable DCOM (with the "Enable DCOM" button on the "DCOMbobulate Me!" tab), then restart your system and use the "Local DCOM Test" button on this tab to quickly check your system. Finally, click the "Disable DCOM" button on the "DCOMbobulate Me!" tab to disable and unbind DCOM, and restart your system one final time.

A note about enabling DCOM: If this system is not protected by a personal router or firewall which is blocking access to TCP port 135, you may wish to briefly disconnect the system from the Internet while DCOM is enabled during vulnerability testing to prevent its possible compromise during that time.

Completely Closing Port 135

Unfortunately, DCOM is not the only Windows service to open and listen for incoming TCP and UDP network traffic through port 135. Therefore, although this utility will disable and thoroughly "unbind" DCOM from its use of port 135 over both TCP and UDP protocols, port 135 may still be held open by other services. (Windows 95/98/ME users will not have this problem. Their port 135 will be completely closed.)

Closing TCP port 135:
Aside from DCOM, port 135 is also held open by the Windows Task Scheduler and Distributed Transaction Coordinator (MSDTC) services under Windows NT/2000/XP/2003. If the Task Scheduler and MSDTC are stopped and disabled to prevent starting, and if this utility is used to stop and unbind DCOM's use of IP protocols, TCP port 135 will be completely closed after a system restart.

Being a big fan of stopping unnecessary services and closing ports that should not be open, I personally like the idea of stopping Windows Task Scheduler and MSDTC and completely closing port 135. But many Windows applications, including many anti-viral, anti-Trojan, and other systems, depend upon the Task Scheduler to obtain their updates. Therefore, shutting down the Task Scheduler may not be safe or recommended for you. Windows XP also uses the Task Scheduler to run its "Prefetch" system for optimizing XP's boot performance.

For these reasons we do not encourage anyone to stop their Task Scheduler service unless they are willing to accept full responsibility for the possible consequences of doing so. However, I wanted to let expert users know what was still holding TCP port 135 open after thoroughly shutting down DCOM in case they wished to take responsibility for closing it. (The Windows Task Scheduler and Distributed Transaction Coordinator are the culprits.)

Closing UDP port 135:
Aside from DCOM's possible (though non-default) use of UDP port 135 (which this utility also unbinds), UDP port 135 is held open by the infamous Windows Messenger Service. This is the service which, also running by default, has been causing havoc by facilitating unsolicited pop-up advertisements on Windows desktops. Our free "Shoot The Messenger" utility shuts down and disables the Windows Messenger Service and, in the process, closes UDP port 135.
Posted on 21-1-2005 02:02 AM
Thread starter, which firewall do you use?
I suggest you use Outpost Firewall 2.5, it works very well!
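The GRC text quoted above makes a point that is easy to miss: unbinding DCOM does not by itself close port 135, because Task Scheduler and MSDTC can still hold TCP/135 and the Messenger service UDP/135. The only way to know is to look at which process owns the listening socket before and after the change. The script below is an added example, not from the thread or from GRC's DCOMbobulator; it works on pasted output from `netstat -ano` and `tasklist /svc`, which on Windows XP you run yourself. The two netstat blocks and the tasklist block are constructed to look like that output (the PID-to-service mapping is invented for the example), and real output may differ in spacing.

```python
"""Report which processes still hold port 135, from netstat/tasklist text.

Added example, not from the thread or from GRC. The sample blocks below are
constructed to resemble Windows XP 'netstat -ano' and 'tasklist /svc' output;
PIDs and service assignments are invented for illustration.
"""
import re

# Constructed: machine before any change, port 135 open over TCP and UDP.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1064
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1064
  UDP    0.0.0.0:135            *:*                                    1180
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed: same machine after DCOM is unbound and the other port-135
# services (Task Scheduler, MSDTC, Messenger) are stopped, then rebooted.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed 'tasklist /svc' output mapping PIDs to the services they host.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System                            4 N/A
svchost.exe                    1064 RpcSs
svchost.exe                    1180 Messenger, Schedule
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_netstat(text):
    """Return one dict per socket line: proto, laddr, port, state (None for UDP), pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m.group("proto"), "laddr": m.group("laddr"),
                         "port": int(m.group("lport")), "state": m.group("state"),
                         "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text):
    """Return {pid: (image name, services string)}; header/separator lines are skipped."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group("pid"))] = (m.group("image"), m.group("services").strip())
    return pids


def holders_of_port(netstat_text, tasklist_text, port=135):
    """Sorted list of (proto, pid, image, services) for sockets bound to `port`."""
    pids = parse_tasklist(tasklist_text)
    holders = []
    for r in parse_netstat(netstat_text):
        # UDP lines carry no state; for TCP only count listening sockets.
        if r["port"] == port and (r["proto"] == "UDP" or r["state"] == "LISTENING"):
            image, services = pids.get(r["pid"], ("?", "?"))
            holders.append((r["proto"], r["pid"], image, services))
    return sorted(holders)


def port_is_closed(netstat_text, tasklist_text, port=135):
    """True when nothing is bound to `port` over TCP or UDP."""
    return not holders_of_port(netstat_text, tasklist_text, port)


if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(f"[{label}] port 135 closed: {port_is_closed(text, TASKLIST)}")
        for proto, pid, image, services in holders_of_port(text, TASKLIST):
            print(f"  {proto} 135 held by {image} (PID {pid}: {services})")
```

In the "before" sample the TCP listener belongs to the svchost hosting RpcSs and the UDP socket to the one hosting Messenger and Schedule, which is exactly the situation the GRC text describes; in the "after" sample nothing is bound to 135 over either protocol. Because the check keys on the socket table rather than on what a tool claims to have disabled, it also catches the case GRC warns about, where the patch or the disable step did not "take".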
Copyright © 1996-2023 Cari Internet Sdn Bhd (483575-W)