Views: 759 | Replies: 12
lovesan virus??
Why does the lovesan virus keep attacking my computer?
My Kaspersky has already detected it and cleaned it, but before long it is bombarding my computer again, and 5 or 6 of them come at once. Is there any way to stop it from attacking my computer again?
[ Last edited by okboy on 10-1-2005 at 01:21 PM ]
Posted on 10-1-2005 02:08 PM
Posted on 19-1-2005 11:19 PM (thread starter)
Is there really no way to stop it? As soon as I turn off the firewall, I get attacked....
Posted on 20-1-2005 08:52 AM

Posted on 20-1-2005 11:38 AM
Lovesan is a W32.Blaster.A variant that exploits a security issue related to Remote Procedure Call (RPC).
It is a variant of the Blaster worm.
Please update your Windows:
http://www.microsoft.com/security/incident/blast.mspx
The worm scans the internet for a system with TCP port 135 available, and then infects it. The virus then downloads a tool to release more copies of the virus, and broadcasts packets of data to any available network.
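As an added example (not from the original post, and not Kaspersky's or ZoneAlarm's code), here is a small Python script that looks through inbound firewall log lines for what the sweep described above looks like from the victim's side: a burst of connection attempts to TCP port 135 from several different hosts within a short time. The log lines are constructed in a ZoneAlarm-style comma-separated layout; that layout and the field positions are an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample (ZoneAlarm-style layout, an assumption): six SYNs to
# TCP/135 from five hosts within seconds, the "5/6 at once" the thread starter
# describes, plus one port-80 probe and one lone port-135 probe later.
SAMPLE_LOG = """\
FWIN,2005/01/20,15:46:01 +8:00 GMT,198.51.100.7:1035,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:46:02 +8:00 GMT,198.51.100.9:1044,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:46:02 +8:00 GMT,203.0.113.4:2211,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:46:03 +8:00 GMT,203.0.113.18:3020,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:46:04 +8:00 GMT,198.51.100.7:1036,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:46:05 +8:00 GMT,192.0.2.55:4001,192.0.2.10:135,TCP (flags:S)
FWIN,2005/01/20,15:50:00 +8:00 GMT,198.51.100.30:1100,192.0.2.10:80,TCP (flags:S)
FWIN,2005/01/20,16:10:00 +8:00 GMT,203.0.113.99:1101,192.0.2.10:135,TCP (flags:S)
"""

def parse_line(line):
    """Parse an inbound (FWIN) line to (ts, src_ip, dst_port, proto), else None."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    ts = datetime.strptime(parts[1] + " " + parts[2].split(" ")[0], "%Y/%m/%d %H:%M:%S")
    src_ip = parts[3].rsplit(":", 1)[0]
    dst_port = int(parts[4].rsplit(":", 1)[1])
    return ts, src_ip, dst_port, parts[5].split(" ")[0]

def find_port135_bursts(log_text, window=timedelta(seconds=60), min_sources=3):
    """Group inbound TCP/135 hits into `window`-sized runs and return the runs
    where at least `min_sources` distinct hosts probed: a worm sweep, not a
    single stray connection."""
    hits = sorted(h for h in map(parse_line, log_text.splitlines())
                  if h and h[2] == 135 and h[3] == "TCP")
    bursts, start = [], None
    for ts, src_ip, _, _ in hits:
        if start is None or ts - start > window:
            start = ts
            bursts.append({"start": start, "count": 0, "sources": set()})
        bursts[-1]["count"] += 1
        bursts[-1]["sources"].add(src_ip)
    return [b for b in bursts if len(b["sources"]) >= min_sources]

if __name__ == "__main__":
    for b in find_port135_bursts(SAMPLE_LOG):
        print(f"{b['start']}: {b['count']} probes of TCP/135 from "
              f"{len(b['sources'])} hosts: {', '.join(sorted(b['sources']))}")
```

Seeing such bursts while the firewall is up is the firewall doing its job; the fix for the underlying exposure is still the Microsoft patch linked above.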
Posted on 20-1-2005 11:46 AM

Posted on 20-1-2005 01:33 PM (thread starter)

Posted on 20-1-2005 02:13 PM

Posted on 20-1-2005 04:06 PM (thread starter)
Please give me more information.
Is the full name of the virus Worm.Win32.Lovesan?
The information Kaspersky gives me is just "lovesan", and that it comes in through port 135...
Logfile of HijackThis v1.99.0
Scan saved at 3:46:55 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsof ... e.cab?1105820132687
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4C280-CECA-4B0B-A5E5-184D05575791}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1AD66C5-8ADE-4803-A0D8-9CD8493AFF1B}: NameServer = 202.188.1.5,202.188.0.133
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I looked through it and it seems fine to me too, so could you please check it once more for me...
[ Last edited by okboy on 20-1-2005 at 04:09 PM ]
Posted on 20-1-2005 07:05 PM

Posted on 20-1-2005 07:39 PM
This one:
http://grc.com/files/DCOMbob.exe
is DCOMbobulator, which "allows any Windows user to quickly check their system's DCOM vulnerability, then simply shut down the unnecessary DCOM security risk."
It will check your port 135.
Posted on 20-1-2005 09:04 PM
Verifying Microsoft's DCOM Patch Effectiveness
We have confirmed reports that Microsoft's DCOM patch does not always "take" and that Windows systems have remained vulnerable to DCOM exploitation even after the patch has been applied. You would be wise, therefore, to verify the state of your system's vulnerability (with DCOM enabled) so that you can verify that Microsoft's DCOM patch was effective for you.
To do this, you must first enable DCOM in order to perform the vulnerability test, then disable it again (for protection from any possible next DCOM exploit). Use this utility to enable DCOM (with the "Enable DCOM" button on the "DCOMbobulate Me!" tab), then restart your system and use the "Local DCOM Test" button on this tab to quickly check your system. Finally, click the "Disable DCOM" button on the "DCOMbobulate Me!" tab to disable and unbind DCOM, and restart your system one final time.
A note about enabling DCOM: If this system is not protected by a personal router or firewall which is blocking access to TCP port 135, you may wish to briefly disconnect the system from the Internet while DCOM is enabled during vulnerability testing to prevent its possible compromise during that time.
Completely Closing Port 135
Unfortunately, DCOM is not the only Windows service to open and listen for incoming TCP and UDP network traffic through port 135. Therefore, although this utility will disable and thoroughly "unbind" DCOM from its use of port 135 over both TCP and UDP protocols, port 135 may still be held open by other services. (Windows 95/98/ME users will not have this problem. Their port 135 will be completely closed.)
Closing TCP port 135:
Aside from DCOM, port 135 is also held open by the Windows Task Scheduler and Distributed Transaction Coordinator (MSDTC) services under Windows NT/2000/XP/2003. If the Task Scheduler and MSDTC are stopped and disabled to prevent starting, and if this utility is used to stop and unbind DCOM's use of IP protocols, TCP port 135 will be completely closed after a system restart.
Being a big fan of stopping unnecessary services and closing ports that should not be open, I personally like the idea of stopping Windows Task Scheduler and MSDTC and completely closing port 135. But many Windows applications, including many anti-viral, anti-Trojan, and other systems, depend upon the Task Scheduler to obtain their updates. Therefore, shutting down the Task Scheduler may not be safe or recommended for you. Windows XP also uses the Task Scheduler to run its "Prefetch" system for optimizing XP's boot performance.
For these reasons we do not encourage anyone to stop their Task Scheduler service unless they are willing to accept full responsibility for the possible consequences of doing so. However, I wanted to let expert users know what was still holding TCP port 135 open after thoroughly shutting down DCOM in case they wished to take responsibility for closing it. (The Windows Task Scheduler and Distributed Transaction Coordinator are the culprits.)
Closing UDP port 135:
Aside from DCOM's possible (though non-default) use of UDP port 135 (which this utility also unbinds), UDP port 135 is held open by the infamous Windows Messenger Service. This is the service which, also running by default, has been causing havoc by facilitating unsolicited pop-up advertisements on Windows desktops. Our free "Shoot The Messenger" utility shuts down and disables the Windows Messenger Service and, in the process, closes UDP port 135.
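To check the point made in the quoted text, that port 135 can still be held open by the Task Scheduler, MSDTC or the Messenger service after DCOM has been unbound, here is an added Python example (not GRC's code and not part of the original post) that cross-references `netstat -ano` with `tasklist /svc` output and reports which process and hosted services hold port 135. The two command outputs below are constructed to mimic the Windows XP layout; on a real system they would be replaced by the actual output of those two commands.

```python
import re

# Constructed `netstat -ano` output (XP layout): DCOM is unbound, yet 135 is still listening.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1100
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    1144
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output: which services each PID hosts.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1100 Schedule, Browser
svchost.exe                   1144 Messenger
msdtc.exe                     1212 MSDTC
"""

NETSTAT_RE = re.compile(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"(\S+)\s+(\d+)\s+(.+)$")

def port_holders(netstat_text, port=135):
    """Return the set of (proto, pid) sockets bound to `port` on any local address."""
    holders = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            holders.add((m.group(1), int(m.group(3))))
    return holders

def services_by_pid(tasklist_text):
    """Map pid -> (image name, [service names]) from `tasklist /svc` output."""
    table = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line.strip())
        if m:
            table[int(m.group(2))] = (m.group(1), [s.strip() for s in m.group(3).split(",")])
    return table

def report_port(netstat_text, tasklist_text, port=135):
    """List (proto, pid, image, services) for every socket still holding `port`;
    an empty list means the port is completely closed."""
    svc = services_by_pid(tasklist_text)
    return sorted((proto, pid) + svc.get(pid, ("?", []))
                  for proto, pid in port_holders(netstat_text, port))

if __name__ == "__main__":
    for proto, pid, image, services in report_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto}/135 held by PID {pid} ({image}): {', '.join(services)}")
```

A svchost.exe that hosts several services is listed with all of them, so the report narrows the culprit to that group rather than naming one service outright.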
Posted on 21-1-2005 02:02 AM
Thread starter, what firewall are you using?
I suggest you use Outpost Firewall 2.5, it works very well!