Remotely controlled at an internet cafe!

Just now, while browsing, I felt I was being remotely controlled (the web page scrolled by itself, and even more suspiciously the indicator showed the mouse wheel being pressed, while I had checked that the mouse wheel could not be pressed by accident). So I opened the process list in Task Manager and ended all the suspicious processes, then looked through the system services and found the thing below! It turned out to be WinVNC (a well-known remote control program)...

Service name: WinVNC4
Display name: Remote Control Server
File location: C:\WINDOWS\system32\rmserver.exe

Stopped the service, disabled it from starting, and everything went back to normal...

Googling the file name turned up two possibilities:
1. The remote monitoring service program of Wanxiang (万象).
2. The streaming media server of RealHelixServer.

So it looks like the first one!
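The steps above (list the services, find the one launching an unexpected binary, stop it, disable it) can be scripted so that the check does not depend on eyeballing the Services panel. The script below is an added example and is not part of the original post; it assumes Windows PowerShell 5.1 or later running from an elevated prompt, and the only IOC it carries is the SHA256 that the VirusTotal output later in this post reports for rmserver.exe. The service name `WinVNC4` and the "Remote Control" product string are the ones the post found; everything else is generic.

```powershell
# Added triage example (not from the original post). Assumes Windows PowerShell 5.1+
# in an elevated session. The SHA256 below is the one the post's VirusTotal report
# lists for rmserver.exe; the service name and product string are from the post too.
$KnownBadSha256 = @{
    'f1764830f1b7a8a126e5ca2de5ac12f90d55f109ec0050ecf6fcf499401aaa20' =
        'rmserver.exe (Remote Control 4.0, WinVNC4 service per VirusTotal report)'
}

# Win32_Service.PathName is the full launch command line; strip quotes and
# arguments to get the executable path itself.
function Get-ServiceBinary {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# 1. Enumerate every service with its binary, signature status, version info and hash.
$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinary $svc.PathName
    # Paths using %SystemRoot% or similar will not resolve here; skip rather than guess.
    if (-not $exe -or -not (Test-Path $exe)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash.ToLower()
    $ver  = (Get-Item $exe).VersionInfo
    [pscustomobject]@{
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        Path        = $exe
        Signature   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Product     = $ver.ProductName
        Sha256      = $hash
        KnownBad    = $KnownBadSha256[$hash]   # $null unless the hash is on the IOC list
    }
}

# 2. Surface suspects: exact IOC hits, unsigned service binaries, and anything whose
#    display or product name reads like remote control software.
$suspects = $findings | Where-Object {
    $_.KnownBad -or
    $_.Signature -ne 'Valid' -or
    ($_.DisplayName + ' ' + $_.Product) -match 'Remote Control|VNC'
}
$suspects | Format-Table Service, DisplayName, StartMode, Signature, Product, KnownBad -AutoSize

# 3. Contain a confirmed hit the way the post did: stop it, then disable it so it
#    does not return at the next boot. Only act on a service you have actually confirmed.
$target = 'WinVNC4'
if (Get-Service -Name $target -ErrorAction SilentlyContinue) {
    Stop-Service -Name $target -Force
    Set-Service  -Name $target -StartupType Disabled
    Get-Service  -Name $target | Format-List Name, Status, StartType
}
```

Two caveats a practitioner would want: `NotSigned` on its own is a weak signal on older or heavily customised machines (plenty of legitimate cafe-management and driver services ship unsigned), so treat step 2 as a shortlist for manual review and reserve step 3 for a service whose binary you have actually confirmed, for example by its hash or by a product string like the "Remote Control 4.0" that sigcheck reports below. And disabling the service only removes the persistence; the process that was driving your mouse may still be running until it is stopped, which is why the post killed the suspicious processes first.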

Note (VirusTotal analysis result for the suspicious file rmserver.exe):

McAfee-GW-Edition 6.8.5 Heuristic.BehavesLike.Win32.Suspicious.J

File size: 667718 bytes
MD5: 7f4d6cb72ee03579a70988ccd41c0ada
SHA1: 8c879898260a1bbae698e58c4f91f37a3305c87d
SHA256: f1764830f1b7a8a126e5ca2de5ac12f90d55f109ec0050ecf6fcf499401aaa20
ssdeep: 12288:poLSRndRBvVIcEUDqmPMhZL/oDp5h3w/j1rRc+d14/Jli:FvVEUDQ45h3w71rRD2/y

PEiD: –
PEInfo: PE Structure information

( base data )
entry point address: 0x56e20
timedatestamp: 0x44e95a4d (Mon Aug 21 07:01:33 2006)
machine type: 0x14c (I386)

( 5 sections )
name virt_addr virt_size raw_size entropy md5
.text 0x1000 0x72679 0x73000 6.12 8b46257c0d174da215d03b6f96d18cf2
.rdata 0x74000 0x95a2 0xa000 4.68 d12ef0952a5f9a54fb86695059996100
.data 0x7e000 0xae24 0x9000 5.06 14b737ad38e2ed5f9c0336362a02eb9d
.rsrc 0x89000 0x15fc0 0x16000 7.77 3723cb909e588817081f6564ea463326
.reloc 0x9f000 0x5228 0x6000 5.73 f8d78eb7cd9b98eccbf7ccbe626d406f

( 10 imports )
> USER32.dll: PostThreadMessageA, DispatchMessageA, TranslateMessage, GetMessageA, PostMessageA, SetWindowTextA, PostQuitMessage, DialogBoxParamA, GetDlgItem, GetDlgItemInt, GetDlgItemTextA, SetDlgItemInt, SetDlgItemTextA, EnableWindow, GetWindowLongA, SetWindowLongA, EndDialog, CloseDesktop, GetUserObjectInformationA, OpenInputDesktop, GetThreadDesktop, SetThreadDesktop, OpenDesktopA, GetWindowThreadProcessId, WaitForInputIdle, RegisterClassA, UnregisterClassA, CreateWindowExA, ReleaseDC, ExitWindowsEx, GetDC, KillTimer, GetIconInfo, DestroyWindow, GetWindowRect, GetDesktopWindow, IsWindowVisible, SetWindowPos, MessageBoxA, DefWindowProcA, ClientToScreen, GetClientRect, IsRectEmpty, IsIconic, IsWindow, EnumWindows, GetClassNameA, GetForegroundWindow, SetClipboardViewer, ChangeClipboardChain, CloseClipboard, GetClipboardData, OpenClipboard, GetClipboardOwner, SetClipboardData, EmptyClipboard, mouse_event, GetSystemMetrics, keybd_event, MapVirtualKeyA, GetAsyncKeyState, ToAscii, SetTimer, DrawIconEx, TrackPopupMenu, GetCursorPos, SetForegroundWindow, SystemParametersInfoA, VkKeyScanA, FindWindowA, MsgWaitForMultipleObjects, PeekMessageA, LoadImageA, SendMessageA, LoadMenuA, GetSubMenu, SetMenuDefaultItem, EnableMenuItem
> SHELL32.dll: Shell_NotifyIconA
> wm_hooks.dll: WM_Hooks_WindowClientAreaChanged, WM_Hooks_WindowBorderChanged, WM_Hooks_RectangleChanged, WM_Hooks_CursorChanged, WM_Hooks_WindowChanged, WM_Hooks_SetDiagnosticRange, WM_Hooks_EnableRealInputs, WM_Hooks_Diagnostic, WM_Hooks_Remove, WM_Hooks_EnableCursorShape, WM_Hooks_Install
> KERNEL32.dll: CreateEventA, ResumeThread, GetCurrentThread, GetCurrentThreadId, TlsGetValue, SetProcessShutdownParameters, CreateProcessA, TerminateProcess, OpenProcess, FormatMessageA, GetCurrentProcess, GetVersionExA, WaitForMultipleObjects, GetModuleFileNameA, GetProcAddress, LoadLibraryA, FreeLibrary, QueryPerformanceFrequency, QueryPerformanceCounter, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, GetCurrentProcessId, RtlUnwind, RaiseException, CreateThread, GetVersion, ExitProcess, GetTimeZoneInformation, GetSystemTime, GetLocalTime, InterlockedDecrement, InterlockedIncrement, IsBadWritePtr, IsBadReadPtr, HeapValidate, DebugBreak, GetStdHandle, WriteFile, OutputDebugStringA, TlsFree, TlsSetValue, FatalAppExitA, HeapFree, SetUnhandledExceptionFilter, GetCPInfo, GetACP, GetOEMCP, SetHandleCount, GetFileType, GetStartupInfoA, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, ReadFile, SetConsoleCtrlHandler, FlushFileBuffers, MultiByteToWideChar, LCMapStringA, LCMapStringW, HeapAlloc, HeapReAlloc, VirtualAlloc, IsBadCodePtr, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, SetFilePointer, GetStringTypeA, GetStringTypeW, SetStdHandle, CreateFileA, SetEndOfFile, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, InterlockedExchange, TlsAlloc, OpenMutexA, GetSystemTimeAsFileTime, CreateMutexA, FreeConsole, SetEvent, ResetEvent, WaitForSingleObject, GetComputerNameA, CloseHandle, LeaveCriticalSection, EnterCriticalSection, Sleep, DeleteCriticalSection, InitializeCriticalSection, GetLastError, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, SetLastError, GetCommandLineA
> ADVAPI32.dll: SetServiceStatus, RegDeleteKeyA, RegCreateKeyA, RegOpenKeyExA, GetUserNameA, RevertToSelf, RegCloseKey, ImpersonateLoggedOnUser, OpenProcessToken, CreateProcessAsUserA, ControlService, StartServiceA, OpenServiceA, DeleteService, CloseServiceHandle, OpenSCManagerA, CreateServiceA, DeregisterEventSource, ReportEventA, RegisterEventSourceA, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, RegDeleteValueA, RegNotifyChangeKeyValue, RegSetValueExA, RegQueryValueExA, RegEnumValueA, CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, RegQueryInfoKeyA
> GDI32.dll: CreatePalette, CreateDCA, GetClipBox, CreateDIBSection, SetDIBColorTable, GetObjectA, GetBitmapBits, GetSystemPaletteEntries, GdiFlush, BitBlt, GetDeviceCaps, SelectPalette, RealizePalette, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDIBits, ResizePalette, UnrealizeObject, SetPaletteEntries, DeleteDC, DeleteObject
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, WSAEventSelect, -, -, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAResetEvent
> VERSION.dll: GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoA
> COMCTL32.dll: PropertySheetA, CreatePropertySheetPageA
> ole32.dll: CoUninitialize, CoCreateInstance, CoInitialize

( 0 exports )

RDS: NSRL Reference Data Set

pdfid: –
sigcheck:
publisher:
copyright:
product: Remote Control 4.0
description: Remote Control for Win32
original name:
internal name: Remote Control 4.0
file version: 4.0
comments:
signers: –
signing date: –
verified: Unsigned

trid: Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)