
[Virus sample] Avira AntiVir Premium flags unins000.exe from Haifeng Wubi and the official Xunlei (Thunder)

snakebone
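Posted on 2007-10-26 11:56:32
As the title says. Everyone, please take a look: are these files really infected, or is this a false positive?

I am also attaching my full-system scan report from today.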

AntiVir PersonalEdition Premium
Report file date: 2007年10月26日  10:56
Scanning for 903047 virus strains and unwanted programs.
Licensed to:      
Serial number:   
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         
Computer name:   
Version information:
BUILD.DAT    : 308           17199 Bytes   2007-9-19 13:44:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes   2007-8-23 06:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes   2007-8-16 05:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes   2007-8-14 08:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes   2007-8-21 05:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes   2007-7-18 07:27:15
ANTIVIR1.VDF : 7.0.0.0     1640448 Bytes   2007-9-13 07:26:55
ANTIVIR2.VDF : 7.0.0.91     687104 Bytes  2007-10-16 02:37:37
ANTIVIR3.VDF : 7.0.0.135    265216 Bytes  2007-10-25 02:54:59
AVEWIN32.DLL : 7.6.0.27    3019264 Bytes  2007-10-19 06:19:21
AVWINLL.DLL  : 1.0.0.7       14376 Bytes   2007-2-26 03:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes   2007-7-18 00:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes   2007-4-16 06:16:24
AVPACK32.DLL : 7.3.0.15     360488 Bytes    2007-8-3 01:46:00
AVREG.DLL    : 7.0.1.6       30760 Bytes   2007-7-18 00:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes   2007-8-28 05:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes   2007-7-18 00:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes    2007-3-8 04:09:42
RCIMAGE.DLL  : 7.0.1.30    2576424 Bytes    2007-8-7 05:51:06
RCTEXT.DLL   : 7.0.62.0      86056 Bytes   2007-8-21 06:03:18
SQLITE3.DLL  : 3.3.17.1     339968 Bytes   2007-7-23 02:37:21
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition premium\sysscan.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: delete
Scan master boot sector..........: off
Scan boot sector.................: off
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+JOKE,+SPR,
Start of the scan: 2007年10月26日  10:56
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rfwmain.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'rfwstub.exe' - '1' Module(s) have been scanned
Scan process 'rfwProxy.exe' - '1' Module(s) have been scanned
Scan process 'rfwsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
20 processes with 20 modules were scanned
Starting to scan the registry.
The registry was scanned ( '18' files ).

Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\serialui.dll
      [WARNING]   The file could not be read!
Begin scan in 'D:\'
D:\SunWb\unins000.exe
      [DETECTION] Contains detection pattern of the SPR/Agent.FJ program
      [INFO]      A backup was created as '478a58cd.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!
D:\Thunder\unins000.exe
      [DETECTION] Contains detection pattern of the SPR/Agent.FJ program
      [INFO]      A backup was created as '478a58ce.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!
Begin scan in 'E:\'
Begin scan in 'F:\'

End of the scan: 2007年10月26日  11:03
Used time: 07:16 min
The scan has been done completely.
   1526 Scanning directories
  33335 Files were scanned
      2 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      2 files were deleted
      0 files were repaired
      2 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
  33333 Files not concerned
    440 Archives were scanned
      2 Warnings
     16 Notes

[ Last edited by snakebone on 2007-10-26 11:59 ]

scottxzt
Posted on 2007-10-26 12:00:48
unins000.exe cannot be tested.
Redevil
Posted on 2007-10-26 12:03:04
Probably a false positive.
Report it to Kaspersky and see the result.


Hello,
unins000(1).exe_, unins000.exe_
No malicious code were found in these files.
Please quote all when answering.
--
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/
http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

> Attachment: ??unins000[1].exe.rar
> Attachment: ????unins000.rar
>  
>  
>  2007-10-26
>    MiY
.

[ Last edited by Redevil on 2007-10-26 13:15 ]
小邪邪
Posted on 2007-10-26 12:03:36
It is a false positive.
mofunzone
Posted on 2007-10-26 12:11:08
Many false positives for this signature have already been reported; it is expected to be fixed within 2 days.
wwtd
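Posted on 2007-10-26 12:27:41
Definitely a false positive. Around July, Norton had the same kind of false positive and ended up quarantining all the uninstallers, but Symantec responded fairly quickly and fixed the false positive the next day.

[ Last edited by wwtd on 2007-10-26 12:28 ]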
snakebone
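Original poster | Posted on 2007-10-26 12:28:21
It looks like this will be cleared up after a while.
One more question for everyone: one of my files was flagged with a warning, C:\WINDOWS\system32\serialui.dll. This has never happened before, and it does not seem normal to me. I looked it up online, and it says serialui.dll ... serial port property page. What does that mean? Some friends told me it was locked by the system and therefore could not be scanned. What does that mean? I would appreciate any guidance.

[ Last edited by snakebone on 2007-10-26 12:32 ]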
wwtd
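Posted on 2007-10-26 12:31:01
Originally posted by snakebone on 2007-10-26 12:28
It looks like this will be cleared up after a while.
One more question for everyone: one of my files was flagged with a warning, C:\WINDOWS\system32\serialui.dll. This has never happened before. I looked it up online, and it says serialui.dll ... serial port property page. What does that mean, ...

That means the file is being used by another process. Because it is locked, Avira cannot monitor it, so a warning appears. If you are sure it is a safe file, just ignore it.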
snakebone
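Original poster | Posted on 2007-10-26 12:33:53

Reply to wwtd's post (#8)

I wanted to compress it from the right-click menu and upload it, but the machine froze when I right-clicked, and then it would not let me compress the file either. I have never run into this before. Is that normal?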
wwtd
Posted on 2007-10-26 12:38:14
That is normal. If you are worried, you can use IceSword to see what is locking it.