卡巴不报!MD5: FCC8C6

SONGBOWEN

狙剑的监控拦截的部分操作

程序：
< C:\Program Files\Common Files\System\lxpbnfn.exe >

要求写入：

{ C:\Program Files\Common Files\Microsoft Shared\cmvrsaw.exe }

到此注册键:

{ \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe }

是否允许?



程序：
< C:\Program Files\Common Files\System\lxpbnfn.exe >

要求写入下列程序：

{ \??\C:\Program Files\Common Files\System\otcujrh.inf }

是否允许?


程序：
< C:\Program Files\Common Files\Microsoft Shared\cmvrsaw.exe >

要求写入下列程序：

{ \??\C:\Program Files\meex.exe }

是否允许?

程序：
< C:\Program Files\Common Files\Microsoft Shared\cmvrsaw.exe >

要求写入下列程序：

{ \??\C:\Program Files\Common Files\System\lxpbnfn.exe }

是否允许?


程序：
< C:\Program Files\Common Files\Microsoft Shared\cmvrsaw.exe >

要求写入下列程序：

{ \??\C:\Program Files\Common Files\Microsoft Shared\otcujrh.inf }

是否允许?

capsshift

原帖由 SONGBOWEN 于 2007-11-5 21:43 发表
汗一个，真够BT的……

右边那个隐藏系统文件的选项，是VISTA中的啊。

wangjay1980

rommabp.exe - Virus.Win32.AutoRun.aat

Redevil

卡巴斯基互联网安全套装 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=149430 is infected with Trojan.BAT.KillAV.gb virus



请问楼主使用主防了吗？以下是我把卡巴的文件监控关闭后只用主防的结果

[ 本帖最后由 Redevil 于 2007-11-6 00:10 编辑 ]

uhthn2002

Uhthn Anti-Spyware V3 Alpha
Version - 3.0.0
Standard Database - 810
Paranoia Database - 48490
Heuristics Analysis - Excessive
Scan in - C:\Documents and Settings\Uhthn\Desktop\rommabp.exe

C:\Documents and Settings\Uhthn\Desktop\rommabp.exe - Suspected MaliciousScope:WIN32.GENERIC.MALWARE.8

1 Files scanned
0 Infected files found
1 Suspected files found
0 Files disinfected
0 Files deleted

紫竹枫林

The file contains a virus or unwanted program 'TR/Delphi.Downloader.Gen' [trojan]
Action(s) taken:
The file was deleted!

michaelhalu

AVG和迅雷的卡巴模块都报，但FSCS不报

a256886572008

先測試rommabp.exe，生成了lxpbnfn.exe和cmvrsaw.exe

otcujrh.inf的結構

[AutoRun]
open=rommabp.exe
shell\open=打开(&O)
shell\open\Command=rommabp.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=rommabp.exe

[ 本帖最后由 a256886572008 于 2007-11-6 08:50 编辑 ]

a256886572008

再來測試lxpbnfn.exe

1.IFEO

[quote]
Ras.exe
avp.com
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
zjb.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KRegEx.exe
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
irsetup.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
KvReport.kxp
QQSC.exe
ghost.exe
AvastU3.exe
KRepair.com

[/quote]

2.HIV技術，關閉"影子"的進程並添加註冊表

3.U盤病毒 和 刪除"安全模式"的註冊表

4.隱藏文件

5.修改了U盘自动启动功能

6.添加啟動項

[ 本帖最后由 a256886572008 于 2007-11-6 08:27 编辑 ]

a256886572008

再來測試cmvrsaw.exe

1.複製自身並連網

2.替換系統文件

3.HIV技術，添加註冊表

4.添加啟動項

[ 本帖最后由 a256886572008 于 2007-11-6 08:48 编辑 ]