新发现的未知病毒

lyljj

在某个论坛下载的破解补丁，运行后改系统时间，关闭瑞星监控（从它的批处理看的，没装瑞星不知道怎么样）。用的卡巴6.0，发现不了。
用冰刃和autoruns逐个手动删除了，压缩包里是那个补丁文件是主体，下面三个是释放出来的病毒文件，其中一个是自解压压缩包。盼高手帮我看看都是什么，我手动清理漏掉什么了没有。谢谢了。

Graybird

4个~

Starting the file scan:

Begin scan in 'E:\d.part1.rar'
Begin scan in 'E:\d.part2.rar'
E:\d.part2.rar
  [0] Archive type: RAR
    --> cmb.exe
      [1] Archive type: RAR SFX (self extracting)
      --> knlps.sys
          [DETECTION] Contains detection pattern of the application APPL/Killapp
      --> psn.exe
          [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      --> knlps.exe
          [DETECTION] Contains detection pattern of the SPR/Tool.ProcKill.KernelPS.0.4 program
      [WARNING]   The file was ignored!
Begin scan in 'E:\d.part3.rar'
E:\d.part3.rar
  [0] Archive type: RAR
  --> msisv.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [WARNING]   The file was ignored!

ALEXBLAIR

熊猫卫士	9.04.03.0001	2007.12.26	2007-12-26	Application/Killapp.D	3.967
江民杀毒	10.00.650	2007.12.26	2007-12-26	Backdoor/Huigezi.2007.azar	1.404
Prevx	V2	20071227	2007-12-27	Generic.Malware	33.407
AVG	7.5.49.442	269.17.9/1198	2007-12-26	KillApp.AA	2.965
SOPHOS	2.49.1	4.21	2007-12-27	Mal/Behav-058	11.394
VBA32	3.12.2.5	20071226.2107	2007-12-26	MalwareScope.Trojan-PSW.Game.14	5.384
迈克菲	5.2.00	5193	2007-12-26	New Win32	4.762
F-PROT	4.4.1.52	20071226	2007-12-26	Possible W32/Heuristic-162!Eldorado (not disinfectable)	16.957
QuickHeal	9.00	2007.12.26	2007-12-26	Suspicious - DNAScan	6.090
Dr.WEB	4.44.0.9170	2007.12.26	2007-12-26	Tool.KnlKillp	4.928
AntiVir	7.6.0.46	7.0.1.158	2007-12-26	TR/Dldr.Agent.zsa	3.353
MKS_VIR	2.01	2007.12.26	2007-12-26	Trojan.Prockill.AAC	5.785
ClamAV	0.91.2	5263	2007-12-27	VirTool.Kernps.A	2.024
IKARUS	T3.1.01.15	2007.12.27.70054	2007-12-27	Virus.Win32.WinFixer.S	1.347
CP Secure	1.1.0.655	2007.12.27	2007-12-27	W32.Net.W.Randon.ap	11.075
安博士V3	2007.12.27.00	2007.12.27	2007-12-27	Win-AppCare/Prockill.25088	1.414
BitDefender	7.60825.962334	7.16526	2007-12-27	Win32.Huhk.A	7.320
nProtect	2007-12-27.00	1103584	2007-12-27	Win32.Huhk.A	5.858
AVAST	1.0.8	071226-0	2007-12-26	Win32:WinFixer-S [Trj]	6.077

lyljj

Huigezi.2007， 看来对付国产病毒还是用江民比较好……
谢谢楼上的二位，我这就再找个灰鸽子专杀看看

fsr717af

原帖由 ALEXBLAIR 于 2007-12-27 12:13 发表
熊猫卫士9.04.03.00012007.12.262007-12-26Application/Killapp.D
3.967江民杀毒10.00.6502007.12.262007-12-26Backdoor/Huigezi.2007.azar
1.404PrevxV2200712272007-12-27Generic.Malware
33.407AVG7.5.49.4422 ...

怎么看也不像未知啊

ALEXBLAIR

原帖由 fsr717af 于 2007-12-27 12:32 发表

怎么看也不像未知啊

我把没报得剔出了。。。。

let11

被微点全部干掉

mofunzone

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\d'
C:\Documents and Settings\Administrator\My Documents\d\
  anybackup.1.75破解补丁.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.zsa
      [INFO]      The file was deleted!
  cmb.exe
    [0] Archive type: RAR SFX (self extracting)
    --> knlps.sys
        [DETECTION] Contains detection pattern of the application APPL/Killapp
        [WARNING]   Infected files in archives cannot be repaired!
    --> vbs.vbs
    --> bat.bat
    --> psn.exe
        [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> knlps.exe
        [DETECTION] Contains detection pattern of the SPR/Tool.ProcKill.KernelPS.0.4 program
        [WARNING]   Infected files in archives cannot be repaired!
      [INFO]      The file was deleted!
  mcist.exe
      [DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
  msisv.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [INFO]      The file was deleted!


End of the scan: 2007年12月26日  20:47
Used time: 00:04 min

The scan has been done completely.

      1 Scanning directories
      9 Files were scanned
      6 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      4 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      3 Files not concerned
      1 Archives were scanned
      3 Warnings
      0 Notes

a256886572008

2007-12-27 12:50:18    執行應用程序      操作:允許
程序路徑:C:\WINDOWS\Explorer.EXE
檔案路徑:D:\anybackup.1.75破解补丁.exe
觸發規則:所有程序規則->系統程式_黑名單->?:\*


2007-12-27 12:50:25    執行應用程序      操作:允許
程序路徑:D:\anybackup.1.75破解补丁.exe
檔案路徑:C:\Documents and Settings\Hung Jui Hung\Local Settings\Temp\temparation.tmp
觸發規則:所有程序規則->*

2007-12-27 12:51:13    執行應用程序      操作:允許
程序路徑:C:\Documents and Settings\Hung Jui Hung\Local Settings\Temp\temparation.tmp
檔案路徑:C:\WINDOWS\system32\cmd.exe
指令列:/c del "C:\DOCUME~1\HUNGJU~1\LOCALS~1\Temp\TEMPAR~1.TMP"
觸發規則:所有程序規則->系統程式_黑名單->*\cmd.exe

2007-12-27 12:50:28    執行應用程序      操作:允許
程序路徑:C:\Documents and Settings\Hung Jui Hung\Local Settings\Temp\temparation.tmp
檔案路徑:C:\WINDOWS\system32\svchost.exe
觸發規則:所有程序規則->*


2007-12-27 12:50:31    修改其它程序記憶體      操作:允許
程序路徑:C:\Documents and Settings\Hung Jui Hung\Local Settings\Temp\temparation.tmp
目標程序:C:\WINDOWS\system32\svchost.exe
觸發規則:所有程序規則->*

2007-12-27 12:51:15    建立檔案      操作:允許
程序路徑:C:\WINDOWS\system32\svchost.exe
檔案路徑:C:\Program Files\cmb.exe
觸發規則:所有程序規則->全域設定_可執行檔案1_普通模式->*.exe


2007-12-27 12:51:26    執行應用程序      操作:封鎖
程序路徑:C:\WINDOWS\system32\svchost.exe
檔案路徑:C:\Program Files\cmb.exe
觸發規則:所有程序規則->*

a256886572008

2007-12-27 13:03:38    執行應用程序      操作:允許
程序路徑:C:\WINDOWS\Explorer.EXE
檔案路徑:D:\psn.exe
觸發規則:所有程序規則->系統程式_黑名單->?:\*


2007-12-27 13:03:44    執行應用程序      操作:允許
程序路徑:D:\psn.exe
檔案路徑:D:\psn.exe
觸發規則:所有程序規則->系統程式_黑名單->?:\*

2007-12-27 13:03:49    結束/建立執行緒      操作:封鎖
程序路徑:D:\psn.exe
目標程序:C:\WINDOWS\Explorer.EXE
觸發規則:所有程序規則->*


2007-12-27 13:03:57    修改其它程序記憶體      操作:允許
程序路徑:D:\psn.exe
目標程序:C:\WINDOWS\Explorer.EXE
觸發規則:所有程序規則->系統程式_白名單->%windir%\explorer.exe


2007-12-27 13:04:01    建立檔案      操作:允許
程序路徑:C:\WINDOWS\Explorer.EXE
檔案路徑:C:\WINDOWS\msisv.exe
觸發規則:所有程序規則->全域設定_可執行檔案1_普通模式->*.exe

2007-12-27 13:04:16    建立登錄檔值      操作:封鎖
程序路徑:C:\WINDOWS\Explorer.EXE
登錄檔路徑:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3B5C01D2-3541-080B-0602-050403070505}
登錄檔名稱:[Key]
觸發規則:所有程序規則->其他重要項目_普通模式->*\SOFTWARE\Microsoft\Active Setup\Installed Components*

2007-12-27 13:04:44    安裝整體掛鉤      操作:封鎖
程序路徑:C:\WINDOWS\Explorer.EXE
檔案路徑:C:\WINDOWS\Explorer.EXE
觸發規則:所有程序規則->*

2007-12-27 13:04:18    執行應用程序      操作:允許
程序路徑:C:\WINDOWS\Explorer.EXE
檔案路徑:C:\Program Files\Internet Explorer\IEXPLORE.EXE
指令列:-nohome
觸發規則:所有程序規則->系統程式_白名單->%ProgramFiles%\Internet Explorer\IEXPLORE.EXE


2007-12-27 13:04:21    修改其它程序記憶體      操作:允許
程序路徑:C:\WINDOWS\Explorer.EXE
目標程序:C:\Program Files\Internet Explorer\IEXPLORE.EXE
觸發規則:所有程序規則->*

2007-12-27 13:05:17    刪除檔案      操作:允許
程序路徑:C:\Program Files\Internet Explorer\IEXPLORE.EXE
檔案路徑:D:\psn.exe
觸發規則:所有程序規則->全域設定_可執行檔案1_普通模式->*.exe

[ 本帖最后由 a256886572008 于 2007-12-27 13:11 编辑 ]