Views: 62863 | Replies: 14

[Identified] Malicious site?

chommy
Posted 2008-2-2 11:17:45
llgiggs
Posted 2008-2-2 11:23:19
It's all HTM and JS.

Attachment: webv.zip (4.43 KB, 196 downloads)

qianwenxiang
Posted 2008-2-2 11:24:52
2008-2-2 11:23:59 found HTTP://QQQ.521TOWN.COM/DOWN.EXE
2008-2-2 11:27:57 found HTTP://QQQ.AISHENGHO.COM/DOWN.EXE
http://qqq.hao1658.com/down.exe
Doesn't seem fully decoded yet. PS: these three come from xxx.aishengho.com/3.htm

[This post was last edited by qianwenxiang on 2008-2-2 11:32]
gho
Posted 2008-2-2 11:25:53
Scan report
2 February 2008 11:25:28 - 11:25:28
Computer name: CN-89FF4B9EA4D6
Scan type: Scan target
Target: E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QXR4PSF6\search_bot[1].js

--------------------------------------------------------------------------------

Result: 1 piece of malware found
Trojan-Downloader.HTML.Agent.gm (virus)
E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QXR4PSF6\search_bot[1].js  Action: renamed
llgiggs
Posted 2008-2-2 11:26:36
Originally posted by qianwenxiang on 2008-2-2 11:24:
HTTP://QQQ.521TOWN.COM/DOWN.EXE

Begin scan in 'C:\Documents and Settings\Administrator\桌面\DOWN.EXE'
C:\Documents and Settings\Administrator\桌面\DOWN.EXE

      [DETECTION] Is the Trojan horse TR/Dropper.Gen
qigang
Posted 2008-2-2 14:16:27

Online web page analysis!

1)http://www.8wen.com/css/main.css
2)http://www.8wen.com/js/doc_title.js
3)http://www.8wen.com/js/search_top.js
4)http://www.8wen.com/js/search_right_bottom.js
5)http://www.8wen.com/js/search_bot.js
6)http://www.google-analytics.com/urchin.js
7)http://www.8wen.com/js/doc_title.js
8)http://www.8wen.com/js/search_top.js
9)http://www.8wen.com/js/search_right_bottom.js
10)http://www.8wen.com/js/search_bot.js
11)http://www.google-analytics.com/urchin.js
12)www.8wen.com/search/docs/论文/
qigang
Posted 2008-2-2 14:17:18

Reply to qianwenxiang's post (#3)

Rising 20.29.50 does not detect it!

Attachment: virus10.rar (35.83 KB, 181 downloads)

hj5abc
Posted 2008-2-2 14:23:31
AV终结者 (AV Terminator)? Drops a driver and uses IFEO hijacking; Kaspersky users, take note.

down.exe : INFECTED with W32/Malware (Signature: W32/Smalldrp.RJP)


[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: W32/Smalldrp.RJP
    * Compressed: YES
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        12244 bytes.
    * MD5 hash: 2468b8ba58235d21a0cfb53bd8373448.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys.
    * Deletes file C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys.
    * Creates file C:\WINDOWS\SYSTEM32\lssass.exe.
    * Creates file C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys.
    * Creates file C:\_uninsep.bat.
    * Creates file C:\WINDOWS\SYSTEM32\HDDGuard.dll.

[ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
    * Sets value "DisplayName"="DeepFree Update" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
    * Creates key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys" in key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
    * Sets value "DisplayName"="ATI2HDDSRV" in key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avp.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avp.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\runiep.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\runiep.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\PFW.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\PFW.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\FYFireWall.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\FYFireWall.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwmain.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwmain.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwsrv.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwsrv.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KAVPF.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KAVPF.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KPFW32.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KPFW32.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32kui.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32kui.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32.exeNavapsvc.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32.exeNavapsvc.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Navapw32.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Navapw32.exe".
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avconsol.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avconsol.exe".

[ Changes to system settings ]
    * Creates WindowsHook monitoring messages activity.

[ Process/window information ]
    * Creates service "DeepFree Update (DeepFree Update)" as "C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys".
    * Creates process "C:\WINDOWS\SYSTEM32\lssass.exe".
    * Creates a mutex 2008-1-29.
    * Creates service "ATI2HDDSRV (ATI2HDDSRV)" as "C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys".
    * Terminates AV software.
    * Enumerates running processes.
    * Creates process ""C:\Program Files\Internet Explorer\iexplore.exe"TAIL_ANTI".
    * Enumerates running processes several parses....
    * Creates process ""C:\Program Files\Internet Explorer\iexplore.exe"TAIL_JQG".

[This post was last edited by hj5abc on 2008-2-2 14:39]
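As an added example (not code from the thread or from any of the tools quoted in it), the Python below parses a sandbox report in the format hj5abc posted and pulls out what a responder would act on: dropped files, services whose ImagePath is a kernel driver, IFEO "Debugger" entries, and the mutex. The line formats ("Creates file ...", 'Sets value "X"="Y" in key "Z"', "Creates a mutex ...") are assumed from the quoted text only; the sample input is an excerpt of those lines, not a complete copy of the report. The code also separates the classic hijack (a Debugger value directly under the image name, as for avp.com) from the keys the report shows nested one level deeper (avp.com\avp.exe and so on), so they can be judged separately instead of being counted as hijacks of those images.

```python
"""Extract indicators from a Norman SandBox-style report like the one above.

Added example, not code from the thread. The line formats are assumed from the
report text quoted in the post; nothing else about the report format is known.
"""
import re

IFEO_PREFIX = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES_PREFIX = r"HKLM\System\CurrentControlSet\Services"

FILE_RE = re.compile(r"Creates file (?P<path>.+?)\.\s*$")
MUTEX_RE = re.compile(r"Creates a mutex (?P<name>.+?)\.?\s*$")
VALUE_RE = re.compile(r'Sets value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"')

# Excerpt of the report lines quoted in the post above (a few representative
# entries, not the complete report).
SAMPLE_REPORT = r"""
    * Creates file C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys.
    * Creates file C:\WINDOWS\SYSTEM32\lssass.exe.
    * Creates file C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys.
    * Creates file C:\_uninsep.bat.
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
    * Sets value "DisplayName"="DeepFree Update" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys" in key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avp.exe".
    * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32kui.exe".
    * Creates a mutex 2008-1-29.
"""


def _under(key, prefix):
    """Return the part of `key` below `prefix` (case-insensitive), or None."""
    if key.lower().startswith(prefix.lower() + "\\"):
        return key[len(prefix) + 1:]
    return None


def parse_report(text):
    """Return the indicators found in the report text, grouped by kind."""
    iocs = {"files": [], "services": {}, "ifeo": [], "mutexes": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("* ").strip()
        m = FILE_RE.search(line)
        if m:
            iocs["files"].append(m["path"])
            continue
        m = MUTEX_RE.search(line)
        if m:
            iocs["mutexes"].append(m["name"])
            continue
        m = VALUE_RE.search(line)
        if not m:
            continue
        name, data, key = m["name"], m["data"], m["key"]
        image = _under(key, IFEO_PREFIX)
        if image is not None and name.lower() == "debugger":
            # The classic hijack is a Debugger value in the key named directly
            # after the image file. Keys nested deeper (avp.com\avp.exe in the
            # report) are kept but marked, so an analyst can judge them
            # separately instead of counting them as hijacks of that image.
            iocs["ifeo"].append({
                "key": image,
                "image": image.split("\\")[-1],
                "debugger": data,
                "direct": "\\" not in image,
            })
            continue
        svc = _under(key, SERVICES_PREFIX)
        if svc is not None and name.lower() == "imagepath":
            iocs["services"][svc] = {
                "image_path": data,
                "driver": data.lower().endswith(".sys"),
            }
    return iocs


def targeted_images(iocs, direct_only=False):
    """Sorted basenames of the executables named in IFEO Debugger entries."""
    return sorted({e["image"] for e in iocs["ifeo"] if e["direct"] or not direct_only})


def summary(iocs):
    """One line per finding, suitable for a ticket or a hunt query."""
    lines = []
    for svc, info in iocs["services"].items():
        kind = "kernel driver" if info["driver"] else "service"
        lines.append(f"persistence: {kind} '{svc}' -> {info['image_path']}")
    for e in iocs["ifeo"]:
        tag = "IFEO hijack" if e["direct"] else "IFEO (nested key, check manually)"
        lines.append(f"{tag}: {e['key']} -> {e['debugger']}")
    for path in iocs["files"]:
        lines.append(f"dropped: {path}")
    for name in iocs["mutexes"]:
        lines.append(f"mutex: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_report(SAMPLE_REPORT))))
```

Run it as-is to get the summary for the excerpt, or paste the whole report into a file and pass its contents to parse_report. With a Debugger value set, Windows starts the named debugger with the target executable as its argument instead of running the target directly, so pointing it at ntsd -d is a cheap way to keep avp.com and the other listed products from ever starting; that is why the IFEO entries and the report's "Terminates AV software" line belong to the same behaviour.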
woai_jolin
Posted 2008-2-2 14:25:34
ESET lets it through.
冷冷
Posted 2008-2-2 14:47:10
Seems there's no problem now.
Copyright © KaFan  KaFan.cn All Rights Reserved.
