I have S3 and Fair (费尔) installed on my computer. In the evening S3 suddenly popped up a run request for a file named 2008.exe; I found it odd, so I blocked it. Then Fair also raised a high-risk alert. The VirusTotal scan result is as follows:
File 2008.exe received on 04.05.2008 15:46:02 (CET)
| Antivirus | Version | Last Update | Result |
| --- | --- | --- | --- |
| AhnLab-V3 | 2008.4.4.1 | 2008.04.04 | - |
| AntiVir | 7.6.0.81 | 2008.04.04 | BDS/Pcclient.ahj |
| Authentium | 4.93.8 | 2008.04.05 | - |
| Avast | 4.7.1098.0 | 2008.04.04 | Win32:Agent-EPC |
| AVG | 7.5.0.516 | 2008.04.05 | BackDoor.PcClient.2.Y |
| BitDefender | 7.2 | 2008.04.05 | - |
| CAT-QuickHeal | 9.50 | 2008.04.05 | - |
| ClamAV | 0.92.1 | 2008.04.05 | - |
| DrWeb | 4.44.0.09170 | 2008.04.05 | Trojan.Proxy.origin |
| eSafe | 7.0.15.0 | 2008.04.01 | - |
| eTrust-Vet | 31.3.5672 | 2008.04.04 | - |
| Ewido | 4.0 | 2008.04.05 | Backdoor.PcClient.ajh |
| F-Prot | 4.4.2.54 | 2008.04.05 | - |
| F-Secure | 6.70.13260.0 | 2008.04.05 | PCClient.gen4 |
| FileAdvisor | 1 | 2008.04.05 | - |
| Fortinet | 3.14.0.0 | 2008.04.05 | - |
| Ikarus | T3.1.1.20.0 | 2008.04.05 | Backdoor.Win32.PcClient.yw |
| Kaspersky | 7.0.0.125 | 2008.04.05 | - |
| McAfee | 5267 | 2008.04.04 | - |
| Microsoft | 1.3408 | 2008.04.05 | Trojan:Win32/Mejdho.A |
| NOD32v2 | 3004 | 2008.04.05 | - |
| Norman | 5.80.02 | 2008.04.04 | PCClient.gen4 |
| Panda | 9.0.0.4 | 2008.04.05 | - |
| Prevx1 | V2 | 2008.04.05 | Heuristic: Suspicious Self Modifying File |
| Rising | 20.38.60.00 | 2008.04.03 | - |
| Sophos | 4.28.0 | 2008.04.05 | - |
| Sunbelt | 3.0.1032.0 | 2008.04.05 | - |
| Symantec | 10 | 2008.04.05 | - |
| TheHacker | 6.2.92.265 | 2008.04.04 | - |
| VBA32 | 3.12.6.3 | 2008.03.25 | Trojan.Proxy |
| VirusBuster | 4.3.26:9 | 2008.04.04 | Backdoor.PcClient.Gen.3 |
| Webwasher-Gateway | 6.6.2 | 2008.04.04 | Trojan.Backdoor.Pcclient.ahj |

Additional information
File size: 61537 bytes
MD5: 6a213c67b68fb7e9d4050b1176202ae6
SHA1: 2458b725868715b2c2a4b264fc9ed04aa2deb1c8
SHA256: 343c99673253d032951a27688620bab0285c95e2d83e83e09b7198e1c5e45c0b
SHA512: d8ee09aeb9a8e7b8aa70aac46ee7e2f2c533f6ce528b5821d6524d20e5d09497fbe3b113ccd6961a0d9aa9d24deaaefbcc79e49f890944186a836acb192c415f
PEiD: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40254f
timedatestamp.....: 0x47496b87 (Sun Nov 25 12:33:11 2007)
machinetype.......: 0x14c (I386)
( 3 sections )
| name | viradd | virsiz | rawdsiz | ntrpy | md5 |
| --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x16f2 | 0x1800 | 5.90 | bae7d875dc11cccf16195b07b0588e4a |
| .rdata | 0x3000 | 0x662 | 0x800 | 4.20 | 312ba160fb488c21a559ebc2c23497cd |
| .data | 0x4000 | 0x1158 | 0x200 | 1.64 | c001d0d5f2e7bd96cdc0fb83da0cb252 |
( 6 imports )
> SHLWAPI.dll: StrChrA, StrStrA, StrToIntA
> USER32.dll: PostThreadMessageA, wsprintfA
> ADVAPI32.dll: DeleteService, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, ControlService
> ole32.dll: CoCreateGuid
> MSVCRT.dll: __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _adjust_fdiv, __setusermatherr, _initterm, _acmdln, exit, _XcptFilter, _exit, __CxxFrameHandler, time, srand, rand, memcpy, memset, __2@YAPAXI@Z, __3@YAXPAX@Z, __getmainargs
> KERNEL32.dll: SetFilePointer, GetModuleFileNameA, DeleteFileA, GetModuleHandleA, GetStartupInfoA, ReadFile, CreateMutexA, GetLastError, GetFileAttributesExA, ReleaseMutex, lstrcpyA, lstrlenA, Sleep, LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileA, WriteFile, GetSystemDirectoryA, lstrcatA, WaitForSingleObject, CloseHandle, GetFileTime, SetFileTime
( 0 exports )
PS: Fair just showed this alert again; it says the same file was generated under system32 again. When I opened the forum just now it also reported finding a trojan. Scary.

| Date | Virus Name | Virus Type | User | Filename | Scan Type |
| --- | --- | --- | --- | --- | --- |
| ######## | Trojan.Undef.dsn.ndtg | 木马 | hongf | C:\WINDOWS\system32\2008.exe | Realtime scan |
| ######## | Trojan.Undef.dsn.ndtg | 木马 | hongf | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H1R5TU1B\2[1].exe | Realtime scan |
| ######## | 注册表监控 | 错误的值 | hongf | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows[AppInit_DLLs]=d:\progra~1\netchina\s3\ncappctl.dll | Realtime scan |
[ This post was last edited by mikelon on 2008-4-5 21:55 ]