Views: 7919 | Replies: 30

[Virus sample] Looks like I got infected; it gets past Avira (the red umbrella), too many actions so I used Comodo to kill the process

qwerasdf123
Posted 2008-6-4 06:28:25
Still don't know whether I got infected or not.

Just checked the D+ events; it actually got to create an svdhost.exe in system32, and now I can't find it.
Careless of me...

[Last edited by qwerasdf123 on 2008-6-4 06:37]

电影结束了
Posted 2008-6-4 08:23:10
Added it for you....
5 of them...
AVK06's BD missed all of them.

[Last edited by 电影结束了 on 2008-6-4 08:40]

qwerasdf123
OP | Posted 2008-6-4 08:30:35
This piece of junk came bundled in a cracked PowerDVD 8 from a foreign site.
It got generated right after running setup.
A whole bunch of actions; unfortunately I didn't look carefully.
By the time I realized something was wrong, it had already changed several registry values. Luckily I blocked it from reaching the specific IP.

Every time I try to save a little money, this kind of thing happens.

...
啊弥陀佛
Posted 2008-6-4 09:39:55
木马名称:未知木马
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\桌面\NPF.SYS
是木马程序!
已成功阻止其运行,是否要删除此文件?

木马名称:未知木马
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\桌面\PACKET.DLL
是木马程序!
已成功阻止其运行,是否要删除此文件?

木马名称:未知木马
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\桌面\WPCAP.DLL
是木马程序!
已成功阻止其运行,是否要删除此文件?

曲中求
Posted 2008-6-4 09:56:36
Someone already scanned it first.

Antivirus Version Last update Result
AhnLab-V3 2008.5.30.1 2008.06.03 -
AntiVir 7.8.0.26 2008.06.03 -
Authentium 5.1.0.4 2008.06.04 -
Avast 4.8.1195.0 2008.06.04 -
AVG 7.5.0.516 2008.06.04 BackDoor.RBot.AS
BitDefender 7.2 2008.06.04 -
CAT-QuickHeal 9.50 2008.06.03 Backdoor.Rbot.fsb
ClamAV 0.92.1 2008.06.04 -
DrWeb 4.44.0.09170 2008.06.03 -
eSafe 7.0.15.0 2008.06.03 -
eTrust-Vet 31.4.5845 2008.06.03 -
Ewido 4.0 2008.06.03 -
F-Prot 4.4.4.56 2008.06.02 -
Fortinet 3.14.0.0 2008.06.04 -
GData 2.0.7306.1023 2008.06.03 -
Ikarus T3.1.1.26.0 2008.06.04 -
Kaspersky 7.0.0.125 2008.06.04 -
McAfee 5309 2008.06.03 -
Microsoft None 2008.06.04 -
NOD32v2 3156 2008.06.03 -
Norman 5.80.02 2008.06.03 -
Panda 9.0.0.4 2008.06.04 Suspicious file
Prevx1 V2 2008.06.04 Malicious Software
Rising 20.47.12.00 2008.06.03 -
Sophos 4.29.0 2008.06.04 Sus/ComPack-C
Sunbelt 3.0.1143.1 2008.06.03 -
Symantec 10 2008.06.03 -
TheHacker 6.2.92.333 2008.06.03 -
VBA32 3.12.6.7 2008.06.03 -
VirusBuster 4.3.26:9 2008.06.03 -
Webwasher-Gateway 6.6.2 2008.06.03 Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 946176 bytes
MD5...: ba27107f68b56ba9ce991a954259d75a
SHA1..: 22ea9418a7a4aecd997210e69e2ee32297e5e517
SHA256: 688b6881983936d406a21688bf0230d20e96edc33c6b5d6ab60a226e4d8fa19c
SHA512: bde1a6ab315289c6311caf48d396ad7d8fff0d14a37e65b7726bfeab48520588 7c4080ce0099c0397e2b62c2fea0a25ccf954dc76e13c967d4349f9a0e53dd9d
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4b7000
timedatestamp.....: 0x4843ac92 (Mon Jun 02 08:17:22 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26b96 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x28000 0xd592 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x36000 0x30a20 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.text1 0x67000 0x50000 0x43000 7.97 f729c94e5d6451c17b86085e1346dfd9
.adata 0xb7000 0x10000 0xd000 7.01 1038710a721073c352871d7b8aef5713
.data1 0xc7000 0x20000 0xb000 3.74 f38b9059d55a7031a666ba4082234abe
.pdata 0xe7000 0x90000 0x8a000 8.00 de4e81a92bc78591e067eaddc7af0074
.rsrc 0x177000 0x5b000 0x1000 0.50 1b19e9bed5126f945766ecb9072a1d55

( 3 imports )
> KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA, GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, GetCurrentThreadId, CreateFileA, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, UnmapViewOfFile, ContinueDebugEvent, SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread, DebugActiveProcess, ResumeThread, CreateProcessW, GetCommandLineW, GetStartupInfoW, CloseHandle, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, VirtualProtectEx, WriteProcessMemory, ExitProcess, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, HeapSize, HeapReAlloc, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, RtlUnwind, DeleteCriticalSection, GetStdHandle, WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, MapViewOfFile, GetShortPathNameA, GetSystemTimeAsFileTime, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage
> USER32.dll: GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, GetSystemMetrics, SetTimer, GetAsyncKeyState, KillTimer, BeginPaint, EndPaint, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, LoadStringW, FindWindowA, WaitForInputIdle, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW, PostMessageA, IsWindow, DestroyWindow
> GDI32.dll: CreateDCA, CreateDIBitmap, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, BitBlt, DeleteDC, DeleteObject, CreatePalette

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogr ... EC2E040DB0064612FE0
packers (F-Prot): Armadillo
packers (Kaspersky): Armadillo


Note: VirusTotal is a free service provided by Hispasec Sistemas. We do not guarantee the availability or continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is better than that of a single product, these results do not guarantee that a file is harmless. Currently, no solution offers a 100% detection rate for viruses and malware. If you have purchased a product claiming to have this ability, you may already be a victim.
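As an added example (not from the post, and not VirusTotal's or any vendor's code), here is a short Python triage script that reads a PE section table like the one in the dump above and flags the packing signs an analyst would otherwise eyeball: sections with zero raw size but a footprint in memory, sections with near-8 entropy, and an entry point that lands outside .text. The rows are transcribed from the "( 8 sections )" block; the image base 0x400000 is an assumption, since the dump prints the entry point as a virtual address without the base. The function works on any section list, not only this sample.

```python
"""Packing-triage heuristics over the PE section table from a PEInfo dump.

Added example: the rows below are transcribed from the post above; the
image base (0x400000) is an assumption, because the dump reports the
entry point as a virtual address and does not print the base.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    virt_addr: int    # viradd: section RVA
    virt_size: int    # virsiz: size in memory
    raw_size: int     # rawdsiz: size on disk
    entropy: float    # ntrpy: Shannon entropy of the raw bytes (0..8)


# Transcribed from the "( 8 sections )" block in the post
SECTIONS = [
    Section(".text",  0x1000,   0x26b96, 0x0,     0.00),
    Section(".rdata", 0x28000,  0xd592,  0x0,     0.00),
    Section(".data",  0x36000,  0x30a20, 0x0,     0.00),
    Section(".text1", 0x67000,  0x50000, 0x43000, 7.97),
    Section(".adata", 0xb7000,  0x10000, 0xd000,  7.01),
    Section(".data1", 0xc7000,  0x20000, 0xb000,  3.74),
    Section(".pdata", 0xe7000,  0x90000, 0x8a000, 8.00),
    Section(".rsrc",  0x177000, 0x5b000, 0x1000,  0.50),
]
ENTRY_POINT_VA = 0x4b7000          # entrypointaddress from the dump
IMAGE_BASE = 0x400000              # assumption: default base of a 32-bit EXE
HIGH_ENTROPY = 7.0                 # near-random content: compressed or encrypted
STANDARD_CODE = {".text", "CODE"}  # where a normal compiler puts the entry point


def section_for_rva(sections, rva) -> Optional[Section]:
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + s.virt_size:
            return s
    return None


def packing_indicators(sections, entry_va, image_base):
    """Collect the signs an analyst reads off a section table by hand.

    zero_raw:      no bytes on disk but a footprint in memory, i.e. the
                   section is filled at run time by an unpacker stub
    high_entropy:  content that looks compressed or encrypted
    ep_section:    the section holding the entry point; compiled code
                   starts in .text, so an entry point elsewhere points
                   at a stub that runs before the real program
    """
    ep = section_for_rva(sections, entry_va - image_base)
    zero_raw = [s.name for s in sections if s.raw_size == 0 and s.virt_size > 0]
    high_entropy = [s.name for s in sections if s.entropy >= HIGH_ENTROPY]
    ep_outside_code = ep is not None and ep.name not in STANDARD_CODE
    score = len(zero_raw) + len(high_entropy) + (1 if ep_outside_code else 0)
    return {
        "ep_section": ep.name if ep else None,
        "ep_outside_code": ep_outside_code,
        "zero_raw": zero_raw,
        "high_entropy": high_entropy,
        "likely_packed": score >= 2,
    }


if __name__ == "__main__":
    result = packing_indicators(SECTIONS, ENTRY_POINT_VA, IMAGE_BASE)
    for key, value in result.items():
        print(f"{key:16} {value}")
```

With this sample's values the entry point resolves to .adata, the three compiler-generated sections (.text, .rdata, .data) have no bytes on disk, and .text1, .adata and .pdata sit at entropy 7 or above, which is consistent with the Armadillo identification in the F-Prot and Kaspersky lines of the dump: the real code only exists after the stub has unpacked it in memory.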
曲中求
Posted 2008-6-4 09:56:58
Suspicious Files and Miscellaneous Uploads

Thank you for your submission. Below you can see the current status of the uploaded files.

--------------------------------------------------------------------------------

We received the following archive files:

File ID  Filename Size (Byte) Result
25036417  virus.zip 955.27 KB OK

A listing of files contained inside archives alongside their results can be found below:

File ID  Filename Size (Byte) Result
25036405  466F9D5D.TMP  103 Byte  UNDER ANALYSIS
2240030  npf.sys  41.52 KB  CLEAN
25016315  packet.dll  86.63 KB  CLEAN
25036396  test0.10.exe  924 KB  UNDER ANALYSIS
1241169  wpcap.dll  234.61 KB  KNOWN CLEAN

Please find a detailed report concerning each individual sample below:

Filename Result
466F9D5D.TMP  UNDER ANALYSIS

The file '466F9D5D.TMP' has been determined to be 'UNDER ANALYSIS'.

Filename Result
npf.sys  CLEAN

The file 'npf.sys' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
packet.dll  CLEAN

The file 'packet.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
test0.10.exe  UNDER ANALYSIS

The file 'test0.10.exe' has been determined to be 'UNDER ANALYSIS'.

Filename Result
wpcap.dll  KNOWN CLEAN

The file 'wpcap.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Winpcap 4.0.1'.
ranguangning
Posted 2008-6-4 10:58:36

[The two files involved in the EQ crash]

欠妳緈諨
Posted 2008-6-4 11:01:46
IKARUS
One:
D:\病毒测试\临时解压\桌面.rar:\npf.sys
D:\病毒测试\临时解压\桌面.rar:\packet.dll
D:\病毒测试\临时解压\桌面.rar:\svdhost.exe - 可疑代码段 被发现 (Level: 10)
D:\病毒测试\临时解压\桌面.rar:\wpcap.dll
D:\病毒测试\临时解压\桌面.rar:\466F9D5D.TMP
D:\病毒测试\临时解压\桌面.rar

        6 文件被扫描
          (1 压缩档 5 文件)
        0 特征码被侦测
        1 可疑代码段被发现
        耗时: 0:01.703
dbpe
Posted 2008-6-4 11:53:35
Foreign stuff really is more impressive than the domestic ones.

Annoying that EQ actually let it register itself as a service / startup item??? (Note: EQ's rules forbid creating startup items; maybe I set my rules too.............)

And no reaction at all. Fengyun flagged it.

[Last edited by dbpe on 2008-6-5 11:28]
scottxzt
Posted 2008-6-4 12:23:29
Looks like Panda 9.0.0.4 2008.06.04 Suspicious file is pretty useful.

Copyright © KaFan KaFan.cn All Rights Reserved.