[Identified] Still the one from the cache; 360 probably dealt with it, so it can't be copied out~!

jpzy
Posted on 2008-6-6 16:23:11
http://www.feifei110.cn/ms.exe

Definitely not something good~~~
dbpe
Posted on 2008-6-6 16:28:48
2008-06-06 16:25:28
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop "Security Center"
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:28
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop "Windows Firewall/Internet Connection Sharing (ICS)"
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:29
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop System Restore Service
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:29
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop "Security Center"
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:29
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop "Windows Firewall/Internet Connection Sharing (ICS)"
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:30
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\net.exe
stop System Restore Service
->禁止执行的系统程序->%windir%\system32\net*.exe

2008-06-06 16:25:35
C:\Sandbox\Administrator\DefaultBox\user\current\Local Settings\Temp\SETUP.EXE
C:\WINDOWS\system32\cmd.exe
/c c:\_uninsep.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:25:35
C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe
C:\WINDOWS\system32\cmd.exe
/c ping "t" > c:\net.txt
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:25:35
C:\Sandbox\Administrator\DefaultBox\user\current\Local Settings\Temp\SETUP.EXE
C:\WINDOWS\system32\cmd.exe
/c c:\_uninsep.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safe.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safe.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safebox.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safebox.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\safeboxTray.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\safeboxTray.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\Rav.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\Rav.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMon.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMon.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMonD.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMonD.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\CCenter.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\CCenter.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavStub.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavStub.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavTask.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavTask.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:38
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\SmartUp.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\SmartUp.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\runiep.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\runiep.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwmain.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwmain.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwProxy.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwProxy.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwsrv.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwsrv.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwstub.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwstub.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwcfg.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:39
C:\Documents and Settings\Administrator\桌面\ms.exe
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwcfg.exe
Debugger
TASKMAN.EXE
->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

2008-06-06 16:25:45
C:\Documents and Settings\Administrator\桌面\ms.exe
C:\WINDOWS\system32\cmd.exe
/c del C:\NTDUBECT.EXE
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:02
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
midimapms
{4F4F0064-71E0-4f0d-0014-708476C7815F}
->自动运行->*\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*

2008-06-06 16:26:06
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{4F4F0064-71E0-4f0d-0014-708476C7815F}
->资源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*

2008-06-06 16:26:11
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\71.tmp.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:13
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\3.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD1553243.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:15
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\4.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD1554355.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:18
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\7.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:20
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\8.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\73.tmp.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:31
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\11.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\74.tmp.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:44
C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\14.exe
C:\WINDOWS\system32\cmd.exe
/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\75.tmp.bat
->禁止执行的系统程序->*\cmd.exe

2008-06-06 16:26:47
C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe
C:\WINDOWS\system32\cmd.exe
/c ping "t" > c:\net.txt
->禁止执行的系统程序->*\cmd.exe


[ This post was last edited by dbpe on 2008-6-6 16:30 ]

Temp.rar

41.2 KB, downloads: 37

Products

C.part01.rar

500 KB, downloads: 54

C.part02.rar

223.74 KB, downloads: 50

HC303
Posted on 2008-6-6 16:29:33
Avira (Red Umbrella) KILLed it.
When accessing data from the URL, "http://www.feifei110.cn/ms.exe"
a virus or unwanted program 'TR/Killav.TY.1' [trojan] was found.
Action taken: Ignored
HC303
Posted on 2008-6-6 16:31:14
Took out 2 of the products.
Begin scan in 'C:\Documents and Settings\桌面\Temp'
C:\Documents and Settings\桌\Temp\Temp\SETUP.EXE
      [DETECTION] Is the Trojan horse TR/Downloader.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\桌面\Temp\Temp\~f70.tmp
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
aaad2008
Posted on 2008-6-6 16:31:16
avast! kills them all
woai_jolin
Posted on 2008-6-6 16:32:06
2008-6-6 16:32:57        内核        文件 'G:\v\ms.exe' 已发送到 ESET 进行分析。
woai_jolin
Posted on 2008-6-6 16:33:38
2008-6-6 16:33:46        HTTP 过滤器        文件        http://www.mm027.cn/p30.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:45        HTTP 过滤器        文件        http://www.mm027.cn/p29.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:44        HTTP 过滤器        文件        http://www.mm027.cn/p28.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:44        HTTP 过滤器        文件        http://www.mm027.cn/p27.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:43        HTTP 过滤器        文件        http://www.mm027.cn/p26.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:42        HTTP 过滤器        文件        http://www.mm027.cn/p25.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:41        HTTP 过滤器        文件        http://www.mm027.cn/p24.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:40        HTTP 过滤器        文件        http://www.mm027.cn/p22.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:39        HTTP 过滤器        文件        http://www.mm027.cn/p20.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:38        HTTP 过滤器        文件        http://www.mm027.cn/p19.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:38        HTTP 过滤器        文件        http://www.mm027.cn/p18.exe        Win32/PSW.OnLineGames.OAF 特洛伊木马        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:37        HTTP 过滤器        文件        http://www.mm027.cn/p16.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:36        HTTP 过滤器        文件        http://www.mm027.cn/p14.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:35        HTTP 过滤器        文件        http://www.mm027.cn/p13.exe        Win32/PSW.OnLineGames.OAF 特洛伊木马        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:34        HTTP 过滤器        文件        http://www.mm027.cn/p11.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:34        HTTP 过滤器        文件        http://www.mm027.cn/p10.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:32        HTTP 过滤器        文件        http://www.mm027.cn/p6.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:31        HTTP 过滤器        文件        http://www.mm027.cn/p5.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:30        HTTP 过滤器        文件        http://www.mm027.cn/p4.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:30        HTTP 过滤器        文件        http://www.mm027.cn/p3.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:29        HTTP 过滤器        文件        http://www.mm027.cn/p2.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:28        HTTP 过滤器        文件        http://www.mm027.cn/p1.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:27        HTTP 过滤器        文件        http://www.mm027.cn/p1.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
Products: all killed
HC303
Posted on 2008-6-6 16:33:44
Submitted the rest:
25038463  71.tmp.bat  89 Byte  UNDER ANALYSIS
25038464  72.tmp.bat  89 Byte  UNDER ANALYSIS
25038465  73.tmp.bat  89 Byte  UNDER ANALYSIS
25038466  74.tmp.bat  91 Byte  UNDER ANALYSIS
25038467  75.tmp.bat  91 Byte  UNDER ANALYSIS
25038468  76.tmp.bat  91 Byte  UNDER ANALYSIS
25038469  ~DFD1553243.bat  189 Byte  UNDER ANALYSIS
25038470  ~DFD1554355.bat  189 Byte  UNDER ANALYSIS
25038471  ~DFD1590907.bat  191 Byte  UNDER ANALYSIS
4039214  71.tmp  0 Byte  KNOWN CLEAN
4039214  72.tmp  0 Byte  KNOWN CLEAN
4039214  73.tmp  0 Byte  KNOWN CLEAN
4039214  74.tmp  0 Byte  KNOWN CLEAN
4039214  75.tmp  0 Byte  KNOWN CLEAN
4039214  76.tmp  0 Byte  KNOWN CLEAN
HC303
Posted on 2008-6-6 16:35:54
The ones in C
Begin scan in 'C:\Documents and Settings\\桌面\a\C'
C:\Documents and Settings\\桌面\a\C\NTDUBECT.EXE
      [DETECTION] Is the Trojan horse TR/Killav.TY.1
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\0.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\1.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\10.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\11.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.alhf
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\12.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\13.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\14.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\15.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\16.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.Nilage.cnj
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\17.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\18.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\19.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\2.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\20.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\3.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\4.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\5.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\6.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.Nilage.crs
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\7.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\8.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.amvv
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\9.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\apzhbtde.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\cedafb.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6d6.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\hfrdzx.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48baf6d8.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\hhrdxd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\jfrwdh.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '49333a61.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\lpzhatde.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mfdesy.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6d9.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapgj.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6dc.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapms.dll
      [DETECTION] Is the Trojan horse TR/PSW.Nilage.crs
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapqn3.dll
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.alhf
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimaptl.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6dd.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapwl.dll
      [DETECTION] Is the Trojan horse TR/PSW.Nilage.cnj
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapzx.dll
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.amvv
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mndhddwd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mnmhgsrv.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\pldhadwd.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\wfrdvq.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48baf6db.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\wklsdd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\ypdjfbmp.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\yxcschlp.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\zsdjabmp.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
HC303
Posted on 2008-6-6 16:36:47
The rest of C.
25037317  gpzhatde.sys  520 Byte  DAMAGED FILE (UNKNOWN)
25038473  gsdhadwd.sys  520 Byte  UNDER ANALYSIS
25038474  hhrdxd.dll.LoG  36 Byte  UNDER ANALYSIS
25038475  midimapgj.dat  288 Byte  UNDER ANALYSIS
25038476  midimapms.dat  288 Byte  UNDER ANALYSIS
25038477  midimapqn3.dat  288 Byte  UNDER ANALYSIS
25038478  midimaptl.dat  288 Byte  UNDER ANALYSIS
25038479  midimapwl.dat  288 Byte  UNDER ANALYSIS
25038480  midimapzx.dat  288 Byte  UNDER ANALYSIS
25037320  smmhbsrv.sys  520 Byte  DAMAGED FILE (UNKNOWN)
25038481  WIN.INI  1.21 KB  UNDER ANALYSIS
25038482  xfztbmsn.sys  520 Byte  UNDER ANALYSIS
25038483  xsdjbbmp.sys  520 Byte  UNDER ANALYSIS
25038484  xzcsbhlp.sys  520 Byte  UNDER ANALYSIS
25038485  _uninsep.bat  180 Byte  UNDER ANALYSIS
4039214  tf0  0 Byte  KNOWN CLEAN
The heuristic detections in C:
25038489 cedafb.dll 220.5 KB UNDER ANALYSIS
25038490 hfrdzx.dll 210 KB UNDER ANALYSIS
25038491 jfrwdh.dll 217 KB UNDER ANALYSIS
25038492 mfdesy.dll 227.5 KB UNDER ANALYSIS
25038493 midimapgj.dll 23.78 KB UNDER ANALYSIS
25038494 midimaptl.dll 20.78 KB UNDER ANALYSIS
25038495 wfrdvq.dll 227.5 KB UNDER ANALYSIS


[ This post was last edited by HC303 on 2008-6-6 16:39 ]