收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 网络安全(毒网分析) 还是缓存里面的,可能让360处理了,复制不出来~!
12下一页
返回列表 发新帖
查看: 3383|回复: 16
收起左侧

[已鉴定] 还是缓存里面的,可能让360处理了,复制不出来~!

 关闭 [复制链接]
jpzy
发表于 2008-6-6 16:23:11 | 显示全部楼层 |阅读模式
http://www.feifei110.cn/ms.exe

肯定不是好东西~~~
回复

举报

dbpe
发表于 2008-6-6 16:28:48 | 显示全部楼层
  1. 2008-06-06 16:25:28         
  2. C:\Documents and Settings\Administrator\桌面\ms.exe
  3. C:\WINDOWS\system32\net.exe
  4. stop "Security Center"
  5. ->禁止执行的系统程序->%windir%\system32\net*.exe


  8. 2008-06-06 16:25:28         
  9. C:\Documents and Settings\Administrator\桌面\ms.exe
  10. C:\WINDOWS\system32\net.exe
  11. stop "Windows Firewall/Internet Connection Sharing (ICS)"
  12. ->禁止执行的系统程序->%windir%\system32\net*.exe


  15. 2008-06-06 16:25:29         
  16. C:\Documents and Settings\Administrator\桌面\ms.exe
  17. C:\WINDOWS\system32\net.exe
  18. stop System Restore Service
  19. ->禁止执行的系统程序->%windir%\system32\net*.exe


  22. 2008-06-06 16:25:29         
  23. C:\Documents and Settings\Administrator\桌面\ms.exe
  24. C:\WINDOWS\system32\net.exe
  25. stop "Security Center"
  26. ->禁止执行的系统程序->%windir%\system32\net*.exe


  29. 2008-06-06 16:25:29         
  30. C:\Documents and Settings\Administrator\桌面\ms.exe
  31. C:\WINDOWS\system32\net.exe
  32. stop "Windows Firewall/Internet Connection Sharing (ICS)"
  33. ->禁止执行的系统程序->%windir%\system32\net*.exe


  36. 2008-06-06 16:25:30         
  37. C:\Documents and Settings\Administrator\桌面\ms.exe
  38. C:\WINDOWS\system32\net.exe
  39. stop System Restore Service
  40. ->禁止执行的系统程序->%windir%\system32\net*.exe


  43. 2008-06-06 16:25:35         
  44. C:\Sandbox\Administrator\DefaultBox\user\current\Local Settings\Temp\SETUP.EXE
  45. C:\WINDOWS\system32\cmd.exe
  46. /c c:\_uninsep.bat
  47. ->禁止执行的系统程序->*\cmd.exe


  50. 2008-06-06 16:25:35         
  51. C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe
  52. C:\WINDOWS\system32\cmd.exe
  53. /c ping "t" > c:\net.txt
  54. ->禁止执行的系统程序->*\cmd.exe


  57. 2008-06-06 16:25:35         
  58. C:\Sandbox\Administrator\DefaultBox\user\current\Local Settings\Temp\SETUP.EXE
  59. C:\WINDOWS\system32\cmd.exe
  60. /c c:\_uninsep.bat
  61. ->禁止执行的系统程序->*\cmd.exe


  64. 2008-06-06 16:25:38         
  65. C:\Documents and Settings\Administrator\桌面\ms.exe
  66. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe
  67. Debugger
  68. TASKMAN.EXE
  69. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  72. 2008-06-06 16:25:38         
  73. C:\Documents and Settings\Administrator\桌面\ms.exe
  74. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe
  75. Debugger
  76. TASKMAN.EXE
  77. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  80. 2008-06-06 16:25:38         
  81. C:\Documents and Settings\Administrator\桌面\ms.exe
  82. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safe.exe
  83. Debugger
  84. TASKMAN.EXE
  85. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  88. 2008-06-06 16:25:38         
  89. C:\Documents and Settings\Administrator\桌面\ms.exe
  90. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safe.exe
  91. Debugger
  92. TASKMAN.EXE
  93. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  96. 2008-06-06 16:25:38         
  97. C:\Documents and Settings\Administrator\桌面\ms.exe
  98. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safebox.exe
  99. Debugger
  100. TASKMAN.EXE
  101. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  104. 2008-06-06 16:25:38         
  105. C:\Documents and Settings\Administrator\桌面\ms.exe
  106. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\360safebox.exe
  107. Debugger
  108. TASKMAN.EXE
  109. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  112. 2008-06-06 16:25:38         
  113. C:\Documents and Settings\Administrator\桌面\ms.exe
  114. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\safeboxTray.exe
  115. Debugger
  116. TASKMAN.EXE
  117. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  120. 2008-06-06 16:25:38         
  121. C:\Documents and Settings\Administrator\桌面\ms.exe
  122. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\safeboxTray.exe
  123. Debugger
  124. TASKMAN.EXE
  125. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  128. 2008-06-06 16:25:38         
  129. C:\Documents and Settings\Administrator\桌面\ms.exe
  130. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe
  131. Debugger
  132. TASKMAN.EXE
  133. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  136. 2008-06-06 16:25:38         
  137. C:\Documents and Settings\Administrator\桌面\ms.exe
  138. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe
  139. Debugger
  140. TASKMAN.EXE
  141. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  144. 2008-06-06 16:25:38         
  145. C:\Documents and Settings\Administrator\桌面\ms.exe
  146. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\Rav.exe
  147. Debugger
  148. TASKMAN.EXE
  149. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  152. 2008-06-06 16:25:38         
  153. C:\Documents and Settings\Administrator\桌面\ms.exe
  154. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\Rav.exe
  155. Debugger
  156. TASKMAN.EXE
  157. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  160. 2008-06-06 16:25:38         
  161. C:\Documents and Settings\Administrator\桌面\ms.exe
  162. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMon.exe
  163. Debugger
  164. TASKMAN.EXE
  165. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  168. 2008-06-06 16:25:38         
  169. C:\Documents and Settings\Administrator\桌面\ms.exe
  170. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMon.exe
  171. Debugger
  172. TASKMAN.EXE
  173. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  176. 2008-06-06 16:25:38         
  177. C:\Documents and Settings\Administrator\桌面\ms.exe
  178. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMonD.exe
  179. Debugger
  180. TASKMAN.EXE
  181. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  184. 2008-06-06 16:25:38         
  185. C:\Documents and Settings\Administrator\桌面\ms.exe
  186. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavMonD.exe
  187. Debugger
  188. TASKMAN.EXE
  189. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  192. 2008-06-06 16:25:38         
  193. C:\Documents and Settings\Administrator\桌面\ms.exe
  194. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\CCenter.exe
  195. Debugger
  196. TASKMAN.EXE
  197. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  200. 2008-06-06 16:25:38         
  201. C:\Documents and Settings\Administrator\桌面\ms.exe
  202. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\CCenter.exe
  203. Debugger
  204. TASKMAN.EXE
  205. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  208. 2008-06-06 16:25:38         
  209. C:\Documents and Settings\Administrator\桌面\ms.exe
  210. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavStub.exe
  211. Debugger
  212. TASKMAN.EXE
  213. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  216. 2008-06-06 16:25:38         
  217. C:\Documents and Settings\Administrator\桌面\ms.exe
  218. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavStub.exe
  219. Debugger
  220. TASKMAN.EXE
  221. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  224. 2008-06-06 16:25:38         
  225. C:\Documents and Settings\Administrator\桌面\ms.exe
  226. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavTask.exe
  227. Debugger
  228. TASKMAN.EXE
  229. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  232. 2008-06-06 16:25:38         
  233. C:\Documents and Settings\Administrator\桌面\ms.exe
  234. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\RavTask.exe
  235. Debugger
  236. TASKMAN.EXE
  237. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  240. 2008-06-06 16:25:38         
  241. C:\Documents and Settings\Administrator\桌面\ms.exe
  242. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\SmartUp.exe
  243. Debugger
  244. TASKMAN.EXE
  245. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  248. 2008-06-06 16:25:39         
  249. C:\Documents and Settings\Administrator\桌面\ms.exe
  250. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\SmartUp.exe
  251. Debugger
  252. TASKMAN.EXE
  253. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  256. 2008-06-06 16:25:39         
  257. C:\Documents and Settings\Administrator\桌面\ms.exe
  258. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\runiep.exe
  259. Debugger
  260. TASKMAN.EXE
  261. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  264. 2008-06-06 16:25:39         
  265. C:\Documents and Settings\Administrator\桌面\ms.exe
  266. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\runiep.exe
  267. Debugger
  268. TASKMAN.EXE
  269. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  272. 2008-06-06 16:25:39         
  273. C:\Documents and Settings\Administrator\桌面\ms.exe
  274. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwmain.exe
  275. Debugger
  276. TASKMAN.EXE
  277. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  280. 2008-06-06 16:25:39         
  281. C:\Documents and Settings\Administrator\桌面\ms.exe
  282. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwmain.exe
  283. Debugger
  284. TASKMAN.EXE
  285. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  288. 2008-06-06 16:25:39         
  289. C:\Documents and Settings\Administrator\桌面\ms.exe
  290. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwProxy.exe
  291. Debugger
  292. TASKMAN.EXE
  293. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  296. 2008-06-06 16:25:39         
  297. C:\Documents and Settings\Administrator\桌面\ms.exe
  298. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwProxy.exe
  299. Debugger
  300. TASKMAN.EXE
  301. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  304. 2008-06-06 16:25:39         
  305. C:\Documents and Settings\Administrator\桌面\ms.exe
  306. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwsrv.exe
  307. Debugger
  308. TASKMAN.EXE
  309. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  312. 2008-06-06 16:25:39         
  313. C:\Documents and Settings\Administrator\桌面\ms.exe
  314. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwsrv.exe
  315. Debugger
  316. TASKMAN.EXE
  317. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  320. 2008-06-06 16:25:39         
  321. C:\Documents and Settings\Administrator\桌面\ms.exe
  322. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwstub.exe
  323. Debugger
  324. TASKMAN.EXE
  325. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  328. 2008-06-06 16:25:39         
  329. C:\Documents and Settings\Administrator\桌面\ms.exe
  330. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwstub.exe
  331. Debugger
  332. TASKMAN.EXE
  333. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  336. 2008-06-06 16:25:39         
  337. C:\Documents and Settings\Administrator\桌面\ms.exe
  338. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwcfg.exe
  339. Debugger
  340. TASKMAN.EXE
  341. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  344. 2008-06-06 16:25:39         
  345. C:\Documents and Settings\Administrator\桌面\ms.exe
  346. HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\Image File Execution Options\rfwcfg.exe
  347. Debugger
  348. TASKMAN.EXE
  349. ->受保护的注册表->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*


  352. 2008-06-06 16:25:45         
  353. C:\Documents and Settings\Administrator\桌面\ms.exe
  354. C:\WINDOWS\system32\cmd.exe
  355. /c del C:\NTDUBECT.EXE
  356. ->禁止执行的系统程序->*\cmd.exe


  359. 2008-06-06 16:26:02         
  360. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
  361. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  362. midimapms
  363. {4F4F0064-71E0-4f0d-0014-708476C7815F}
  364. ->自动运行->*\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*


  367. 2008-06-06 16:26:06         
  368. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
  369. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  370. {4F4F0064-71E0-4f0d-0014-708476C7815F}
  371. ->资源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*


  374. 2008-06-06 16:26:11         
  375. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\6.exe
  376. C:\WINDOWS\system32\cmd.exe
  377. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\71.tmp.bat
  378. ->禁止执行的系统程序->*\cmd.exe


  381. 2008-06-06 16:26:13         
  382. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\3.exe
  383. C:\WINDOWS\system32\cmd.exe
  384. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD1553243.bat
  385. ->禁止执行的系统程序->*\cmd.exe


  388. 2008-06-06 16:26:15         
  389. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\4.exe
  390. C:\WINDOWS\system32\cmd.exe
  391. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD1554355.bat
  392. ->禁止执行的系统程序->*\cmd.exe


  395. 2008-06-06 16:26:18         
  396. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\7.exe
  397. C:\WINDOWS\system32\cmd.exe
  398. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp.bat
  399. ->禁止执行的系统程序->*\cmd.exe


  402. 2008-06-06 16:26:20         
  403. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\8.exe
  404. C:\WINDOWS\system32\cmd.exe
  405. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\73.tmp.bat
  406. ->禁止执行的系统程序->*\cmd.exe


  409. 2008-06-06 16:26:31         
  410. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\11.exe
  411. C:\WINDOWS\system32\cmd.exe
  412. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\74.tmp.bat
  413. ->禁止执行的系统程序->*\cmd.exe


  416. 2008-06-06 16:26:44         
  417. C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\system32\14.exe
  418. C:\WINDOWS\system32\cmd.exe
  419. /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\75.tmp.bat
  420. ->禁止执行的系统程序->*\cmd.exe


  423. 2008-06-06 16:26:47         
  424. C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe
  425. C:\WINDOWS\system32\cmd.exe
  426. /c ping "t" > c:\net.txt
  427. ->禁止执行的系统程序->*\cmd.exe

复制代码

[ 本帖最后由 dbpe 于 2008-6-6 16:30 编辑 ]

Temp.rar

41.2 KB, 下载次数: 37

生产物

C.part01.rar

500 KB, 下载次数: 54

C.part02.rar

223.74 KB, 下载次数: 50
回复

举报

HC303
发表于 2008-6-6 16:29:33 | 显示全部楼层
红伞KILL掉。
When accessing data from the URL, "http://www.feifei110.cn/ms.exe"
a virus or unwanted program 'TR/Killav.TY.1' [trojan] was found.
Action taken: Ignored
回复

举报

HC303
发表于 2008-6-6 16:31:14 | 显示全部楼层
产物干掉2个。
Begin scan in 'C:\Documents and Settings\桌面\Temp'
C:\Documents and Settings\桌\Temp\Temp\SETUP.EXE
      [DETECTION] Is the Trojan horse TR/Downloader.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\桌面\Temp\Temp\~f70.tmp
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
回复

举报

aaad2008
发表于 2008-6-6 16:31:16 | 显示全部楼层
avast!都杀
回复

举报

woai_jolin
发表于 2008-6-6 16:32:06 | 显示全部楼层
2008-6-6 16:32:57        内核        文件 'G:\v\ms.exe' 已发送到 ESET 进行分析。
回复

举报

woai_jolin
发表于 2008-6-6 16:33:38 | 显示全部楼层
2008-6-6 16:33:46        HTTP 过滤器        文件        http://www.mm027.cn/p30.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:45        HTTP 过滤器        文件        http://www.mm027.cn/p29.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:44        HTTP 过滤器        文件        http://www.mm027.cn/p28.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:44        HTTP 过滤器        文件        http://www.mm027.cn/p27.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:43        HTTP 过滤器        文件        http://www.mm027.cn/p26.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:42        HTTP 过滤器        文件        http://www.mm027.cn/p25.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:41        HTTP 过滤器        文件        http://www.mm027.cn/p24.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:40        HTTP 过滤器        文件        http://www.mm027.cn/p22.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:39        HTTP 过滤器        文件        http://www.mm027.cn/p20.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:38        HTTP 过滤器        文件        http://www.mm027.cn/p19.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:38        HTTP 过滤器        文件        http://www.mm027.cn/p18.exe        Win32/PSW.OnLineGames.OAF 特洛伊木马        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:37        HTTP 过滤器        文件        http://www.mm027.cn/p16.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:36        HTTP 过滤器        文件        http://www.mm027.cn/p14.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:35        HTTP 过滤器        文件        http://www.mm027.cn/p13.exe        Win32/PSW.OnLineGames.OAF 特洛伊木马        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:34        HTTP 过滤器        文件        http://www.mm027.cn/p11.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:34        HTTP 过滤器        文件        http://www.mm027.cn/p10.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:32        HTTP 过滤器        文件        http://www.mm027.cn/p6.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:31        HTTP 过滤器        文件        http://www.mm027.cn/p5.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:30        HTTP 过滤器        文件        http://www.mm027.cn/p4.exe        可能是 Win32/Genetik 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:30        HTTP 过滤器        文件        http://www.mm027.cn/p3.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:29        HTTP 过滤器        文件        http://www.mm027.cn/p2.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:28        HTTP 过滤器        文件        http://www.mm027.cn/p1.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
2008-6-6 16:33:27        HTTP 过滤器        文件        http://www.mm027.cn/p1.exe        可能是 Win32/PSW.OnLineGames.NML 特洛伊木马 的变种        连接中断 - 已隔离        10C3F72C72244B2\Administrator        通过应用程序访问 web 时检测到威胁: C:\Sandbox\Administrator\DefaultBox\user\all\「开始」菜单\程序\启动\explorer.exe.
产物all kill
回复

举报

HC303
发表于 2008-6-6 16:33:44 | 显示全部楼层
其余的上报:
25038463  71.tmp.bat  89 Byte  UNDER ANALYSIS
25038464  72.tmp.bat  89 Byte  UNDER ANALYSIS
25038465  73.tmp.bat  89 Byte  UNDER ANALYSIS
25038466  74.tmp.bat  91 Byte  UNDER ANALYSIS
25038467  75.tmp.bat  91 Byte  UNDER ANALYSIS
25038468  76.tmp.bat  91 Byte  UNDER ANALYSIS
25038469  ~DFD1553243.bat  189 Byte  UNDER ANALYSIS
25038470  ~DFD1554355.bat  189 Byte  UNDER ANALYSIS
25038471  ~DFD1590907.bat  191 Byte  UNDER ANALYSIS
4039214  71.tmp  0 Byte  KNOWN CLEAN
4039214  72.tmp  0 Byte  KNOWN CLEAN
4039214  73.tmp  0 Byte  KNOWN CLEAN
4039214  74.tmp  0 Byte  KNOWN CLEAN
4039214  75.tmp  0 Byte  KNOWN CLEAN
4039214  76.tmp  0 Byte  KNOWN CLEAN
回复

举报

HC303
发表于 2008-6-6 16:35:54 | 显示全部楼层
C的那些
egin scan in 'C:\Documents and Settings\\桌面\a\C'
C:\Documents and Settings\\桌面\a\C\NTDUBECT.EXE
      [DETECTION] Is the Trojan horse TR/Killav.TY.1
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\0.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\1.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\10.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\11.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.alhf
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\12.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\13.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\14.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\15.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\16.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.Nilage.cnj
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\17.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\18.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\19.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\2.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\20.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\3.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\4.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\5.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\6.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.Nilage.crs
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\7.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\8.exe
    --> Object
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.amvv
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\9.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\apzhbtde.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\cedafb.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6d6.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\hfrdzx.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48baf6d8.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\hhrdxd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\jfrwdh.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '49333a61.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\lpzhatde.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mfdesy.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6d9.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapgj.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6dc.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapms.dll
      [DETECTION] Is the Trojan horse TR/PSW.Nilage.crs
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapqn3.dll
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.alhf
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimaptl.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48acf6dd.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapwl.dll
      [DETECTION] Is the Trojan horse TR/PSW.Nilage.cnj
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\midimapzx.dll
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.amvv
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mndhddwd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\mnmhgsrv.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\pldhadwd.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\wfrdvq.dll
      [DETECTION] Contains suspicious code HEUR/Malware
      [NOTE]      The fund was classified as suspicious.
      [NOTE]      The file was moved to '48baf6db.qua'!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\wklsdd.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\ypdjfbmp.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\yxcschlp.dll
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\\桌面\a\C\WINDOWS\system32\zsdjabmp.exe
      [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
回复

举报

HC303
发表于 2008-6-6 16:36:47 | 显示全部楼层
C余下的。
25037317  gpzhatde.sys  520 Byte  DAMAGED FILE (UNKNOWN)
25038473  gsdhadwd.sys  520 Byte  UNDER ANALYSIS
25038474  hhrdxd.dll.LoG  36 Byte  UNDER ANALYSIS
25038475  midimapgj.dat  288 Byte  UNDER ANALYSIS
25038476  midimapms.dat  288 Byte  UNDER ANALYSIS
25038477  midimapqn3.dat  288 Byte  UNDER ANALYSIS
25038478  midimaptl.dat  288 Byte  UNDER ANALYSIS
25038479  midimapwl.dat  288 Byte  UNDER ANALYSIS
25038480  midimapzx.dat  288 Byte  UNDER ANALYSIS
25037320  smmhbsrv.sys  520 Byte  DAMAGED FILE (UNKNOWN)
25038481  WIN.INI  1.21 KB  UNDER ANALYSIS
25038482  xfztbmsn.sys  520 Byte  UNDER ANALYSIS
25038483  xsdjbbmp.sys  520 Byte  UNDER ANALYSIS
25038484  xzcsbhlp.sys  520 Byte  UNDER ANALYSIS
25038485  _uninsep.bat  180 Byte  UNDER ANALYSIS
4039214  tf0  0 Byte  KNOWN CLEAN
C里面启发的:
25038489 cedafb.dll 220.5 KB UNDER ANALYSIS
25038490 hfrdzx.dll 210 KB UNDER ANALYSIS
25038491 jfrwdh.dll 217 KB UNDER ANALYSIS
25038492 mfdesy.dll 227.5 KB UNDER ANALYSIS
25038493 midimapgj.dll 23.78 KB UNDER ANALYSIS
25038494 midimaptl.dll 20.78 KB UNDER ANALYSIS
25038495 wfrdvq.dll 227.5 KB UNDER ANALYSIS


[ 本帖最后由 HC303 于 2008-6-6 16:39 编辑 ]
回复

举报

下一页 »
12下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-15 07:45 , Processed in 0.142712 second(s), 20 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表