可疑文件2只。

显示全部楼层 · 发表于 2008-9-3 21:32:28

IE最近老弹广告，在卡巴的程序规则里发现两个可疑文件。

不过卡巴没报，红伞扫描也Miss

[ 本帖最后由 loveyuwei 于 2008-9-3 21:33 编辑 ]

显示全部楼层 · 发表于 2008-9-3 21:35:23

金山 -

显示全部楼层 · 发表于 2008-9-3 21:39:00

kis2009第二个报了

显示全部楼层 · 发表于 2008-9-3 21:40:47

显示全部楼层 · 发表于 2008-9-3 21:41:47

C:\_TEMP.EXE
协议类型:TCP
本地地址:0.0.0.0
本地端口:3934
远端地址:219.148.34.7(河北·石家庄)
远端端口:80

发现未知木马，是否删除？
程序:
C:\_TEMP.EXE
木马程序生成以下文件:
1) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WV6OCVW8\ZZZ[1].EXE
2) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\FVQ36.TMP
3) C:\WINDOWS\SYSTEM32\FBH0.DLL
4) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OARTPZ75\P1[1].DLL
5) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\THR37.TMP
6) C:\WINDOWS\DOWNLOADED PROGRAM FILES\E1CAC.DLL
7) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WV6OCVW8\MINIDLL[1].DLL
8) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\KQC3B.TMP
9) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\CML3C.TMP
10) C:\WINDOWS\DOWNLOADED PROGRAM FILES\E1CB.DLL
11) C:\WINDOWS\SYSTEM32\3BFD.EXE
12) C:\WINDOWS\DBDE.BMP
13) C:\WINDOWS\EBC5.EXE
14) C:\WINDOWS\5BB9.TXT
是否删除木马程序及其衍生物?

显示全部楼层 · 发表于 2008-9-3 21:43:28

第一个里面的ad文件夹里面的1.EXE可疑。

里面的index.html指向的是标题栏为pt的广告页面。

显示全部楼层 · 发表于 2008-9-3 21:44:46

Suspicious Files and Miscellaneous Uploads

Thank you for your submission. Below you can see the current status of the uploaded files.

We received the following archive files:
File ID    Filename Size (Byte) Result
25127220    _temp.rar 6.67 KB OK

A listing of files contained inside archives alongside their results can be found below:
File ID    Filename Size (Byte) Result
25127146    _temp.exe    24 KB    MALWARE

Please find a detailed report concerning each individual sample below:
Filename Result
_temp.exe    MALWARE

The file '_temp.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Dldr.Small.xdf. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection will be added to our virus definition file (VDF) with one of the next updates.
Please note that you will receive an email which will contain the results shown above. In case the final outcome of the analysis is not yet finished for all files the notification will be sent once ready.

Print this pagePrint this page

显示全部楼层 · 发表于 2008-9-3 21:46:33

The file '_temp.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Dldr.Small.xdf. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection will be added to our virus definition file (VDF) with one of the next updates.

显示全部楼层 · 发表于 2008-9-3 21:48:40

都是由它生成的

显示全部楼层 · 发表于 2008-9-3 22:28:27

2008/9/3 22:27:52 已清除木马程序 Trojan-Downloader.Win32.Agent.afcd G:\Temp\Virus\_temp.rar/_temp.exe

[病毒样本] 可疑文件2只。

回复 4楼 wangjay1980 的帖子

Avira

回复 6楼 loveyuwei 的帖子