求助!怀疑新病毒或木马

显示全部楼层 · 发表于 2009-9-22 10:27:07

局域网内多台PC出现经常死机现象,全部PC都安装了瑞星网络版,病毒库最新(别飞砖头过来,为什么用瑞星不是我能作的主,哈哈).
开机瑞星监测到一可疑进程"winrsc.exe",拒绝执行,进系统一会就会死机或重启.
中毒的机器,在机器上生成了几个文件:system32\sysdrv32.sys;system\winrsc.exe; 和一大堆??.scr文件(??为数字).插U盘到中毒
的PC,U盘上会生成一个"win.com"的文件.
中毒的机器会以穷举的形式向局域网内的其他机器445端口发送数据.
本贴附件为中毒机器上获取的文件,及瑞星的日志.
麻烦各位高手们帮忙看看.

显示全部楼层 · 发表于 2009-9-22 10:33:03

NIS杀掉~~~
报的是Trojan Horse 和Downloader

显示全部楼层 · 发表于 2009-9-22 10:40:20

瑞星2010
Trojan.Win32.Nodef.foi

显示全部楼层 · 发表于 2009-9-22 10:51:47

小a杀掉，终止连接

显示全部楼层 · 发表于 2009-9-22 11:23:06

Avira AntiVir
病毒资料.rar
[0] Archive type: RAR
--> ﾲﾡﾶﾾￗￊ￁ￏ\SYSDRV32.RAR
   [1] Archive type: RAR
   --> sysdrv32.sys
      [DETECTION] Is the TR/Hacktool.Tcpz.A Trojan
--> ﾲﾡﾶﾾￗￊ￁ￏ\SYSTEM32_scr.rar
   [1] Archive type: RAR
   --> 14.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 18.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 22.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 27.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 41.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 47.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 56.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 58.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 60.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 62.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 63.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 66.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 72.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 73.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 74.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 77.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 80.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 82.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 84.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 05.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 11.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> 12.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
--> ﾲﾡﾶﾾￗￊ￁ￏ\WINRSC.RAR
   [1] Archive type: RAR
   --> winrsc.exe
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
[NOTE]    A backup was created as '4ad8cbdd.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!

显示全部楼层 · 发表于 2009-9-22 13:04:41

Multi Command-Line Scanner 扫描报告
-------------------------------------------------------------------------
E:\Sample\sysdrv32.sys
MD5 Hash: 0E219B74E2C68A34CA09D8FE114F6D11

A-squared ----- Worm.Win32.AutoRun!IK
Avast ----- Win32:Tcpz [Tool]
AntiVir V8 ----- TR/Hacktool.Tcpz.A
BitDefender ----- 无
Dr.Web V5 ----- 无
Eset V4 ----- Win32/TCPZ.A application
Jiangmin ----- Worm/AutoRun.fxy
Kaspersky ----- Worm.Win32.AutoRun.ftp
Kingsoft ----- Win32.Troj.agent.11656
Microsoft ----- HackTool:WinNT/Tcpz.A
Rising ----- Trojan.Win32.Nodef.foi

*** 11个引擎中9个检测到病毒 ***
-------------------------------------------------------------------------
E:\Sample\winrsc.exe
MD5 Hash: 0D9D766F1738B6986C0EA69A0E905FC4

A-squared ----- Worm.Win32.Pushbot!IK
Avast ----- Win32:Rootkit-gen [Rtk]
AntiVir V8 ----- TR/Dldr.Pher.QA
BitDefender ----- Backdoor.Bot.106342
Dr.Web V5 ----- Trojan.DownLoad.46043
Eset V4 ----- 无
Jiangmin ----- TrojanDownloader.Pher.d
Kaspersky ----- Trojan-Downloader.Win32.Pher.qa
Kingsoft ----- Win32.Troj.Injector.XV.35840
Microsoft ----- VirTool:Win32/Injector.gen!AD
Rising ----- 无

*** 11个引擎中9个检测到病毒 ***
-------------------------------------------------------------------------

任务完成于 2009-09-22 星期二 13:17:29.68
注意: 扫描结果可能与GUI版本不同

[ 本帖最后由 will 于 2009-9-22 13:19 编辑 ]

显示全部楼层 · 发表于 2009-9-22 13:51:43

Trojan horse C:\Documents and Settings\Administrator\桌面

显示全部楼层 · 发表于 2009-9-22 15:32:49

瑞星 Trojan.Win32.Nodef.foi

显示全部楼层 · 发表于 2009-9-22 15:38:22

Start of the scan: 2009年9月22日  15:37

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\病毒资料.rar'
C:\Documents and Settings\Administrator\桌面\病毒资料.rar
[0] Archive type: RAR
   --> ﾲﾡﾶﾾￗￊ￁ￏ\SYSDRV32.RAR
      [1] Archive type: RAR
      --> sysdrv32.sys
      [DETECTION] Is the TR/Hacktool.Tcpz.A Trojan
   --> ﾲﾡﾶﾾￗￊ￁ￏ\SYSTEM32_scr.rar
      [1] Archive type: RAR
      --> 14.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 18.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 22.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 27.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 41.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 47.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 56.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 58.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 60.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 62.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 63.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 66.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 72.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 73.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 74.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 77.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 80.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 82.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 84.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 05.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 11.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
      --> 12.scr
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
   --> ﾲﾡﾶﾾￗￊ￁ￏ\WINRSC.RAR
      [1] Archive type: RAR
      --> winrsc.exe
      [DETECTION] Is the TR/Dldr.Pher.QA Trojan
[WARNING] The file was ignored!

显示全部楼层 · 发表于 2009-9-22 15:39:05

幹...剛剛上面哪個誰誰誰...說貝殼殺毒如何如何猛的..毛都沒找到一根..暈...

[病毒样本] 求助!怀疑新病毒或木马

本帖子中包含更多资源