收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 原创工具区 求助木马程序 Trojan-Downloader.VBS.Small.bo
12345678910... 20下一页
返回列表 发新帖
楼主: hflcat
 收起左侧

求助木马程序 Trojan-Downloader.VBS.Small.bo

[复制链接]
hflcat
 楼主| 发表于 2007-3-16 22:29:54 | 显示全部楼层
删除了

已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.es 文件: C:\WINNT\gz.exe/PE_Patch/UPack

卡巴还是在报警这个信息。。。是否要重启下重新扫个报告?
回复

举报

wangjay1980
发表于 2007-3-16 22:40:00 | 显示全部楼层
好的
回复

举报

hflcat
 楼主| 发表于 2007-3-16 22:41:10 | 显示全部楼层
  1. 2007-03-16,22:42:23
  2. System Repair Engineer 2.4.12.806
  3. Smallfrogs (http://www.KZTechs.com)
  4. Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
  5. 以下内容被选中:
  6.     所有的启动项目(包括注册表、启动文件夹、服务等)
  7.     浏览器加载项
  8.     正在运行的进程(包括进程模块信息)
  9.     文件关联
  10.     Winsock 提供者
  11.     Autorun.inf
  12.     HOSTS 文件

  14. 启动项目
  15. 注册表
  16. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  17.     <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
  18.     <SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
  19.     <ATIPTA><C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe>  [ATI Technologies, Inc.]
  20.     <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
  21.     <StormCodec_Helper><"D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti>  [N/A]
  22.     <kav><"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe">  [Kaspersky Lab]
  23. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  24.     <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
  25.     <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
  26. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
  27.     <WinlogonNotify: klogon><C:\WINNT\system32\klogon.dll>  [Kaspersky Lab]
  28. ==================================
  29. 启动文件夹
  30. [ADSL拨号王]
  31.   <C:\Documents and Settings\y\「开始」菜单\程序\启动\ADSL拨号王.lnk --> C:\PROGRA~1\HelloNet\HelloNet.exe [HelloNet]><N>
  32. ==================================
  33. 服务
  34. [Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  35.   <C:\WINNT\system32\Ati2evxx.exe><ATI Technologies Inc.>
  36. [卡巴斯基反病毒6.0 / AVP][Running/Auto Start]
  37.   <"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
  38. [Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  39.   <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
  40. ==================================
  41. 驱动程序
  42. [Service for WDM 3D Audio Driver / ALCXSENS][Stopped/Manual Start]
  43.   <system32\drivers\ALCXSENS.SYS><Sensaura>
  44. [Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  45.   <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
  46. [ati2mtag / ati2mtag][Running/Manual Start]
  47.   <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
  48. [AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  49.   <\??\d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
  50. [AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  51.   <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
  52. [HelloNet PPPoE 虚拟网卡 / BRPPPOE][Running/Manual Start]
  53.   <system32\DRIVERS\brpppoe.sys><N/A>
  54. [SoundFusion(tm) WDM Driver / cwrwdm][Stopped/Manual Start]
  55.   <system32\DRIVERS\cwrwdm.sys><Cirrus Logic Inc.>
  56. [dmboot / dmboot][Stopped/Disabled]
  57.   <System32\drivers\dmboot.sys><VERITAS Software Corp.>
  58. [Logical Disk Manager Driver / dmio][Running/Boot Start]
  59.   <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
  60. [dmload / dmload][Running/Boot Start]
  61.   <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
  62. [SoundFusion(tm) Joystick / gameenum][Stopped/Manual Start]
  63.   <system32\DRIVERS\gameenum.sys><N/A>
  64. [IdeBusDr / IdeBusDr][Running/Boot Start]
  65.   <\SystemRoot\system32\DRIVERS\IdeBusDr.sys><Intel Corporation>
  66. [Intel(R) Ultra ATA Controller / IdeChnDr][Running/Boot Start]
  67.   <\SystemRoot\system32\DRIVERS\IdeChnDr.sys><Intel Corporation>
  68. [kl1 / kl1][Running/Boot Start]
  69.   <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
  70. [klif / klif][Running/System Start]
  71.   <\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
  72. [npkcrypt / npkcrypt][Running/Auto Start]
  73.   <\??\E:\Program Files\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
  74. [PfModNT / PfModNT][Running/Auto Start]
  75.   <\??\C:\WINNT\system32\PfModNT.sys><Creative Technology Ltd.>
  76. [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  77.   <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
  78. [Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  79.   <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
  80. [Sound Blaster AudioPCI Audio Driver (WDM) / sbpci][Stopped/Manual Start]
  81.   <system32\drivers\sbpci.sys><Creative Technology Ltd.>
  82. [TSP / TSP][Stopped/Manual Start]
  83.   <\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
  84. [World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  85.   <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
  86. ==================================
  87. 浏览器加载项
  88. [NavigatMon Class]
  89.   {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <E:\Program Files\360safe\safemon\safemon.dll, >
  90. [浩方对战平台]
  91.   {0A155D3C-68E2-4215-A47A-E800A446447A} <E:\Program Files\浩方对战平台\GameClient.exe, 上海浩方在线信息技术有限公司>
  92. [Web反病毒保护]
  93.   {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
  94. [QQ]
  95.   {c95fe080-8f5d-11d2-a20b-00aa003c157b} <E:\Program Files\QQ\QQ.EXE, TENCENT>
  96. [FlashGet]
  97.   {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\PROGRA~1\FLASHGET\flashget.exe, Amaze Soft>
  98. [@msdxmLC.dll,-1@2052,电台(&R)]
  99.   {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
  100. [Edit Class]
  101.   {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINNT\system32\CMBEdit.dll, >
  102. [CKAVWebScan Object]
  103.   {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner Pro\kavwebscan.dll, Kaspersky Lab>
  104. [CEditCtrl Object]
  105.   {488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINNT\system32\aliedit\AliEdit.dll, www.alipay.com>
  106. [AxInputControl Class]
  107.   {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} <C:\WINNT\DOWNLO~1\INPUTC~1.DLL, >
  108. [KSHScan Control]
  109.   {ACFE8232-03C5-4AEC-AF5E-42B806724096} <C:\WINNT\system32\kingsoft\ONLINE~1\KSHScan.ocx, kingsoft>
  110. [Shockwave Flash Object]
  111.   {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
  112. [Rising Web Scan Object]
  113.   {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINNT\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
  114. [上传到QQ网络硬盘]
  115.   <E:\Program Files\QQ\AddToNetDisk.htm, N/A>
  116. [使用网际快车下载]
  117.   <C:\Program Files\FlashGet\jc_link.htm, N/A>
  118. [使用网际快车下载全部链接]
  119.   <C:\Program Files\FlashGet\jc_all.htm, N/A>
  120. [添加到QQ自定义面板]
  121.   <E:\Program Files\QQ\AddPanel.htm, N/A>
  122. [添加到QQ表情]
  123.   <E:\Program Files\QQ\AddEmotion.htm, N/A>
  124. [用QQ彩信发送该图片]
  125.   <E:\Program Files\QQ\SendMMS.htm, N/A>
  126. ==================================
  127. 正在运行的进程
  128. [PID: 172][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
  129. [PID: 200][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
  130. [PID: 196][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6997]
  131.     [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
  132.     [C:\WINNT\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4110]
  133.     [C:\WINNT\system32\klogon.dll]  [Kaspersky Lab, 6.0.0.299]
  134. [PID: 248][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.7035]
  135.     [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
  136. [PID: 260][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.7011]
  137. [PID: 368][C:\WINNT\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4110]
  138.     [C:\WINNT\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2495]
  139. [PID: 460][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
  140. [PID: 484][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.7059]
  141. [PID: 536][C:\WINNT\System32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
  142.     [C:\WINNT\System32\unimdm.tsp]  [Microsoft Corporation, 5.00.2195.6601]
  143.     [C:\WINNT\System32\kmddsp.tsp]  [Microsoft Corporation, 5.00.2150.1]
  144.     [C:\WINNT\System32\ndptsp.tsp]  [Microsoft Corporation, 5.00.2143.1]
  145.     [C:\WINNT\System32\ipconf.tsp]  [Microsoft Corporation, 5.00.2143.1]
  146.     [C:\WINNT\System32\h323.tsp]  [Microsoft Corporation, 5.00.2195.6901]
  147. [PID: 576][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6972]
  148. [PID: 680][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
  149. [PID: 696][C:\WINNT\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4110]
  150.     [C:\WINNT\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2495]
  151. [PID: 952][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
  152.     [C:\WINNT\AppPatch\AcLayers.DLL]  [Microsoft Corporation, 5.00.2195.6717]
  153.     [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
  154.     [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
  155.     [E:\Program Files\360safe\safemon\safemon.dll]  [, 3, 2, 0, 1001]
  156.     [C:\Program Files\Microsoft Office\Office10\msohev.dll]  [Microsoft Corporation, 10.0.2609]
  157.     [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
  158. [PID: 1192][C:\WINNT\SOUNDMAN.EXE]  [Realtek Semiconductor Corp., 5.1.0.24]
  159. [PID: 1208][C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe]  [ATI Technologies, Inc., 6.14.10.5134]
  160.     [C:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll]  [ATI Technologies, Inc., 6.14.10.5134]
  161.     [C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.CHS]  [ATI Technologies, Inc., 6.14.10.5134]
  162.     [C:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll]  [ATI Technologies, Inc., 6.14.10.5134]
  163.     [C:\WINNT\system32\DINPUT8.dll]  [Microsoft Corporation, 5.1.2600.881 built by: Lab06_N(mmbuild)         ]
  164. [PID: 1216][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.0.3249]
  165. [PID: 1304][C:\Program Files\HelloNet\HNMainUI.exe]  [, 2, 3, 0, 1]
  166.     [C:\Program Files\HelloNet\HNKernel.dll]  [HelloNet, 2.2.0.1]
  167.     [C:\Program Files\HelloNet\HNUtils.dll]  [, 2, 2, 0, 1]
  168.     [C:\Program Files\HelloNet\HNRes_0804.dll]  [, 2, 2, 0, 1]
  169.     [C:\Program Files\HelloNet\plugins\Diagnose.dll]  [HelloNet, 2.2.0.1]
  170. [PID: 1028][C:\Documents and Settings\y\桌面\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
  171.     [E:\Program Files\360safe\safemon\safemon.dll]  [, 3, 2, 0, 1001]
  172.     [C:\Program Files\Microsoft Office\Office10\msohev.dll]  [Microsoft Corporation, 10.0.2609]
  173.     [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
  174.     [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
  175.     [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scr_ch_pg.dll]  [Kaspersky Lab, 1.0.6.299]
  176.     [C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8972.0]
  177.     [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll]  [Kaspersky Lab, 6.0.0.299]
  178.     [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
  179.     [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
  180.     [D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
  181.     [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl]  [Kaspersky Lab, 6.0.0.299]
  182.     [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
  183.     [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
  184.     [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl]  [Kaspersky Lab, 6.0.0.299]
  185.     [d:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.0.299]
  186. [PID: 316][E:\SRE\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
  187. ==================================
  188. 文件关联
  189. .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  190. .EXE  OK. ["%1" %*]
  191. .COM  OK. ["%1" %*]
  192. .PIF  OK. ["%1" %*]
  193. .REG  OK. [regedit.exe "%1"]
  194. .BAT  OK. ["%1" %*]
  195. .SCR  OK. ["%1" /S]
  196. .CHM  OK. ["C:\WINNT\hh.exe" %1]
  197. .HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
  198. .INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  199. .INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
  200. .VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
  201. .JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
  202. .LNK  OK. [{00021401-0000-0000-C000-000000000046}]
  203. ==================================
  204. Winsock 提供者
  205. N/A
  206. ==================================
  207. Autorun.inf
  208. N/A
  209. ==================================
  210. HOSTS 文件
  211. 127.0.0.1       localhost
  212. ==================================
  213. API HOOK
  214. RVA  错误: LoadLibraryA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xB7AF8B25)
  215. RVA  错误: LoadLibraryExA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xB7AF8D67)
  216. RVA  错误: LoadLibraryExW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xB7AF8F0B)
  217. RVA  错误: LoadLibraryW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xB7AF8C49)
  218. RVA  错误: GetProcAddress (危险等级: 高,  被下面模块所HOOK: Dest Addr: 0xB7AF8E8F)
  219. ==================================
  220. 隐藏进程
  221. N/A
  222. ==================================
复制代码


这是重启后新的扫描报告,另外,卡巴还是在报警
计算机重启后删除: 木马程序 Trojan-PSW.Win32.OnLineGames.es 文件: C:\WINNT\gz.exe/PE_Patch/UPack
感谢斑竹指点,同时能否告之哪里有SRE扫描分析教程,也想学习一下。
回复

举报

wangjay1980
发表于 2007-3-16 23:10:10 | 显示全部楼层
你可以用哪个删除工具删除C:\WINNT\gz.exe/PE_Patch/UPack,另外把桌面的IE删除。
回复

举报

hflcat
 楼主| 发表于 2007-3-16 23:24:08 | 显示全部楼层
C:\WINNT\gz.exe 可以被删除,但是会自动再生成

C:\WINNT\gz.exe/PE_Patch/UPack  目标文件不存在

现在卡巴一直在提示这个

计算机重启后删除: 木马程序 Trojan-PSW.Win32.OnLineGames.es 文件: C:\WINNT\gz.exe/PE_Patch/UPack

另外桌面IE删除了我在哪启动IE呢

[ 本帖最后由 hflcat 于 2007-3-16 23:32 编辑 ]
回复

举报

wangjay1980
发表于 2007-3-16 23:28:42 | 显示全部楼层
没事,可以自己在放个快捷方式
回复

举报

wangjay1980
发表于 2007-3-16 23:31:40 | 显示全部楼层
你有冰刃吗,用冰刃打开C:\WINNT\下看看有没有gz.exe
回复

举报

hflcat
 楼主| 发表于 2007-3-16 23:36:30 | 显示全部楼层
没有这个文件

有gz.exe文件夹,不过是空的。

另外,我只有桌面这个IE可以启动-。- 在哪可以重新设置快界方式?

[ 本帖最后由 hflcat 于 2007-3-16 23:40 编辑 ]
回复

举报

wangjay1980
发表于 2007-3-16 23:45:39 | 显示全部楼层
你去这里看看是不是有两个MSTask.exeC:\WINNT\system32\MSTask.exe。
回复

举报

hflcat
 楼主| 发表于 2007-3-16 23:47:37 | 显示全部楼层
只有一个,另外一个是MSTASK.DLL
回复

举报

下一页 »
12345678910... 20下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-12-22 21:02 , Processed in 0.086702 second(s), 15 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表