Views: 1912 | Replies: 6

[Virus Sample] Experts, come in!

okokqsj
Posted on 2007-3-19 15:20:51
2007-03-19,14:13:28

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)]
    <KVMON><F:\JiangMin\AntiVirus\KVMonXP.kxp>  [Jiangmin Co.Ltd]
    <PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)]
    <PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)]
    <UIHost><logonui.exe>  [(Verified)]

==================================
启动文件夹
N/A

==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[KVSrvXP / KVSrvXP][Running/Auto Start]
  <F:\JiangMin\AntiVirus\kvsrvxp.exe /Service><Jiangmin Co., Ltd.>
[KVWSC / KVWSC][Running/Auto Start]
  <"F:\JiangMin\AntiVirus\KVWSC.exe"><Jiangmin Co.,Ltd>

==================================
驱动程序
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[bootdrv / bootdrv][Stopped/Boot Start]
  <\SystemRoot\System32\Drivers\bootdrv.sys><N/A>
[BsDeamon / BsDeamon][Running/System Start]
  <\??\F:\JiangMin\ANTIVI~1\BsDeamon.sys><Jiangmin Co.,Ltd.>
[GMSIPCI / GMSIPCI][Stopped/Manual Start]
  <\??\G:\INSTALL\GMSIPCI.SYS><N/A>
[HdFw_slot / HdFw_slot][Running/Manual Start]
  <\??\F:\JiangMin\KVFW\HdFw.sys><Jiangmin Co., Ltd.>
[KAnalyser / KAnalyser][Stopped/System Start]
  <\??\F:\JiangMin\ANTIVI~1\KANALY~1.SYS><Jiangmin Co.,Ltd.>
[KPGuard / KPGuard][Running/System Start]
  <\??\F:\JiangMin\AntiVirus\KPGuard.sys><Jiangmin Co., Ltd.>
[KRegEx / KRegEx][Running/System Start]
  <\??\F:\JiangMin\ANTIVI~1\KRegEx.sys><Jiangmin Co. Ltd.>
[Jiangmin Antivirus Software / KSysCall][Running/System Start]
  <\??\F:\JiangMin\common\KSysCall.sys><Jiangmin Co.,  Ltd.>
[KSysMon / KSysMon][Running/System Start]
  <\??\F:\JiangMin\ANTIVI~1\KSysMon.sys><Jiangmin Co. Ltd.>
[KVDP / KVDP][Running/Manual Start]
  <\??\F:\JiangMin\AntiVirus\KVDP.sys><Jiangmin Co., Ltd.>
[KvMemon / KvMemon][Stopped/Manual Start]
  <\??\D:\KV2006\KvMemon.sys><N/A>
[KVRedir / KVRedir][Running/System Start]
  <\??\F:\JiangMin\AntiVirus\KVREDIR.SYS><Jiangmin Co., Ltd.>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\drivers\npf.sys><CACE Technologies>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[PProtect / PProtect][Stopped/System Start]
  <\??\D:\KV2006\PProtect.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>

==================================
浏览器加载项
[BrowseHelper Class]
  {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} <F:\JiangMin\AntiVirus\KVshell.dll, Jiangmin Co.Ltd>
[江民杀毒工具栏]
  {B5A34A93-D538-43A7-8371-864CB6148D12} <F:\JiangMin\AntiVirus\KVshell.dll, Jiangmin Co.Ltd>
[Rising Web Scan Object]
  {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINDOWS\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[BrowseHelper Class]
  {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} <F:\JiangMin\AntiVirus\KVshell.dll, Jiangmin Co.Ltd>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\Flash.ocx, Macromedia, Inc.>
[&使用迅雷下载]
  <D:\迅雷\Program\geturl.htm, N/A>
[&使用迅雷下载全部链接]
  <D:\迅雷\Program\getallurl.htm, N/A>

==================================
正在运行的进程
[PID: 444][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 512][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 536][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 580][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 592][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 752][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1404][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [F:\JiangMin\AntiVirus\KVshell.dll]  [Jiangmin Co.Ltd, 1, 0, 7, 312]
    [C:\WINDOWS\system32\HiveBase.dll]  [Jiangmin Co., Ltd., 1, 0, 7, 226]
    [F:\JiangMin\AntiVirus\lang\kvxp0804.lng]  [N/A, ]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
[PID: 1504][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 356][C:\WINDOWS\system32\DllHost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [F:\JiangMin\common\ComUI.dll]  [Jiangmin Co,.Ltd, 1, 0, 7, 112]
    [F:\JiangMin\common\ComUIPS.dll]  [Jiangmin Co.Ltd, 1.0.0.808]
    [C:\WINDOWS\system32\HiveBase.dll]  [Jiangmin Co., Ltd., 1, 0, 7, 226]
    [F:\JiangMin\common\GUIEXT.DLL]  [Jiangmin Co.Ltd, 1, 0, 6, 1201]
    [F:\JiangMin\common\lang\guiext0804.lng]  [JiangMin Ltd., 7, 1, 0, 200]
[PID: 1636][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [F:\JiangMin\AntiVirus\KVshell.dll]  [Jiangmin Co.Ltd, 1, 0, 7, 312]
    [C:\WINDOWS\system32\HiveBase.dll]  [Jiangmin Co., Ltd., 1, 0, 7, 226]
    [F:\JiangMin\AntiVirus\lang\kvxp0804.lng]  [N/A, ]
    [C:\WINDOWS\system32\macromed\flash\Flash.ocx]  [Macromedia, Inc., 7,0,19,0]
[PID: 3848][C:\Documents and Settings\Administrator\My Documents\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT  Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. [C:\WINDOWS\hh.exe %1]
.HLP  Error. [C:\WINDOWS\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.INF  Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
N/A

==================================
API HOOK
N/A

==================================
隐藏进程
    [1481] F:\JiangMin\AntiVirus\KVMonXP.kxp
    [1797] F:\JiangMin\AntiVirus\kvsrvxp.exe

==================================

I scanned the computer with Kaspersky 6.0 and Jiangmin 2007 and neither found anything! But every time after I restart the computer, or right after booting, when I open IE and click any URL at all, it first goes to http://d.qbbd.com/0.exe and then immediately goes on to the site I actually wanted! The antivirus then detects the virus trojan/psw.gamepass.cnl! The system also pops up a box saying Windows cannot find svchost.vbs! With 360 I found one "3721 assistant"! After a restart it is the same all over again! I'm begging an expert to help me fix this! Teach me what to do! Thanks in advance! I've used every antivirus I should have! I've been at it for 2 days and it's still not fixed! Does anyone actually know how to deal with this virus? If you do, teach me! Explain it in detail! I even reinstalled the system and repartitioned, and it didn't help! Could an expert please give some pointers! If you don't know, don't come pretending you do! I'm sick of people like that!
chenzheyun
Posted on 2007-3-19 16:34:47
http://d.qbbd.com/0.exe


http://www.54699.com/0.exe
Viking (Worm.Win32.Viking)


AntiVir         Found TR/Crypt.NSPM.Gen
ArcaVir         Found Trojan.Psw.Magania.Jm
Avast         Found Win32:Tibs-ADO
AVG Antivirus         Found Worm/Delf.BFG
BitDefender         Found Win32.Worm.Viking.LC
ClamAV         Found nothing
Dr.Web         Found Win32.HLLW.Gavir.54
F-Prot Antivirus         Found W32/Viking.CY
F-Secure Anti-Virus         Found Worm.Win32.Viking.ja
Fortinet         Found PossibleThreat
Kaspersky Anti-Virus         Found Worm.Win32.Viking.ja
NOD32         Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control         Found nothing
Panda Antivirus         Found W32/Viking.RH.drp
VirusBuster         Found Packed/NSPM
VBA32         Found MalwareScope.Worm.Viking.3

[ Last edited by chenzheyun on 2007-3-19 16:47 ]
chenzheyun
Posted on 2007-3-19 16:35:45
Run a dedicated Viking removal tool first, then we'll see.
坐在墙头
Posted on 2007-3-19 16:49:52
Has the OP checked which program is connecting to http://d.qbbd.com/0.exe?
chenzheyun
Posted on 2007-3-19 16:53:18
This virus.......... formatting the disk won't help.

[ Last edited by chenzheyun on 2007-3-19 16:55 ]
gggh
Posted on 2007-3-19 16:55:41
Kaspersky killed it.
鼻耳盖子
Posted on 2007-3-20 11:47:28

Micropoint flags it directly as a known threat.
