Views: 5670 | Replies: 10

[Discussion] Trojan-Downloader.BAT.Ftp.ab: Kaspersky alerts on it, and after deleting it, it reappears at some point

水手的水 (user deleted)
Posted on 2007-3-29 17:53:45
Trojan-Downloader.BAT.Ftp.ab
How do I remove it completely?
wangjay1980
Posted on 2007-3-29 19:35:33
Post a scan report.
水手的水 (user deleted)
OP | Posted on 2007-3-29 19:44:17
I have searched about this virus; even formatting does not remove it.

HijackThis_815汉化版扫描日志 V1.99.1
保存于      19:44:34, 日期 2007-3-29
操作系统:  Windows 2000 SP4 (WinNT 5.00.2195)
浏览器:    Internet Explorer v6.00 SP1 (6.00.2800.1106)
当前运行的进程:         
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINNT\system32\Internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\EditPlus 2\editplus.exe
F:\HijackThis1991汉化版\HijackThis1991zww.exe
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\Jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - IE工具栏增项: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - IE工具栏增项: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - IE工具栏增项: CyberArticle Express - {769A6A36-ED24-4376-BC7C-80225BF35698} - C:\Program Files\CyberArticle\CAExp.dll
O4 - 启动项HKLM\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - 启动项HKLM\\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [Internat.exe] Internat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 保存: 完整网页... - c:\program files\cyberarticle\script\save.htm
O9 - 浏览器额外的按钮: Web反病毒保护 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - 浏览器额外的“工具”菜单项: Web反病毒保护 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - 浏览器额外的按钮: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - 浏览器额外的“工具”菜单项: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172965334268
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559.com.cn/personbank/ocx/safe.cab
O18 - 列举现有的协议: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - 列举现有的协议: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - NT 服务: 卡巴斯基互联网安全套装 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - NT 服务: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
wangjay1980
Posted on 2007-3-29 20:20:52
Scan with SRE.
水手的水 (user deleted)
OP | Posted on 2007-3-29 20:48:17

A chance to test the technical calibre of the Kaspersky forum: help me deal with this trojan, Trojan-Downloader.BAT.Ftp.ab

Trojan-Downloader.BAT.Ftp.ab

This trojan has been pestering me for several days and I have not found a fix. Kaspersky can detect and delete it, but it reappears a few days later. I have tried scanning in Safe Mode and have used Kaspersky, 木马杀客, 木马克星 and AVG 7.5; none of them removes it for good. Even after formatting the system drive it is still there. I read many related articles through the major search engines and found no definitive solution; the situations of others who got hit are much the same. I have compiled the infection reports found online below for the experts to review, in the hope that the Kafan forum can pool its efforts to solve this problem.

1. Description from a user on the Dalian IT forum:
The virus trojan-downloader.bat.ftp.ab. This virus is very peculiar: it uses Windows' CMD, emulating DOS, to download the virus from a specific location on a specific website, and the process that loads cmd is the lsass system process, running in the background, so I have tried many kinds of antivirus software and none of them can do anything about it. Moreover, it attacks lsass over the network and cannot be defended against directly. At present Kaspersky can only kill the trojan backdoor file after it has been downloaded; the thing itself is hard to detect.
       Antivirus software already tried: Kaspersky, Norton, McAfee.
       Dedicated trojan removal tools already tried: 木马杀客, 木马克星, SpyBotDestroyer, Ewido.
       System information tools already tried: HijackThis, 超级兔子魔法设置, Windows优化大师, ProcessXpNt, IceSword.
       Of these, Kaspersky, Norton, McAfee, 木马杀客 and Ewido all found the downloaded trojan, but not one of them found the original backdoor.
       Incidentally, nobody online has yet given a standard removal method for this virus. There is no unusual information in the registry. The original lsass.exe file has not been modified. Also, the virus does not download the payload every time the machine boots and goes online; it seems to be related to the number of boots.

2. Description from a Baidu Tieba user
Formatting and repartitioning cannot kill this virus, scanning under DOS does not work either, let alone Safe Mode. I have been working with Kaspersky's engineers for a week; we have used every method people suggested and nothing works. This trojan is very advanced.

3. Description from a user on 赢政天下
My computer is infected with the Trojan-Downloader.BAT.Ftp.ab trojan. A licensed Rising 2006 with the latest virus database cannot kill it, and Kaspersky with the latest database cannot kill it either; after a reboot it is still on the computer. I have reinstalled the system N times, from 2000 to XP, to no avail; I wiped the whole hard disk, repartitioned and reinstalled, and it still did not help. I simply do not understand where the virus hides. Spy Emergency 2005c.2.0.320 cannot find it. Since it is a trojan, I also ran dedicated trojan removal tools.

I have tried many methods myself as well, and still no luck. I do not know where the root of this virus is; every time, Kaspersky reports that it found:
已删除: 木马程序 Trojan-Downloader.BAT.Ftp.ab 文件: C:\WINNT\system32\tt

I hope the real experts of the Kafan forum will step in and kill this harmful trojan.
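The Dalian IT forum report quoted above says the downloader is a cmd.exe started in the background by the lsass.exe system process. The check below, added here as an example (not code from this thread or from any vendor), walks a process snapshot and flags every process that has lsass.exe or csrss.exe among its ancestors; on Windows 2000 those two processes have no legitimate children. The snapshot, the PIDs and the cmd.exe/ftp.exe entries are constructed.

```python
"""Flag processes running under a parent that should never spawn children.

Added example for this thread, not code from the forum or from any vendor.
The snapshot below is constructed: PIDs and the cmd.exe/ftp.exe entries are
made up to mirror the "cmd loaded by lsass" behaviour described in the thread.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Assumption: on a Windows 2000 workstation these core processes never
# legitimately create child processes, so any descendant is suspicious.
NO_CHILDREN = {"lsass.exe", "csrss.exe"}

SNAPSHOT = [
    Proc(168, 4, r"C:\WINNT\System32\smss.exe"),
    Proc(196, 168, r"C:\WINNT\system32\csrss.exe"),
    Proc(192, 168, r"C:\WINNT\system32\winlogon.exe"),
    Proc(244, 192, r"C:\WINNT\system32\services.exe"),
    Proc(256, 192, r"C:\WINNT\system32\lsass.exe"),
    Proc(448, 244, r"C:\WINNT\system32\svchost.exe"),
    Proc(972, 0, r"C:\WINNT\Explorer.EXE"),             # parent (userinit) already exited
    Proc(1084, 972, r"C:\WINNT\system32\Internat.exe"),
    Proc(1300, 256, r"C:\WINNT\system32\cmd.exe"),      # constructed: cmd under lsass
    Proc(1312, 1300, r"C:\WINNT\system32\ftp.exe"),     # constructed: child of that cmd
]

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(by_pid, pid):
    """Image basenames from the process up to its oldest ancestor still running."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at a missing parent or a cycle
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def find_suspicious(snapshot, no_children=NO_CHILDREN):
    """Return (pid, image, chain) for every process with a forbidden ancestor."""
    by_pid = {p.pid: p for p in snapshot}
    hits = []
    for p in snapshot:
        chain = ancestry(by_pid, p.pid)
        if any(a in no_children for a in chain[1:]):
            hits.append((p.pid, chain[0], " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    for pid, image, chain in find_suspicious(SNAPSHOT):
        print("PID %d %s: %s" % (pid, image, chain))
```

The same function can be fed a live snapshot (PID, parent PID, image path) from any process lister; grandchildren such as the ftp.exe under that cmd.exe are reported too, since the whole ancestry is inspected.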

wangjay1980
Posted on 2007-3-29 22:16:41
Post a scan report, from SRE.
ALEXBLAIR
Posted on 2007-3-29 22:39:42
News from around the web:

1. This malware drops a copy in the System Volume Information folder of the system drive; turn off System Restore to clear that file.
Related link: http://bbs.btbbt.com/thread-837585-1-1.html

Below is the original text from Kaspersky's official Russian site (in essence: turn off System Restore, then scan):
== Original ==
Windows XP:
Start > Programs > Accessories > Windows Explorer.
Right-click "My Computer" and choose "Properties".
On the "System Restore" tab, tick "Turn off System Restore on all drives".
Click "Apply". A message appears warning that all restore points will be deleted. Confirm by clicking "OK".
stevenji2000
Posted on 2007-3-29 22:48:28
Turn off System Restore.
Locate the virus file, check its creation time, and find the guardian virus body created at the same time; for files that cannot be deleted, use IceSword and Unlocker.
Install a firewall.

If possible, upload a sample so we can take a look.
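The advice above (take the creation time of the detected file and look for a companion dropped at the same moment) is a timestamp correlation. The helper below, added here as an example and not code from this thread or from SRE/IceSword, does that correlation over a (path, creation time) listing; the listing is constructed and the companion file name is a placeholder, not an identifier from the thread.

```python
"""Find files created within a short window of a known-bad file.

Added example for this thread; not code from the forum or from any tool it
names. The directory listing below is constructed, and the companion file
name is a placeholder rather than an identifier taken from the thread.
"""
import os
from datetime import datetime

REFERENCE = r"C:\WINNT\system32\tt"   # the file Kaspersky keeps deleting (from the thread)
T0 = datetime(2007, 3, 29, 7, 31, 40).timestamp()

# Constructed (path, creation_timestamp) listing of a system32 directory.
LISTING = [
    (r"C:\WINNT\system32\kernel32.dll", T0 - 400 * 86400),
    (r"C:\WINNT\system32\klogon.dll", T0 - 30 * 86400),          # AV component, old
    (REFERENCE, T0),
    (r"C:\WINNT\system32\PLACEHOLDER_companion.dll", T0 + 2),   # constructed companion
    (r"C:\WINNT\system32\wuweb.dll", T0 + 6 * 3600),
]

def created_near(listing, reference, window_seconds=60):
    """Paths (other than the reference) created within window_seconds of it,
    nearest first."""
    times = dict(listing)
    if reference not in times:
        raise KeyError("reference file not in listing: %s" % reference)
    ref_t = times[reference]
    hits = [(abs(t - ref_t), p) for p, t in listing
            if p != reference and abs(t - ref_t) <= window_seconds]
    return [p for _, p in sorted(hits)]

def creation_time(path):
    """Best-effort creation time: st_birthtime where the OS exposes it,
    otherwise st_ctime (creation time on Windows, inode change time on Unix)."""
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)

def scan_directory(root):
    """Build a (path, creation_time) listing for every file under root,
    suitable as input to created_near()."""
    return [(os.path.join(d, f), creation_time(os.path.join(d, f)))
            for d, _, files in os.walk(root) for f in files]

if __name__ == "__main__":
    for p in created_near(LISTING, REFERENCE):
        print(p)
```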
水手的水 (user deleted)
OP | Posted on 2007-3-30 07:40:51
My operating system is Win2000, which has no System Restore. This virus can be deleted, but it comes back after a reboot. Below is my SRE log.

2007-03-30,07:37:02
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Internat.exe><Internat.exe>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
    <kis><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe">  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll>  [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
    <WinlogonNotify: klogon><C:\WINNT\system32\klogon.dll>  [Kaspersky Lab]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><(无)>  [N/A]
==================================
启动文件夹
N/A
==================================
服务
[卡巴斯基互联网安全套装 6.0 / AVP][Running/Auto Start]
  <"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r><Kaspersky Lab>
[Diskeeper / Diskeeper][Stopped/Manual Start]
  <"C:\Program Files\Executive Software\Diskeeper\DkService.exe"><Executive Software International, Inc.>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Messenger / Messenger][Stopped/Boot Start]
  <\SystemRoot\C:\WINNT\system32\services.exe><N/A>
[MSSQLSERVER / MSSQLSERVER][Stopped/Manual Start]
  <C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe><Microsoft Corporation>
[MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Manual Start]
  <C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
[NVIDIA Driver Helper Service / NVSvc][Stopped/Manual Start]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[SQLSERVERAGENT / SQLSERVERAGENT][Stopped/Manual Start]
  <C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe -i MSSQLSERVER><Microsoft Corporation>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>
==================================
驱动程序
[Service for Avance AC'97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Avance Logic, Inc.>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[IdeBusDr / IdeBusDr][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\IdeBusDr.sys><Intel Corporation>
[Intel(R) Ultra ATA Controller / IdeChnDr][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\IdeChnDr.sys><Intel Corporation>
[kl1 / kl1][Running/Boot Start]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
  <\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\qq2007\npkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nv4 / nv4][Stopped/Manual Start]
  <system32\DRIVERS\nv4.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc][Stopped/Manual Start]
  <system32\drivers\pfc.sys><Padus, Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[TSP / TSP][Stopped/Manual Start]
  <\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
[Virtual CD-ROM Device Driver / vcdrom][Running/System Start]
  <\??\F:\虚拟光驱\VCdRom.sys><Microsoft Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
浏览器加载项
[IeCatch5 Class]
  {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\Jccatch.dll, FlashGet>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Web反病毒保护]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, Kaspersky Lab>
[Sothink SWF Catcher]
  {E19ADC6E-3909-43E4-9A89-B7B676377EE3} <, N/A>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[CyberArticle Express]
  {769A6A36-ED24-4376-BC7C-80225BF35698} <C:\Program Files\CyberArticle\CAExp.dll, Wizissoft>
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINNT\system32\CMBEdit.dll, >
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINNT\system32\wuweb.dll, Microsoft Corporation>
[Submit Class]
  {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} <C:\WINNT\Downloaded Program Files\safein.dll, Beijing eChannels Century Technology Co.,Ltd>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[Sothink SWF Catcher]
  <C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm, N/A>
[使用网际快车下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[保存: 完整网页...]
  <c:\program files\cyberarticle\script\save.htm, N/A>
==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 196][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6997]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\WINNT\system32\klogon.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 244][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.7035]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
[PID: 256][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.7011]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 448][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 516][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINNT\system32\unimdm.tsp]  [Microsoft Corporation, 5.00.2195.6601]
    [C:\WINNT\system32\kmddsp.tsp]  [Microsoft Corporation, 5.00.2150.1]
    [C:\WINNT\system32\ndptsp.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\system32\ipconf.tsp]  [Microsoft Corporation, 5.00.2143.1]
    [C:\WINNT\system32\h323.tsp]  [Microsoft Corporation, 5.00.2195.6901]
[PID: 544][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6972]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 564][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
[PID: 600][C:\WINNT\system32\inetsrv\inetinfo.exe]  [Microsoft Corporation, 5.00.0984]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 972][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\WINNT\AppPatch\AcLayers.DLL]  [Microsoft Corporation, 5.00.2195.6717]
    [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
    [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
    [C:\Program Files\CyberArticle\CAExp.dll]  [Wizissoft, 1.0.0.1]
    [C:\Program Files\CyberArticle\CyberArticleAPI.DLL]  [Wizissoft, 4.3.2005.819]
    [C:\Program Files\CyberArticle\HTMLParser.DLL]  [N/A, ]
    [c:\program files\google\googletoolbar1.dll]  [Google Inc., 4, 0, 1601, 4978]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\FlashGet\Jccatch.dll]  [FlashGet, 1, 1, 5, 0]
    [C:\WINNT\system32\msadp32.acm]  [Microsoft Corporation, 5.00.2134.1]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scr_ch_pg.dll]  [Kaspersky Lab, 1.0.6.299]
    [C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8972.0]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\klscav.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
    [c:\program files\kaspersky lab\kaspersky internet security 6.0\params.ppl]  [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky internet security 6.0\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky internet security 6.0\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINNT\system32\msdmo.dll]  [, ]
    [C:\Program Files\Real Alternative\RealMediaSplitter.ax]  [Gabest, 1, 0, 1, 1]
    [c:\program files\kaspersky lab\kaspersky internet security 6.0\nfio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [c:\program files\kaspersky lab\kaspersky internet security 6.0\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINNT\system32\SOGOUPY.IME]  [Sohu.com Inc., 2, 0, 0, 1]
    [C:\WINNT\system32\dllMergeDict.dll]  [N/A, ]
    [C:\Program Files\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\UltraISO\isoshell.dll]  [EZB Systems, Inc., 1, 0, 0, 1]
    [C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll]  [GlobalSCAPE Texas, LP., 50, 6, 3, 2]
    [C:\Program Files\7-Zip\7-zip.dll]  [N/A, ]
[PID: 1084][C:\WINNT\system32\Internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
[PID: 1228][F:\sre\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
N/A
==================================
API HOOK
RVA  错误: LoadLibraryA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xBEA72B25)
RVA  错误: LoadLibraryExA (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xBEA72D67)
RVA  错误: LoadLibraryExW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xBEA72F0B)
RVA  错误: LoadLibraryW (危险等级: 一般,  被下面模块所HOOK: Dest Addr: 0xBEA72C49)
RVA  错误: GetProcAddress (危险等级: 高,  被下面模块所HOOK: Dest Addr: 0xBEA72E8F)
==================================
隐藏进程
N/A
==================================

水手的水 (user deleted)
OP | Posted on 2007-3-30 09:59:08
I scan c:/winnt/system32 with Kaspersky every day and it always turns something up.

I have now packaged the virus file:

tt.zip

170 Bytes, downloads: 89
