Thread starter: tonger2003

[Virus sample] Kaspersky 7 misses it
zxkf
Posted 2007-5-27 17:02:32
This one keeps going after Kaspersky and has been updated yet again; the author does have some skill. But for all its shape-shifting, while it gets past Kaspersky's on-access scanning, it still can't get past Kaspersky's Proactive Defense.

shjywxz
Posted 2007-5-27 17:30:41
Norton can't kill it, really damn weak.
Micropoint killed it.

[This post was last edited by shjywxz on 2007-5-27 17:45]
jlennon
Posted 2007-5-27 18:38:00
Processes:
PID        ParentPID        User        Path       
--------------------------------------------------
1180        1764        MSEOSJD88JED:Administrator        C:\Documents and Settings\Administrator\桌面\6762\6762.exe       

Ports:
Port        PID        Type        Path       
--------------------------------------------------

Explorer Dlls:
DLL Path        Company Name        File Description       
--------------------------------------------------
No changes Found                       

IE Dlls:
DLL Path        Company Name        File Description       
--------------------------------------------------
No changes Found                       

Loaded Drivers:
Driver File        Company Name        Description       
--------------------------------------------------

Monitored RegKeys
Registry Key        Value       
--------------------------------------------------

Kernel31 Api Log
       
--------------------------------------------------
***** Installing Hooks *****       
71a270df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)       
71a27cc4     RegOpenKeyExA (Protocol_Catalog9)       
71a2737e     RegOpenKeyExA (000000F3)       
71a2724d     RegOpenKeyExA (Catalog_Entries)       
71a278ea     RegOpenKeyExA (000000000001)       
71a278ea     RegOpenKeyExA (000000000002)       
71a278ea     RegOpenKeyExA (000000000003)       
71a278ea     RegOpenKeyExA (000000000004)       
71a278ea     RegOpenKeyExA (000000000005)       
71a278ea     RegOpenKeyExA (000000000006)       
71a278ea     RegOpenKeyExA (000000000007)       
71a278ea     RegOpenKeyExA (000000000008)       
71a278ea     RegOpenKeyExA (000000000009)       
71a278ea     RegOpenKeyExA (000000000010)       
71a278ea     RegOpenKeyExA (000000000011)       
71a278ea     RegOpenKeyExA (000000000012)       
71a278ea     RegOpenKeyExA (000000000013)       
71a22623     WaitForSingleObject(798,0)       
71a283c6     RegOpenKeyExA (NameSpace_Catalog5)       
71a2737e     RegOpenKeyExA (00000004)       
71a27f5b     RegOpenKeyExA (Catalog_Entries)       
71a280ef     RegOpenKeyExA (000000000001)       
71a280ef     RegOpenKeyExA (000000000002)       
71a280ef     RegOpenKeyExA (000000000003)       
71a22623     WaitForSingleObject(790,0)       
71a11afa     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)       
71a11996     GlobalAlloc()       
40e338     LoadLibraryA(KERNEL32.DLL)=7c800000       
7c80b689     ExitThread()       
40e338     LoadLibraryA(advapi32.dll)=77da0000       
40e338     LoadLibraryA(gdi32.dll)=77ef0000       
40e338     LoadLibraryA(shlwapi.dll)=77f40000       
40e338     LoadLibraryA(user32.dll)=77d10000       
402064     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)       
4025d0     RegOpenKeyExA (HKLM\SOFTWARE\KasperskyLab\AVP6\environment\)       
402190     CreateFileA(C:\Documents and Settings\Administrator\桌面\6762\6762.exe)       
4021b7     ReadFile()       
402203     ReadFile()       
402ad5     Copy(C:\Documents and Settings\Administrator\桌面\6762\6762.exe->C:\Program Files\Internet Explorer\romdrivers.bak)       
7c8283f4     WriteFile(h=79c)       
401fba     CreateFileA(C:\Program Files\Internet Explorer\romdrivers.dll)       
401fe0     WriteFile(h=79c)       
402000     WriteFile(h=79c)       
15c800     LoadLibraryA(KERNEL32.DLL)=7c800000       
15c800     LoadLibraryA(advapi32.dll)=77da0000       
15c800     LoadLibraryA(gdi32.dll)=77ef0000       
15c800     LoadLibraryA(oleaut32.dll)=770f0000       
15c800     LoadLibraryA(shlwapi.dll)=77f40000       
15c800     LoadLibraryA(user32.dll)=77d10000       
15c800     LoadLibraryA(wininet.dll)=76680000       
152f2d     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))       
152f38     RegDeleteValueA ({09B68AD9-FF66-3E63-636B-B693E62F6236})       
152f38     RegDeleteValueA ({754FB7D8-B8FE-4810-B363-A788CD060F1F})       
152f38     RegDeleteValueA ({A6011F8F-A7F8-49AA-9ADA-49127D43138F})       
152f38     RegDeleteValueA ({06A68AD9-FF56-6E73-937B-B893E72F6226})       
152f38     RegDeleteValueA ({AEB6717E-7E19-11d0-97EE-00C04FD91972})       
152f38     RegDeleteValueA ({99F1D023-7CEB-4586-80F7-BB1A98DB7602})       
152f38     RegDeleteValueA ({FEB94F5A-69F3-4645-8C2B-9E71D270AF2E})       
152f38     RegDeleteValueA ({923509F1-45CB-4EC0-BDE0-1DED35B8FD60})       
152f38     RegDeleteValueA ({42A612A4-4334-4424-4234-42261A31A236})       
152f38     RegDeleteValueA ({DE35052A-9E37-4827-A1EC-79BF400D27A4})       
152f38     RegDeleteValueA ({DD7D4640-4464-48C0-82FD-21338366D2D2})       
152f38     RegDeleteValueA ({B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5})       
152f38     RegDeleteValueA ({131AB311-16F1-F13B-1E43-11A24B51AFD1})       
152f38     RegDeleteValueA ({274B93C2-A6DF-485F-8576-AB0653134A76})       
152f38     RegDeleteValueA ({1496D5ED-7A09-46D0-8C92-B8E71A4304DF})       
152f38     RegDeleteValueA ({01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6})       
152f38     RegDeleteValueA ({06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8})       
152f38     RegDeleteValueA ({BC0ACA58-6A6F-51DA-9EFE-9D20F4F621BA})       
152fd8     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)       
402bc3     LoadLibraryA(C:\Program Files\Internet Explorer\romdrivers.dll)=150000       
746826aa     GetVersionExA()       
746830a7     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\6762.exe)       
746830a7     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)       
76bc183b     ReadProcessMemory(h=ffffffff)       
76bc185a     ReadProcessMemory(h=ffffffff)       
76bc1878     ReadProcessMemory(h=ffffffff)       
76bc211f     ReadProcessMemory(h=ffffffff)       
7468245b     CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
746830a7     RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)       
7468260a     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)       
74684683     GetCurrentProcessId()=1180       
7468245b     CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1060284298-1214440339-682003330-500MUTEX.DefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7469d232     WaitForSingleObject(774,1388)       
746b556a     GetCurrentProcessId()=1180       
7c816513     WaitForSingleObject(76c,64)       
73658f33     GetVersionExA()       
73665225     GetVersionExA()       
7365d4f4     LoadLibraryA(C:\windows\system32\ole32.dll)=76990000       
7c859c4a     GlobalAlloc()       
7c859cf9     CreateMutex(DBWinMutex)       
7c859e2f     WaitForSingleObject(760,ffffffff)       

DirwatchData
       
--------------------------------------------------
WatchDir Initilized OK       
Watching C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp       
Watching C:\windows       
Watching C:\Program Files       
Created: C:\Program Files\Internet Explorer       
Created: C:\Program Files\Internet Explorer\romdrivers.bak       
Modifed: C:\Program Files\Internet Explorer\romdrivers.bak       
Created: C:\Program Files\Internet Explorer\romdrivers.dll       
Modifed: C:\Program Files\Internet Explorer\romdrivers.dll       
Created: C:\windows\system32\drivers       
Created: C:\windows\system32\drivers\etc       
Created: C:\windows\system32\drivers\etc\hosts       
Modifed: C:\windows\system32\drivers\etc\hosts       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETEBD3.tmp       
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETEBD3.tmp       
Modifed: C:\windows\system32       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFCEB0.tmp       
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFCEB0.tmp       
Modifed: C:\windows\Debug\UserMode\userenv.log       
Modifed: C:\windows\Debug       
Modifed: C:\windows\Debug\UserMode       
Modifed: C:\Program Files\Internet Explorer       
Modifed: C:\windows\system32\drivers       
Modifed: C:\windows\system32\drivers\etc       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFF1BD.tmp       
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFF1BD.tmp       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF5126.tmp       
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF5126.tmp
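Added example, not part of the post and not the sandbox tool's own code: a small Python triage script that walks a log in the format posted above and pulls out the behaviours that matter here. From the API log it picks out the Copy() of the sample to romdrivers.bak (flagged as a self-copy because the source equals the image path in the Processes table), the dropped romdrivers.dll that the process then loads itself, the RegDeleteValueA calls issued while ShellExecuteHooks is the current registry key, and from DirwatchData the write to the hosts file. The embedded input is an excerpt of that log; the finding names, the SYSTEM_DIRS list and the `triage` function are this example's own assumptions.

```python
"""Triage helper for a SysAnalyzer-style API log.

Added example, not code from the post or from the sandbox tool.  It reads the
"Kernel31 Api Log" and "DirwatchData" sections and reports:
  * self_copy                  - Copy() whose source is the sample's own image
  * dropped_and_loaded         - a path the process created and later loaded as a DLL
  * dll_loaded_outside_system  - LoadLibraryA of a full path outside the system dirs
  * shellexecutehook_deleted   - RegDeleteValueA issued while ShellExecuteHooks is the
                                 current key (tracked from the preceding Reg*Key call)
  * hosts_file                 - DirwatchData entries touching drivers\etc\hosts
SYSTEM_DIRS, HOOK_KEY_SUFFIX and the finding names are assumptions of this example.
"""
import re
from collections import defaultdict

# Excerpt of the log posted above (constructed subset, same line format).
SAMPLE_LOG = r"""
Kernel31 Api Log
--------------------------------------------------
402190     CreateFileA(C:\Documents and Settings\Administrator\桌面\6762\6762.exe)
402ad5     Copy(C:\Documents and Settings\Administrator\桌面\6762\6762.exe->C:\Program Files\Internet Explorer\romdrivers.bak)
401fba     CreateFileA(C:\Program Files\Internet Explorer\romdrivers.dll)
152f2d     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))
152f38     RegDeleteValueA ({AEB6717E-7E19-11d0-97EE-00C04FD91972})
152f38     RegDeleteValueA ({BC0ACA58-6A6F-51DA-9EFE-9D20F4F621BA})
152fd8     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)
402bc3     LoadLibraryA(C:\Program Files\Internet Explorer\romdrivers.dll)=150000
7365d4f4     LoadLibraryA(C:\windows\system32\ole32.dll)=76990000

DirwatchData
--------------------------------------------------
Created: C:\Program Files\Internet Explorer\romdrivers.dll
Modifed: C:\windows\system32\drivers\etc\hosts
"""

# Image path taken from the "Processes" table of the same log.
SAMPLE_IMAGE = r"C:\Documents and Settings\Administrator\桌面\6762\6762.exe"

# "<addr>  <Api>(<args>)[=<retval>]"; the Reg* lines have a space before "(".
API_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\w+)\s*\((.*)\)(?:=([0-9a-fA-F]+))?\s*$")
# DirwatchData lines; "Modifed" is the tool's own spelling.
DIRWATCH_RE = re.compile(r"^\s*(Created|Modifed|Modified|Deleted):\s*(.+?)\s*$")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HOOK_KEY_SUFFIX = "\\explorer\\shellexecutehooks"
HOSTS_SUFFIX = "\\drivers\\etc\\hosts"


def triage(log_text, image_path):
    """Return {finding_name: [evidence, ...]} for one sandbox log."""
    findings = defaultdict(list)
    created = set()          # lower-cased paths handed to CreateFileA
    current_key = None       # last key passed to RegOpenKeyExA / RegCreateKeyExA
    for line in log_text.splitlines():
        m = API_RE.match(line)
        if m:
            _addr, api, args, _ret = m.groups()
            if api in ("RegOpenKeyExA", "RegCreateKeyExA"):
                current_key = args.split(",")[0]
            elif api == "RegDeleteValueA":
                if current_key and current_key.lower().endswith(HOOK_KEY_SUFFIX):
                    findings["shellexecutehook_deleted"].append(args)
            elif api == "CreateFileA":
                created.add(args.lower())
            elif api == "Copy" and "->" in args:
                src, dst = args.split("->", 1)
                if src.lower() == image_path.lower():
                    findings["self_copy"].append(dst)
            elif api == "LoadLibraryA" and "\\" in args:
                if args.lower() in created:
                    findings["dropped_and_loaded"].append(args)
                if not args.lower().startswith(SYSTEM_DIRS):
                    findings["dll_loaded_outside_system"].append(args)
            continue
        m = DIRWATCH_RE.match(line)
        if m and m.group(2).lower().endswith(HOSTS_SUFFIX):
            findings["hosts_file"].append((m.group(1), m.group(2)))
    return dict(findings)


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_LOG, SAMPLE_IMAGE).items():
        print(name)
        for item in evidence:
            print("   ", item)
```

The ShellExecuteHooks deletions deserve the most attention: values under that key are COM hooks the shell calls on every ShellExecute, and {AEB6717E-7E19-11d0-97EE-00C04FD91972} is the shell32 URL exec hook present on a clean Windows XP install, so removing it is a reliable marker on its own even though the page does not identify the other GUIDs.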
seamonkey
Posted 2007-5-27 19:09:18
deleted: virus Virus.Win32.Delf.bw        File: D:\virus\6762.rar/6762.exe//UPX
fanrubin
Posted 2007-5-27 19:16:50
Kaspersky 7 can kill it now.
欠妳緈諨
Posted 2007-5-27 19:19:07
Originally posted by l784588 on 2007-5-27 16:20:
avast flagged it, as a trojan.

kns8028
Posted 2007-5-27 19:49:42
FS

Virus.Win32.Delf.bw (virus)
C:\Documents and Settings\ming\ddt\6762.rar\6762.exe
陈阳
Posted 2007-5-27 21:54:55
bd 10 misses it
鼻耳盖子
Posted 2007-5-28 17:12:37

Micropoint reports unknown spyware

\PROGRAM FILES\INTERNET EXPLORER\ROMDRIVERS.DLL I:\TEST\070527\34\6762\6762.EXE
:\PROGRAM FILES\INTERNET EXPLORER\ROMDRIVERS.BAK I:\TEST\070527\34\6762\6762.EXE

worker321
Posted 2007-5-29 00:54:16
NOD reports:

Scanned disks, folders and files: C:\Documents and Settings\Administrator\桌面\6762.rar
C:\Documents and Settings\Administrator\桌面\6762.rar >>RAR >>6762.exe - probably a variant of the Win32/PSW.Delf.NHI trojan
Number of files scanned: 1
Number of viruses found: 1
卡饭论坛 | Copyright © KaFan KaFan.cn All Rights Reserved.