Processes:
PID ParentPID User Path
--------------------------------------------------
464 1296 MSEOSJD88JED:Administrator C:\Documents and Settings\Administrator\桌面\系统漏洞维护小工具\系统漏洞维护小工具\系统漏洞维护小工具\sysupdate.exe
356 464 MSEOSJD88JED:Administrator C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe
Ports:
Port PID Type Path
--------------------------------------------------
Explorer Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
IE Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
Loaded Drivers:
Driver File Company Name Description
--------------------------------------------------
Monitored RegKeys
Registry Key Value
--------------------------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce wextract_cleanup0=rundll32.exe C:\windows\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"
Kernel31 Api Log
--------------------------------------------------
***** Installing Hooks *****
71a270df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71a27cc4 RegOpenKeyExA (Protocol_Catalog9)
71a2737e RegOpenKeyExA (0000010C)
71a2724d RegOpenKeyExA (Catalog_Entries)
71a278ea RegOpenKeyExA (000000000001)
71a278ea RegOpenKeyExA (000000000002)
71a278ea RegOpenKeyExA (000000000003)
71a278ea RegOpenKeyExA (000000000004)
71a278ea RegOpenKeyExA (000000000005)
71a278ea RegOpenKeyExA (000000000006)
71a278ea RegOpenKeyExA (000000000007)
71a278ea RegOpenKeyExA (000000000008)
71a278ea RegOpenKeyExA (000000000009)
71a278ea RegOpenKeyExA (000000000010)
71a278ea RegOpenKeyExA (000000000011)
71a278ea RegOpenKeyExA (000000000012)
71a278ea RegOpenKeyExA (000000000013)
71a22623 WaitForSingleObject(7a0,0)
71a283c6 RegOpenKeyExA (NameSpace_Catalog5)
71a2737e RegOpenKeyExA (00000004)
71a27f5b RegOpenKeyExA (Catalog_Entries)
71a280ef RegOpenKeyExA (000000000001)
71a280ef RegOpenKeyExA (000000000002)
71a280ef RegOpenKeyExA (000000000003)
71a22623 WaitForSingleObject(798,0)
71a11afa RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
71a11996 GlobalAlloc()
7c80b689 ExitThread()
100649a GetCurrentProcessId()=464
10063ef GetCommandLineA()
10048c9 GetVersionExA()
1004533 CreateFileA(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP)
1006294 LoadLibraryA(C:\windows\system32\advapi32.dll)=77da0000
759d4e03 GlobalAlloc()
77e7fb8e RegOpenKeyExA (HKLM\Software\Microsoft\Rpc)
746826aa GetVersionExA()
746830a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\sysupdate.exe)
746830a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)
7468245b CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)
7468245b CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)
7468245b CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)
7468245b CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)
7468245b CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)
746830a7 RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)
7468260a RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)
74684683 GetCurrentProcessId()=464
7468245b CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1060284298-1214440339-682003330-500MUTEX.DefaultS-1-5-21-1060284298-1214440339-682003330-500)
7469d232 WaitForSingleObject(740,1388)
746b556a GetCurrentProcessId()=464
7c816513 WaitForSingleObject(738,64)
73658f33 GetVersionExA()
73665225 GetVersionExA()
7365d4f4 LoadLibraryA(C:\windows\system32\ole32.dll)=76990000
7c810655 CreateRemoteThread(h=ffffffff, start=5d1903e1)
7c810655 CreateRemoteThread(h=ffffffff, start=1005190)
7469d232 WaitForSingleObject(74c,1388)
5d190420 WaitForSingleObject(72c,1004)
1003285 GlobalAlloc()
7469d232 WaitForSingleObject(758,1388)
10041aa CreateFileA(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe)
10030b0 WriteFile(h=70c)
73fbae76 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback)
10041aa CreateFileA(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe)
10030b0 WriteFile(h=708)
746830a7 RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\CTF\LangBarAddIn\)
746830a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\LangBarAddIn\)
7468245b CreateMutex(MSCTF.Shared.MUTEX.ADF)
7469d232 WaitForSingleObject(704,1388)
5d1908ad WaitForSingleObject(730,ffffffff)
1001f03 RegOpenKeyExA (HKLM\System\CurrentControlSet\Control\Session Manager)
1001b18 RegCreateKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce,(null))
751d309d GetCurrentProcessId()=464
751cc24e RegOpenKeyExA (HKLM\Software\Microsoft\Advanced INF Setup)
1001bc4 LoadLibraryA(C:\windows\system32\advpack.dll)=751c0000
1001ccf RegSetValueExA (wextract_cleanup0)
1004d01 CreateProcessA((null),C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe,0,(null))
7c819154 LoadLibraryA(advapi32.dll)=77da0000
10001e25 LoadLibraryA(psapi.dll)=76bc0000
10001e66 GetCurrentProcessId()=464
76bc183b ReadProcessMemory(h=72c)
76bc185a ReadProcessMemory(h=72c)
76bc1878 ReadProcessMemory(h=72c)
76bc17bb ReadProcessMemory(h=72c)
***** Injecting C:\iDEFENSE\SysAnalyzer\api_log.dll into new process
***** OpenProcess Handle=72c
***** Remote Allocation base: 150000
***** WriteProcessMemory=1 BufLen=23 BytesWritten:23
***** LoadLibraryA=7c801d77
***** CreateRemoteThread=730
1004d13 WaitForSingleObject(724,ffffffff)
71a22623 WaitForSingleObject(6c,0)
71a22623 WaitForSingleObject(74,0)
413708 LoadLibraryA(ADVAPI32.dll)=77da0000
413708 LoadLibraryA(COMCTL32.dll)=77180000
413708 LoadLibraryA(MFC42.DLL)=73d30000
413708 LoadLibraryA(MSVCRT.dll)=77be0000
413708 LoadLibraryA(NETAPI32.dll)=5fdd0000
413708 LoadLibraryA(ole32.dll)=76990000
413708 LoadLibraryA(OLEAUT32.dll)=770f0000
413708 LoadLibraryA(SHELL32.dll)=7d590000
413708 LoadLibraryA(USER32.dll)=77d10000
73d3d01b LoadLibraryA(COMCTL32.DLL)=77180000
73dc812f LoadLibraryA(COMCTL32.dll)=77180000
74684683 GetCurrentProcessId()=356
7469d232 WaitForSingleObject(90,1388)
746b556a GetCurrentProcessId()=356
7c816513 WaitForSingleObject(98,64)
5addef89 GetCurrentProcessId()=356
77183f9f LoadLibraryA(UxTheme.dll)=5adc0000
77183f9f LoadLibraryA(IMM32.dll)=76300000
771bc5bd GlobalAlloc()
771bc5fe GlobalAlloc()
77f48b26 RegOpenKeyExA (HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
77f48d24 RegOpenKeyExA (HKLM\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
7719a491 GetCurrentProcessId()=356
5fdd8d9a LoadLibraryA(SAMLIB.dll)=71b70000
402629 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
402629 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
402629 RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system)
73dbead2 GetVersionExA()
7469d232 WaitForSingleObject(84,1388)
7469d232 WaitForSingleObject(68,1388)
7469d232 WaitForSingleObject(cc,1388)
77c09d45 ExitProcess()
74681d36 GetCurrentProcessId()=356
74682056 GetCurrentProcessId()=356
***** Injected Process Terminated *****
7d5f6a01 GetCurrentProcessId()=356
1004d01 CreateProcessA((null),C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe,0,(null))
76d74cd7 LoadLibraryA(VERSION.dll)=77bd0000
76bc183b ReadProcessMemory(h=6f4)
76bc185a ReadProcessMemory(h=6f4)
76bc1878 ReadProcessMemory(h=6f4)
76bc17bb ReadProcessMemory(h=6f4)
***** OpenProcess Handle=6f4
***** Remote Allocation base: 140000
***** CreateRemoteThread=724
1004d13 WaitForSingleObject(708,ffffffff)
71a22623 WaitForSingleObject(98,0)
71a22623 WaitForSingleObject(a0,0)
4c72e3 LoadLibraryA(KERNEL32.DLL)=7c800000
4c72e3 LoadLibraryA(USER32.DLL)=77d10000
4c72e3 LoadLibraryA(ADVAPI32.DLL)=77da0000
4c72e3 LoadLibraryA(OLEAUT32.DLL)=770f0000
4c72e3 LoadLibraryA(MPR.DLL)=71a90000
4c72e3 LoadLibraryA(VERSION.DLL)=77bd0000
4c72e3 LoadLibraryA(GDI32.DLL)=77ef0000
4c72e3 LoadLibraryA(COMCTL32.DLL)=5d170000
4c72e3 LoadLibraryA(SHELL32.DLL)=7d590000
4c72e3 LoadLibraryA(WININET.DLL)=76680000
4c72e3 LoadLibraryA(WSOCK32.DLL)=71a40000
4c72e3 LoadLibraryA(WINMM.DLL)=76b10000
4c72e3 LoadLibraryA(AVICAP32.DLL)=73af0000
4c72e3 LoadLibraryA(MSACM32.DLL)=77bb0000
4c72e3 LoadLibraryA(WS2_32.DLL)=71a20000
406a28 GetCommandLineA()
40603b RegOpenKeyExA (HKCU\Software\Borland\Locales)
406059 RegOpenKeyExA (HKLM\Software\Borland\Locales)
406077 RegOpenKeyExA (HKCU\Software\Borland\Delphi\Locales)
40d333 GetVersionExA()
44313a GetCurrentProcessId()=1464
442d83 LoadLibraryA(imm32.dll)=76300000
746830a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\svchost.exe)
74684683 GetCurrentProcessId()=1464
7469d232 WaitForSingleObject(c8,1388)
746b556a GetCurrentProcessId()=1464
7c816513 WaitForSingleObject(d0,64)
45514b RegOpenKeyExA (HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0040804)
458f9d GetVersionExA()
472677 LoadLibraryA(ntdll.dll)=7c920000
4749e9 GetVersionExA()
49f7d3 GetVersionExA()
406df7 CreateMutex(Hacker.com.cn_MUTEX)
4033e8 CreateFileA(C:\windows\bootstat.dat)
403055 ReadFile()
4033e8 CreateFileA(C:\windows\cmaudio.dat)
4033e8 CreateFileA(C:\windows\cmijack.dat)
4a1fd1 Copy(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe->C:\windows\servicesc.exe)
7c828823 ReadFile()
7c82885c WriteFile(h=fc)
77db5f5e WaitForSingleObject(fc,2bf20)
77db5f5e WaitForSingleObject(100,2bf20)
77db5f5e WaitForSingleObject(104,2bf20)
4588b9 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp)
4589fe RegDeleteValueA (NoRealMode)
402e31 CreateFileA(C:\windows\uninstal.bat)
402d5c WriteFile(h=104)
4a1660 CreateProcessA((null),C:\windows\uninstal.bat,0,(null))
10001e66 GetCurrentProcessId()=1464
76bc183b ReadProcessMemory(h=104)
76bc185a ReadProcessMemory(h=104)
76bc1878 ReadProcessMemory(h=104)
76bc17bb ReadProcessMemory(h=104)
***** OpenProcess Handle=104
***** CreateRemoteThread=108
4a20e7 ExitProcess()
74681d36 GetCurrentProcessId()=1464
74682056 GetCurrentProcessId()=1464
7d5f6a01 GetCurrentProcessId()=1464
1001a85 RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce)
1001a97 RegDeleteValueA (wextract_cleanup0)
1006456 ExitProcess()
74681d36 GetCurrentProcessId()=464
74682056 GetCurrentProcessId()=464
71a22623 WaitForSingleObject(7c,0)
4ad085a4 ReadFile()
DirwatchData
--------------------------------------------------
WatchDir Initilized OK
Watching C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Watching C:\windows
Watching C:\Program Files
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe
Modifed: C:\windows\Prefetch\SYSANALYZER.EXE-25AE12E4.pf
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETB2CB.tmp
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETB.tmp
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETB.tmp
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JETB2CB.tmp
Created: C:\windows\servicesc.exe
Modifed: C:\windows\servicesc.exe
Modifed: C:\windows\system32\config\system.LOG
Modifed: C:\windows\system32\wbem\Logs\wbemess.log
Created: C:\windows\uninstal.bat
Modifed: C:\windows\uninstal.bat
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\svchost.exe
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\sysupdate.exe
Deteled: C:\windows\uninstal.bat
Modifed: C:\windows\Prefetch\CMD.EXE-087B4001.pf
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBC5.tmp
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBC5.tmp
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF10AE.tmp
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF10AE.tmp
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBC95.tmp
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBC95.tmp