[Question] [Report & Questions] about a virus topic
22/08/2008 22:43:38 (+0700) | #1 | 148190
kamikazeq
Member
Joined: 04/07/2006 03:20:53
Messages: 837
Location: Panic Malware Planet
This is the state of the computer of the owner of this topic: /hvaonline/posts/list/24124.html
----------
_ The situation: every 10 seconds BKAV catches something on its own (later found to be 2 random exe files) but cannot delete it (access denied).
_ Right away I saw a fake AntiVirus from SPY. I cleaned all that out immediately.
_ Meanwhile Task Manager was locked both ways (disabled by Admin and killed by name).
_ Regedit, Hidden, Cmd still ran fine.
_ Using ProcessManager I saw 2 .exe files lurking in \System32\ with 2 strange names.
_ http://www.box.net/shared/kgyhlexv3g, the exe files with strange names.
_ After EndTask on those 2, a moment later 2 others appeared with different random names.
_ Using ProcessMonitor I saw C:\Windows\System32\svchost.exe pointing at the path of those 2 processes with a great many random names (it seems to be generating names for those 2 processes). And Google has almost never heard of those random names.
_ And here is the log:
Code:
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ahyyga.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alach.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\anlorb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bqsike.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\btlb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bwuqxj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bylfs.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clef.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crsf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cthxg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cytcui.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dpfaa.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drvw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eblm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\efbij.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ennjvg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fecbj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flmbn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyeykq.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gqvlfm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gtbif.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hgrbcv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhgsd.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hkeg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hwog.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hxuw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\idls.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ikmgw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ioeem.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ityw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iuoltj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ixpi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\krapf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kseci.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ldejy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\leuepp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lpaxn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lsnl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mabxut.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\macelb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\magl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhphw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mkdn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mrten.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mvmppx.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mxosw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ndbv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nrliu.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsby.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ogifq.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ojkq.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ojmbre.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\okyrl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\opmia.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\otikb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pbwxhh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\peubth.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\phoi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ppgr.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qgjr.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qtww.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rbwluo.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rkcvu.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rmsu.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ryeny.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\siwyf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sqqo.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sypsh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\txho.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uacfiv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uvdigc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxpef.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vckas.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vjbid.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wbho.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasfi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasrn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winavff.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbaonrc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbbsukh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbcsn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbinccr.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbkou.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbyesaa.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincecdp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincmjk.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincmpt.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincqpfst.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincqvfnm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincqycsw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincumxql.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windboog.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winddwokg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windofgmd.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windoymmy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windpruck.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windwmcf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winejypb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winenwhe.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfebh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfhku.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfkfcl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfqal.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfrhcn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingdhjyv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingeymtv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winglwfhc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingteumy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingxvgqw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhdgpdm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhdrgrr.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhdssb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhhthp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhkmk.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhxes.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winifnjem.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winiwfrh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixjyqb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjgon.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjwsjln.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkditkx.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkdqmq.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkjouwy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkkmp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winklknw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkmtm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlcxjj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winldovea.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlfkg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlfsxx.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlgtn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winligcy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmhoqd.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmjljr.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmrcf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmritxd.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winneof.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnqdxuk.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnssdf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnwmwgx.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winobkfby.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winoeoeo.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winogdoh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winonqs.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winoujdi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqmnmsb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqmupj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqutmn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqyqp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winreet.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrlndp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsply.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsvmlj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintfsmoj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintggcb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintljele.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintljyt.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintneqf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintorp.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintrel.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winttdbqo.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winttuah.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuapjj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuavmv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winubfh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winudjasc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuifnb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winunlrkl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuocxxy.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuunsm.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvbbyvf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwinl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwodonl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwuvaiw.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwuxnk.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwwmu.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winxgobi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winybak.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyjtmqf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyqanj.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyrco.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyrghku.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wphv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wtijf.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuhevn.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wyrmbv.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xgjfrg.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xiir.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xqevl.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xymc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yfeh.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yfpb.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ytfgpe.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yyykv.exe
_ I sat there KillTask-ing and deleting files for a while, but the situation did not change.
_ At times C:\Windows\System32\Notepad.exe or WinMine.exe or both appeared in Task Manager. They showed up for a while and then vanished. (And the strange thing is that although the 2 processes Notepad and Winmine were in the task list, the applications themselves were nowhere to be seen..?)
_ After using GMER to Kill/Del for a while, I saw the highlighting shown in the picture.
_ A full Gmer scan found one suspicious file, ljlnpn.sys in \System32\drivers\ (this one cannot be seen even with superhidden enabled or with Winrar). Cannot delete it.
_ During the long wait until I could delete that sys file from DOS, I tried installing many antivirus programs such as BIT, AVG, KAS, ... Every one of them got disabled by it.
_ Only Antivir Personal (I had to rename the installer to get it installed) ran, caught 3 files (no idea what role these 3 play) and then died permanently. The virus put it on its "white" list.
_ And here is the log:
C:\WINDOWS\system32\kdlns.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4909749f.qua'!
C:\WINDOWS\system32\wpx77.cpx
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '491574d1.qua'!
C:\WINDOWS\system32\dmserver.dll
[DETECTION] Is the TR/Patched.BU.6 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was moved to '4b7390a7.qua'!
_ What does the pink line mean?
_ And the 2 yellow lines: why could it not delete, and then could delete?
_ After using ProcessManager for a while, closing and reopening it gave an error and it would not open. On checking, the executable had grown in size.
_ ProcessMonitor and RegistryMonitor met the same fate.
_ Only FileMonitor was still fine.
_ http://www.box.net/shared/fa36bpa5n5, the 2 programs whose size it increased.
_ A few days later (before I had had a chance to delete ljlnpn.sys from DOS), I suddenly could delete it from within Windows (really strange).
_ Then nothing special happened, and no progress either.
_ I opened ProcessMonitor again. And this time the log was different.
_ Svchost.exe no longer generates names as before; what is it doing now? At the same time, what is one of the 2 randomly-named exe files doing!? (see log)
Code:
svchost.exe C:\WINDOWS\Prefetch\PROCESS MONITORING.EXE-04BF1700.pf 852 CreateFile NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM
svchost.exe C:\WINDOWS\system32\browser.dll 852 ReadFile SUCCESS Offset: 46,080, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
svchost.exe C:\WINDOWS\system32\config\SOFTWARE.LOG 852 SetEndOfFileInformationFile SUCCESS EndOfFile: 12,288
svchost.exe C:\WINDOWS\system32\config\SOFTWARE.LOG 852 SetEndOfFileInformationFile SUCCESS EndOfFile: 12,288
svchost.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure 852 RegSetValue SUCCESS Type: REG_DWORD, Length: 4, Data: 4
svchost.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 852 RegSetValue SUCCESS Type: REG_DWORD, Length: 4, Data: 23
svchost.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 852 RegSetValue SUCCESS Type: REG_DWORD, Length: 4, Data: 5
svchost.exe HKLM\Software\Policies\Microsoft\Netlogon\Parameters 852 RegOpenKey NAME NOT FOUND Desired Access: Query Value
svchost.exe HKLM\Software\Policies\Microsoft\System\DNSClient 896 RegOpenKey NAME NOT FOUND Desired Access: Query Value
svchost.exe HKLM\Software\Policies\Microsoft\Windows NT\DnsClient 896 RegOpenKey NAME NOT FOUND Desired Access: Read
svchost.exe HKLM\System\CurrentControlSet\Services\DnsCache\Parameters 896 RegOpenKey SUCCESS Desired Access: Read
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters 896 RegCloseKey SUCCESS
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AdapterTimeoutLimit 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AllowUnqualifiedQuery 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AppendToMultiLabelName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DnsTest 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\FilterClusterIp 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCachedSockets 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheSize 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTtl 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastListenLevel 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastSendLevel 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\PrioritizeRecordData 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryAdapterName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryIpMatching 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterAdapterName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterPrimaryName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterReverseLookup 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterWanAdapters 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationEnabled 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationMaxAddressCount 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationRefreshInterval 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationTtl 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenBadTlds 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenUnreachableServers 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ServerPriorityTimeLimit 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateSecurityLevel 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLevelDomainZones 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateZoneExcludeFile 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseDomainNameDevolution 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseEdns 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseHostsFile 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\WaitForNameErrorOnAll 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 852 RegOpenKey SUCCESS Desired Access: Query Value
svchost.exe HKLM\System\CurrentControlSet\Services\Netlogon\Parameters 852 RegCloseKey SUCCESS
svchost.exe HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\ExpectedDialupDelay 852 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind 852 RegQueryValue SUCCESS Type: REG_MULTI_SZ, Length: 226, Data: \Device\{FE27390F-4C1E-4FA7-A6F8-1125B4401526}, \Device\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}, \Device\NdisWanIp
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind 896 RegQueryValue SUCCESS Type: REG_MULTI_SZ, Length: 226, Data: \Device\{FE27390F-4C1E-4FA7-A6F8-1125B4401526}, \Device\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}, \Device\NdisWanIp
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters 896 RegCreateKey SUCCESS Desired Access: Read
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters 896 RegCloseKey SUCCESS
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUnqualifiedQuery 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableAdapterDomainName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableReverseAddressRegistrations 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableWanDynamicUpdate 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain 896 RegQueryValue SUCCESS Type: REG_SZ, Length: 2, Data:
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF} 896 RegOpenKey SUCCESS Desired Access: Read
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\AddressType 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 0
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\DhcpDomain 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\DhcpServer 896 RegQueryValue SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\DisableAdapterDomainName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\Domain 896 RegQueryValue SUCCESS Type: REG_SZ, Length: 2, Data:
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\EnableDHCP 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\IPAutoconfigurationEnabled 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\LeaseObtainedTime 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1218529532
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\LeaseTerminatesTime 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1218533132
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\MaxNumberOfAddressesToRegister 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\NameServer 896 RegQueryValue SUCCESS Type: REG_SZ, Length: 26, Data: 199.2.252.10
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\QueryAdapterName 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\RegisterAdapterName 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 0
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\RegistrationEnabled 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45525DFB-8F71-4F12-92AF-8B0EEFE77CEF}\RegistrationMaxAddressCount 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PrioritizeRecordData 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SearchList 896 RegQueryValue SUCCESS Type: REG_SZ, Length: 2, Data:
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UpdateSecurityLevel 896 RegQueryValue NAME NOT FOUND Length: 144
svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution 896 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1
svchost.exe 716 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
winxtxkw.exe C:\Documents and Settings\Administrator\Local Settings\Temp 1704 CloseFile SUCCESS
winxtxkw.exe C:\Documents and Settings\Administrator\Local Settings\Temp\winxtxkw.exe 1704 QueryDirectory SUCCESS Filter: winxtxkw.exe, 1: winxtxkw.exe
winxtxkw.exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat 1704 QueryStandardInformationFile SUCCESS AllocationSize: 32,768, EndOfFile: 32,768, NumberOfLinks: 1, DeletePending: False, Directory: False
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial 1704 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 0
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline 1704 RegSetValue SUCCESS Type: REG_DWORD, Length: 4, Data: 0
winxtxkw.exe HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA 1704 RegOpenKey NAME NOT FOUND Desired Access: Read
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\195.24.77.223 1704 RegOpenKey NAME NOT FOUND Desired Access: Read
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults 1704 RegCloseKey SUCCESS
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http 1704 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 3
winxtxkw.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass 1704 RegQueryValue SUCCESS Type: REG_DWORD, Length: 4, Data: 1
winxtxkw.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA 1704 RegOpenKey NAME NOT FOUND Desired Access: Read
winxtxkw.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\195.24.77.223 1704 RegOpenKey NAME NOT FOUND Desired Access: Read
_ What is special about this one is that it clings to Task Manager.
_ But after several days of fiddling with the steps above, it let me open it.
_ But every time I boot into Windows I have to run the Task Manager restore file before I can get into Task Manager. And even with the 2 randomly-named exe files in the task list, it does not take over Task Manager!? (really strange)
_ Those Monitor programs and ProcessXP still grow in size after each restore.
_ Using the "Find Handle or DLL" feature of ProcessXP shows the following:
What is the virus process doing with the System processes?
_ I collected the MD5s of the files on the infected machine and compared them with the MD5s on a clean machine, and this is the result:
(Red are files that exist on the clean machine but have a different MD5 from the infected machine; black are files on the infected machine that the clean machine does not have.)
-----------------
Above is everything I have done without managing to take it down.
I invite you all to come and discuss so that I can learn something from this one.
IDM 5.18 http://tinyurl.com/pl2ejj | Quick Remove Malware http://tinyurl.com/lbbm9x - http://tinyurl.com/arna6g
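As an added example (not the poster's own tooling), a small detector over lines in the shape of the first log above: it groups OPEN events per process and flags one that opens many different .exe names under Temp without ever reusing a name, which is the svchost.exe behaviour the post describes. The sample lines are constructed (a few real names from the log plus benign noise).

```python
import re
from collections import defaultdict

# Constructed sample log in the "process:pid OPERATION path" shape of the
# first log in the post: a handful of its real Temp\*.exe names, benign
# opens, a process that legitimately reuses one Temp exe, and a junk line.
SAMPLE_LOG = r"""
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ahyyga.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alach.exe
svchost.exe:884 OPEN C:\WINDOWS\system32\browser.dll
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bylfs.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasfi.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbaonrc.exe
svchost.exe:884 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clef.exe
explorer.exe:1240 OPEN C:\WINDOWS\system32\shell32.dll
notepad.exe:1500 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\notes.txt
setup.exe:2000 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\installer.exe
setup.exe:2000 OPEN C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\installer.exe
this line is not in the expected shape
"""

# "<process>:<pid> <OPERATION> <path>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<proc>[^\s:]+):(?P<pid>\d+)\s+(?P<op>[A-Z]+)\s+(?P<path>.+)$")
# Last path component is an .exe and its parent directory is named Temp
# (matches both the 8.3 LOCALS~1\Temp form and "Local Settings\Temp").
TEMP_EXE_RE = re.compile(r"\\temp\\([^\\]+\.exe)$", re.IGNORECASE)


def parse_line(line):
    """Return {proc, pid, op, path} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def temp_exe_name(path):
    """Lower-cased file name if the path is an .exe directly under a Temp dir."""
    m = TEMP_EXE_RE.search(path)
    return m.group(1).lower() if m else None


def analyze(log_text, min_distinct=5):
    """Map (process, pid) -> sorted distinct Temp exe names for processes
    that opened at least min_distinct different names and never reused one.
    A never-repeating stream of fresh .exe names in Temp is the
    "new random name every time" pattern the post observed on svchost.exe."""
    opens = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "OPEN":
            continue
        name = temp_exe_name(rec["path"])
        if name:
            opens[(rec["proc"], int(rec["pid"]))].append(name)
    findings = {}
    for key, names in opens.items():
        distinct = sorted(set(names))
        if len(distinct) >= min_distinct and len(distinct) == len(names):
            findings[key] = distinct
    return findings


if __name__ == "__main__":
    for (proc, pid), names in analyze(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}) opened {len(names)} distinct Temp executables, none reused:")
        for n in names:
            print("   ", n)
```

On a real capture, lower min_distinct for short traces and pair the hit with the process's parent and command line before acting on it.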
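The MD5 comparison between the infected and the clean machine, as an added example that is not the poster's own procedure: build_manifest() hashes a directory tree on each machine, compare_manifests() splits the diff into the post's two colours (modified = red, added = black) and records the size change, and suspicious_executables() narrows that to exe/dll/sys files. The two manifests below are constructed in place from made-up byte strings, so the digests are computed rather than invented.

```python
import hashlib
import os


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def build_manifest(root):
    """Walk a tree and return {relative path (lower-case, backslashes): (md5, size)}.
    Run once on the suspect machine and once on a known-clean one."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked/hidden files are skipped, not fatal
            rel = os.path.relpath(full, root).replace(os.sep, "\\").lower()
            manifest[rel] = (md5_of_bytes(data), len(data))
    return manifest


def compare_manifests(clean, infected):
    """Classify infected-machine files the way the post's colour coding does:
    modified = on both machines but MD5 differs (red);
    added    = only on the infected machine (black).
    Each modified entry also carries the size delta, since the post notes
    that the patched executables grew."""
    modified, added = {}, {}
    for path, (digest, size) in infected.items():
        if path not in clean:
            added[path] = (digest, size)
            continue
        clean_digest, clean_size = clean[path]
        if clean_digest != digest:
            modified[path] = {"clean_md5": clean_digest, "infected_md5": digest,
                              "size_delta": size - clean_size}
    return modified, added


def suspicious_executables(modified, added, exts=(".exe", ".dll", ".sys")):
    """Executable-type files that were modified and grew, plus new ones."""
    grown = sorted(p for p, info in modified.items()
                   if p.endswith(exts) and info["size_delta"] > 0)
    new = sorted(p for p in added if p.endswith(exts))
    return grown, new


# Constructed manifests standing in for build_manifest() output on two
# machines; the file contents are placeholders, so the MD5s are derived.
def _entry(content):
    return (md5_of_bytes(content), len(content))


CLEAN_MANIFEST = {
    r"windows\system32\dmserver.dll": _entry(b"original dmserver code"),
    r"windows\system32\notepad.exe": _entry(b"original notepad code"),
    r"windows\system32\shell32.dll": _entry(b"shell32 unchanged"),
    r"program files\procmon\procmon.exe": _entry(b"procmon original"),
}
INFECTED_MANIFEST = {
    r"windows\system32\dmserver.dll": _entry(b"original dmserver code" + b"\x90" * 64),
    r"windows\system32\notepad.exe": _entry(b"original notepad code"),
    r"windows\system32\shell32.dll": _entry(b"shell32 unchanged"),
    r"program files\procmon\procmon.exe": _entry(b"procmon original" + b"\xcc" * 512),
    r"windows\system32\drivers\ljlnpn.sys": _entry(b"unknown driver body"),
    r"windows\system32\config\software.log": _entry(b"hive log"),
}

if __name__ == "__main__":
    mod, add = compare_manifests(CLEAN_MANIFEST, INFECTED_MANIFEST)
    grown, new = suspicious_executables(mod, add)
    print("modified (red):")
    for p, info in sorted(mod.items()):
        print(f"  {p}  size {info['size_delta']:+d}  {info['clean_md5']} -> {info['infected_md5']}")
    print("added (black):", sorted(add))
    print("executables that grew:", grown)
    print("new executables:", new)
```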
[Question] Re: [Report & Questions] about a virus topic
23/08/2008 03:30:21 (+0700) | #2 | 148235
kenshin8x
Member
Joined: 29/11/2006 20:45:54
Messages: 195
Location: ĐH CNTT
This PE-type virus is quite a pain to remove! Your EXE files are probably all gone; you will likely have to reinstall.
[Question] Re: [Report & Questions] about a virus topic
23/08/2008 03:37:08 (+0700) | #3 | 148238
tmd
Member
Joined: 28/06/2006 03:39:48
Messages: 2951
One look and you can tell right away which of the groups it belongs to: worm, trojan, PE virus, ... This thing is a worm, not a PE virus.

The 3 stages of a... person: at first you know nothing, so you have to probe; then once you know, you have to get close; finally, when you are too close, you have to love. But if you cannot love, then ...
[Question] Re: [Report & Questions] about a virus topic
23/08/2008 05:43:25 (+0700) | #4 | 148255
kamikazeq
Member
Joined: 04/07/2006 03:20:53
Messages: 837
Location: Panic Malware Planet
In this case, I see this one hiding rootkit-style. And it also "damages" exe and dll files and some other formats.
Let me ask: with exe files, it increases their size like that. When I run such an exe file it gives an error. So is its purpose to damage them, to inject code so that the malicious code gets loaded, or what?
----
Honestly I am still vague about how to tell them apart. (A Trojan does not spread but only hides. Worm and PE both spread, but differently!?)
tmd, could you explain this in more detail so I understand it fully (using the case in this thread for convenience)?
----
As for the "Find Handle or DLL" feature of ProcessXP and those 2 pictures, I do not quite understand what they mean. Please explain them to me.
@kenshin8x:
Oh, I noticed it does not touch the system exe files at all (e.g. explorer.exe, svchost.exe, ...). And some exe files it infects, some it does not.
[Question] Re: [Report & Questions] about a virus topic
09/09/2008 07:38:25 (+0700) | #5 | 150414
shinichi_zz
Member
Joined: 23/02/2007 16:19:13
Messages: 14
KIS reports it as "SpamTool.Win32.Agent.km".
@kamikazeq: Bro, when you uploaded it to box.net, why didn't you ZIP it and set a password on it? I'm learning about processes, so I like this one... (Have to Google again, then.)