Re: [Help] Gets infected as soon as it connects to the network

Board: AntiVirus (anti-virus) | Posted 16 years ago (2010/04/28 19:01) | Score: 3 (3 up, 0 down, 11 comments)
14 comments, 5 participants, latest of 3 posts in the thread
Found a sample on Jianmeng: http://bbs.janmeng.com/thread-910006-1-1.html
Below is some information from running it myself in a sandbox (low privilege, network blocked), for reference only.

1. Files created / modified:
+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe
~ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg .exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg .exe
+ C:\Program Files\Common Files\Real\Update_OB\realsched .exe
~ C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Program Files\Sandboxie\sbiectrl .exe
~ C:\Program Files\Sandboxie\sbiectrl.exe
+ C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
~ C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ E:\VirusTest\091222345\alcmtr .exe
+ E:\VirusTest\091222345\alcmtr.exe
......................(omitted)
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\51VPBOHG\httpErrorPagesScripts[1]
.......................(omitted)

2. Registry:
Created autostart entry: machine\software\microsoft\Windows\CurrentVersion\Run =
Modified some IE-related data....(omitted)

3. Detailed report of suspicious malware actions:
Defined file type modified or overwritten: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Defined file type modified or overwritten: C:\Program Files\Sandboxie\sbiectrl.exe
Defined file type copied to Windows folder: C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
Defined file type modified or overwritten: C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
Defined file type copied to Windows folder: C:\WINDOWS\system32\ctfmon .exe
Defined file type modified or overwritten: C:\WINDOWS\system32\ctfmon.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run = created registry key
IE settings change: software\microsoft\internet explorer\main
IE settings change: software\microsoft\internet explorer\main
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 220.137.139.183
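As an added example (not code from the original post or from the Jianmeng analysis), the following Python script parses a constructed file-change listing in the same `+`/`~` format as the sandbox output above and flags two patterns the listing shows: a created executable whose name carries a space before `.exe` sitting beside the legitimate file of the same name, and one executable name dropped into several directories. The sample lines are constructed for the demo, modelled on paths in the post.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample, modelled on the post's sandbox listing:
# "+" marks a created file, "~" a modified one.
SANDBOX_LOG = r"""
+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
"""

LINE_RE = re.compile(r"^([+~])\s+(.+?)\s*$")

def parse_events(text):
    """Return a list of (op, PureWindowsPath) from a +/~ listing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), PureWindowsPath(m.group(2))))
    return events

def find_shadow_pairs(events):
    """Created files with whitespace before the extension ("name .exe").
    Maps each such shadow path to the same-directory legitimate path if
    that path also appears in the listing, else to None."""
    touched = {str(p).lower() for _, p in events}
    pairs = {}
    for op, path in events:
        if op != "+":
            continue
        stem, suffix = path.stem, path.suffix
        if stem != stem.rstrip():
            legit = path.with_name(stem.rstrip() + suffix)
            pairs[str(path)] = str(legit) if str(legit).lower() in touched else None
    return pairs

def find_multi_location_drops(events):
    """Same .exe name created in more than one directory (the post shows
    wmpscfgs.exe under Program Files and in the user's temp folder)."""
    by_name = defaultdict(list)
    for op, path in events:
        if op == "+" and path.suffix.lower() == ".exe":
            by_name[path.name.lower()].append(str(path))
    return {n: ps for n, ps in by_name.items() if len(ps) > 1}
```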

04/28 19:14, 1F
Nasty virus... it really does replace every file referenced by the autostart registry values

04/28 19:28, 2F
Nasty, but j大 can surely handle it easily, thanks for the hard work...

04/28 20:45, 3F
There is probably also a network-connected part that downloads all sorts of stuff; that would be even more interesting

04/28 22:11, 4F
The one in my post above, article #18029, should be the same strain of virus

04/28 22:11, 5F
It also attacks Avira (小紅傘) while it's at it; after booting, Avira fails to start

04/28 22:12, 6F
Scanning with Prevx, almost everything it finds is an item in the startup entries

04/28 22:12, 7F
Looks like a reinstall would be the faster way to fix it..

04/28 22:13, 8F
But I'd like to ask m大 and j大... how does this kind of virus spread? USB?

04/28 22:14, 9F
Or email? And do they copy themselves onto non-system drives @@?

04/28 22:15, 10F
It's already spreading across our department... at this rate everyone will be wiped out..

04/28 22:16, 11F
So far we don't seem to have any cases of Win7 or Vista being infected..

04/28 22:31, 12F
http://ppt.cc/WR~o, you can read the "九尾.." analysis there without a Jianmeng ID

04/28 23:40, 13F
Mine came through email @@ I only clicked on the mail, didn't open any attachment

04/28 23:40, 14F
It died when I went to click Back >"<
Article ID (AID): #1Bs1Mcdb (AntiVirus)