Original by endurer
2006-10-27, 1st edition
A friend's computer had recently started popping up an empty Notepad window by itself at every boot, and he asked me to take a look.
Download HijackThis and ProcView from http://endurer.ys168.com.
First, scan with HijackThis; the log shows the following suspicious items:
/------
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/windows/system32/wincfgs.exe
C:/WINDOWS/KB20060111.exe
F3 - REG:win.ini: load=C:/windows/system32/wincfgs.exe
------/
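As an added example (not from the original post), a small Python triage helper that parses a HijackThis log like the one above, pulls out the win.ini load=/run= autostart (the F3 item) and checks whether the binary it points at is among the running processes. The sample log is constructed from the excerpt above; on a clean system these legacy win.ini keys are empty, so any F3 entry deserves a look.

```python
import re

# Constructed sample built from the HijackThis excerpt quoted in the post
# (paths keep the forward slashes as they appear there).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:/windows/system32/wincfgs.exe
C:/WINDOWS/KB20060111.exe
F3 - REG:win.ini: load=C:/windows/system32/wincfgs.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s*-\s*(.*)$")     # HijackThis item lines (R0, F3, O4, ...)
LOADRUN_RE = re.compile(r"\b(load|run)=(.+)$", re.I)  # win.ini load= / run= values


def norm_path(path):
    """Windows paths compare case-insensitively; unify slashes as well."""
    return path.strip().replace("\\", "/").lower()


def parse_hjt_log(text):
    """Split a HijackThis log into (running processes, [(item kind, item body), ...])."""
    procs, items = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first R/F/N/O item ends the process list
            items.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(norm_path(line))
    return procs, items


def triage(text):
    """Flag F3 win.ini load=/run= autostarts and report whether the target is running."""
    procs, items = parse_hjt_log(text)
    findings = []
    for kind, body in items:
        m = LOADRUN_RE.search(body)
        if kind == "F3" and m:
            target = norm_path(m.group(2))
            findings.append({"key": m.group(1).lower(), "path": target,
                             "running": target in procs})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```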
Run ProcView and sort the processes by modification time, newest first. This shows:
C:/WINDOWS/KB20060111.exe in 1st place, modified 2006-10-27 20:47, with the same icon as the Windows built-in Notepad.
c:/windows/system32/wincfgs.exe in 3rd place, modified 2006-10-27 20:47, with a yellow question-mark icon.
c:/windows/system32/wincfgs.exe, 47,104 bytes, was uploaded to the online scanners, and every one of them flagged it:
File: wincfgs.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 07adddef653a702b9a11edbcee07e82b
Packers detected: UPX
Scanner results
| AntiVir | Found Worm/Delf.AJ.1 |
| ArcaVir | Found Worm.Delf.Aj |
| Avast | Found Win32:Trojan-gen. |
| AVG Antivirus | Found Downloader.Generic2.RPB |
| BitDefender | Found Trojan.Agent.AAE |
| ClamAV | Found Worm.Delf-21 |
| Dr.Web | Found Trojan.MulDrop.3780 |
| F-Prot Antivirus | Found W32/Sillyworm.RE |
| Fortinet | Found W32/Delf.AJ!worm |
| Kaspersky Anti-Virus | Found Worm.Win32.Delf.aj |
| NOD32 | Found Win32/Delf.AJ |
| Norman Virus Control | Found W32/Delf.OMO |
| VirusBuster | Found Worm.Delf.AZX |
| VBA32 | Found Worm.Win32.Delf.aj |
c:/windows/KB20060111.exe, on the other hand, came back clean:
STATUS: FINISHED
Complete scanning result of "KB20060111.exe", received in VirusTotal at 10.27.2006, 15:34:30 (CET).
| Antivirus | Version | Update | Result |
| AntiVir | 7.2.0.34 | 10.27.2006 | no virus found |
| Authentium | 4.93.8 | 10.27.2006 | no virus found |
| Avast | 4.7.892.0 | 10.27.2006 | no virus found |
| AVG | 386 | 10.27.2006 | no virus found |
| BitDefender | 7.2 | 10.27.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 10.27.2006 | no virus found |
| ClamAV | devel-20060426 | 10.27.2006 | no virus found |
| DrWeb | 4.33 | 10.27.2006 | no virus found |
| eTrust-InoculateIT | 23.73.38 | 10.27.2006 | no virus found |
| eTrust-Vet | 30.3.3162 | 10.27.2006 | no virus found |
| Ewido | 4.0 | 10.27.2006 | no virus found |
| Fortinet | 2.82.0.0 | 10.27.2006 | no virus found |
| F-Prot | 3.16f | 10.27.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 10.27.2006 | no virus found |
| Ikarus | 0.2.65.0 | 10.27.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 10.27.2006 | no virus found |
| McAfee | 4882 | 10.26.2006 | no virus found |
| Microsoft | 1.1609 | 10.26.2006 | no virus found |
| NOD32v2 | 1.1841 | 10.27.2006 | no virus found |
| Norman | 5.80.02 | 10.27.2006 | no virus found |
| Panda | 9.0.0.4 | 10.27.2006 | no virus found |
| Sophos | 4.10.0 | 10.26.2006 | no virus found |
| TheHacker | 6.0.1.106 | 10.26.2006 | no virus found |
| UNA | 1.83 | 10.27.2006 | no virus found |
| VBA32 | 3.11.1 | 10.26.2006 | no virus found |
| VirusBuster | 4.3.15:9 | 10.27.2006 | no virus found |
Aditional Information
File size: 66560 bytes
MD5: 89fe32de8587b0dfd76efce00396eb56
SHA1: 1572b3c4d3dd39832ae500abccc1d2df27ef1b8c
Summary: a friend's computer was popping up an empty Notepad window by itself at boot. Scanning with HijackThis and ProcView turned up two suspicious processes, and one of the files was confirmed as malware by multiple antivirus engines.