Rising Kaka Security Forum

Home » Technical Exchange » Suspicious File Exchange » What does the mfpmp.exe process do? Trojan?
oyo2009 - 2009-9-8 15:50:00
Sometimes it shows up in the process list, sometimes it doesn't. When it is there and I end it, wmplayer.exe ends along with it. Why?
sinoer - 2009-9-8 15:51:00
Compress the sample file with WinRAR and submit it as an attachment. Don't repost.
oyo2009 - 2009-9-8 15:53:00
Quote:
Originally posted by sinoer on 2009-9-8 15:51:00
Compress the sample file with WinRAR and submit it as an attachment. Don't repost.
That is how I did it, but it won't upload.
oyo2009 - 2009-9-8 15:55:00
The sample, plus a suspicious DLL. Damn it.
Attachment: (your user group cannot download or view attachments)
oyo2009 - 2009-9-8 16:13:00
Also, Kaka: a month ago the scan said "already collected", and a month later it still says "already collected". Has it really not been analyzed after all this time? What about the suspicious files I uploaded and the startup-item problem?
Attachment: (your user group cannot download or view attachments)
sinoer - 2009-9-9 9:09:00
Where is the sample file?
oyo2009 - 2009-9-10 9:02:00
Quote:
Originally posted by sinoer on 2009-9-9 9:09:00
Where is the sample file?
Could it be that the forum hasn't given me enough permissions? Moderator, please reply. I can't upload rar; the size meets the requirements, but I can only upload jpg, zip and so on. Also, arswp flags a suspicious mfc.

Attachment: mf.zip
Attachment: mfc.part1.zip
Attachment: mfc.part2.zip
Attachment: mfc.part3.zip
Attachment: mfc.part4.zip
oyo2009 - 2009-9-10 9:26:00
My Winmail often receives spam. Online scan result:

File WinMail.exe received on 2009.09.10 01:21:08 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Antivirus           Version         Last update   Result
a-squared           4.5.0.24        2009.09.10    -
AhnLab-V3           5.0.0.2         2009.09.09    -
AntiVir             7.9.1.14        2009.09.09    -
Antiy-AVL           2.0.3.7         2009.09.09    -
Authentium          5.1.2.4         2009.09.09    -
Avast               4.8.1351.0      2009.09.09    -
AVG                 8.5.0.412       2009.09.10    -
BitDefender         7.2             2009.09.10    -
CAT-QuickHeal       10.00           2009.09.09    -
ClamAV              0.94.1          2009.09.10    -
Comodo              2268            2009.09.10    -
DrWeb               5.0.0.12182     2009.09.10    -
eSafe               7.0.17.0        2009.09.09    -
eTrust-Vet          31.6.6728       2009.09.09    -
F-Prot              4.5.1.85        2009.09.09    -
F-Secure            8.0.14470.0     2009.09.10    -
Fortinet            3.120.0.0       2009.09.10    -
GData               19              2009.09.10    -
Ikarus              T3.1.1.72.0     2009.09.10    -
Jiangmin            11.0.800        2009.09.09    -
K7AntiVirus         7.10.840        2009.09.09    -
Kaspersky           7.0.0.125       2009.09.10    -
McAfee              5736            2009.09.09    -
McAfee+Artemis      5736            2009.09.09    -
McAfee-GW-Edition   6.8.5           2009.09.09    Heuristic.BehavesLike.Win32.Virus.I
Microsoft           1.5005          2009.09.10    -
NOD32               4412            2009.09.10    -
Norman              6.01.09         2009.09.09    -
nProtect            2009.1.8.0      2009.09.09    -
Panda               10.0.2.2        2009.09.09    -
PCTools             4.4.2.0         2009.09.09    -
Prevx               3.0             2009.09.10    -
Rising              21.46.24.00     2009.09.09    -
Sophos              4.45.0          2009.09.10    -
Sunbelt             3.2.1858.2      2009.09.10    -
Symantec            1.4.4.12        2009.09.10    -
TheHacker           6.3.4.3.399     2009.09.09    -
TrendMicro          8.950.0.1094    2009.09.09    -
VBA32               3.12.10.10      2009.09.09    -
ViRobot             2009.9.9.1925   2009.09.09    -
VirusBuster         4.6.5.0         2009.09.09    -
Additional information
File size: 397312 bytes
MD5...: 7e6ea9cb72b5de84a5d700bed877e5f9
SHA1..: 85b6aa429350333343db149eb2198e7fc38c3e4f
SHA256: 8261b7c2a776f59baefabeeaf8e9425cb0f4d3700ef63caa7095398368ed3c6e
ssdeep: 6144:ymCXOFm/RN8T2z9lwr1R6XdU9qRRN8T2z9lwr1R6XdU9q23ts1m8QXLbyOg4H:ymCn/RN8T2v2sXdpRN8T2v2sXd41M
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5981
timedatestamp.....: 0x47918ed8 (Sat Jan 19 05:47:04 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x5f8a   0x6000   6.07   200624c7a91ad4d689bcdbb9a8bfe5c7
.data   0x7000   0x418    0x200    0.69   e44a48b864e361ffed4fb98d1036b46d
.tls    0x8000   0x9      0x200    0.00   bf619eac0cdf3f68d496ea9344137e8b
.rsrc   0x9000   0x59bd8  0x59c00  6.80   c3f901eba381fcbc9edb9985072fdde7
.reloc  0x63000  0xa98    0xc00    3.01   23900d239de18248641951843cf86073

( 9 imports )

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
        Win32 Dynamic Link Library (generic) (37.6%)
        Generic Win/DOS Executable (9.9%)
        DOS Executable Generic (9.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Note: VirusTotal is a free service provided by Hispasec Sistemas. We make no guarantee of the availability or continuity of the service. Although the detection rate obtained from multiple antivirus engines is better than that of a single product, these results do not guarantee that a file is harmless. At present no solution can offer a 100% detection rate for viruses and malware. If you have bought a product that claims to have this capability, you may already be a victim.

How do I remove it?

Attachment: WinMail.zip
oyo2009 - 2009-9-10 9:33:00
The main DLL that the arswp scan flags as problematic: MFC42LOC.dll

Attachment: MFC42LOC.zip
oyo2009 - 2009-9-10 10:13:00
Scan of my explorer.exe:

File explorer.exe received on 2009.09.10 01:48:11 (UTC)
Current status: finished
Result: 0/41 (0%)
Antivirus           Version         Last update   Result
a-squared           4.5.0.24        2009.09.10    -
AhnLab-V3           5.0.0.2         2009.09.09    -
AntiVir             7.9.1.14        2009.09.09    -
Antiy-AVL           2.0.3.7         2009.09.09    -
Authentium          5.1.2.4         2009.09.09    -
Avast               4.8.1351.0      2009.09.09    -
AVG                 8.5.0.412       2009.09.10    -
BitDefender         7.2             2009.09.10    -
CAT-QuickHeal       10.00           2009.09.09    -
ClamAV              0.94.1          2009.09.10    -
Comodo              2268            2009.09.10    -
DrWeb               5.0.0.12182     2009.09.10    -
eSafe               7.0.17.0        2009.09.09    -
eTrust-Vet          31.6.6728       2009.09.09    -
F-Prot              4.5.1.85        2009.09.09    -
F-Secure            8.0.14470.0     2009.09.10    -
Fortinet            3.120.0.0       2009.09.10    -
GData               19              2009.09.10    -
Ikarus              T3.1.1.72.0     2009.09.10    -
Jiangmin            11.0.800        2009.09.09    -
K7AntiVirus         7.10.840        2009.09.09    -
Kaspersky           7.0.0.125       2009.09.10    -
McAfee              5736            2009.09.09    -
McAfee+Artemis      5736            2009.09.09    -
McAfee-GW-Edition   6.8.5           2009.09.09    -
Microsoft           1.5005          2009.09.10    -
NOD32               4412            2009.09.10    -
Norman              6.01.09         2009.09.09    -
nProtect            2009.1.8.0      2009.09.09    -
Panda               10.0.2.2        2009.09.09    -
PCTools             4.4.2.0         2009.09.09    -
Prevx               3.0             2009.09.10    -
Rising              21.46.24.00     2009.09.09    -
Sophos              4.45.0          2009.09.10    -
Sunbelt             3.2.1858.2      2009.09.10    -
Symantec            1.4.4.12        2009.09.10    -
TheHacker           6.3.4.3.399     2009.09.09    -
TrendMicro          8.950.0.1094    2009.09.09    -
VBA32               3.12.10.10      2009.09.09    -
ViRobot             2009.9.9.1925   2009.09.09    -
VirusBuster         4.6.5.0         2009.09.09    -
Additional information
File size: 2927104 bytes
MD5...: 4f554999d7d5f05daaebba7b5ba1089d
SHA1..: e509a42554cc0e5888ac8bf494d3c02223238609
SHA256: 178d20aaecbd408dffda71ae4d70ad61c278229b4cd7dcd7b854a9a8404ca657
ssdeep: 24576:RJxr/smirDRnW+7pGYCW5uXSA7jTeFadRsxKb/g/J/ulZ:R3DsmiZLC8A7/eFw33l
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x271b3
timedatestamp.....: 0x4907e242 (Wed Oct 29 04:10:42 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd    virsiz    rawdsiz   ntrpy  md5
.text   0x1000    0x6bea5   0x6c000   6.42   01efa0ddb451b63dd0bfb396b1d576ab
.data   0x6d000   0x215c    0x2000    0.84   7f3a4ccfbf6b5dd627231a22b6ee6f12
.rsrc   0x70000   0x2566a0  0x256800  7.04   bc9643f9701a6c8da708d2bd5b751ff2
.reloc  0x2c7000  0x5a34    0x5c00    6.74   a246e27f509144adabfb479ba70f67ce

( 19 imports )

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
        Win32 Dynamic Link Library (generic) (37.6%)
        Generic Win/DOS Executable (9.9%)
        DOS Executable Generic (9.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=4f554999d7d5f05daaebba7b5ba1089d
Why is there a http://www.threatexpert.com/report.aspx? link here? What does it mean?

Attachment: explorer.zip
oyo2009 - 2009-9-10 10:22:00
Uploading the ones I find suspicious together. They are in these directories:
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_04e021df
C:\Windows\System32
C:\Program Files\IDT\WDM
The three files are in the three directories above, respectively.

Attachment: keyi.zip
sinoer - 2009-9-10 11:05:00
explorer.exe is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?FileID=3165999
mfpmp.exe is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?FileID=4910166
winmail.exe is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?FileID=1234419
Mfc42loc.dll is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?FileID=1188308
OP can test the others yourself
sinoer - 2009-9-10 11:07:00
OP can first check with an MD5 verification tool, then look the hash up on the Kaka site. I just checked a few of the samples; they are all normal system files.
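The check sinoer recommends above, hashing the files and comparing against a reference, as an added example (not the forum's or Rising's own tool). The reference table is built from the MD5/SHA1/SHA256 values quoted in the two VirusTotal reports in this thread; it identifies those specific builds only, so a mismatch means "different bytes", not by itself "malicious".

```python
"""Hash local files and compare them against known fingerprints."""
import hashlib
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

# Reference fingerprints copied from the VirusTotal reports pasted in this thread.
REFERENCE = {
    "WinMail.exe": {
        "md5": "7e6ea9cb72b5de84a5d700bed877e5f9",
        "sha1": "85b6aa429350333343db149eb2198e7fc38c3e4f",
        "sha256": "8261b7c2a776f59baefabeeaf8e9425cb0f4d3700ef63caa7095398368ed3c6e",
    },
    "explorer.exe": {
        "md5": "4f554999d7d5f05daaebba7b5ba1089d",
        "sha1": "e509a42554cc0e5888ac8bf494d3c02223238609",
        "sha256": "178d20aaecbd408dffda71ae4d70ad61c278229b4cd7dcd7b854a9a8404ca657",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Return hex digests of an in-memory buffer for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in 1 MiB chunks; explorer.exe in the report is ~2.9 MB, so avoid reading it whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_digests(name: str, digests: dict, reference: dict = REFERENCE) -> dict:
    """Compare computed digests with the reference entry for `name`.

    The lookup is case-insensitive because NTFS is (the thread itself writes
    both WinMail.exe and winmail.exe). Status is one of:
      "match"    every reference algorithm agrees
      "mismatch" at least one algorithm differs (listed in "mismatched")
      "unknown"  no reference entry for this file name
    """
    expected = {k.lower(): v for k, v in reference.items()}.get(name.lower())
    if expected is None:
        return {"file": name, "status": "unknown", "mismatched": []}
    mismatched = [alg for alg, val in expected.items()
                  if digests.get(alg, "").lower() != val.lower()]
    status = "match" if not mismatched else "mismatch"
    return {"file": name, "status": status, "mismatched": mismatched}


def verify_file(path, reference: dict = REFERENCE) -> dict:
    """Hash a file on disk and verify it by its base name."""
    return verify_digests(Path(path).name, hash_file(path), reference)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(verify_file(arg))
```

Run it as `python verify.py C:\Windows\explorer.exe`; a "match" means the file is byte-identical to the build in the report, while a "mismatch" on a different Windows build or patch level is expected and needs a reference for that build.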
oyo2009 - 2009-9-10 11:12:00
Quote:
Originally posted by sinoer on 2009-9-10 11:05:00
explorer.exe is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?FileID=3165999
mfpmp.exe is a normal file; see the MD5 verification result below
http://file.ikaka.com/Info/FileInfo.aspx?Fil......
Thanks! What I want to know is that in the online scan results for these executables, McAfee-GW-Edition flagged winmail.exe as malicious.
sinoer - 2009-9-10 11:18:00
That is something you would have to ask the online scanning site and McAfee.
oyo2009 - 2009-9-10 11:26:00
Thanks, sinoer!
oyo2009 - 2009-9-10 22:02:00
1. What program creates the 0-byte files under windows\temp? Is there a tool to see which program it is? With every application closed and under administrator rights, del /s /f cannot delete them, but after a reboot they can be deleted. Why? 2. When online, for example on this forum where there are often attached images, is a trojan at work? Note the two scrollbars on the right side of the browser; the IP on the left was blocked by my firewall.
Attachment: (your user group cannot download or view attachments)

Attachment: tmp.zip
sinoer - 2009-9-11 9:14:00
What use is a scan result on temp files? It can't be traced back to the original file. If you suspect the machine is behaving abnormally, I suggest posting an SREng log in the forum's anti-virus section.
Download the SREng tool and scan to produce a log; see post #2 in this thread: http://bbs.ikaka.com/showtopic-8442813.aspx
Send the log file as an attachment
Click "Edit" at the bottom right of your post and you'll see how to attach files

Also, the address blocked by the firewall was probably just triggering one of the firewall's rules; it doesn't necessarily mean the web page carries a trojan, and so far there have been no reports that the Kaka forum has been compromised
oyo2009 - 2009-9-11 9:51:00
Quote:
Originally posted by sinoer on 2009-9-11 9:14:00
What use is a scan result on temp files? It can't be traced back to the original file. If you suspect the machine is behaving abnormally, I suggest posting an SREng log in the forum's anti-virus section.
Download the SREng tool and scan to produce a log; see post #2 in this thread: http://bbs.ikaka.com/showtopic-8442813.aspx
Send the log file as an attachment
Click "Edit" at the bottom right of your post and you'll see how to attach files

Also, the address blocked by the firewall was probably just trig

I just want to know how to find out which program created these temp files. Is there a tool for that?
I posted a log to the anti-virus section a while ago and nobody replied. I'm not saying the Rising site has been compromised, but couldn't an infected browser also connect to the IP in the picture? And its port is strange, 4022. Forget it; if it's infected, at worst I'll restore the system. Never mind.
oyo2009 - 2009-9-11 10:01:00
Found this online: http://www.error8.cn/network/2009/0509/article_33.html