
 
Messages posted by: huyhoang152
 
I have checked and fixed the things you mentioned. That one belongs to the backup program. Over the last few days I could see the situation was not good. I have cleaned all the client machines; only the DC was left. I have just rebuilt a new DC. I only managed to copy the two files you mentioned. Sorry b0lzano. I have a lot of work, so I can't update you guys regularly. That is all the information I have about the DC. I also copied the explorer.exe files.

Uploading them for you to look at.

http://www.mediafire.com/?nciurtdtrmd

best regards,
I have uploaded the two files dns.exe and wins.exe for you to analyze. But how do you analyze these two files, and which program do you use to analyze them? Could you give detailed instructions?

http://www.mediafire.com/?yijnndng2gm

best regards,
I have used the Conficker tools from Microsoft, BitDefender, Kaspersky and F-Secure, but none of them detect any Conficker at all. Yet on the client machines that show the same symptoms as the DC, it is detected... Is there any way to help me analyze how it operates? Which program can recognize the signs of the virus, bros? These past few days I have also tried every method from the forums, but nothing worked... This is really dangerous...

Best regards,
Thanks a lot, bolzano. I think it is probably Conficker.

But this one has a great many variants. I hope everyone can discuss how to remove it completely.

best regards,
Here is another process list from the DC that has the problem, for the bros to look at.
///////////////////////////////////////////////////////////////////////////
StartupList report, 3/30/2009, 6:51:57 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows 2003 SP2 (WinNT 5.02.3790)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ibmasrex.exe
C:\WINDOWS\system32\IBMHPASV.EXE
C:\WINDOWS\system32\ibmsmbus.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Dfsr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Ad-Aware Update (Weekly).job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

/////////////////////////////////////////////////////////////
Uninstall list.

HijackThis 2.0.2
LiveUpdate 3.1 (Symantec Corporation)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB947864)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Server 2003 (KB921503)
Security Update for Windows Server 2003 (KB925902)
Security Update for Windows Server 2003 (KB926122)
Security Update for Windows Server 2003 (KB929123)
Security Update for Windows Server 2003 (KB930178)
Security Update for Windows Server 2003 (KB931784)
Security Update for Windows Server 2003 (KB932168)
Security Update for Windows Server 2003 (KB933729)
Security Update for Windows Server 2003 (KB933854)
Security Update for Windows Server 2003 (KB935839)
Security Update for Windows Server 2003 (KB935840)
Security Update for Windows Server 2003 (KB935966)
Security Update for Windows Server 2003 (KB936021)
Security Update for Windows Server 2003 (KB936782)
Security Update for Windows Server 2003 (KB938464)
Security Update for Windows Server 2003 (KB941202)
Security Update for Windows Server 2003 (KB941568)
Security Update for Windows Server 2003 (KB941569)
Security Update for Windows Server 2003 (KB941644)
Security Update for Windows Server 2003 (KB941672)
Security Update for Windows Server 2003 (KB941693)
Security Update for Windows Server 2003 (KB942830)
Security Update for Windows Server 2003 (KB942831)
Security Update for Windows Server 2003 (KB943055)
Security Update for Windows Server 2003 (KB943460)
Security Update for Windows Server 2003 (KB943484)
Security Update for Windows Server 2003 (KB943485)
Security Update for Windows Server 2003 (KB944653)
Security Update for Windows Server 2003 (KB945553)
Security Update for Windows Server 2003 (KB946026)
Security Update for Windows Server 2003 (KB948590)
Security Update for Windows Server 2003 (KB948745)
Security Update for Windows Server 2003 (KB948881)
Security Update for Windows Server 2003 (KB949014)
Security Update for Windows Server 2003 (KB950760)
Security Update for Windows Server 2003 (KB950762)
Security Update for Windows Server 2003 (KB950974)
Security Update for Windows Server 2003 (KB951066)
Security Update for Windows Server 2003 (KB951698)
Security Update for Windows Server 2003 (KB951746)
Security Update for Windows Server 2003 (KB951748)
Security Update for Windows Server 2003 (KB952069)
Security Update for Windows Server 2003 (KB952954)
Security Update for Windows Server 2003 (KB953839)
Security Update for Windows Server 2003 (KB954211)
Security Update for Windows Server 2003 (KB954600)
Security Update for Windows Server 2003 (KB955069)
Security Update for Windows Server 2003 (KB956391)
Security Update for Windows Server 2003 (KB956802)
Security Update for Windows Server 2003 (KB956803)
Security Update for Windows Server 2003 (KB956841)
Security Update for Windows Server 2003 (KB957095)
Security Update for Windows Server 2003 (KB957097)
Security Update for Windows Server 2003 (KB958644)
Security Update for Windows Server 2003 (KB958687)
Security Update for Windows Server 2003 (KB958690)
Security Update for Windows Server 2003 (KB960225)
Security Update for Windows Server 2003 (KB960715)
Security Update for Windows Server 2003 (KB961063)
Security Update for Windows Server 2003 (KB961064)
Symantec AntiVirus
Symantec Backup Exec DLO Maintenance Service
Symantec Backup Exec Remote Agent for Windows Systems
Symantec Backup Exec Remote Agent for Windows Systems
Update for Windows Server 2003 (KB927891)
Update for Windows Server 2003 (KB931836)
Update for Windows Server 2003 (KB933360)
Update for Windows Server 2003 (KB936357)
Update for Windows Server 2003 (KB942763)
Update for Windows Server 2003 (KB948496)
Update for Windows Server 2003 (KB951072-v2)
Update for Windows Server 2003 (KB955839)
Update for Windows Server 2003 (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC 4.0
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Support Tools


And the port viewer output from the DC is attached in the following file:
http://www.mediafire.com/?lwanmzjwkzk


Thanks bros for the help.
Hi bros, I have caught a virus, I don't know which one, that keeps logging into the admin account continuously, which causes the account to be disabled. It happens about every 15-30 minutes, right on the DC itself. When I look at the log I see login failures from IP: 127.0.0.1. I am posting the server's processes for the bros to help point things out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:23 AM, on 3/30/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ibmasrex.exe
C:\WINDOWS\system32\IBMHPASV.EXE
C:\WINDOWS\system32\ibmsmbus.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Dfsr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\oobechk.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone


O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: IBM Automatic Server Restart Executable (ibmasrex) - Unknown owner - C:\WINDOWS\system32\ibmasrex.exe
O23 - Service: IBM Active PCI Alert Service (IBMHPS) - IBM Corporation - C:\WINDOWS\system32\IBMHPASV.EXE
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\system32\ibmsmbus.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe


best regards,
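As an added example, not part of huyhoang152's posts and not HijackThis or StartupList code: a small Python script that parses the "Running processes:" section that both tools emit, diffs the 10:41 AM HijackThis snapshot against the 6:51 PM StartupList snapshot posted in this thread, and lists O23 service entries that HijackThis could not attribute to a vendor ("Unknown owner"). The two embedded snapshots are constructed, shortened excerpts of the logs above; the function names (`parse_running_processes`, `diff_snapshots`, `services_without_owner`) are mine. Processes present in one snapshot and absent from the other, and services without a vendor, are the entries a responder verifies by hand (file hash, signature, install source) rather than a verdict.

```python
"""Diff two HijackThis / StartupList "Running processes" sections.

Added example, not from the forum thread. The snapshot strings are
constructed, shortened excerpts of the two logs posted on this page.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the HijackThis log (10:41 AM, 3/30/2009).
HJT_LOG_AM = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:23 AM, on 3/30/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\ctfmon.exe

O23 - Service: IBM Automatic Server Restart Executable (ibmasrex) - Unknown owner - C:\WINDOWS\system32\ibmasrex.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Constructed excerpt of the StartupList report (6:51 PM, same day).
# StartupList puts a blank line between the header and the first entry.
STARTUPLIST_PM = r"""
StartupList report, 3/30/2009, 6:51:57 PM
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_running_processes(log: str) -> List[str]:
    """Return the image paths listed under "Running processes:".

    Both tools use that header. Blank lines before the first entry are
    skipped (StartupList layout); the first blank line after entries
    have started ends the section (both layouts).
    """
    lines = log.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.strip().lower() == "running processes:")
    except StopIteration:
        return []
    procs: List[str] = []
    for line in lines[start + 1:]:
        if not line.strip():
            if procs:
                break
            continue
        procs.append(line.strip())
    return procs


def normalize(path: str) -> str:
    # Windows paths are case-insensitive; the logs mix System32/system32
    # and Explorer.EXE/explorer.exe, so compare in lower case.
    return path.lower()


def diff_snapshots(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (processes only in `before`, processes only in `after`)."""
    a = {normalize(p): p for p in parse_running_processes(before)}
    b = {normalize(p): p for p in parse_running_processes(after)}
    gone = [a[k] for k in sorted(a.keys() - b.keys())]
    new = [b[k] for k in sorted(b.keys() - a.keys())]
    return gone, new


def parse_services(log: str) -> Dict[str, Tuple[str, str]]:
    """Map each O23 service entry to (owner, image path)."""
    services: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services[m["name"]] = (m["owner"], m["path"])
    return services


def services_without_owner(log: str) -> List[str]:
    """O23 entries HijackThis could not attribute to a vendor."""
    return sorted(name for name, (owner, _) in parse_services(log).items()
                  if owner.lower() == "unknown owner")


if __name__ == "__main__":
    gone, new = diff_snapshots(HJT_LOG_AM, STARTUPLIST_PM)
    print("Only in the 10:41 AM snapshot:", *gone, sep="\n  ")
    print("Only in the 6:51 PM snapshot:", *new, sep="\n  ")
    print("Services with no vendor:", *services_without_owner(HJT_LOG_AM), sep="\n  ")
```

Run against the full logs in the thread, the same functions show which processes were transient between the two scans (here userinit.exe and mshta.exe appear only in the morning log) and which services need manual attribution; the script makes no judgement about any path, it only narrows the list a reviewer has to examine.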
 

Powered by JForum - Extended by HVAOnline