Thread starter: 释然的心

[Virus sample] Looks like a downloader, could an expert analyze it

Nocria
Posted on 2012-4-8 11:43:40
AVG kill
firefox3
Posted on 2012-4-8 12:14:45
20120408 041337        Virus/spyware 'Mal/TinyDL-T' detected in "C:\Users\zzzzzz\AppData\Roaming\SogouExplorer\Download\temp\dl_949E.tmp.$p4p$\pagefile/pagefile.exe".
xiuzhiguo
Posted on 2012-4-8 12:32:12

Kaspersky Internet Security 2012
Access denied
The web page cannot be accessed

Requested object is at URL:

http://bbs.kafan.cn/forum.php?mod=attachment&aid=MTU5NjE0MXw2NDllMDE5ZXwxMzMzODU5NTAxfDY1Mjk3MHwxMjYzNDkx

Threat detected:

Object is infected with Worm.Win32.AutoRun.ehs
Time: 12:31:57
蓝天二号
Posted on 2012-4-8 12:32:32
Kaspersky

ywsuda
Posted on 2012-4-8 12:36:20
Full path: c:\users\ww\desktop\pagefile\pagefile.exe
Threat: W32.Imautorun
____________________________
Created on this computer: 2012/4/8 (11:58:39)
Last used: 2012/4/8 (11:58:39)
Startup item: No
Launched: No
____________________________
Unknown
Number of users in the Norton Community with this file: Unknown
____________________________
Unknown
This file version is currently unknown.
____________________________
This file is high risk.
____________________________
Threat details
Threat type: Virus. A program that inserts or attaches itself to other programs, files or areas of the computer in order to infect them.
____________________________
File actions
File: c:\users\ww\desktop\pagefile\pagefile.exe
Blocked
____________________________
File fingerprint - SHA:
7c17e17c1dd6ef87b183cd760f5b20a16a0956003879b797c916b8185ff18f44
____________________________
File fingerprint - MD5:
f7e8702e1cd903f82df556ec45a91944
____________________________
liwnpin
Posted on 2012-4-8 12:43:56
Kingsoft and Micropoint both kill it
XMonster
Posted on 2012-4-8 12:57:30
PCA

trj
xyc5238207
Posted on 2012-4-8 17:12:57
gdata
聪b
Posted on 2012-4-8 18:02:33
[AutoRun]
shell\open=打开(&O)
shell\open\Command=w3wp.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=w3wp.exe
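Editor's note, not part of the thread: the autorun.inf above and the sandbox report in the next post show the two techniques worth recognising in this sample. The autorun.inf rewrites the shell verbs of the volume so that double-clicking or right-click "Open"/"Explore" on the drive runs w3wp.exe instead of opening it. The registry list further down writes a Debugger value of "ntsd -d" under Image File Execution Options for dozens of security-tool image names; Windows launches whatever is in Debugger in place of the named program, so each of those tools is handed to ntsd (absent on any current Windows, and -d hands control to a kernel debugger) and never actually starts. The report also deletes the {4D36E967-E325-11CE-BFC1-08002BE10318} entries from SafeBoot\Minimal and SafeBoot\Network, which is the DiskDrive device class; without it Safe Mode cannot boot. The script below is an added example of how to triage both artefacts offline. It is my code, not the poster's or any vendor's; SAMPLE_AUTORUN_INF is a constructed copy of the file quoted above, SAMPLE_REG_EXPORT is a constructed .reg fragment modelled on the sandbox output (the notepad.exe and iexplore.exe entries are invented to show the benign and "needs review" cases), and all function names are my own.

```python
"""Offline triage of two artefacts seen in this sample: an autorun.inf that
hijacks the volume's shell verbs, and IFEO Debugger values used to disable
security tools. All input below is constructed for the example."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the autorun.inf quoted in the thread.
SAMPLE_AUTORUN_INF = """[AutoRun]
shell\\open=打开(&O)
shell\\open\\Command=w3wp.exe
shell\\open\\Default=1
shell\\explore=资源管理器(&X)
shell\\explore\\Command=w3wp.exe
"""

# Constructed .reg fragment modelled on the sandbox "Values Created" list.
# The iexplore.exe and notepad.exe entries are invented for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

# Keys in [AutoRun] that cause code to run when the volume is opened/explored:
# open=, shellexecute=, and shell\<verb>\command=.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Debugger values that never run the original image. "ntsd -d" is the one
# this sample uses; extend the set with whatever your own cases show.
KILL_SWITCH_DEBUGGERS = {"ntsd -d"}


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [AutoRun] section, keys lower-cased.
    Only the first [autorun] section is read; junk before it is ignored."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[Tuple[str, str]]:
    """(key, command) for every entry that executes something on open/explore."""
    return [(k, v) for k, v in parse_autorun_inf(text).items() if LAUNCH_KEYS.match(k)]


def ifeo_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """Scan a .reg export and return (image_name, debugger_command) for every
    Debugger value under Image File Execution Options."""
    hits: List[Tuple[str, str]] = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line)
        if m and "image file execution options\\" in current_key.lower():
            image = current_key.rsplit("\\", 1)[-1]
            # .reg escapes backslash and quote with a backslash; undo that.
            debugger = re.sub(r"\\(.)", r"\1", m.group(1))
            hits.append((image, debugger))
    return hits


def assess_ifeo(reg_text: str) -> Dict[str, str]:
    """Label each IFEO Debugger hit: a known kill-switch command, or something
    an analyst must look at (a real debugger path may be legitimate)."""
    verdicts: Dict[str, str] = {}
    for image, debugger in ifeo_debuggers(reg_text):
        known = debugger.strip().lower() in KILL_SWITCH_DEBUGGERS
        verdicts[image] = "kill-switch" if known else "review"
    return verdicts


if __name__ == "__main__":
    for key, cmd in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf runs {cmd!r} via {key}")
    for image, verdict in assess_ifeo(SAMPLE_REG_EXPORT).items():
        print(f"IFEO {image}: {verdict}")
```

On a live host the same logic applies to `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and to the autorun.inf in the root of each removable volume; any Debugger value on a security product's image name is a finding regardless of what it points to.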
聪b
Posted on 2012-4-8 18:06:12
This thing drops a lot of stuff.

• File Info
Name        Value
Size        59655
MD5        f7e8702e1cd903f82df556ec45a91944
SHA1        8180a178506301e1adfa0583a3bf004beac69218
SHA256        7c17e17c1dd6ef87b183cd760f5b20a16a0956003879b797c916b8185ff18f44
Process        Exited
• Keys Created
Name        Last Write Time
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe        2009.01.09 10:54:27.312
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.EXE        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe        2009.01.09 10:54:27.328
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe        2009.01.09 10:54:27.296
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows\CurrentVersion\policies\explorer        2009.01.09 10:54:27.343
LM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run        2009.01.09 10:54:29.234
• Keys Changed
• Keys Deleted
Name        Last Write Time
LM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}        2008.08.01 08:03:19.265
LM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}        2008.08.01 08:03:19.265
• Values Created
Name        Type        Size        Value
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.EXE\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger        REG_SZ        16        "ntsd -d"
LM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveTypeAutoRun        REG_DWORD        4        0x91
LM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run\pagefile.exe        REG_SZ        66        "C:\WINDOWS\system32\pagefile.exe"
LM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run\w3wp.exe        REG_SZ        58        "C:\WINDOWS\system32\w3wp.exe"
LM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations        REG_MULTI_SZ        592        "\??\C:\WINDOWS\system32\vdswho.dll"
• Values Changed
Name        Type        Size        Value
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden        REG_DWORD/REG_DWORD        4/4        0x1/0x0
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Type        REG_SZ/REG_SZ        18/20        "checkbox"/"checkbox2"
LM\System\CurrentControlSet\Services\helpsvc\Start        REG_DWORD/REG_DWORD        4/4        0x2/0x4
LM\System\CurrentControlSet\Services\SharedAccess\Start        REG_DWORD/REG_DWORD        4/4        0x2/0x4
LM\System\CurrentControlSet\Services\wscsvc\Start        REG_DWORD/REG_DWORD        4/4        0x2/0x4
LM\System\CurrentControlSet\Services\wuauserv\Start        REG_DWORD/REG_DWORD        4/4        0x2/0x4
• Values Deleted
Name        Type        Size        Value
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\        REG_SZ        20        "DiskDrive"
LM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\        REG_SZ        20        "DiskDrive"
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\autorun.inf        145        2009.01.09 10:54:29.234        2009.01.09 10:54:29.234        2009.01.09 10:54:29.234        0x6
C:\w3wp.exe        59655        2009.01.09 10:54:20.718        2009.01.09 10:54:29.234        2009.01.09 10:54:29.234        0x26
C:\WINDOWS\system32\pagefile.exe        59655        2009.01.09 10:54:20.718        2009.01.09 10:54:23.296        2009.01.09 10:54:23.296        0x6
C:\WINDOWS\system32\pagefile.inf        145        2009.01.09 10:54:29.234        2009.01.09 10:54:29.234        2009.01.09 10:54:29.234        0x6
C:\WINDOWS\system32\vdswho.dll        59655        2007.07.27 12:00:00.000        2007.07.27 12:00:00.000        2008.08.08 09:57:33.718        0x80
C:\WINDOWS\system32\vdswho.nls        59655        2007.07.27 12:00:00.000        2007.07.27 12:00:00.000        2008.08.08 09:57:33.718        0x80
C:\WINDOWS\system32\w3wp.exe        59655        2009.01.09 10:54:20.718        2009.01.09 10:54:23.328        2009.01.09 10:54:23.328        0x6
• Files Changed
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\WINDOWS\system32\config\software        8912896/8912896        2009.01.09 10:43:20.500/2009.01.09 10:54:27.343        2008.08.01 07:59:59.062/2008.08.01 07:59:59.062        2009.01.09 10:43:20.500/2009.01.09 10:43:20.500        0x20/0x20
• Files Deleted
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\TEST\sample.exe        59655        2009.01.09 10:54:20.718        2009.01.09 10:53:58.578        2009.01.09 10:53:58.578        0x20
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId        Process Name        Image Name
0xdc        pagefile.exe        C:\WINDOWS\system32\pagefile.exe
0xf8        w3wp.exe        C:\WINDOWS\system32\w3wp.exe
• Processes Terminated
• Threads Created
PId        Process Name        TId        Start        Start Mem        Win32 Start        Win32 Start Mem
0xdc        pagefile.exe        0x94        0x7c810856        MEM_IMAGE        0x40d380        MEM_IMAGE
0xdc        pagefile.exe        0xb8        0x7c810856        MEM_IMAGE        0x40aa78        MEM_IMAGE
0xdc        pagefile.exe        0xec        0x7c810867        MEM_IMAGE        0x401018        MEM_IMAGE
0xdc        pagefile.exe        0x7e4        0x7c810856        MEM_IMAGE        0x408acc        MEM_IMAGE
0xf8        w3wp.exe        0xfc        0x7c810867        MEM_IMAGE        0x401018        MEM_IMAGE
0xf8        w3wp.exe        0x100        0x7c810856        MEM_IMAGE        0x408edc        MEM_IMAGE
0xf8        w3wp.exe        0x104        0x7c810856        MEM_IMAGE        0x40afb4        MEM_IMAGE
0x348        svchost.exe        0x784        0x7c810856        MEM_IMAGE        0x7c910760        MEM_IMAGE
• Modules Loaded
• Windows Api Calls
PId        Image Name        Address        Function ( Parameters ) | Return Value
0xd8        C:\TEST\sample.exe        0x41104f        CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system32\pagefile.exe", bFailIfExists: 0x0)|0x1
0xd8        C:\TEST\sample.exe        0x411097        CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system32\w3wp.exe", bFailIfExists: 0x0)|0x1
0xf8        C:\WINDOWS\system32\w3wp.exe        0x40971f        CopyFileA(lpExistingFileName: "C:\WINDOWS\system32\w3wp.exe", lpNewFileName: "C:\WINDOWS\system32\vdswho.dll", bFailIfExists: 0x0)|0x1
0xf8        C:\WINDOWS\system32\w3wp.exe        0x409767        CopyFileA(lpExistingFileName: "C:\WINDOWS\system32\w3wp.exe", lpNewFileName: "C:\WINDOWS\system32\vdswho.nls", bFailIfExists: 0x0)|0x1
0xf8        C:\WINDOWS\system32\w3wp.exe        0x40cca5        CopyFileA(lpExistingFileName: "C:\WINDOWS\system32\w3wp.exe", lpNewFileName: "c:\w3wp.exe", bFailIfExists: 0x0)|0x1
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict
Suspicious++
• Description
Suspicious Actions Detected
Copies self to other locations
Creates autorun file
Creates files in windows system directory
Deletes self
• Mutexes Created or Opened
PId        Image Name        Address        Mutex Name
0xdc        C:\WINDOWS\system32\pagefile.exe        0x4047db        SCLF
0xf8        C:\WINDOWS\system32\w3wp.exe        0x4047db        QCNF
0xf8        C:\WINDOWS\system32\w3wp.exe        0x771ba3ae        _!MSFTHISTORY!_
0xf8        C:\WINDOWS\system32\w3wp.exe        0x771d9710        c:!documents and settings!user!cookies!
0xf8        C:\WINDOWS\system32\w3wp.exe        0x771d9710        c:!documents and settings!user!local settings!history!history.ie5!
0xf8        C:\WINDOWS\system32\w3wp.exe        0x771d9710        c:!documents and settings!user!local settings!temporary internet files!content.ie5!
• Events Created or Opened
PId        Image Name        Address        Event Name
0xd8        C:\TEST\sample.exe        0x77a89422        Global\crypt32LogoffEvent
0xdc        C:\WINDOWS\system32\pagefile.exe        0x77a89422        Global\crypt32LogoffEvent
0xf8        C:\WINDOWS\system32\w3wp.exe        0x77a89422        Global\crypt32LogoffEvent