Original poster: Hallelujah

[Virus sample] Caught on a school classroom lectern computer

luxiao200888
Posted on 2008-12-5 20:03:53
Dr.Web reports it as a downloader.
allinwonderi
Posted on 2008-12-5 20:17:07

Norman Virus Control 5.99

su-tt
Posted on 2008-12-5 20:25:08
已解决的威胁数:
Suspicious.AH.11
类型: 异常
风险: 中 (中 隐蔽性,中 清除,中 性能,中 隐私)
类别: 启发式病毒
状态: 完全解决
-----------
1 文件
c:\documents and settings\administrator\桌面\userinit.exe - 已删除
leonfg
Posted on 2008-12-5 20:37:18
ESET
C:\Documents and Settings\GUNDAM\桌面\1.rar » RAR » userinit.exe - probably unknown NewHeur_PE virus
hudeg632
Posted on 2008-12-5 23:41:55
2008-12-5 20:44:13        c:\windows\explorer.exe        创建新进程        c:\documents and settings\administrator\桌面\1\userinit.exe        允许        [应用程序]*        "C:\Documents and Settings\Administrator\桌面\1\userinit.exe"
2008-12-5 20:45:15        c:\documents and settings\administrator\桌面\1\userinit.exe        创建文件        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\08AWT6BP\xx[1].exe        允许        [文件组]所有执行文件 -> [文件]*; *.exe       
2008-12-5 20:46:54        c:\windows\explorer.exe        创建新进程        c:\documents and settings\administrator\桌面\1\userinit.exe        允许        [应用程序]*        "C:\Documents and Settings\Administrator\桌面\1\userinit.exe"
2008-12-5 20:47:03        c:\documents and settings\administrator\桌面\1\userinit.exe        修改文件        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\08AWT6BP\xx[1].exe        允许        [文件组]所有执行文件 -> [文件]*; *.exe       
2008-12-5 20:47:17        c:\documents and settings\administrator\桌面\1\userinit.exe        创建文件        C:\sytem        允许        [文件]?:\       
2008-12-5 20:47:35        c:\documents and settings\administrator\桌面\1\userinit.exe        创建新进程        c:\sytem        允许        [应用程序]*        C:\sytem
2008-12-5 20:48:10        c:\sytem        删除文件        C:\WINDOWS\system32\mfc71.dll        允许        [文件组]系统执行文件 -> [文件]c:\windows\*; *.dll       
2008-12-5 20:48:23        c:\sytem        修改系统时间                允许        [应用程序]*       
2004-12-5 20:48:28        c:\sytem        创建新进程        c:\windows\system32\cacls.exe        允许        [应用程序]*        "C:\WINDOWS\system32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f
2004-12-5 20:48:44        c:\sytem        创建新进程        c:\windows\system32\cacls.exe        允许        [应用程序]*        "C:\WINDOWS\system32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f
2004-12-5 20:48:50        c:\sytem        创建新进程        c:\windows\system32\cacls.exe        允许        [应用程序]*        "C:\WINDOWS\system32\cacls.exe" c:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
2004-12-5 20:49:06        c:\sytem        修改文件        C:\WINDOWS\system32\Drivers\beep.sys        允许        [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys       
2004-12-5 20:49:18        c:\windows\system32\services.exe        加载驱动程序        c:\windows\system32\drivers\beep.sys        允许        [应用程序]c:\windows\system32\services.exe
hudeg632
Posted on 2008-12-5 23:44:21
Begin scan in 'C:\'
C:\pagefile.sys
    [WARNING]   The file could not be opened!
C:\sytem
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      A backup was created as '49ad3d39.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\ttmm.tep
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      A backup was created as '49a63d34.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\ZGZN.PIF
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      A backup was created as '49933d07.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\99.pif
    [DETECTION] Contains HEUR/Crypted suspicious code
    [NOTE]      The detection was classified as suspicious.
    [NOTE]      A backup was created as '49673cf9.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\08AWT6BP\fzl[1].htm
    [DETECTION] Contains recognition pattern of the HTML/Shellcode.Gen HTML script virus
    [NOTE]      A backup was created as '49a53d40.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\08AWT6BP\xx[1].exe
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      A backup was created as '49943d40.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1B74QD05\1[2].exe
      [DETECTION] Is the TR/Crypt.XDR.Gen Trojan
    [NOTE]      A backup was created as '496b3d24.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1B74QD05\9[1].exe
    [DETECTION] Contains HEUR/Crypted suspicious code
    [NOTE]      The detection was classified as suspicious.
    [NOTE]      A backup was created as '496a3d24.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CHSZI24\xx[1].exe
    [DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
    [NOTE]      A backup was created as '49943d48.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LNHOJB1T\1[1].exe
      [DETECTION] Is the TR/Crypt.XDR.Gen Trojan
    [NOTE]      A backup was created as '496a3d2e.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LNHOJB1T\9[1].exe
    [DETECTION] Contains HEUR/Crypted suspicious code
    [NOTE]      The detection was classified as suspicious.
    [NOTE]      A backup was created as '496a3d2f.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Documents and Settings\Administrator\桌面\1\userinit.exe
      [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE]      A backup was created as '499e3d4b.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Program Files\zzToolBar\ToolBand.dll
    [DETECTION] Contains recognition pattern of the ADSPY/ZzToolbar.B adware or spyware
    [NOTE]      A backup was created as '49a83d79.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\Program Files\zzToolBar\Toolbar_bho.dll
    [DETECTION] Contains recognition pattern of the ADSPY/ZzToolbar.C adware or spyware
    [NOTE]      A backup was created as '48338812.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\RECYCLER\S-1-5-21-776561741-492894223-1417001333-500\Dc81.exe
    [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
    [NOTE]      A backup was created as '49713d6e.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\asg.exe
      [DETECTION] Is the TR/Crypt.XDR.Gen Trojan
    [NOTE]      A backup was created as '49a03d97.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\conime.exe
      [DETECTION] Contains HEUR/Malware suspicious code
    [NOTE]      A backup was created as '49a73d96.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\ftp.exe
    [WARNING]   The file could not be opened!
C:\WINDOWS\system32\spoolsv.exe
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      A backup was created as '49a83db0.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\userinit.exe
      [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE]      A backup was created as '499e3db6.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\wacldlt.exe
    [DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
    [NOTE]      A backup was created as '499c3da5.qua'  ( QUARANTINE )
    [NOTE]      The file was successfully wiped!
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\dllcache\spoolsv.exe
    [WARNING]   The file could not be opened!
C:\WINDOWS\system32\drivers\beep.sys
    [WARNING]   The file could not be opened!


End of the scan: 2008年12月5日  22:41
Used time: 03:28 Minute(s)

The scan has been done completely.

    958 Scanning directories
  10162 Files were scanned
     16 viruses and/or unwanted programs were found
      4 Files were classified as suspicious:
     20 files were deleted
      0 files were repaired
     20 files were moved to quarantine
      0 files were renamed
      4 Files cannot be scanned
  10138 Files not concerned
      0 Archives were scanned
      4 Warnings
     20 Notes
DistanceLove
Posted on 2008-12-5 23:47:45
The picture speaks for itself.

Firewall
Posted on 2008-12-5 23:53:06
ESET reports it as an unidentified NewHeur_PE virus.
Already submitted.
VISN
Posted on 2008-12-6 11:15:57
Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL:  http://x.wuc7.com/xx.exe
Information:  Is the TR/Crypt.FKM.Gen Trojan  


--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.2.0.42, VDF 7.1.0.195
yangpoquan
Posted on 2008-12-6 11:58:56

School machines are simply a breeding ground for viruses.
