Thread starter: 狂龙啸天

[Virus sample] What a beast, only 3 AVs flag it

agggg5566
Posted on 2009-6-22 08:28:47
Files created:
%SystemRoot%\svchost.exe
%SystemRoot%\system\svchost.exe
%SystemRoot%\zhoutun.txt

Registry autorun entries added:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\svchost.exe1:"%SystemRoot%\svchost.exe"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\svchost.exe2:"%SystemRoot%\system\svchost.exe"

Registry modified to break the "show hidden files" option:
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001

Registry modified to break the "show file extensions" option:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt

Registry key created to disable cmd:
Software\Policies\Microsoft\Windows\System\DisableCMD:0x00000002

Registry modified so that the default icons of many file types all point to %SystemRoot%\system\svchost.exe:
SOFTWARE\Classes\batfile\DefaultIcon
SOFTWARE\Classes\cmdfile\DefaultIcon
SOFTWARE\Classes\comfile\DefaultIcon
SOFTWARE\Classes\dllfile\DefaultIcon
SOFTWARE\Classes\inffile\DefaultIcon
SOFTWARE\Classes\regfile\DefaultIcon
SOFTWARE\Classes\txtfile\DefaultIcon
SOFTWARE\Classes\chm.file\DefaultIcon
SOFTWARE\Classes\Excel.CSV\DefaultIcon
SOFTWARE\Classes\exefile\DefaultIcon
SOFTWARE\Classes\icofile\DefaultIcon
SOFTWARE\Classes\jpegfile\DefaultIcon
SOFTWARE\Classes\Paint.Picture\DefaultIcon
SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon
SOFTWARE\Classes\SoundRec\DefaultIcon
SOFTWARE\Classes\stormplayer.acc\DefaultIcon
SOFTWARE\Classes\stormplayer.mp4\DefaultIcon
SOFTWARE\Classes\stormplayer.rm\DefaultIcon
SOFTWARE\Classes\stormplayer.rmvb\DefaultIcon
SOFTWARE\Classes\WinRAR\DefaultIcon
SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
SOFTWARE\Classes\Word.Document.8\DefaultIcon
SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon
SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon
SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon
SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon

Searches the folders on every partition, creates a "<folder name>.exe" with the same name as each folder, drops a desktop.ini file into every folder, and hides all folders in the top-level directory.
winxp0286
Posted on 2009-6-22 08:34:31
It does things, so it's nothing good.. TO AVIRA
alleynsun
Posted on 2009-6-22 08:43:04
Kingsoft heuristic flags it!
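One way to check a registry export for the indicators this post lists, as an added example that is not the poster's tool or output: it parses a .reg text dump, then flags Run entries and DefaultIcon values that point at an svchost.exe outside system32 (the real one lives only there), a SHOWALL CheckedValue that is not a REG_DWORD 1, a HideFileExt CheckedValue whose type has been changed away from REG_DWORD, and a non-zero DisableCMD. The export below is constructed to reproduce the post's indicators; the key and value names come from the post, and the expectation that both Explorer checkbox values are REG_DWORD on a clean system is an assumption.

```python
"""Scan a Windows registry export (.reg text) for the persistence and
UI-tampering indicators listed in the post above. Added example; the
export below is constructed, not a capture of this sample."""
import re

# Constructed .reg export reproducing the indicators from the post. The real
# svchost.exe lives only under %SystemRoot%\system32; none of these paths do.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe1"="%SystemRoot%\\svchost.exe"
"svchost.exe2"="%SystemRoot%\\system\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue"="1"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon]
@="%SystemRoot%\\system\\svchost.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon]
@="%1"
'''


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the .reg subset used here ([key] headers, "name"=..., @=...).
    Returns {key_path: {value_name: (type, data)}}; '' is the default value."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.lower().startswith('dword:'):
            reg[key][name] = ('REG_DWORD', int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            reg[key][name] = ('REG_SZ', _unescape(data[1:-1]))
        else:
            reg[key][name] = ('OTHER', data)
    return reg


def _value(values, name):
    """Case-insensitive value lookup (registry value names are case-insensitive)."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def masquerading_svchost(path):
    """True for an svchost.exe whose directory is not system32 (icon index ',N' ignored)."""
    p = path.split(',')[0].strip().lower().replace('/', '\\')
    if not p.endswith('svchost.exe'):
        return False
    parent = p.rsplit('\\', 1)[0] if '\\' in p else ''
    return not parent.endswith('system32')


def find_indicators(reg):
    """Return (category, key, detail) tuples for every indicator present."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith('\\currentversion\\run') or k.endswith('\\currentversion\\runonce'):
            for name, (_, data) in values.items():
                if isinstance(data, str) and masquerading_svchost(data):
                    findings.append(('autorun_fake_svchost', key, f'{name} -> {data}'))
        elif k.endswith('\\folder\\hidden\\showall'):
            # Explorer's "Show hidden files" option only works with REG_DWORD 1 here
            if _value(values, 'CheckedValue') != ('REG_DWORD', 1):
                findings.append(('showall_broken', key, str(_value(values, 'CheckedValue'))))
        elif k.endswith('\\folder\\hidefileext'):
            v = _value(values, 'CheckedValue')
            typ = v[0] if v else 'MISSING'
            if typ != 'REG_DWORD':  # assumption: REG_DWORD is the clean type
                findings.append(('hidefileext_tampered', key, f'CheckedValue type {typ}'))
        elif k.endswith('\\policies\\microsoft\\windows\\system'):
            v = _value(values, 'DisableCMD')
            if v and v[0] == 'REG_DWORD' and v[1] != 0:
                findings.append(('cmd_disabled', key, f'DisableCMD={v[1]}'))
        elif k.endswith('\\defaulticon'):
            v = _value(values, '')
            if v and v[0] == 'REG_SZ' and masquerading_svchost(v[1]):
                findings.append(('defaulticon_hijack', key, v[1]))
    return findings


if __name__ == '__main__':
    for cat, key, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{cat:22} {key}  {detail}')
```

Run it against a `reg export` of HKLM\SOFTWARE and HKCU\Software saved as text; every hit names the key to restore, and the SHOWALL and HideFileExt checks catch the value-type trick as well as a changed number.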

Rating: luxiao200888, reputation +1, reason: Kingsoft heuristic!!!

leo1988
Posted on 2009-6-22 08:59:24
Avira actually didn't flag it! I'm furious!!!
eww
Posted on 2009-6-22 09:53:53
E盾 won't let it open; after extraction it looks like a folder on the surface but is actually an exe executable.
taihuxian
Posted on 2009-6-22 09:59:00
Virus: Gen:Trojan.Heur.F0916EEBEB (Engine A)

Virus found while downloading Web content.

Address: bbs.kafan.cn
said411f
Posted on 2009-6-22 10:13:50

OSS

Allowed ProgramsAI_Boy.exe to run, blocked the rest.
Then scanned with MicroWorld Antivirus Toolkit 11.0.48db~~
Wow >>> it got past OSS
MicroWorld Antivirus Toolkit 11.0.48db report~~~
22 六月 2009 09:45:46 - ***** Scanning Registry and File system for Adware/Spyware *****
22 六月 2009 09:45:47 - ERROR!!! Unable to make directory C:\WINDOWS\system32\runouce.exe!
22 六月 2009 09:45:48 - Loading Spyware Signatures from new External Database [Name: C:\DOCUME~1\said411f\LOCALS~1\Temp\spydb.avs, Size: 906042]...
22 六月 2009 09:45:48 - Indexed Spyware Databases Successfully Created...

22 六月 2009 09:45:50 - Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwareremover.com !!!
22 六月 2009 09:45:50 - Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwareremover.com
22 六月 2009 09:45:50 - Object "MalwareScanner Corrupted Adware/Spyware" found in File System! Action Taken: Entries Removed.

22 六月 2009 09:45:51 - Offending file found: C:\WINDOWS\svchost.exe
22 六月 2009 09:45:51 - System found infected with combo Spyware/Adware (svchost.exe)! Action taken: Entries Removed.
22 六月 2009 09:45:52 - Offending file found: C:\Documents and Settings\said411f\Local Settings\Temporary Internet Files\Content.IE5\X7K332CM\redirect[1].htm
22 六月 2009 09:45:52 - System found infected with combo Spyware/Adware (redirect[1].htm)! Action taken: Entries Removed.
22 六月 2009 09:45:53 - Few files will be deleted *ONLY* on reboot...
22 六月 2009 09:45:53 - Offending file found: C:\Autorun.inf
22 六月 2009 09:45:53 - System found infected with combo Spyware/Adware (C:\Autorun.inf)! Action taken: Entries Removed.

22 六月 2009 09:45:59 - Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".conf". Action Taken: Entries Removed.
22 六月 2009 09:46:01 - Scanning HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\command
22 六月 2009 09:46:01 - Scanning File C:\Program Files\Internet Explorer\iexplore.exe [**XX**]
22 六月 2009 09:46:01 - ** Possible invalid line [127.0.0.1  www.download-mcafee.com] in HOSTS file!
22 六月 2009 09:46:01 - ** Renamed C:\WINDOWS\system32\drivers\etc\hosts to C:\WINDOWS\system32\drivers\etc\hosts.10281352
22 六月 2009 09:46:01 - Clearing Temporary sub-folders as Spyware/Adware found in system...
22 六月 2009 09:46:01 - Few files will be deleted *ONLY* on reboot...
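The scan log above flags a hosts-file line mapping www.download-mcafee.com to 127.0.0.1, a common way of cutting a machine off from security-vendor sites. The check below is an added example (not part of the post or of the MicroWorld toolkit): it parses a hosts file and reports entries that send a vendor-looking hostname to a loopback or unspecified address. The hosts content and the vendor keyword list are constructed.

```python
"""Report hosts-file entries that black-hole security-vendor domains.
Added example; the hosts text and vendor keyword list are constructed."""
import ipaddress

# Constructed sample hosts file; the mcafee line mirrors the one in the scan log.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1  www.download-mcafee.com
127.0.0.1  update.symantec.com   # constructed
0.0.0.0    www.kaspersky.com
192.168.1.10 fileserver.corp.example
"""

# Constructed keyword list; extend with the vendors relevant to your estate.
VENDOR_HINTS = ('mcafee', 'symantec', 'kaspersky', 'avira', 'bitdefender',
                'kingsoft', 'comodo', 'microsoft', 'windowsupdate')


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and aliases are handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def blackholed_vendor_hosts(entries):
    """Return entries that point a vendor-looking name at a loopback or
    unspecified address; the normal localhost line is excluded."""
    hits = []
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, not a redirect
        if host == 'localhost' or not (addr.is_loopback or addr.is_unspecified):
            continue
        if any(hint in host for hint in VENDOR_HINTS):
            hits.append((ip, host))
    return hits


if __name__ == '__main__':
    for ip, host in blackholed_vendor_hosts(parse_hosts(SAMPLE_HOSTS)):
        print(f'blackholed: {host} -> {ip}')
```

On a real machine, read %SystemRoot%\system32\drivers\etc\hosts instead of the sample; anything reported should be compared against a known-good copy before the file is restored, since the scanner in the log above renamed the whole file rather than removing single lines.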
xxl
Posted on 2009-6-22 10:15:37
BitDefender 2009

This web page has been blocked by BitDefender Antivirus Real-time Protection!

The blocked web page included objects that were either infected or likely to be infected with a virus. Your system has NOT been infected.
Gen:Trojan.Heur.F0916EEBEB
leo1988
Posted on 2009-6-22 10:51:09
How do you remove that one?
Tynox
Posted on 2009-6-22 10:56:19
to comodo