soft.yingzheng.com赢政网页被挂马

绅博周幸

AntiVir	Found TR/Hijack.Explor.2047
ArcaVir	Found Heur.Win32
Avast	Found nothing
AVG Antivirus	Found nothing
BitDefender	Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV	Found nothing
Dr.Web	Found Trojan.DownLoader.16639
F-Prot Antivirus	Found nothing
F-Secure Anti-Virus	Found nothing
Fortinet	Found nothing
Kaspersky Anti-Virus	Found Trojan-Downloader.Win32.Agent.bgm
NOD32	Found nothing
Norman Virus Control	Found nothing
VirusBuster	Found novirus:Packed/Upack
VBA32	Found nothing

七少

费尔报

紫外线

版主给的网页进8去了，自动转到首页

马力

驱逐舰报杀

ALEXBLAIR

恶心的东西
会修改系统的启动和关机脚本
当你开机和关机的时候运行和启动维护。
抢在非服务级别的杀毒软件之前启动（不过现在基本都是服务级别了 ）

下面是调试日志（使用SSM）
Parent process:
   Path: C:\WINDOWS\explorer.exe
   PID: 1704
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
   Information: Windows Explorer (Microsoft Corporation)
Child process:
   Path: Z:\123\123.exe
   Command line:"Z:\123\123.exe"
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: Asynchronous
      Type: REG_DWORD
      Value: 00000001
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: Impersonate
      Type: REG_DWORD
      Value: 00000001
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: DllName
      Type: REG_SZ
      Value: msgcom.dll
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: Logoff
      Type: REG_SZ
      Value: StopProcessAtWinLogoff
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: Logon
      Type: REG_SZ
      Value: StartProcessAtWinLogon
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: Startup
      Type: REG_SZ
      Value: StartProcessAtStartup
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: iniurl
      Type: REG_SZ
      Value: iuuq;00xxx/274dw/dpn0wjq0274dw/uyu
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: upurl
      Type: REG_SZ
      Value: iuuq;00xxx/274dw/dpn0wjq0274dw/emm
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: lineurl
      Type: REG_SZ
      Value: iuuq;00tjbobbb/dpnbb/dnb
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Registry Group: Winlogon
Object:
   Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
   Registry value: timer
      Type: REG_SZ
      Value: 3
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Object:
   Path: C:\WINDOWS\explorer.exe
   Information: Windows Explorer (Microsoft Corporation)
This function is used to modify the virtual memory of another program, potentially changing its behaviour.
Process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Object:
   Path: C:\WINDOWS\explorer.exe
   Information: Windows Explorer (Microsoft Corporation)
This function is used to modify the virtual memory of another program, potentially changing its behaviour.
Parent process:
   Path: Z:\123\123.exe
   PID: 1828
   User name: [email=MINI@Administrator]MINI@Administrator[/email]
Child process:
   Path: C:\WINDOWS\system32\cmd.exe
   Information: Windows Command Processor (Microsoft Corporation)
   Command line:cmd /c C:\WINDOWS\system32\del.bat

不要怕

东方微点：
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\123.EXE
木马程序生成以下文件:
1) C:\WINDOWS\SYSTEM32\MSGCOM.DLL
删除木马程序及其衍生物!
处理结果:成功清除!

九尾野狐

NOD32  没报  

已经上报了

九尾野狐

用今天早上的病毒库没查出

升级了下病毒库后立马在下载前报警

鼻耳盖子

有生成物
\WINNT\SYSTEM32\MSGCOM.DLL I:\TEST\070210\12\123\123.EXE

pamier2001

周版。。。
赢政现在的域名是winzheng,不是yingzheng