过主防的IE劫持病毒

显示全部楼层 · 发表于 2009-11-18 16:31:22

诺顿扫描没反应，但我没双击这两个病毒，不知道后面诺顿会有什么动作。

显示全部楼层 · 发表于 2009-11-18 16:42:52

as risk tools to VB / ESET / PA

显示全部楼层 · 发表于 2009-11-18 17:34:09

试试这个吧，完美恢复：http://bbs.kafan.cn/thread-591371-1-1.html 另外把C:\Program Files\Internet Explorer\Intenet Exploer.exe 这个手动删除了吧，留着没什么用。

显示全部楼层 · 发表于 2009-11-18 20:47:13

简单好用的病毒

显示全部楼层 · 发表于 2009-11-18 21:08:22

to Avira

显示全部楼层 · 发表于 2009-11-18 21:17:21

DefenseWall

显示全部楼层 · 发表于 2009-11-18 21:21:10

18/11/2009 21:21:28 Detected Trojan program Trojan.Win32.StartPage.exq High Exact C:\Documents and Settings\kato\桌面\最新网址.exe
18/11/2009 21:21:54 Detected Trojan program Trojan.Win32.StartPage.exq High Exact C:\Documents and Settings\kato\桌面\寻找老大.exe

to ll,comodo

https://www.virustotal.com/anali ... 26ca383a-1258550652

https://www.virustotal.com/anali ... e0550e58-1258550639

[ 本帖最后由 sam.to 于 2009-11-18 21:27 编辑 ]

显示全部楼层 · 发表于 2009-11-18 22:07:09

McAfee 报了2个可疑月神

显示全部楼层 · 发表于 2009-11-18 22:23:01

寻找老大.exe

·键值创建
[td]HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Value："\??\C:\DOCUME~1\User\LOCALS~1\Temp\qzone.exe"

·键值更改
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Time

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

·创建目录
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012009011220090113
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp

·删除目录
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008082720080828

·创建文件
C:\Documents and Settings\User\Favorites\°Щ¶И.url
C:\Documents and Settings\User\Favorites\°Щ¶ИТ»ПВЈ¬ДгѕНЦЄµА.url
C:\Documents and Settings\User\Favorites\ИнјюПВФШ.url
C:\Documents and Settings\User\Favorites\НшХѕЦ®јТ.url
C:\Documents and Settings\User\Favorites\НшЦ·µјєЅ.url
C:\Documents and Settings\User\Favorites\НшЦ·Ц®јТ.url
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012009011220090113\index.dat
C:\Documents and Settings\User\Local Settings\Temp\nsd3.tmp
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp\FindProcDLL.dll
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp\ns7.tmp
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp\nsExec.dll
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp\System.dll
C:\Documents and Settings\User\Local Settings\Temp\nse4.tmp\UserInfo.dll
C:\Documents and Settings\User\Local Settings\Temp\qzone.exe
C:\Documents and Settings\User\Local Settings\Temp\regini.ini
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\2OADB2SC\136s[1].htm
C:\WINDOWS\system32\qzone.dll

·删除文件
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat

·进程
qzone.exe　C:\DOCUME~1\User\LOCALS~1\Temp\qzone.exe
IEXPLORE.EXE　C:\Program Files\Internet Explorer\iexplore.exe
ns5.tmp　C:\DOCUME~1\User\LOCALS~1\Temp\nse4.tmp\ns5.tmp

最新网址.exe
键值修改和文件创建同于“寻找老大.exe”
·删除目录
C:\Documents and Settings\User\Local Settings\Temp\nsu4.tmp

[ 本帖最后由 fengtaks 于 2009-11-18 22:32 编辑 ]

显示全部楼层 · 发表于 2009-11-18 23:07:59

觉得对付这类型的东西，那个QQKAV很好用

[病毒样本] 过主防的IE劫持病毒

本帖子中包含更多资源