Installation Report: ase
Generated by InCtrl5, version 1.0.0.0
Install program: E:\downloads\750089-447\qd.exe
9-20-2010 5:51 PM
------------------------------------------------------------
Registry
********
Keys ignored: 0
---------------
* (none)
Keys added: 43
--------------
HKEY_CLASSES_ROOT\AppID\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}
HKEY_CLASSES_ROOT\AppID\BHO.DLL
HKEY_CLASSES_ROOT\BHO.MsnPlayer
HKEY_CLASSES_ROOT\BHO.MsnPlayer\CLSID
HKEY_CLASSES_ROOT\BHO.MsnPlayer\CurVer
HKEY_CLASSES_ROOT\BHO.MsnPlayer.1
HKEY_CLASSES_ROOT\BHO.MsnPlayer.1\CLSID
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\ProgID
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\Programmable
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\VersionIndependentProgID
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2445&SUBSYS_4730414C&REV_05#3&13C0B0C5&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Security
Keys deleted: 5
---------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2445&SUBSYS_4730414C&REV_05#3&13C0B0C5&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\S
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\S
Values added: 68
----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "E:\downloads\750089-447\qd.exe"
Type: REG_SZ
Data: ase
HKEY_CLASSES_ROOT\AppID\{FFC8DBFF-519D-4F3B-A541-98A0807DD801} "(Default)"
Type: REG_SZ
Data: BHO
HKEY_CLASSES_ROOT\AppID\BHO.DLL "AppID"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\BHO.MsnPlayer "(Default)"
Type: REG_SZ
Data: CMsnPlayer Object
HKEY_CLASSES_ROOT\BHO.MsnPlayer\CLSID "(Default)"
Type: REG_SZ
Data: {94F3CE47-FC4B-4DCC-B623-99C0569C96B4}
HKEY_CLASSES_ROOT\BHO.MsnPlayer\CurVer "(Default)"
Type: REG_SZ
Data: BHO.MsnPlayer.1
HKEY_CLASSES_ROOT\BHO.MsnPlayer.1 "(Default)"
Type: REG_SZ
Data: CMsnPlayer Object
HKEY_CLASSES_ROOT\BHO.MsnPlayer.1\CLSID "(Default)"
Type: REG_SZ
Data: {94F3CE47-FC4B-4DCC-B623-99C0569C96B4}
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4} "(Default)"
Type: REG_SZ
Data: CMsnPlayer Object
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4} "AppID"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\8a7o.dll
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: apartment
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\ProgID "(Default)"
Type: REG_SZ
Data: BHO.MsnPlayer.1
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\TypeLib "(Default)"
Type: REG_SZ
Data: {FFC8DBFF-519D-4F3B-A541-98A0807DD801}
HKEY_CLASSES_ROOT\CLSID\{94F3CE47-FC4B-4DCC-B623-99C0569C96B4}\VersionIndependentProgID "(Default)"
Type: REG_SZ
Data: BHO.MsnPlayer
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391} "(Default)"
Type: REG_SZ
Data: IMsnPlayer
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\ProxyStubClsid "(Default)"
Type: REG_SZ
Data: {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\ProxyStubClsid32 "(Default)"
Type: REG_SZ
Data: {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\TypeLib "(Default)"
Type: REG_SZ
Data: {FFC8DBFF-519D-4F3B-A541-98A0807DD801}
HKEY_CLASSES_ROOT\Interface\{B1A1E850-6F97-4FAF-AADA-FB15F8951391}\TypeLib "Version"
Type: REG_SZ
Data: 1.0
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0 "(Default)"
Type: REG_SZ
Data: BHO 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\0\win32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\8a7o.dll
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\FLAGS "(Default)"
Type: REG_SZ
Data: 0
HKEY_CLASSES_ROOT\TypeLib\{FFC8DBFF-519D-4F3B-A541-98A0807DD801}\1.0\HELPDIR "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager "PendingFileRenameOperations"
Type: REG_MULTI_SZ
Data: (data too large: 545 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "DeviceDesc"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000 "Service"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDLEA\0000\Control "ActiveService"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Mdlea "EventMessageFile"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\a77d.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Mdlea "TypesSupported"
Type: REG_DWORD
Data: 07, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "DisplayName"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\a77d.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MDLEA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mdlea\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "PendingFileRenameOperations"
Type: REG_MULTI_SZ
Data: (data too large: 545 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "DeviceDesc"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000 "Service"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDLEA\0000\Control "ActiveService"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Mdlea "EventMessageFile"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\a77d.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Mdlea "TypesSupported"
Type: REG_DWORD
Data: 07, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "DisplayName"
Type: REG_SZ
Data: Mdlea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\a77d.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MDLEA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mdlea\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
Values changed: 6
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 3C, 00, 00, 00, 60, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 10, D4, 39, DD, 53, 4D, CB, 01, 01, 00, 00, 00, C0, A8, 00, 66, 00, 00, 00, 00, 00, 00, 00, 00
New data: 3C, 00, 00, 00, 61, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 10, D4, 39, DD, 53, 4D, CB, 01, 01, 00, 00, 00, C0, A8, 00, 66, 00, 00, 00, 00, 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 11, 6E, EA, F9, B0, C6, 7E, 84, 14, 01, D8, 81, B7, 81, 39, C2, 9C, 18, 43, D3, BA, AD, 09, 8E, E0, 1E, AF, 48, 4C, A6, 7A, 86, 8B, D9, 35, FB, 01, F4, 79, 68, 1E, 70, D9, BD, 2B, 96, 2E, 95, D9, 45, F7, 75, E3, 18, 2E, 1D, D5, 86, ED, 41, 76, A6, C0, F1, 41, 2E, C0, CB, E2, 25, 42, 29, 24, D1, 2B, D6, 8F, 55, E8, AC
New data: C4, 5B, 30, FC, EE, 80, 78, FF, 0D, C9, 09, 75, EF, 0B, 70, 5B, D9, 9F, 75, B9, 45, 8E, 45, B4, 40, 5B, AB, F1, 19, 45, A3, 92, 54, 2C, F6, C3, 0A, 03, EC, 35, 66, 91, CD, 14, 31, 6C, 05, 5B, C9, 0E, 65, 67, 79, 52, 73, 56, 95, 8F, 43, 35, B7, 72, AD, BF, 94, A2, 34, DB, 48, BD, E1, F1, E5, 42, CB, A8, 18, 00, 37, 7E
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent "(Default)"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 0A, 00, 00, 00
New data: 0B, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application "Sources"
Old type: REG_MULTI_SZ
New type: REG_MULTI_SZ
Old data: (data too large: 699 bytes)
New data: (data too large: 705 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent "(Default)"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 0A, 00, 00, 00
New data: 0B, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application "Sources"
Old type: REG_MULTI_SZ
New type: REG_MULTI_SZ
Old data: (data too large: 699 bytes)
New data: (data too large: 705 bytes)
------------------------------------------------------------
Disk contents
*************
Drives tracked: 3
-----------------
* c:\
* d:\
* e:\
Folders added: 3
----------------
c:\Documents and Settings\Administrator\Local Settings\Temp\h8gi24o8
c:\Documents and Settings\All Users\Application Data\t
c:\Documents and Settings\All Users\Application Data\t\ad
Files added: 14
---------------
c:\WINDOWS\8fad.exe
Date: 9-20-2010 5:51 PM
Size: 67,584 bytes
c:\WINDOWS\b8fd.flv
Date: 9-20-2010 1:46 PM
Size: 98,816 bytes
c:\WINDOWS\fa0u.bmp
Date: 9-20-2010 5:51 PM
Size: 271,872 bytes
c:\WINDOWS\Prefetch\A77D.EXE-0A8A9FB7.pf
Date: 9-20-2010 5:51 PM
Size: 15,200 bytes
c:\WINDOWS\Prefetch\QD.EXE-11C062DB.pf
Date: 9-20-2010 5:51 PM
Size: 27,454 bytes
c:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf
Date: 9-20-2010 5:51 PM
Size: 19,064 bytes
c:\WINDOWS\Prefetch\RUNDLL32.EXE-13DBD163.pf
Date: 9-20-2010 5:51 PM
Size: 22,160 bytes
c:\WINDOWS\Prefetch\RUNDLL32.EXE-1D7622E9.pf
Date: 9-20-2010 5:51 PM
Size: 19,974 bytes
c:\WINDOWS\system32\08b
Date: 9-20-2010 5:51 PM
Size: 68 bytes
c:\WINDOWS\system32\-71-3210-4
Date: 9-20-2010 5:51 PM
Size: 30 bytes
c:\WINDOWS\system32\8a7o.dll
Date: 9-20-2010 5:51 PM
Size: 67,584 bytes
c:\WINDOWS\system32\8f1e.dll
Date: 9-20-2010 5:51 PM
Size: 271,872 bytes
c:\WINDOWS\system32\a77d.exe
Date: 9-20-2010 1:46 PM
Size: 98,816 bytes
c:\WINDOWS\Tasks\ms.job
Date: 9-20-2010 5:51 PM
Size: 260 bytes
Files changed: 12
-----------------
c:\Documents and Settings\Administrator\ntuser.dat.LOG
Old date: 9-20-2010 5:50 PM
New date: 9-20-2010 5:51 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\Documents and Settings\Administrator\Cookies\index.dat
Old date: 9-20-2010 5:47 PM
New date: 9-20-2010 5:51 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Old date: 9-20-2010 5:47 PM
New date: 9-20-2010 5:51 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 9-20-2010 5:47 PM
New date: 9-20-2010 5:51 PM
Old size: 1,343,488 bytes
New size: 1,343,488 bytes
c:\Program Files\Kingsoft\webshield\kse\kse_wfsdata\KSWebShield_tmpa0.dat
Old date: 9-20-2010 5:51 PM
New date: 9-20-2010 5:51 PM
Old size: 0 bytes
New size: 0 bytes
c:\Program Files\Kingsoft\webshield\webui\icon\btbg.gif
Old date: 9-20-2010 5:51 PM
New date: 9-20-2010 5:51 PM
Old size: 1,050 bytes
New size: 1,050 bytes
c:\WINDOWS\system32\config\SECURITY
Old date: 9-20-2010 5:47 PM
New date: 9-20-2010 5:51 PM
Old size: 262,144 bytes
New size: 262,144 bytes
c:\WINDOWS\system32\config\SECURITY.LOG
Old date: 9-20-2010 5:48 PM
New date: 9-20-2010 5:51 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\software.LOG
Old date: 9-20-2010 5:50 PM
New date: 9-20-2010 5:51 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\system
Old date: 9-20-2010 5:47 PM
New date: 9-20-2010 5:51 PM
Old size: 2,621,440 bytes
New size: 2,621,440 bytes
c:\WINDOWS\system32\config\system.LOG
Old date: 9-20-2010 5:49 PM
New date: 9-20-2010 5:51 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\wbem\Logs\wbemess.log
Old date: 9-20-2010 5:49 PM
New date: 9-20-2010 5:51 PM
Old size: 2,052 bytes
New size: 2,147 bytes
------------------------------------------------------------
INI file
********
Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\windows\control.ini
* c:\windows\system.ini
* c:\windows\win.ini
------------------------------------------------------------
Text file
*********
Text files tracked: 2
---------------------
* c:\windows\system32\autoexec.nt
* c:\windows\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.