Original poster: 孔子

[Virus sample] Sample of the web trojan (网马) planted on the KaFan forum

maomao110
Posted 2011-5-11 11:55:15
Kingsoft Guard (金山卫士) killed it before Avira (红伞) did.
812969
Posted 2011-5-11 12:05:31
[image attachment]

liulangzhecgr
Posted 2011-5-11 13:05:32
Installation Report: rj1
Generated by InCtrl5, version 1.0.0.0
Install program: E:\DownLoads\rj1\rj1.exe
5-11-2011 11:54 AM

------------------------------------------------------------

Keys added: 125
---------------
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.Exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\FDC\GENERIC_FLOPPY_DRIVE\5&345fbd89&0&0\DeviceDesc


Values added: 126
-----------------
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "dsfghjgj"
                Type: REG_SZ
                Data: (data too large: 2036 bytes)
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run "TXMouie"
                Type: REG_SZ
                Data: C:\WINDOWS\system32\keepSafe.exe    駧?        点击这个按钮开始加速安装过程。      !徢         点击这个按钮开始加速安装过程。      Q徢         点击这个按钮开始加速安装过程。      亸?        点击这个按钮开始加速安装过程。      睆?        点击这个按钮开
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe "Debugger"
                Type: REG_SZ
                Data: C:\WINDOWS\system32\keepSafe.exe    駧?        点击这个按钮开始加速安装过程。      !徢         点击这个按钮开始加速安装过程。      Q徢         点击这个按钮开始加速安装过程。      亸?        点击这个按钮开始加速安装过程。      睆?        点击这个按钮开
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe "Debugger"
                Type: REG_SZ
                Data: C:\WINDOWS\system32\keepSafe.exe    駧?        点击这个按钮开始加速安装过程。      !徢         点击这个按钮开始加速安装过程。      Q徢         点击这个按钮开始加速安装过程。      亸?        点击这个按钮开始加速安装过程。      睆?        点击这个按钮开
        ... ...
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe "Debugger"
                Type: REG_SZ
                Data: C:\WINDOWS\system32\keepSafe.exe    駧?        点击这个按钮开始加速安装过程。      !徢         点击这个按钮开始加速安装过程。      Q徢         点击这个按钮开始加速安装过程。      亸?        点击这个按钮开始加速安装过程。      睆?        点击这个按钮开

Values changed: 6
-----------------
        HKEY_CURRENT_USER\SessionInformation "ProgramCount"
                Old type: REG_DWORD
                New type: REG_DWORD
                Old data: 03, 00, 00, 00
                New data: 02, 00, 00, 00
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden"
                Old type: REG_DWORD
                New type: REG_DWORD
                Old data: 01, 00, 00, 00
                New data: 02, 00, 00, 00
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings"
                Old type: REG_BINARY
                New type: REG_BINARY
                Old data: 46, 00, 00, 00, 50, 01, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, C0, 4F, CE, 11, 98, 96, CB, 01, 01, 00, 00, 00, C0, A8, 00, 70, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
                New data: 46, 00, 00, 00, 52, 01, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, C0, 4F, CE, 11, 98, 96, CB, 01, 01, 00, 00, 00, C0, A8, 00, 70, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
        HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager "Preferences"
                Old type: REG_BINARY
                New type: REG_BINARY
                Old data: (data too large: 668 bytes)
                New data: (data too large: 668 bytes)
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
                Old type: REG_BINARY
                New type: REG_BINARY
                Old data: DB, 45, 79, 53, 04, 27, CE, CD, 9D, C2, 82, DC, 83, 0E, 9E, 81, F9, 15, C3, B2, 95, 30, 80, 12, 78, F3, 9F, 02, A7, BB, 59, 14, C1, 97, 26, A5, A1, 04, E8, 37, 3E, 88, 0B, 5D, BC, 89, 98, 88, 4F, 68, 36, 2B, D0, D1, FE, 2E, A5, 0F, 00, 63, B4, AC, 78, 34, 96, 55, C6, 1D, D7, 6C, D8, CF, 44, F3, 59, 33, 0F, 6A, E7, D9
                New data: 17, 8F, C7, 81, 9D, 8C, 71, 5C, 5E, 06, 03, 59, 3A, 43, 9E, 05, A6, 98, AC, 16, C5, C1, 71, 65, 4E, 27, E0, 01, 9E, 5D, 6C, E4, EC, F7, 05, A9, D4, EE, 81, B2, 98, CE, 1B, 35, F6, 36, 49, 88, 57, 7F, 50, 9B, F0, 72, C7, 6E, 0C, 5E, 70, B5, DC, 25, 86, 2B, DA, 96, F1, 93, 59, 17, 07, EF, 83, 98, AA, 36, C6, 3C, 01, 3F
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue"
                Old type: REG_DWORD
                New type: REG_DWORD
                Old data: 01, 00, 00, 00
                New data: 00, 00, 00, 00
------------------------------------------------------------
Files added :
        c:\WINDOWS\system32\keepSafe.exe
                Date: 5-11-2011 9:32 AM
                Size: 35,361 bytes

liulangzhecgr
Posted 2011-5-11 13:13:02
Infection symptoms:
      1. The system Task Manager cannot be opened;
      2. Settings are modified:
      [image attachment]
      3. A whole pile of image hijacks (IFEO):
      [image attachment]

星风烈日
Posted 2011-5-11 13:33:04
Norton kills it.
小飞侠.net
Posted 2011-5-11 14:51:05
Last edited by 小飞侠.net on 2011-5-11 14:52

Suspicious file scan report ┊2011-4-24 8:00┊

┊360 Antivirus (360杀毒) 2.0.0.2033 ┊
Scan option: specified directory scan
----------------------
Scan all files: yes
Scan archives: yes
Action on detection: notify user
Scan system memory: yes
Scan disk boot sectors: yes
Scan for rootkits: yes
Use QVM heuristic engine: yes
Update settings: scheduled update, daily at 16:24
=======================
┊Antiy Ghostbusters (安天防线) v7.2.2.3184 ┊
Specified directory scan
----------------------
Cloud security: yes
File types scanned: all files
Scan archives: yes
Scan cookies: yes
Scan for rootkits: yes
Heuristics: yes
Update settings: automatic online update on launch

       Windows XP SP3┊Google Chrome 11┊7-Zip┊7z
----------------------
File name: D:\mp4\0509星期一\rj1.rar
File size: 34792 bytes (33.98 KB)
Modified: 2011-05-11 14:38
MD5: f7f50c46f2bc442b4e3d1f1dc5184447
SHA1: 69a74f3583641fe59c821b2ad0416d0a98549636
SHA256: 92ce12ace02dc0dae680980cb3c5a6e3f58e6afd645f74417ec6dff03f1f85c3
CRC32: 3aaae057

----------------------
360 Antivirus 2:
Virus scan result
----------------------
D:\mp4\0509星期一\rj1.rar=>j1.rar=>rj1.exe        木马(Win32/Trojan.QQ.b48)        未处理
=======================
Antiy Ghostbusters 7: submitted to the vendor...

----------------------
Local virus database last updated: 2011-5-11 14:40

Online multi-engine scan:
Status:  Scan finished. 19 out of 20 scanners reported malware.
h~ttp://virusscan.jotti.org/en/scanresult/e68fdbcf8468ff97cc10084d07487951ad30b2d2

3801187
Posted 2011-5-11 17:01:45
BitDefender 2011

This web page has been blocked by BitDefender antivirus real-time protection!

The page blocked by BitDefender contains objects that are (possibly) infected with a virus. Your system has not been infected.
ppy0606
Posted 2011-5-11 17:27:02
Too many log entries...

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: c:\windows\system32\notepad.exe
消息: WM_CLOSE
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_CLOSE
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_DESTROY
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_QUIT
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: 0x0118
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_CLOSE
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_DESTROY
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_QUIT
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: 0x0118
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_CLOSE
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_DESTROY
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: WM_QUIT
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\tencent\qq\bin\qq.exe
消息: 0x0118
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_CLOSE
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_DESTROY
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: WM_QUIT
规则: [应用程序组]●研磨

2011-5-11 17:21:27    向其他进程发送消息    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: f:\program files\mozilla firefox\firefox.exe
消息: 0x0118
规则: [应用程序组]●研磨

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution*

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution*

2011-5-11 17:21:27    创建文件    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: C:\WINDOWS\system32\keepSafe.exe
规则: [应用程序组]●研磨 -> [文件组]文件保护 -> [文件]c:\windows\system32\*

2011-5-11 17:21:27    创建文件    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: C:\WINDOWS\system32\keepSafe.exe
规则: [应用程序组]●研磨 -> [文件组]文件保护 -> [文件]c:\windows\system32\*

2011-5-11 17:21:27    创建文件    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: C:\WINDOWS\system32\keepSafe.exe
规则: [应用程序组]●研磨 -> [文件组]文件保护 -> [文件]c:\windows\system32\*

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies*

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies*

2011-5-11 17:21:27    修改注册表值    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfghjgj
值: C:\WINDOWS\system32\keepSafe.exe
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Run*

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution*

2011-5-11 17:21:27    创建注册表项    阻止
进程: d:\我的文档\virus test\rj1\rj1.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
规则: [应用程序组]●研磨 -> [注册表组]注册表保护 -> [注册表]*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution*

s8706042
Posted 2011-5-11 23:07:51
Trend Micro (趋势) killed 1 virus~~
mxf147
Posted 2011-5-11 23:37:23
Flagged on extraction.