(Author: Greysign)
1. Sample information
Virus name: Trojan-PSW.Win32.OnLineGames.alsf
Virus type: Downloader / Trojan
File size: 24420 bytes
File type: MS-DOS executable (EXE)
MD5: 2087197e0474b9bc5365b76f88e4ee86
SHA1: 83a9e23f79c70f894c176d97c5969684a7cf6154
Risk level: C
Packer: WinUpack 0.39 final
Detection names:
IKARUS | T3.1.01.26 | 2008.06.02.70857 | 2008-06-02 | Win32.SuspectCrc | 2.754
Microsoft | 1.3604 | 2008.06.03 | 2008-06-03 | TrojanDropper:Win32/Idicaf.A | 7.415
2. Description:
3. Behaviour analysis
Connects to the network, fetches http://txt.sonuher6.info/tt/1.txt (an INI-style list with a [DOWN] section of numbered URL entries) and downloads the executables it names.
Adds startup entries. Each CLSID below is registered twice, as a Browser Helper Object (the "(Default)" value of its subkey) and as a ShellExecuteHook (a value named after the CLSID), with the same DLL name as REG_SZ data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID> "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "<CLSID>"
CLSID | DLL
{25FD6584-698F-BCD2-602C-698745210352} | rijxbkin.dll
{35671234-7890-ABCD-CDEF-567801237653} | yxcschlp.dll
{37AC9076-C898-B098-D098-A18319080973} | nhmxcjkl.dll
{4629FF4F-ACDB-5C90-A098-FACB3456A264} | mpmydapi.dll
{4C648541-1025-9650-9057-6541258720C4} | mndhddwd.dll
{67FD640A-158F-48AC-FD14-1597F14A9776} | mndsfsrv.dll
{70AF1289-F140-A140-D012-C1458759FC07} | ypcqfhlp.dll
{7C8D1401-A58D-A81C-CD24-A5915C4517C7} | mnmhgsrv.dll
Performs image hijacking (Image File Execution Options). For each program named below it sets the "Debugger" value (REG_SZ) under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program>
to "ntsd -d", so the hijacked program is launched under ntsd and never runs normally.

Entries created:
~OllyDBG.EXE, ~OllyICE.EXE, AntiArp.exe, DrvAnti.exe, filemon.exe, GFRing3.exe, GFUpd.exe, GuardField.exe,
procexp.exe, RawCopy.exe, regedit.exe, regmon.exe, RegTool.exe, rfwProxy.exe, rfwstub.exe, taskmgr.exe

Entries that already existed with Old data C:\Program Files\Common Files\Microsoft Shared\vqvjats.exe (REG_SZ) and whose data was overwritten with "ntsd -d":
360rpt.exe, 360Safe.exe, 360tray.exe, adam.exe, AgentSvr.exe, AppSvc32.exe, autoruns.exe, avconsol.exe,
avgrssvc.exe, AvMonitor.exe, avp.com, avp.exe, CCenter.exe, ccSvcHst.exe, EGHOST.exe, FileDsty.exe,
FTCleanerShell.exe, FYFireWall.exe, HijackThis.exe, IceSword.exe, iparmo.exe, Iparmor.exe, isPwdSvc.exe, kabaload.exe,
KaScrScn.SCR, KASMain.exe, KASTask.exe, KAV32.exe, KAVDX.exe, KAVPF.exe, KAVPFW.exe, KAVSetup.exe,
KAVStart.exe, KISLnchr.exe, KMailMon.exe, KMFilter.exe, KPFW32.exe, KPFW32X.exe, KPfwSvc.exe, KRegEx.exe,
KRepair.com, KsLoader.exe, KVCenter.kxp, KvDetect.exe, KvfwMcl.exe, KVMonXP.kxp, KVMonXP_1.kxp, kvol.exe,
kvolself.exe, KvReport.kxp, KVScan.kxp, KVSrvXP.exe, KVStub.kxp, kvupload.exe, kvwsc.exe, KvXP.kxp,
KvXP_1.kxp, KWatch.exe, KWatch9x.exe, KWatchX.exe, MagicSet.exe, mcconsol.exe, mmqczj.exe, mmsk.exe,
Navapsvc.exe, Navapw32.exe, nod32.exe, nod32krn.exe, nod32kui.exe, NPFMntor.exe, PFW.exe, PFWLiveUpdate.exe,
QHSET.exe, QQDoctor.exe, QQKav.exe, Ras.exe, RavMonD.exe, RavStub.exe, RegClean.exe, rfwcfg.exe,
rfwmain.exe, rfwsrv.exe, RsAgent.exe, Rsaupd.exe, runiep.exe, safelive.exe, scan32.exe, shcfg32.exe,
SmartUp.exe, SREng.EXE, symlcsvc.exe, SysSafe.exe, TrojanDetector.exe, Trojanwall.exe, TrojDie.kxp, UIHost.exe,
UmxAgent.exe, UmxAttachment.exe, UmxCfg.exe, UmxFwHlp.exe, UmxPol.exe, UpLive.exe, vsstat.exe, webscanx.exe,
WoptiClean.exe
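A detector for the two registry patterns described above (IFEO "Debugger" values set to ntsd -d, and one CLSID registered as both a Browser Helper Object and a ShellExecuteHook), written as an added example that is not part of the original post: it parses a change listing in the post's own "Key / Type / Data" layout. The sample listing is constructed from values in the post plus one made-up benign IFEO entry (notepad.exe pointing at vsjitdebugger) that must not be reported as a kill-hijack.

```python
"""Detection logic for the registry changes this analysis documents, run over a
listing in the same 'Key "Value" / Type / Data' layout: IFEO "Debugger" values
set to "ntsd -d" (the named tool no longer starts) and one CLSID registered as
both BHO and ShellExecuteHook. Added example, not the post's own tooling."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the post's layout: values taken from the post plus one
# made-up benign IFEO entry (notepad.exe -> vsjitdebugger), not a kill-hijack.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352} "(Default)"
Type: REG_SZ
Data: rijxbkin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{25FD6584-698F-BCD2-602C-698745210352}"
Type: REG_SZ
Data: rijxbkin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe "Debugger"
Type: REG_SZ
Data: ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe "Debugger"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Program Files\Common Files\Microsoft Shared\vqvjats.exe
New data: ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe "Debugger"
Type: REG_SZ
Data: "C:\Windows\System32\vsjitdebugger.exe" -p %ld -e %ld
"""

KEY_RE = re.compile(r'^(HKEY_[A-Z_]+\\.+?) "([^"]*)"$')
IFEO_MARK = "\\image file execution options\\"
BHO_MARK = "\\explorer\\browser helper objects\\"
HOOK_MARK = "\\explorer\\shellexecutehooks"

@dataclass
class RegChange:
    key: str
    value_name: str
    data: str = ""                  # "Data:" or "New data:"
    old_data: Optional[str] = None  # "Old data:" when an existing value changed

def parse_changes(text: str) -> List[RegChange]:
    """A record is a 'KEY "ValueName"' line followed by Type/Data lines, or by
    Old type/New type/Old data/New data lines when an existing value changed."""
    changes: List[RegChange] = []
    current: Optional[RegChange] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = RegChange(key=m.group(1), value_name=m.group(2))
            changes.append(current)
        elif line and current is not None:
            label, _, payload = line.partition(":")
            label = label.strip().lower()
            if label in ("data", "new data"):
                current.data = payload.strip()
            elif label == "old data":
                current.old_data = payload.strip()
            # Type / Old type / New type lines carry nothing the checks need.
    return changes

def ifeo_kill_targets(changes: List[RegChange]) -> List[str]:
    """Executables whose IFEO "Debugger" value now reads 'ntsd -d'."""
    return sorted((c.key.rsplit("\\", 1)[-1] for c in changes
                   if IFEO_MARK in c.key.lower() and c.value_name.lower() == "debugger"
                   and c.data.lower().startswith("ntsd -d")), key=str.lower)

def analyze(changes: List[RegChange]) -> List[str]:
    """Findings in listing order; the cross-key CLSID check comes last."""
    findings: List[str] = []
    bho: Set[str] = set()
    hooks: Set[str] = set()
    for c in changes:
        key = c.key.lower()
        leaf = c.key.rsplit("\\", 1)[-1]          # executable name or CLSID subkey
        bare_dll = bool(c.data) and "\\" not in c.data
        if IFEO_MARK in key and c.value_name.lower() == "debugger":
            if c.data.lower().startswith("ntsd -d"):
                findings.append(f"HIGH IFEO kill-hijack: {leaf} -> '{c.data}'")
            else:
                findings.append(f"INFO IFEO Debugger set for {leaf}: '{c.data}'")
            if c.old_data and not c.old_data.lower().startswith("ntsd"):
                findings.append(f"INFO {leaf}: earlier Debugger value '{c.old_data}' was overwritten")
        elif BHO_MARK in key:
            bho.add(leaf.upper())                 # BHO subkey name is the CLSID
            if bare_dll:
                findings.append(f"MEDIUM BHO {leaf} -> '{c.data}' (DLL name without a path)")
        elif HOOK_MARK in key:
            hooks.add(c.value_name.upper())       # hook value name is the CLSID
            if bare_dll:
                findings.append(f"MEDIUM ShellExecuteHook {c.value_name} -> '{c.data}' (DLL name without a path)")
    for clsid in sorted(bho & hooks):
        findings.append(f"HIGH CLSID {clsid} registered as both BHO and ShellExecuteHook")
    return findings
```

Run `analyze(parse_changes(SAMPLE_LOG))` to get the findings; the same functions accept a full listing such as the one in this post.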
Drops the following files (path | date | size):
c:\WINDOWS\system32\cedafb.dll | 6-5-2008 8:34 PM | 225,792 bytes
c:\WINDOWS\system32\ddbzwx.exe | 6-5-2008 8:32 PM | 12,356 bytes
c:\WINDOWS\system32\erjxakin.sys | 8-8-2004 8:34 PM | 520 bytes
c:\WINDOWS\system32\gsdhadwd.sys | 8-8-2004 8:33 PM | 520 bytes
c:\WINDOWS\system32\hfrdzx.dll | 6-5-2008 8:33 PM | 215,040 bytes
c:\WINDOWS\system32\hhrdxd.dll | 6-5-2008 8:33 PM | 232,960 bytes
c:\WINDOWS\system32\isdsasrv.exe | 8-8-2004 8:34 PM | 14,979 bytes
c:\WINDOWS\system32\ismhasrv.exe | 8-8-2004 8:33 PM | 17,476 bytes
c:\WINDOWS\system32\jdsaex.dll | 6-5-2008 8:34 PM | 215,040 bytes
c:\WINDOWS\system32\jdsaex.dll.LoG | 6-5-2008 8:34 PM | 40 bytes
c:\WINDOWS\system32\jdywt.exe | 6-5-2008 8:33 PM | 26,144 bytes
c:\WINDOWS\system32\jfrwdh.dll | 6-5-2008 8:34 PM | 222,208 bytes
c:\WINDOWS\system32\jhrcar.dll | 6-5-2008 8:34 PM | 218,624 bytes
c:\WINDOWS\system32\lpmxajkl.exe | 8-8-2004 8:34 PM | 15,656 bytes
c:\WINDOWS\system32\midimaptl.dat | 6-5-2001 8:33 PM | 288 bytes
c:\WINDOWS\system32\midimaptl.dll | 6-5-2001 8:33 PM | 20,768 bytes
c:\WINDOWS\system32\midimapwd.dat | 6-5-2001 8:33 PM | 148 bytes
c:\WINDOWS\system32\midimapwd.dll | 6-5-2001 8:33 PM | 1,071,252 bytes
c:\WINDOWS\system32\midimapzx.dat | 6-5-2001 8:33 PM | 288 bytes
c:\WINDOWS\system32\midimapzx.dll | 6-5-2001 8:33 PM | 23,328 bytes
c:\WINDOWS\system32\mndhddwd.dll | 8-8-2004 8:33 PM | 536,072 bytes
c:\WINDOWS\system32\mndsfsrv.dll | 8-8-2004 8:34 PM | 533,512 bytes
c:\WINDOWS\system32\mnmhgsrv.dll | 8-8-2004 8:33 PM | 538,120 bytes
c:\WINDOWS\system32\mpmydapi.dll | 8-8-2004 8:33 PM | 535,560 bytes
c:\WINDOWS\system32\ngjxakin.sys | 6-5-2008 8:34 PM | 24 bytes
c:\WINDOWS\system32\nhmxcjkl.dll | 8-8-2004 8:34 PM | 535,560 bytes
c:\WINDOWS\system32\pedadt.dll | 6-5-2008 8:34 PM | 225,792 bytes
c:\WINDOWS\system32\pldhadwd.exe | 8-8-2004 8:33 PM | 16,344 bytes
c:\WINDOWS\system32\rijxbkin.dll | 8-8-2004 8:34 PM | 536,072 bytes
c:\WINDOWS\system32\rnmxajkl.sys | 8-8-2004 8:34 PM | 520 bytes
c:\WINDOWS\system32\rpkbw.exe | 6-5-2008 8:33 PM | 23,280 bytes
c:\WINDOWS\system32\rspnk.exe | 6-5-2008 8:33 PM | 28,168 bytes
c:\WINDOWS\system32\sgrefg.dll | 6-5-2008 8:33 PM | 218,624 bytes
c:\WINDOWS\system32\simyaapi.exe | 8-8-2004 8:33 PM
Size: 15,959 bytes
c:\WINDOWS\system32\smdsbsrv.sys
Date: 8-8-2004 8:34 PM
Size: 520 bytes
c:\WINDOWS\system32\smmhbsrv.sys
Date: 8-8-2004 8:33 PM
Size: 520 bytes
c:\WINDOWS\system32\spmybapi.sys
Date: 8-8-2004 8:33 PM
Size: 520 bytes
c:\WINDOWS\system32\stjxakin.exe
Date: 8-8-2004 8:34 PM
Size: 15,942 bytes
c:\WINDOWS\system32\SysDaJcHv.dll
Date: 6-5-2008 8:33 PM
Size: 21,507 bytes
c:\WINDOWS\system32\SysWmWacz.dll
Date: 6-5-2008 8:33 PM
Size: 18,711 bytes
c:\WINDOWS\system32\SysWoWaVip.dll
Date: 6-5-2008 8:33 PM
Size: 23,561 bytes
c:\WINDOWS\system32\wininnet.nls
Date: 6-5-2008 8:32 PM
Size: 32,768 bytes
c:\WINDOWS\system32\wrqszl.dll
Date: 6-5-2008 8:34 PM
Size: 225,792 bytes
c:\WINDOWS\system32\wymxajkl.sys
Date: 6-5-2008 8:34 PM
Size: 24 bytes
c:\WINDOWS\system32\xscqbhlp.sys
Date: 8-8-2004 8:34 PM
Size: 520 bytes
c:\WINDOWS\system32\xzcsbhlp.sys
Date: 8-8-2004 8:34 PM
Size: 520 bytes
c:\WINDOWS\system32\ypcqfhlp.dll
Date: 8-8-2004 8:34 PM
Size: 538,632 bytes
c:\WINDOWS\system32\yxcschlp.dll
Date: 8-8-2004 8:34 PM
Size: 533,512 bytes
c:\WINDOWS\system32\zdesfx.dll
Date: 6-5-2008 8:33 PM
Size: 218,624 bytes
c:\WINDOWS\system32\zgfdet.dll
Date: 6-5-2008 8:33 PM
Size: 232,960 bytes
c:\WINDOWS\system32\zscqahlp.exe
Date: 8-8-2004 8:34 PM
Size: 18,514 bytes
c:\WINDOWS\system32\zxcsahlp.exe
Date: 8-8-2004 8:34 PM
Size: 14,915 bytes
Solution:
Delete the files:
c:\WINDOWS\system32\cedafb.dll
c:\WINDOWS\system32\ddbzwx.exe
c:\WINDOWS\system32\erjxakin.sys
c:\WINDOWS\system32\gsdhadwd.sys
c:\WINDOWS\system32\hfrdzx.dll
c:\WINDOWS\system32\hhrdxd.dll
c:\WINDOWS\system32\isdsasrv.exe
c:\WINDOWS\system32\ismhasrv.exe
c:\WINDOWS\system32\jdsaex.dll
c:\WINDOWS\system32\jdsaex.dll.LoG
c:\WINDOWS\system32\jdywt.exe
c:\WINDOWS\system32\jfrwdh.dll
c:\WINDOWS\system32\jhrcar.dll
c:\WINDOWS\system32\lpmxajkl.exe
c:\WINDOWS\system32\midimaptl.dat
c:\WINDOWS\system32\midimaptl.dll
c:\WINDOWS\system32\midimapwd.dat
c:\WINDOWS\system32\midimapwd.dll
c:\WINDOWS\system32\midimapzx.dat
c:\WINDOWS\system32\midimapzx.dll
c:\WINDOWS\system32\mndhddwd.dll
c:\WINDOWS\system32\mndsfsrv.dll
c:\WINDOWS\system32\mnmhgsrv.dll
c:\WINDOWS\system32\mpmydapi.dll
c:\WINDOWS\system32\ngjxakin.sys
c:\WINDOWS\system32\nhmxcjkl.dll
c:\WINDOWS\system32\pedadt.dll
c:\WINDOWS\system32\pldhadwd.exe
c:\WINDOWS\system32\rijxbkin.dll
c:\WINDOWS\system32\rnmxajkl.sys
c:\WINDOWS\system32\rpkbw.exe
c:\WINDOWS\system32\rspnk.exe
c:\WINDOWS\system32\sgrefg.dll
c:\WINDOWS\system32\simyaapi.exe
c:\WINDOWS\system32\smdsbsrv.sys
c:\WINDOWS\system32\smmhbsrv.sys
c:\WINDOWS\system32\spmybapi.sys
c:\WINDOWS\system32\stjxakin.exe
c:\WINDOWS\system32\SysDaJcHv.dll
c:\WINDOWS\system32\SysWmWacz.dll
c:\WINDOWS\system32\SysWoWaVip.dll
c:\WINDOWS\system32\wininnet.nls
c:\WINDOWS\system32\wrqszl.dll
c:\WINDOWS\system32\wymxajkl.sys
c:\WINDOWS\system32\xscqbhlp.sys
c:\WINDOWS\system32\xzcsbhlp.sys
c:\WINDOWS\system32\ypcqfhlp.dll
c:\WINDOWS\system32\yxcschlp.dll
c:\WINDOWS\system32\zdesfx.dll
c:\WINDOWS\system32\zgfdet.dll
c:\WINDOWS\system32\zscqahlp.exe
c:\WINDOWS\system32\zxcsahlp.exe
Delete the registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4629FF4F-ACDB-5C90-A098-FACB3456A264} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C648541-1025-9650-9057-6541258720C4} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67FD640A-158F-48AC-FD14-1597F14A9776} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7} "(Default)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{25FD6584-698F-BCD2-602C-698745210352}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{35671234-7890-ABCD-CDEF-567801237653}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{37AC9076-C898-B098-D098-A18319080973}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{4629FF4F-ACDB-5C90-A098-FACB3456A264}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{4C648541-1025-9650-9057-6541258720C4}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{67FD640A-158F-48AC-FD14-1597F14A9776}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{70AF1289-F140-A140-D012-C1458759FC07}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"
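The removal steps above can be checked and applied from an elevated PowerShell session. The script below is an added example written for this post; it is not the author's tool and not part of the original analysis. It reports every Image File Execution Options subkey that carries a "Debugger" value (the trojan sets these to "ntsd -d" so the named security tools never start), the eight BHO and ShellExecuteHooks CLSIDs listed above, and a handful of the dropped file names (the remaining names come from the file list above and can be appended to $droppedFiles). It changes nothing unless -Remove is given. One deliberate difference from the list above: it removes only the "Debugger" value from each affected IFEO subkey rather than the whole Image File Execution Options key, so legitimate IFEO settings on the machine survive. The exclusion of the "Your Image File Name Here without a path" placeholder is based on that subkey shipping with Windows XP with Debugger = "ntsd -d"; treat that as an assumption and verify it on the host in question.

```powershell
<#
  Added example, not part of the original post or the author's tooling.
  Audits a host for the persistence described in the report:
    1. IFEO subkeys with a "Debugger" value (set to "ntsd -d" by this trojan),
    2. BHO / ShellExecuteHooks registrations for the report's CLSIDs,
    3. a subset of the dropped files under %System32%.
  Run from an elevated PowerShell. Nothing is changed unless -Remove is supplied.
#>
param([switch]$Remove)

$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# CLSIDs taken from the BHO / ShellExecuteHooks entries listed in the report
$clsids = @(
    '{25FD6584-698F-BCD2-602C-698745210352}', '{35671234-7890-ABCD-CDEF-567801237653}',
    '{37AC9076-C898-B098-D098-A18319080973}', '{4629FF4F-ACDB-5C90-A098-FACB3456A264}',
    '{4C648541-1025-9650-9057-6541258720C4}', '{67FD640A-158F-48AC-FD14-1597F14A9776}',
    '{70AF1289-F140-A140-D012-C1458759FC07}', '{7C8D1401-A58D-A81C-CD24-A5915C4517C7}'
)

# A few of the dropped file names from the report; extend with the rest of the list as needed
$droppedFiles = @('cedafb.dll', 'ddbzwx.exe', 'rijxbkin.dll', 'yxcschlp.dll', 'wininnet.nls') |
    ForEach-Object { Join-Path $env:SystemRoot "system32\$_" }

# Assumption: Windows XP ships this placeholder IFEO subkey with Debugger = "ntsd -d";
# it is part of the OS, not a hijack, so it is skipped.
$knownPlaceholder = 'Your Image File Name Here without a path'

$findings = @()

# 1. Every IFEO subkey that carries a Debugger value.
#    Only the value is removed, not the subkey, so other IFEO settings are kept.
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -eq $knownPlaceholder) { continue }
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $findings += [pscustomobject]@{ Kind = 'IFEO Debugger'; Item = $key.PSChildName; Detail = $dbg }
    if ($Remove) { Remove-ItemProperty -Path $key.PSPath -Name Debugger }
}

# 2. BHO registrations and ShellExecuteHooks values for the report's CLSIDs
foreach ($clsid in $clsids) {
    $bhoKey = Join-Path $bho $clsid
    if (Test-Path -Path $bhoKey) {
        # The BHO key's default value names the DLL (e.g. rijxbkin.dll in the report)
        $dll = (Get-ItemProperty -Path $bhoKey -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Kind = 'BHO'; Item = $clsid; Detail = $dll }
        if ($Remove) { Remove-Item -Path $bhoKey -Recurse }
    }
    $hook = Get-ItemProperty -Path $hooks -Name $clsid -ErrorAction SilentlyContinue
    if ($hook) {
        $findings += [pscustomobject]@{ Kind = 'ShellExecuteHook'; Item = $clsid; Detail = '' }
        if ($Remove) { Remove-ItemProperty -Path $hooks -Name $clsid }
    }
}

# 3. Dropped files (size is reported so it can be compared with the sizes in the report)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $f; Detail = $size }
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once without -Remove and compare the IFEO findings with the list above before re-running with -Remove; any IFEO entry whose Debugger value is a real debugger path set by an administrator should be left alone rather than deleted.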
Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
%Temp% = C:\Documents and Settings\AAAAA\Local Settings\Temp   the current user's TEMP cache variable
%Windir%\   the directory where WINDOWS is installed
%DriveLetter%\   root directory of a logical drive
%ProgramFiles%\   default installation directory for programs
%HomeDrive% = C:\   the partition holding the currently booted system
%Documents and Settings%\   root directory of the current user's profile documents
Level A
Widespread infection in the wild, together with any one of the following: places severe load on the network, opens a backdoor, or counters AV technology.
Level B
Some spread in the wild, or distinctive technical traits that merit further attention, or a relatively mature variant of a previous Level A worm.
Level C
Limited spread in the wild, or some spread in the wild but a variant of a previous Level B worm.
Level D
Very limited spread in the wild, but some potential threat.
Level E
No infection found in the wild.