Report number: RS20100205103320859161
Summary of live-system run analysis
Hijacks the browser, pointing it to a fake Thunder (Xunlei) browser. Hijacks the homepage and replaces My Computer.
Rising can report it as an unknown Trojan; no effective automatic repair tool has been found so far.
File behavior
File name | Created by
C:\WINDOWS\SYSTEM32\MSTL.IME | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\DESKTOP.EXE | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\MSPOS.IME | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\ODEXL.EXE | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\PROGRAM FILES\THUNDER BROWSER\UPDATE\IEUPDATE.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\BAIDUSEARCHTOOL.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\INNO.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\THUNDER BROWSER.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\UNINS000.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-82IBG.TMP\_ISETUP\_SHFOLDR.DLL | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP | C:\DOCUMENTS AND SETTINGS\心潮澎湃\桌面\MUSETUP.EXE
C:\DOCUMENTS AND SETTINGS\心潮澎湃\桌面\MUSETUP.EXE | C:\WINDOWS\EXPLORER.EXE
Registry behavior
Key  Value name  Old data  New data  Created by
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ UNLOCK PSUNLOCK C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ LOCK PSLOCK C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ STARTSHELL PSCREATESHELL C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ SHUTDOWN PSSHUTDOWN C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ STARTUP PSSTARTUP C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ STOPSCREENSAVER PSSTOPSCREENSAVER C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ STARTSCREENSAVER PSSTARTSCREENSAVER C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ LOGOFF PSLOGOFF C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ LOGON PSLOGON C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ DLLNAME PSNOTIFY.DLL C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ SHELL EXPLORER.EXE EXPLORER.EXE C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ SHELL EXPLORER.EXE EXPLORER.EXE C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ SHELL EXPLORER.EXE EXPLORER.EXE C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ (DEFAULT) C:\WINDOWS\NOTEPAD.EXE %1 C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ (DEFAULT) "%1" %* C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ CTFMON.EXE C:\WINDOWS\SYSTEM32\CTFMON.EXE C:\WINDOWS\SYSTEM32\CTFMON.EXE C:\WINDOWS\SYSTEM32\CTFMON.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ KERNELFAULTCHECK %SYSTEMROOT%\SYSTEM32\DUMPREP 0 -K C:\WINDOWS\SYSTEM32\SAVEDUMP.EXE
User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQPinyin 686; QQPinyin 689; CIBA; TheWorld)