Rising Kaka Security Forum › Technical Exchange › Anti-virus / Anti-rogue-software board: [Help] A virus that changes executable file icons to the WinRAR icon


[Help] A virus that changes executable file icons to the WinRAR icon

For the past two days my computer has been infected. The virus changes the icons of previously downloaded .exe files (mostly software installer packages) to the four-colour WinRAR archive icon, and once such a program has been run it never runs again, even after reinstalling the system. It also removes the system's normal startup entries, leaving only the other, non-system entries under Startup in msconfig, and running IE has become extremely slow.
    What virus is this? How do I remove it completely? Will the cleaned installer packages still be usable?

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; QQDownload 598; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
With love

Reply: [Help] A virus that changes executable file icons to the WinRAR icon

Take a folder that contains a fair number of files in this state, pack the whole thing into an archive and send it over.
A hundred years from now, the name carved beside your gravestone will not be mine

Reply to 2F 天月来了's post

OK.
I have no idea what virus it is…

[Virus] Please help analyze this virus

The attached file was originally the genuine-validation tool downloaded from Microsoft; it got infected, and the virus has since spread.
Since WinRAR cannot be installed, I could only change the infected file's extension from exe to rar. Please change it back after downloading it for analysis.
How do I remove this kind of virus? Which tool should I use? Thanks!

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Attachment:

Downloads: 264
File type: application/octet-stream
File size:
Uploaded: 2010-5-4 12:41:28
Description: infected file

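The attachment above was renamed from .exe to .rar so it could be uploaded, and the VirSCAN report later in this thread identifies it by content as PE32 regardless of that name. Trusting the extension is exactly what goes wrong in a case like this, so here is an added example (not part of this thread, and not code from SRENG, VirSCAN or Rising) in Python that classifies a sample by its magic bytes, flags an extension/content mismatch, and computes the MD5 and SHA1 that online scanner reports list so a local file can be matched against such a report. The PE bytes it runs on are a constructed minimal header, not the thread's attachment.

```python
import hashlib
import os
import struct

# Magic numbers of the two container formats relevant to this thread.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Extensions under which a PE image is expected; anything else is reported as a mismatch.
PE_EXTENSIONS = {"exe", "dll", "scr", "sys", "ocx", "cpl", "drv"}


def is_pe(data):
    """True if data has an MZ DOS header whose e_lfanew field points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff_type(data):
    """Classify by content only; the file name is deliberately ignored here."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if is_pe(data):
        return "pe"
    return "unknown"


def describe(name, data):
    """Report what the bytes are, what the extension claims, and the hashes
    a scanner report lists, so a sample can be matched against one."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff_type(data)
    mismatch = (kind == "pe" and ext not in PE_EXTENSIONS) or (kind == "rar" and ext != "rar")
    return {
        "name": name,
        "size": len(data),
        "kind": kind,
        "extension": ext,
        "mismatch": mismatch,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def build_minimal_pe():
    """Constructed stand-in for a PE file: only the MZ header, e_lfanew and the
    PE signature are filled in; it is not an executable that can run."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed samples: a PE renamed to .rar (as with the attachment above) and a RAR header.
    samples = [
        ("genuinecheck.rar", build_minimal_pe()),
        ("backup.rar", RAR4_MAGIC + b"\0" * 16),
    ]
    for name, data in samples:
        r = describe(name, data)
        flag = "EXTENSION/CONTENT MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']}: {r['kind']} ({r['size']} bytes) md5={r['md5']} sha1={r['sha1']} -> {flag}")
```

To check a real sample, read it in binary mode and pass the bytes to `describe`; the MD5 and SHA1 it prints are the same digests a VirSCAN report shows, so they can be compared directly.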

Reply: [Virus] Please help analyze this virus

The symptoms are described at http://bbs.ikaka.com/showtopic-8712856.aspx.
Below is the SRENG scan log: [code]2010-05-04,12:39:14
System Repair Engineer 2.8.2.1321
Smallfrogs (http://www.KZTechs.com)
Windows Vista Ultimate Edition Service Pack 2 (Build 6002) - 管理权限用户 - 完整功能
以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描
    计划任务
    Windows 安全更新检查
    API HOOK
    隐藏进程

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Sidebar><C:\Program Files\Windows Sidebar\sidebar.exe /autoRun>  [(Verified)Microsoft Windows]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Windows Defender><%ProgramFiles%\Windows Defender\MSASCui.exe -hide>  [(Verified)Microsoft Windows]
    <IgfxTray><C:\Windows\system32\igfxtray.exe>  [(Verified)Intel Corporation]
    <HotKeysCmds><C:\Windows\system32\hkcmd.exe>  [(Verified)Intel Corporation]
    <Persistence><C:\Windows\system32\igfxpers.exe>  [(Verified)Intel Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><explorer.exe>  [(Verified)Microsoft Windows]
    <Userinit><C:\Windows\system32\userinit.exe,>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WebCheck><C:\Windows\system32\webcheck.dll>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    <WinlogonNotify: igfxcui><igfxdev.dll>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\Windows\system32\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><C:\Windows\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    <Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Windows Mail 7><"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer><C:\Windows\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\Windows\system32\logon.scr>  [(Verified)Microsoft Windows]
==================================
启动文件夹
N/A
==================================
服务
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd][Stopped/Manual Start]
  <"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><CACE Technologies, Inc.>
==================================
驱动程序
[adp94xx / adp94xx][Stopped/Disabled]
  <\SystemRoot\system32\drivers\adp94xx.sys><Adaptec, Inc.>
[adpahci / adpahci][Stopped/Disabled]
  <\SystemRoot\system32\drivers\adpahci.sys><Adaptec, Inc.>
[adpu160m / adpu160m][Stopped/Disabled]
  <\SystemRoot\system32\drivers\adpu160m.sys><Adaptec, Inc.>
[adpu320 / adpu320][Stopped/Disabled]
  <\SystemRoot\system32\drivers\adpu320.sys><Adaptec, Inc.>
[aic78xx / aic78xx][Stopped/Disabled]
  <\SystemRoot\system32\drivers\djsvs.sys><Adaptec, Inc.>
[aliide / aliide][Stopped/Disabled]
  <\SystemRoot\system32\drivers\aliide.sys><Acer Laboratories Inc.>
[arc / arc][Stopped/Disabled]
  <\SystemRoot\system32\drivers\arc.sys><Adaptec, Inc.>
[arcsas / arcsas][Stopped/Disabled]
  <\SystemRoot\system32\drivers\arcsas.sys><Adaptec, Inc.>
[Brother USB Mass-Storage Lower Filter Driver / BrFiltLo][Stopped/Manual Start]
  <\SystemRoot\system32\drivers\brfiltlo.sys><Brother Industries, Ltd.>
[Brother USB Mass-Storage Upper Filter Driver / BrFiltUp][Stopped/Manual Start]
  <\SystemRoot\system32\drivers\brfiltup.sys><Brother Industries, Ltd.>
[Brother MFC Serial Port Interface Driver (WDM) / Brserid][Stopped/Disabled]
  <\SystemRoot\system32\drivers\brserid.sys><Brother Industries Ltd.>
[Brother WDM Serial driver / BrSerWdm][Stopped/Disabled]
  <\SystemRoot\system32\drivers\brserwdm.sys><Brother Industries Ltd.>
[Brother MFC USB Fax Only Modem / BrUsbMdm][Stopped/Disabled]
  <\SystemRoot\system32\drivers\brusbmdm.sys><Brother Industries Ltd.>
[Brother MFC USB Serial WDM Driver / BrUsbSer][Stopped/Manual Start]
  <\SystemRoot\system32\drivers\brusbser.sys><Brother Industries Ltd.>
[cmdide / cmdide][Stopped/Disabled]
  <\SystemRoot\system32\drivers\cmdide.sys><CMD Technology, Inc.>
[Intel(R) PRO/1000 NDIS 6 Adapter Driver / E1G60][Stopped/Manual Start]
  <system32\DRIVERS\E1G60I32.sys><Intel Corporation>
[elxstor / elxstor][Stopped/Disabled]
  <\SystemRoot\system32\drivers\elxstor.sys><Emulex>
[HpCISSs / HpCISSs][Stopped/Disabled]
  <\SystemRoot\system32\drivers\hpcisss.sys><Hewlett-Packard Company>
[Intel RAID Controller Vista / iaStorV][Stopped/Disabled]
  <\SystemRoot\system32\drivers\iastorv.sys><Intel Corporation>
[igfx / igfx][Running/Manual Start]
  <system32\DRIVERS\igdkmd32.sys><Intel Corporation>
[iirsp / iirsp][Stopped/Disabled]
  <\SystemRoot\system32\drivers\iirsp.sys><Intel Corp./ICP vortex GmbH>
[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]
  <system32\DRIVERS\ipinip.sys><N/A>
[ITEATAPI_Service_Install / iteatapi][Stopped/Disabled]
  <\SystemRoot\system32\drivers\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Stopped/Disabled]
  <\SystemRoot\system32\drivers\iteraid.sys><Integrated Technology Express, Inc.>
[LSI_FC / LSI_FC][Stopped/Disabled]
  <\SystemRoot\system32\drivers\lsi_fc.sys><LSI Logic>
[LSI_SAS / LSI_SAS][Stopped/Disabled]
  <\SystemRoot\system32\drivers\lsi_sas.sys><LSI Logic>
[LSI_SCSI / LSI_SCSI][Stopped/Disabled]
  <\SystemRoot\system32\drivers\lsi_scsi.sys><LSI Logic>
[megasas / megasas][Stopped/Disabled]
  <\SystemRoot\system32\drivers\megasas.sys><LSI Corporation>
[MegaSR / MegaSR][Stopped/Disabled]
  <\SystemRoot\system32\drivers\megasr.sys><LSI Corporation, Inc.>
[Mraid35x / Mraid35x][Stopped/Disabled]
  <\SystemRoot\system32\drivers\mraid35x.sys><LSI Logic Corporation>
[nfrd960 / nfrd960][Stopped/Disabled]
  <\SystemRoot\system32\drivers\nfrd960.sys><IBM Corporation>
[NetGroup Packet Filter Driver / NPF][Running/Auto Start]
  <system32\drivers\npf.sys><CACE Technologies, Inc.>
[N-trig HID Tablet Driver / ntrigdigi][Stopped/Disabled]
  <\SystemRoot\system32\drivers\ntrigdigi.sys><N-trig Innovative Technologies>
[NVIDIA nForce RAID Driver    / nvraid][Stopped/Disabled]
  <\SystemRoot\system32\drivers\nvraid.sys><NVIDIA Corporation>
[nvstor / nvstor][Stopped/Disabled]
  <\SystemRoot\system32\drivers\nvstor.sys><NVIDIA Corporation>
[IPX Traffic Filter Driver / NwlnkFlt][Stopped/Manual Start]
  <system32\DRIVERS\nwlnkflt.sys><N/A>
[IPX Traffic Forwarder Driver / NwlnkFwd][Stopped/Manual Start]
  <system32\DRIVERS\nwlnkfwd.sys><N/A>
[QLogic Fibre Channel Miniport Driver / ql2300][Stopped/Disabled]
  <\SystemRoot\system32\drivers\ql2300.sys><QLogic Corporation>
[QLogic iSCSI Miniport Driver / ql40xx][Stopped/Disabled]
  <\SystemRoot\system32\drivers\ql40xx.sys><QLogic Corporation>
[SiSRaid4 / SiSRaid4][Stopped/Disabled]
  <\SystemRoot\system32\drivers\sisraid4.sys><Silicon Integrated Systems>
[Symc8xx / Symc8xx][Stopped/Disabled]
  <\SystemRoot\system32\drivers\symc8xx.sys><LSI Logic>
[Sym_hi / Sym_hi][Stopped/Disabled]
  <\SystemRoot\system32\drivers\sym_hi.sys><LSI Logic>
[Sym_u3 / Sym_u3][Stopped/Disabled]
  <\SystemRoot\system32\drivers\sym_u3.sys><LSI Logic>
[uliahci / uliahci][Stopped/Disabled]
  <\SystemRoot\system32\drivers\uliahci.sys><ULi Electronics Inc.>
[UlSata / UlSata][Stopped/Disabled]
  <\SystemRoot\system32\drivers\ulsata.sys><Promise Technology, Inc.>
[ulsata2 / ulsata2][Stopped/Disabled]
  <\SystemRoot\system32\drivers\ulsata2.sys><Promise Technology, Inc.>
[viaide / viaide][Stopped/Disabled]
  <\SystemRoot\system32\drivers\viaide.sys><VIA Technologies, Inc.>
[vsmraid / vsmraid][Stopped/Disabled]
  <\SystemRoot\system32\drivers\vsmraid.sys><VIA Technologies Inc.,Ltd>
[NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwlh][Running/Manual Start]
  <system32\DRIVERS\yk60x86.sys><Marvell>
==================================
浏览器加载项
[PasswdEditX Control]
  {305C213C-780C-432D-8417-23E53F2EE830} <C:\Windows\System32\PasswdEditXControl1.ocx, >
[]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <, >
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
==================================

Reply: [Virus] Please help analyze this virus

正在运行的进程
[PID: 428 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 560 / SYSTEM][C:\Windows\system32\csrss.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 604 / SYSTEM][C:\Windows\system32\wininit.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 616 / SYSTEM][C:\Windows\system32\csrss.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 648 / SYSTEM][C:\Windows\system32\services.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 660 / SYSTEM][C:\Windows\system32\lsass.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 668 / SYSTEM][C:\Windows\system32\lsm.exe]  [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 764 / SYSTEM][C:\Windows\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 856 / SYSTEM][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 916 / NETWORK SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 952 / SYSTEM][C:\Windows\System32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1044 / LOCAL SERVICE][C:\Windows\System32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1068 / SYSTEM][C:\Windows\System32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1080 / SYSTEM][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1292 / NETWORK SERVICE][C:\Windows\system32\SLsvc.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1356 / LOCAL SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1492 / NETWORK SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1636 / SYSTEM][C:\Windows\System32\spoolsv.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1660 / LOCAL SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1920 / NETWORK SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 2004 / LOCAL SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 208 / SYSTEM][C:\Windows\System32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 344 / SYSTEM][C:\Windows\system32\SearchIndexer.exe]  [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 840 / SYSTEM][C:\Windows\system32\taskeng.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 2064 / YPing][C:\Windows\system32\taskeng.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\igfxTMM.dll]  [Intel Corporation, 7.14.10.1666]
[PID: 2108 / YPing][C:\Windows\system32\Dwm.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\igdumdx32.dll]  [Intel Corporation, 7.15.10.1666]
    [C:\Windows\system32\igdumd32.dll]  [Intel Corporation, 7.15.10.1666]
[PID: 2184 / YPing][C:\Windows\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\igfxpph.dll]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\hccutils.DLL]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxsrvc.dll]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxrCHS.lrc]  [Intel Corporation, 7.14.10.1666]
[PID: 2352 / YPing][C:\Program Files\Windows Defender\MSASCui.exe]  [Microsoft Corporation, 1.1.1600.0]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2364 / YPing][C:\Windows\System32\igfxtray.exe]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\System32\hccutils.DLL]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxsrvc.dll]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxrCHS.lrc]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\System32\igfxress.dll]  [Intel Corporation, 7.14.10.1666]
[PID: 2376 / YPing][C:\Windows\System32\hkcmd.exe]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\System32\hccutils.DLL]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxsrvc.dll]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxrCHS.lrc]  [Intel Corporation, 7.14.10.1666]
[PID: 2404 / YPing][C:\Windows\System32\igfxpers.exe]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxsrvc.dll]  [Intel Corporation, 7.14.10.1666]
[PID: 2420 / YPing][C:\Program Files\Windows Sidebar\sidebar.exe]  [Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
    [C:\Windows\system32\icm32.dll]  [Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\igdumdx32.dll]  [Intel Corporation, 7.15.10.1666]
    [C:\Windows\system32\igdumd32.dll]  [Intel Corporation, 7.15.10.1666]
[PID: 2520 / YPing][C:\Windows\system32\igfxsrvc.exe]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxsrvc.dll]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\system32\igfxdev.dll]  [Intel Corporation, 7.14.10.1666]
[PID: 3884 / SYSTEM][C:\Windows\system32\wbem\wmiprvse.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1796 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3176 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2836 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2788 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3712 / YPing][C:\Program Files\深圳大学网络认证客户端\ishare_user.exe]  [城市热点有限公司, 3, 73, 4, 3700]
    [C:\Windows\system32\packet.dll]  [CACE Technologies, Inc., 4.1.0.1753]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2800 / NETWORK SERVICE][C:\Windows\system32\wbem\wmiprvse.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 3728 / YPing][C:\Windows\system32\conime.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 3188 / YPing][C:\Program Files\Internet Explorer\ieuser.exe]  [Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 3036 / YPing][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 7.00.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
    [C:\Windows\system32\igdumdx32.dll]  [Intel Corporation, 7.15.10.1666]
    [C:\Windows\system32\igdumd32.dll]  [Intel Corporation, 7.15.10.1666]
[PID: 828 / SYSTEM][C:\Windows\system32\SearchProtocolHost.exe]  [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1228 / SYSTEM][C:\Windows\system32\SearchFilterHost.exe]  [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 2252 / SYSTEM][C:\Windows\servicing\TrustedInstaller.exe]  [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 1404 / YPing][C:\Users\YPing\AppData\Local\Temp\Temp1_sreng2.zip\SREngLdr.EXE]  [Smallfrogs Studio, 2.8.2.1321]
[PID: 436 / YPing][C:\Users\YPing\AppData\Local\Temp\Temp1_sreng2.zip\SRE7ab5c406.EXE]  [Smallfrogs Studio, 2.8.2.1321]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["%SystemRoot%\hh.exe" %1]
.HLP  OK. [%SystemRoot%\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. ["%SystemRoot%\System32\WScript.exe" "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
Dr.COM Client over [MSAFD Tcpip [TCP/IP]]
    C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [MSAFD Tcpip [UDP/IP]]
    C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [RSVP TCP 服务提供商]
    C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [RSVP UDP 服务提供商]
    C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client
    C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1      localhost
::1            localhost
==================================
进程特权扫描
N/A
==================================
计划任务
[已禁用] \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
        N/A
[已启用] \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
        N/A
[已启用] \Microsoft\Windows\Bluetooth\UninstallDeviceTask
        BthUdTask.exe $(Arg0)
[已启用] \Microsoft\Windows\CertificateServicesClient\SystemTask
        N/A
[已启用] \Microsoft\Windows\CertificateServicesClient\UserTask
        N/A
[已启用] \Microsoft\Windows\CertificateServicesClient\UserTask-Roam
        N/A
[已启用] \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
        %SystemRoot%\System32\wsqmcons.exe
[已启用] \Microsoft\Windows\Customer Experience Improvement Program\OptinNotification
        %SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0
[已启用] \Microsoft\Windows\Defrag\ScheduledDefrag
        %windir%\system32\defrag.exe -c -i
[已启用] \Microsoft\Windows\Media Center\ehDRMInit
        %SystemRoot%\ehome\ehPrivJob.exe /DRMInit
[已启用] \Microsoft\Windows\Media Center\mcupdate
        %SystemRoot%\ehome\mcupdate $(Arg0) -gc
[已启用] \Microsoft\Windows\Media Center\OCURActivate
        %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate
[已启用] \Microsoft\Windows\Media Center\OCURDiscovery
        %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery
[已启用] \Microsoft\Windows\Media Center\UpdateRecordPath
        %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)
[已启用] \Microsoft\Windows\MobilePC\HotStart
        N/A
[已启用] \Microsoft\Windows\MobilePC\TMM
        N/A
[已启用] \Microsoft\Windows\MUI\LPRemove
        %windir%\system32\lpremove.exe
[已启用] \Microsoft\Windows\Multimedia\SystemSoundsService
        N/A
[已启用] \Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
        N/A
[已启用] \Microsoft\Windows\Shell\CrawlStartPages
        N/A
[已禁用] \Microsoft\Windows\SideShow\AutoWake
        N/A
[已启用] \Microsoft\Windows\SideShow\GadgetManager
        N/A
[已禁用] \Microsoft\Windows\SideShow\SessionAgent
        N/A
[已禁用] \Microsoft\Windows\SideShow\SystemDataProviders
        N/A
[已启用] \Microsoft\Windows\SystemRestore\SR
        %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
[已启用] \Microsoft\Windows\Tcpip\IpAddressConflict1
        rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem
[已启用] \Microsoft\Windows\Tcpip\IpAddressConflict2
        rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem
[已启用] \Microsoft\Windows\UPnP\UPnPHostConfig
        sc.exe config upnphost start= auto
[已启用] \Microsoft\Windows\Windows Error Reporting\QueueReporting
        %windir%\system32\wermgr.exe -queuereporting
[已启用] \Microsoft\Windows\Wired\GatherWiredInfo
        %windir%\system32\gatherWiredInfo.vbs
[已启用] \Microsoft\Windows\Wireless\GatherWirelessInfo
        %windir%\system32\gatherWirelessInfo.vbs
==================================
Windows 安全更新检查
KB932926,  BitLocker 和 EFS 增强
KB933713,  Windows DreamScene
KB949479,  Windows 声音方案
KB954320,  Microsoft Tinker 提供的 Ultimate Extras Sounds
KB954955,  Microsoft Tinker
KB928439,  用于 Windows Vista 的 Windows PowerShell 1.0 (KB928439)
KB961501,  Windows Vista 安全更新程序 (KB961501) MS09-022
KB970238,  Windows Vista 安全更新程序 (KB970238) MS09-026
KB943729,  用于 Windows Vista 的组策略首选项客户端扩展 (KB943729)
KB951847,  Microsoft .NET Framework 3.5 Service Pack 1 和 .NET Framework 3.5 Family Update (KB951847) x86
KB971183,  阿拉伯语语言包
KB971183,  保加利亚语语言包
KB971183,  克罗地亚语语言包
KB971183,  捷克语语言包
KB971183,  丹麦语语言包
KB971183,  英语语言包
KB971183,  爱沙尼亚语语言包
KB971183,  芬兰语语言包
KB971183,  法语语言包
KB971183,  德语语言包
KB971183,  希腊语语言包
KB971183,  希伯来语语言包
KB971183,  匈牙利语语言包
KB971183,  意大利语语言包
KB971183,  西班牙语语言包
KB971183,  繁体中文语言包
KB971183,  荷兰语语言包
KB971183,  日语语言包
KB971183,  朝鲜语语言包
KB971183,  拉脱维亚语语言包
KB971183,  立陶宛语语言包
KB971183,  挪威语语言包
KB971183,  波兰语语言包
KB971183,  葡萄牙语(巴西)语言包
KB971183,  葡萄牙语(葡萄牙)语言包
KB971183,  罗马尼亚语语言包
KB971183,  俄语语言包
KB971183,  塞尔维亚语(拉丁语)语言包
KB971183,  斯洛伐克语语言包
KB971183,  斯洛文尼亚语语言包
KB971183,  瑞典语语言包
KB971183,  泰语语言包
KB971183,  土耳其语语言包
KB971183,  乌克兰语语言包
KB968389,  Windows Vista 更新程序 (KB968389)
KB973540,  Windows Vista 安全更新程序 (KB973540) MS09-037
KB956744,  Windows Vista 安全更新程序 (KB956744) MS09-044
KB973507,  Windows Vista 安全更新程序 (KB973507) MS09-037
KB971657,  Windows Vista 安全更新程序 (KB971657) MS09-041
KB973768,  Windows Vista 安全更新程序 (KB973768) MS09-037
KB967723,  Windows Vista 安全更新程序 (KB967723) MS09-048
KB970710,  Windows Vista 安全更新程序 (KB970710) MS09-049
KB971961,  用于 Windows Vista 的 Jscript 5.7 的安全更新程序 (KB971961) MS09-045
KB968816,  用于 Windows Vista 的 Windows Media Format Runtime 11 的安全更新程序 (KB968816) MS09-047
KB974470,  用于 Windows Vista Service Pack 2 和 Windows Server 2008 Service Pack 2 的 Microsoft .NET Framework 2.0 Service Pack 2 安全更新程序 (KB974470) MS09-061
KB975467,  Windows Vista 安全更新程序 (KB975467) MS09-059
KB954155,  用于 Windows Vista 的 Windows Media Format Runtime 11 的安全更新程序 (KB954155) MS09-051
KB974571,  Windows Vista 安全更新程序 (KB974571) MS09-056
KB974306,  Media Center for Windows Vista 累积更新程序 (KB974306)
KB975517,  Windows Vista 安全更新程序 (KB975517) MS09-050
KB972145,  Windows Vista 更新程序 (KB972145)
KB971644,  Windows Vista 平台更新程序 (KB971644)
KB969947,  Windows Vista 安全更新程序 (KB969947) MS09-065
KB973565,  Windows Vista 安全更新程序 (KB973565) MS09-063
KB973687,  Windows Vista 更新程序 (KB973687)
KB976470,  Windows Vista 更新程序 (KB976470)
KB974318,  Windows Vista 安全更新程序 (KB974318) MS09-071
KB972270,  Windows Vista 安全更新程序 (KB972270) MS10-001
KB975560,  Windows Vista 安全更新程序 (KB975560) MS10-013
KB978262,  用于 Windows Vista 的 ActiveX Killbit 累积安全更新程序 (KB978262) MS10-008
KB971468,  Windows Vista 安全更新程序 (KB971468) MS10-012
KB975929,  Windows Vista 更新程序 (KB975929)
KB976264,  Windows Vista 更新程序 (KB976264)
KB979306,  Windows Vista 更新程序 (KB979306)
KB979099,  Update for Rights Management Services Client for Windows Vista (KB979099)
KB975561,  用于 Windows Vista 的 Movie Maker 6.0 的安全更新程序 (KB975561) MS10-016
KB944036,  用于 Windows Vista 的 Internet Explorer 8
KB980182,  用于 Windows Vista 的 Internet Explorer 7 累积安全更新程序 (KB980182) MS10-018
KB973917,  Windows Vista 更新程序 (KB973917)
KB980232,  Windows Vista 安全更新程序 (KB980232) MS10-020
KB977816,  Windows Vista 安全更新程序 (KB977816) MS10-026
KB979309,  Windows Vista 安全更新程序 (KB979309) MS10-019
KB978338,  Windows Vista 安全更新程序 (KB978338) MS10-029
KB905866,  Windows Mail 垃圾邮件筛选器更新程序 [2010 年 4 月] (KB905866)
KB979683,  Windows Vista 安全更新程序 (KB979683) MS10-021
KB890830,  Windows 恶意软件删除工具 - 2010 年 4 月 (KB890830)
KB981349,  Windows Vista 安全更新程序 (KB981349) MS10-022
KB978601,  Windows Vista 安全更新程序 (KB978601) MS10-019
KB980248,  Windows Vista 更新程序 (KB980248)
KB915597,  Definition Update for Windows Defender - KB915597 (Definition 1.81.874.0)
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================[/code]
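The process list in the SRENG log above is long enough that reading it by eye is error-prone. As an added example, not part of this thread and not SRENG's own code, the Python below parses lines in that layout and pulls out the two things an analyst checks first: main images SRENG did not tag (Verified) (in the posted log the four wrar392sc.exe instances show N/A, but so do signed Intel and Microsoft components, so this is a review list rather than a verdict), and DLLs loaded into many processes at once (TcpIPDogL.dll here; the Winsock section of the same log identifies it as the Dr.COM client, so it warrants a look, not a conclusion). The sample lines are a constructed excerpt copied in the format of the posted log, not the full capture, and the regular expressions assume the bracket layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the layout of the SRENG
# "正在运行的进程" (running processes) section posted above; not the full log.
SAMPLE_LOG = r"""
[PID: 428 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 916 / NETWORK SERVICE][C:\Windows\system32\svchost.exe]  [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2364 / YPing][C:\Windows\System32\igfxtray.exe]  [Intel Corporation, 7.14.10.1666]
    [C:\Windows\System32\hccutils.DLL]  [Intel Corporation, 7.14.10.1666]
[PID: 1796 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3176 / YPing][D:\软件备份\wrar392sc.exe]  [N/A, ]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3036 / YPing][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 7.00.6000.16386 (vista_rtm.061101-2205)]
    [C:\Windows\system32\TcpIPDogL.dll]  [城市热点资讯有限公司, 1, 0, 0, 164]
"""

# A process line: [PID: n / user][image path]  [publisher/version info]
PROC_RE = re.compile(r"^\[PID: (\d+) / ([^\]]+)\]\[([^\]]+)\]\s+\[(.*)\]$")
# An indented module line under a process: [dll path]  [publisher/version info]
MOD_RE = re.compile(r"^\s+\[([^\]]+)\]\s+\[(.*)\]$")


def parse_processes(text):
    """Parse the process section into dicts with pid, user, image, info and modules."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PROC_RE.match(line)
        if m:
            pid, user, image, info = m.groups()
            procs.append({"pid": int(pid), "user": user, "image": image,
                          "info": info, "modules": []})
            continue
        m = MOD_RE.match(line)
        if m and procs:
            # Module lines belong to the most recent process line.
            procs[-1]["modules"].append((m.group(1), m.group(2)))
    return procs


def unverified_images(procs):
    """Main images SRENG did not tag '(Verified)', keyed by path with their PIDs.
    A review list, not a verdict: unsigned but legitimate vendor tools land here too."""
    result = {}
    for p in procs:
        if "(Verified)" not in p["info"]:
            result.setdefault(p["image"], []).append(p["pid"])
    return result


def widely_loaded_modules(procs, min_procs=3):
    """Modules present in at least min_procs distinct processes; paths are
    compared case-insensitively and the PIDs per module are returned sorted."""
    hosts = defaultdict(set)
    for p in procs:
        for path, _info in p["modules"]:
            hosts[path.lower()].add(p["pid"])
    return {path: sorted(pids) for path, pids in hosts.items() if len(pids) >= min_procs}


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_LOG)
    print("Images without a (Verified) tag:")
    for image, pids in unverified_images(procs).items():
        print(f"  {image}  PIDs={pids}")
    print("Modules loaded into 3 or more processes:")
    for path, pids in widely_loaded_modules(procs).items():
        print(f"  {path}  PIDs={pids}")
```

To run it over a full log, paste the process section into `SAMPLE_LOG` or read it from a file; the same image appearing under several PIDs is collapsed into one entry so repeated instances, like the four wrar392sc.exe processes in the posted log, stand out as a single line with a list of PIDs.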

Reply: [Virus] Please help analyze this virus

VirSCAN.org Scanned Report :
Scanned time  : 2010/05/04 13:09:57 (CST)
Scanner results: 全部的杀毒软件报告没有发现病毒!
File Name      : genuinecheck.rar
File Size      : 27648 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 1cbafb0c00fdca7291bdecc9421b4346
SHA1          : 7245b265db23ce5b17040c91813c905f7105816f
Online report  : http://virscan.org/report/50fd2f688376043a8e72eb666b428106.html

Scanner        Engine Ver      Sig Ver          Sig Date    Time  Scan result
a-squared      4.5.0.8        20100504020432    2010-05-04  6.12  -
安博士V3      2010.05.04.01  2010.05.04        2010-05-04  1.27  -
AntiVir        8.2.1.224      7.10.7.22        2010-05-03  0.27  -
安天          2.0.18          20100429.4301541  2010-04-29  0.02  -
Arcavir        2009            201005020249      2010-05-02  0.07  -
Authentium    5.1.1          201005032220      2010-05-03  1.32  -
AVAST!        4.7.4          100503-1          2010-05-03  0.01  -
AVG            8.5.793        271.1.1/2852      2010-05-04  0.25  -
BitDefender    7.81008.5733016 7.31496          2010-05-04  3.70  -
ClamAV        0.95.3          10904            2010-05-04  0.01  -
Comodo        3.13.579        4756              2010-05-04  0.93  -
CP Secure      1.3.0.5        2010.05.04        2010-05-04  0.04  -
Dr.Web        5.0.2.3300      2010.05.04        2010-05-04  6.92  -
F-Prot        4.4.4.56        20100503          2010-05-03  1.32  -
F-Secure      7.02.73807      2010.05.04.01    2010-05-04  11.22  -
飞塔          4.0.14          11.770            2010-05-03  0.21  -
GData          21.89/21.28    20100504          2010-05-04  7.09  -
ViRobot        20100503        2010.05.03        2010-05-03  0.41  -
Ikarus        T3.1.01.80      2010.05.04.75774  2010-05-04  5.96  -
江民杀毒      13.0.900        2010.05.03        2010-05-03  1.19  -
卡巴斯基      5.5.10          2010.05.03        2010-05-03  0.15  -
金山毒霸      2009.2.5.15    2010.5.4.9        2010-05-04  0.66  -
迈克菲        5400.1158      5971              2010-05-03  0.02  -
Microsoft      1.5703          2010.05.03        2010-05-03  6.75  -
Norman        6.04.12        6.04.00          2010-05-03  4.01  -
熊猫卫士      9.05.01        2010.05.03        2010-05-03  1.98  -
趋势科技      9.120-1004      7.146.03          2010-05-03  0.04  -
Quick Heal    10.00          2010.05.03        2010-05-03  1.59  -
瑞星          20.0            22.45.04.03      2010-04-30  1.23  -
Sophos        3.06.0          4.52              2010-05-04  3.66  -
Sunbelt        3.9.2421.2      6258              2010-05-03  8.44  -
赛门铁克      1.3.0.24        20100503.002      2010-05-03  0.05  -
nProtect      20100503.01    8056188          2010-05-03  10.67  -
The Hacker    6.5.2.0        v00275            2010-05-03  1.07  -
VBA32          3.12.12.4      20100502.0849    2010-05-02  2.58  -
VirusBuster    4.5.11.10      10.126.13/2003635 2010-05-04  2.40  -


Wait for Rising to update its virus database.

Reply: [Virus] Please help analyze this virus

File submitted successfully!
Query number: RS20100504130914828335
Query URL: http://mailcenter.rising.com.cn/FileCheck/Default.aspx

Reply: [Virus] Please help analyze this virus

File submitted successfully!
Query number: RS20100504130945140091
Please keep this number to look up the analysis result. Thank you for participating!

Reply to 1F 胡人2's post
