Request for manual review of a virus (fake Thunder browser)

Report number: RS20100205103320859161

Summary of live-machine run analysis

Hijacks the browser to point to a fake Thunder browser. Hijacks the home page and replaces My Computer.

Rising can flag it as an unknown trojan; no effective automatic repair tool has been found so far.

File behavior

File | Creator
C:\WINDOWS\SYSTEM32\MSTL.IME | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\DESKTOP.EXE | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\MSPOS.IME | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\WINDOWS\SYSTEM32\ODEXL.EXE | C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE
C:\PROGRAM FILES\THUNDER BROWSER\UPDATE\IEUPDATE.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\COMMON.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\BAIDUSEARCHTOOL.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\INNO.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\THUNDER BROWSER.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\PROGRAM FILES\THUNDER BROWSER\UNINS000.EXE | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-82IBG.TMP\_ISETUP\_SHFOLDR.DLL | C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP
C:\DOCUMENTS AND SETTINGS\心潮澎湃\LOCAL SETTINGS\TEMP\IS-1HAGA.TMP\MUSETUP.TMP | C:\DOCUMENTS AND SETTINGS\心潮澎湃\桌面\MUSETUP.EXE
C:\DOCUMENTS AND SETTINGS\心潮澎湃\桌面\MUSETUP.EXE | C:\WINDOWS\EXPLORER.EXE


Registry behavior

Key | Name | Old data | New data | Creator
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | UNLOCK |  | PSUNLOCK | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | LOCK |  | PSLOCK | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | STARTSHELL |  | PSCREATESHELL | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | SHUTDOWN |  | PSSHUTDOWN | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | STARTUP |  | PSSTARTUP | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | STOPSCREENSAVER |  | PSSTOPSCREENSAVER | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | STARTSCREENSAVER |  | PSSTARTSCREENSAVER | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | LOGOFF |  | PSLOGOFF | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | LOGON |  | PSLOGON | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PSNOTIFY\ | DLLNAME |  | PSNOTIFY.DLL | C:\WINDOWS\SYSTEM32\SHADOW\POWERREMIND.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ | SHELL | EXPLORER.EXE | EXPLORER.EXE | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ | SHELL | EXPLORER.EXE | EXPLORER.EXE | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\ | SHELL | EXPLORER.EXE | EXPLORER.EXE | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\TXTFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | C:\WINDOWS\NOTEPAD.EXE %1 | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCR\EXEFILE\SHELL\OPEN\COMMAND\ | (DEFAULT) |  | "%1" %* | C:\PROGRAM FILES\TENCENT\TM2009\BIN\TM.EXE
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ | CTFMON.EXE | C:\WINDOWS\SYSTEM32\CTFMON.EXE | C:\WINDOWS\SYSTEM32\CTFMON.EXE | C:\WINDOWS\SYSTEM32\CTFMON.EXE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ | KERNELFAULTCHECK |  | %SYSTEMROOT%\SYSTEM32\DUMPREP 0 -K | C:\WINDOWS\SYSTEM32\SAVEDUMP.EXE

User system information: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQPinyin 686; QQPinyin 689; CIBA; TheWorld)
Getting infected is not your fault.
Failing to fix it is on you.
When reporting a problem, please attach screenshots and an SREng log.