查看完整版本: 遭遇DOWNLOADER!

小行 2008-7-5 17:14

遭遇DOWNLOADER!

本文原创作者为:lg560852
来自:动物家园计算机咨询中心


       1、   今早一时心血来潮,去老早前的一个论坛看看不想鼠标一下子忙,偶就感觉不妙!开进程管理器,果然,2个未知进程出现!杀之,为时已晚。毒中上了。EXPLORER自动关闭,结束浏览器,结果什么也打不开了,只能用快捷键调出进程管理器,而且用进程管理器运行啥都不行(同时管理器也被关闭),用进程管理器查看关键文件夹内容,将几个新建的文件c:\windows\cguu4.exe等等的移动到其他文件夹内,尽量减少损失。


      2、    无奈进入安全模式,还好,没破坏。但是结果一样,光秃秃的一个桌面,进程管理器能调出,但是连CMD啥的也打不开,执行命令也无效。突然发现个问题:EXPLORER被替换了,而且有个pinyinup.exe进程占CPU100%,结束。又在SYSTEM32文件夹下看了看,发现还有个EXPLORER.EXE,属性里带签名的,看来这个是正品了!移动其到windows文件夹下,用任务管理器打开仍然失败。倒是那个pinyinup.exe又出现了(后来考虑,这个不是搜狗的问题就是被病毒利用了)!


         3、这个倒是奇怪的很,不过一个念头涌现出来:我将explorer更名为pinyinup.exe放到搜狗的那个文件夹下,将pinyinup.exe更名,稍微一等,呵呵,资源管理器就出来了!但是还是不能打开任何东西(一开就结束),只能浏览文件。所以我就把wsyscheck更名放进来,过了一会也成功自动执行了。wsyscheck的功能在安全模式下受限,而且为了留下纪念,偶就把sreng更名移动了过来,执行后,扫描一份日志【见2楼】,这下偶就可以安心的清理病毒了。


删除了这三个
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{7C8D1401-A58D-A81C-CD24-A5915C4517C7}><C:\WINDOWS\system32\mnmhgsrv.dll>  []
    <{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><C:\WINDOWS\system32\hhrdxd.dll>  []
    <{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}><C:\WINDOWS\system32\tdggrz.dll>  []
删除了浏览器加载项
[]
  {7C8D1401-A58D-A81C-CD24-A5915C4517C7} <C:\WINDOWS\system32\mnmhgsrv.dll, N/A>
搞定重启,许久不见的EXPLORER终于回来了o(∩_∩)o...
进入系统后,按修改时间看了看几个关键文件夹下的文件,囧了,C盘下有个tmp.dat
内容是:
[oo]
c0=http://121.14.154.193/1.exe
c1=http://121.14.154.193/2.exe
c2=http://121.14.154.193/3.exe
c3=http://121.14.154.193/4.exe
c4=http://121.14.154.193/5.exe
c5=http://121.14.154.193/6.exe
c6=http://121.14.154.193/7.exe
c7=http://121.14.154.193/8.exe
c8=http://121.14.154.193/9.exe
c9=http://121.14.154.193/10.exe
c10=http://121.14.154.193/11.exe
c11=http://121.14.154.193/12.exe
c12=http://121.14.154.193/13.exe
c13=http://121.14.154.193/14.exe
c14=http://121.14.154.193/15.exe
c15=http://121.14.154.193/16.exe
c16=http://121.14.154.193/17.exe
c17=http://121.14.154.193/18.exe
c18=http://121.14.154.193/19.exe
c19=http://121.14.154.193/20.exe
c20=http://121.14.154.194/21.exe
c21=http://121.14.154.194/22.exe
c22=http://121.14.154.194/23.exe
c23=http://121.14.154.194/24.exe
c24=http://121.14.154.194/25.exe
c25=http://121.14.154.194/26.exe
c26=http://121.14.154.194/27.exe
c27=http://121.14.154.194/28.exe
c28=http://121.14.154.194/29.exe
c29=http://121.14.154.194/30.exe
c30=http://121.14.154.194/31.exe
c31=http://121.14.154.194/32.exe
c32=http://121.14.154.194/33.exe
c33=http://121.14.154.194/34.exe
c34=http://121.14.154.194/35.exe
c35=http://121.14.154.194/36.exe
c36=http://121.14.154.194/37.exe
c37=http://121.14.154.194/38.exe
c38=http://121.14.154.194/39.exe
c39=http://121.14.154.194/40.exe
c40=http://121.14.154.194/41.exe

         4、看了看偶的临时文件夹,只DOWN了5个,还算好。再用WINDOWS清理助手扫描下,清理了些病毒残留项,至此,整个过程告一段落。呃,这次问题的出现是由于偶没装杀软(组策略也坏了)而且上了很可能有问题的网站(那个BBS以前被挂过马,而且现在鲜有人去),处理过程很简单,就是有点曲折。语文不好,希望大家不要嫌文章无味,仅作参考。



病毒样本偶都留下了,没处理掉,发到样本区去,看看有无达人玩玩。
最后囧一个,为何偶碰上的病毒都是DOWNLOADER?

小行 2008-7-5 17:17

附:中毒后安全模式下的日志(这可是偶拼命留下的啊!)
复制内容到剪贴板代码:
2008-07-05,11:12:37
System Repair Engineer 2.6.11.992
Smallfrogs ([url]http://www.KZTechs.com[/url])
Windows Server 2003 Enterprise Edition Service Pack 2 (Build 3790) - 管理权限用户 - 完整功能
以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><%SystemRoot%\system32\logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{7C8D1401-A58D-A81C-CD24-A5915C4517C7}><C:\WINDOWS\system32\mnmhgsrv.dll>  []
    <{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><C:\WINDOWS\system32\hhrdxd.dll>  []
    <{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}><C:\WINDOWS\system32\tdggrz.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\INF\unregmp2.exe /HideWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
    <%IEHARDENADMIN_BASE_DESC%><%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
    <%IEHARDENUSER_DESC%><%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><; C:\WINDOWS\system32\CTFMON.EXE>  [(Verified)Microsoft Windows Component Publisher]
    <TM2008><; "d:\Program Files\Tencent\TM2008\Bin\TM.exe" /background>  [(Verified)Tencent Technology(Shenzhen) Company Limited]
==================================
启动文件夹
[Microsoft Office]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~1\Office\OSA9.EXE [Microsoft Corporation]><N>
==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
==================================
驱动程序
[Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]
  <system32\DRIVERS\e100b325.sys><Intel Corporation>
[Fujitsu FUJ02B1 Device Driver / FUJ02B1][Running/Manual Start]
  <system32\DRIVERS\FUJ02B1.sys><FUJITSU LIMITED>
[i81x / i81x][Stopped/Manual Start]
  <system32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0][Stopped/Manual Start]
  <system32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
[iAimFP1 / iAimFP1][Stopped/Manual Start]
  <system32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
[iAimFP2 / iAimFP2][Stopped/Manual Start]
  <system32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
[iAimFP3 / iAimFP3][Stopped/Manual Start]
  <system32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
[iAimFP4 / iAimFP4][Stopped/Manual Start]
  <system32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
[iAimFP5 / iAimFP5][Stopped/Manual Start]
  <system32\DRIVERS\wADV07nt.sys><Intel(R) Corporation>
[iAimFP6 / iAimFP6][Stopped/Manual Start]
  <system32\DRIVERS\wADV08nt.sys><Intel(R) Corporation>
[iAimFP7 / iAimFP7][Stopped/Manual Start]
  <system32\DRIVERS\wADV09nt.sys><Intel(R) Corporation>
[iAimTV0 / iAimTV0][Stopped/Manual Start]
  <system32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
[iAimTV1 / iAimTV1][Stopped/Manual Start]
  <system32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
[iAimTV3 / iAimTV3][Stopped/Manual Start]
  <system32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
[iAimTV4 / iAimTV4][Stopped/Manual Start]
  <system32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
[iAimTV5 / iAimTV5][Stopped/Manual Start]
  <system32\DRIVERS\wATV10nt.sys><Intel(R) Corporation>
[iAimTV6 / iAimTV6][Stopped/Manual Start]
  <system32\DRIVERS\wATV06nt.sys><Intel(R) Corporation>
[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]
  <system32\DRIVERS\ipinip.sys><N/A>
[Intel(r) 82801 Audio Driver Install Service (WDM) / mnich][Stopped/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <D:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[]
  {7C8D1401-A58D-A81C-CD24-A5915C4517C7} <C:\WINDOWS\system32\mnmhgsrv.dll, N/A>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <D:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
[HtmlDlgSafeHelper Class]
  {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, Microsoft Corporation>
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <D:\Program Files\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <D:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx, Adobe Systems, Inc.>
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, Microsoft Corporation>
[使用迅雷下载]
  <D:\Program Files\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <D:\Program Files\Thunder\Program\getallurl.htm, N/A>
==================================
正在运行的进程
[PID: 156][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 208][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 232][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\sfc_os.dll]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\SOGOUPY.IME]  [Sogou.com Inc., 3.5.0.0]
[PID: 280][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 292][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 476][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 540][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 588][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [c:\windows\system32\sfc_os.dll]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1744][C:\Program Files\SogouInput\PinyinUp.exe]  [Smallfrogs Studio, 2.6.11.992]
[PID: 1752][C:\Program Files\SogouInput\SREf37c4196.EXE]  [Smallfrogs Studio, 2.6.11.992]
    [C:\WINDOWS\system32\SOGOUPY.IME]  [Sogou.com Inc., 3.5.0.0]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\WINDOWS\system32\sfc_os.dll]  [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
    [C:\Program Files\SogouInput\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1       localhost
==================================
进程特权扫描
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================

蓝色冰雨 2008-7-5 20:49

分析的不错

小辛 2008-7-5 22:50

我就奇怪我怎么就不会轻易中毒呢

sunvhao 2008-7-11 10:36

资料很详细^_^
辛苦了

lg560852 2008-7-14 12:57

文章有点面熟,楼主也有点面熟:100bq

wsnlbb 2008-7-25 08:39

俺看了似懂非懂!特别是reg的那部分

ww05241987 2008-7-25 09:39

不错就是 我不是高手不是很懂

永远的小千 2008-8-1 16:20

哇塞,高手诶~~......。临危不乱...要是我恐怕已经把机子砸了......~~然后大喊救命......~~
页: [1]
查看完整版本: 遭遇DOWNLOADER!