【求助】关于将可执行文件图标变为winrar图标的病毒 bbs.ikaka.com

胡人2 - 2010-5-1 21:16:00

这两天电脑中毒了，病毒把以前下的好的.exe可执行文件（一般都是软件的安装包文件）图标变成4色的winrar压缩文件图标，运行后程序便再也运行不起来了，即便重装系统后也如此，同时它还删除系统正常启动的系统加载项，仅在msconfig的启动内剩下其余非系统加载项，同时运行IE也变得极其缓慢。
请问这是什么病毒？要如何彻底清除？清除后的软件安装包还能用吗？

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; QQDownload 598; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

天月来了 - 2010-5-1 21:28:00

将存在一定数量的这样情况的文件夹，整体打包压缩发来

胡人2 - 2010-5-2 12:16:00

好的。
不知道是什么病毒……

胡人2 - 2010-5-4 12:41:00

附件的文件本是从微软下的进行正版验证的工具,结果被感染了,现病毒已扩散.
由于无法安装winrar，故只能将此染毒的文件拓展名从exe更改成rar了。下载分析时请注意改过来。
对这种病毒如何清除？用什么工具？谢谢！

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

附件: genuinecheck.rar

胡人2 - 2010-5-4 12:50:00

病毒现象在http://bbs.ikaka.com/showtopic-8712856.aspx已述.
下面是SRENG扫描日志: [code]2010-05-04,12:39:14
System Repair Engineer 2.8.2.1321
Smallfrogs (http://www.KZTechs.com)
Windows Vista Ultimate Edition Service Pack 2 (Build 6002) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
计划任务
Windows 安全更新检查
API HOOK
隐藏进程

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Sidebar><C:\Program Files\Windows Sidebar\sidebar.exe /autoRun> [(Verified)Microsoft Windows]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Windows Defender><%ProgramFiles%\Windows Defender\MSASCui.exe -hide> [(Verified)Microsoft Windows]
<IgfxTray><C:\Windows\system32\igfxtray.exe> [(Verified)Intel Corporation]
<HotKeysCmds><C:\Windows\system32\hkcmd.exe> [(Verified)Intel Corporation]
<Persistence><C:\Windows\system32\igfxpers.exe> [(Verified)Intel Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><explorer.exe> [(Verified)Microsoft Windows]
<Userinit><C:\Windows\system32\userinit.exe,> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WebCheck><C:\Windows\system32\webcheck.dll> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
<WinlogonNotify: igfxcui><igfxdev.dll> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Microsoft Windows Media Player><C:\Windows\system32\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><C:\Windows\system32\ie4uinit.exe -UserIconConfig> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
<Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Windows Mail 7><"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer><C:\Windows\system32\ie4uinit.exe -BaseSettings> [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\Windows\system32\logon.scr> [(Verified)Microsoft Windows]
==================================
启动文件夹
N/A
==================================
服务
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd][Stopped/Manual Start]
<"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><CACE Technologies, Inc.>
==================================
驱动程序
[adp94xx / adp94xx][Stopped/Disabled]
<\SystemRoot\system32\drivers\adp94xx.sys><Adaptec, Inc.>
[adpahci / adpahci][Stopped/Disabled]
<\SystemRoot\system32\drivers\adpahci.sys><Adaptec, Inc.>
[adpu160m / adpu160m][Stopped/Disabled]
<\SystemRoot\system32\drivers\adpu160m.sys><Adaptec, Inc.>
[adpu320 / adpu320][Stopped/Disabled]
<\SystemRoot\system32\drivers\adpu320.sys><Adaptec, Inc.>
[aic78xx / aic78xx][Stopped/Disabled]
<\SystemRoot\system32\drivers\djsvs.sys><Adaptec, Inc.>
[aliide / aliide][Stopped/Disabled]
<\SystemRoot\system32\drivers\aliide.sys><Acer Laboratories Inc.>
[arc / arc][Stopped/Disabled]
<\SystemRoot\system32\drivers\arc.sys><Adaptec, Inc.>
[arcsas / arcsas][Stopped/Disabled]
<\SystemRoot\system32\drivers\arcsas.sys><Adaptec, Inc.>
[Brother USB Mass-Storage Lower Filter Driver / BrFiltLo][Stopped/Manual Start]
<\SystemRoot\system32\drivers\brfiltlo.sys><Brother Industries, Ltd.>
[Brother USB Mass-Storage Upper Filter Driver / BrFiltUp][Stopped/Manual Start]
<\SystemRoot\system32\drivers\brfiltup.sys><Brother Industries, Ltd.>
[Brother MFC Serial Port Interface Driver (WDM) / Brserid][Stopped/Disabled]
<\SystemRoot\system32\drivers\brserid.sys><Brother Industries Ltd.>
[Brother WDM Serial driver / BrSerWdm][Stopped/Disabled]
<\SystemRoot\system32\drivers\brserwdm.sys><Brother Industries Ltd.>
[Brother MFC USB Fax Only Modem / BrUsbMdm][Stopped/Disabled]
<\SystemRoot\system32\drivers\brusbmdm.sys><Brother Industries Ltd.>
[Brother MFC USB Serial WDM Driver / BrUsbSer][Stopped/Manual Start]
<\SystemRoot\system32\drivers\brusbser.sys><Brother Industries Ltd.>
[cmdide / cmdide][Stopped/Disabled]
<\SystemRoot\system32\drivers\cmdide.sys><CMD Technology, Inc.>
[Intel(R) PRO/1000 NDIS 6 Adapter Driver / E1G60][Stopped/Manual Start]
<system32\DRIVERS\E1G60I32.sys><Intel Corporation>
[elxstor / elxstor][Stopped/Disabled]
<\SystemRoot\system32\drivers\elxstor.sys><Emulex>
[HpCISSs / HpCISSs][Stopped/Disabled]
<\SystemRoot\system32\drivers\hpcisss.sys><Hewlett-Packard Company>
[Intel RAID Controller Vista / iaStorV][Stopped/Disabled]
<\SystemRoot\system32\drivers\iastorv.sys><Intel Corporation>
[igfx / igfx][Running/Manual Start]
<system32\DRIVERS\igdkmd32.sys><Intel Corporation>
[iirsp / iirsp][Stopped/Disabled]
<\SystemRoot\system32\drivers\iirsp.sys><Intel Corp./ICP vortex GmbH>
[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]
<system32\DRIVERS\ipinip.sys><N/A>
[ITEATAPI_Service_Install / iteatapi][Stopped/Disabled]
<\SystemRoot\system32\drivers\iteatapi.sys><Integrated Technology Express, Inc.>
[ITERAID_Service_Install / iteraid][Stopped/Disabled]
<\SystemRoot\system32\drivers\iteraid.sys><Integrated Technology Express, Inc.>
[LSI_FC / LSI_FC][Stopped/Disabled]
<\SystemRoot\system32\drivers\lsi_fc.sys><LSI Logic>
[LSI_SAS / LSI_SAS][Stopped/Disabled]
<\SystemRoot\system32\drivers\lsi_sas.sys><LSI Logic>
[LSI_SCSI / LSI_SCSI][Stopped/Disabled]
<\SystemRoot\system32\drivers\lsi_scsi.sys><LSI Logic>
[megasas / megasas][Stopped/Disabled]
<\SystemRoot\system32\drivers\megasas.sys><LSI Corporation>
[MegaSR / MegaSR][Stopped/Disabled]
<\SystemRoot\system32\drivers\megasr.sys><LSI Corporation, Inc.>
[Mraid35x / Mraid35x][Stopped/Disabled]
<\SystemRoot\system32\drivers\mraid35x.sys><LSI Logic Corporation>
[nfrd960 / nfrd960][Stopped/Disabled]
<\SystemRoot\system32\drivers\nfrd960.sys><IBM Corporation>
[NetGroup Packet Filter Driver / NPF][Running/Auto Start]
<system32\drivers\npf.sys><CACE Technologies, Inc.>
[N-trig HID Tablet Driver / ntrigdigi][Stopped/Disabled]
<\SystemRoot\system32\drivers\ntrigdigi.sys><N-trig Innovative Technologies>
[NVIDIA nForce RAID Driver / nvraid][Stopped/Disabled]
<\SystemRoot\system32\drivers\nvraid.sys><NVIDIA Corporation>
[nvstor / nvstor][Stopped/Disabled]
<\SystemRoot\system32\drivers\nvstor.sys><NVIDIA Corporation>
[IPX Traffic Filter Driver / NwlnkFlt][Stopped/Manual Start]
<system32\DRIVERS\nwlnkflt.sys><N/A>
[IPX Traffic Forwarder Driver / NwlnkFwd][Stopped/Manual Start]
<system32\DRIVERS\nwlnkfwd.sys><N/A>
[QLogic Fibre Channel Miniport Driver / ql2300][Stopped/Disabled]
<\SystemRoot\system32\drivers\ql2300.sys><QLogic Corporation>
[QLogic iSCSI Miniport Driver / ql40xx][Stopped/Disabled]
<\SystemRoot\system32\drivers\ql40xx.sys><QLogic Corporation>
[SiSRaid4 / SiSRaid4][Stopped/Disabled]
<\SystemRoot\system32\drivers\sisraid4.sys><Silicon Integrated Systems>
[Symc8xx / Symc8xx][Stopped/Disabled]
<\SystemRoot\system32\drivers\symc8xx.sys><LSI Logic>
[Sym_hi / Sym_hi][Stopped/Disabled]
<\SystemRoot\system32\drivers\sym_hi.sys><LSI Logic>
[Sym_u3 / Sym_u3][Stopped/Disabled]
<\SystemRoot\system32\drivers\sym_u3.sys><LSI Logic>
[uliahci / uliahci][Stopped/Disabled]
<\SystemRoot\system32\drivers\uliahci.sys><ULi Electronics Inc.>
[UlSata / UlSata][Stopped/Disabled]
<\SystemRoot\system32\drivers\ulsata.sys><Promise Technology, Inc.>
[ulsata2 / ulsata2][Stopped/Disabled]
<\SystemRoot\system32\drivers\ulsata2.sys><Promise Technology, Inc.>
[viaide / viaide][Stopped/Disabled]
<\SystemRoot\system32\drivers\viaide.sys><VIA Technologies, Inc.>
[vsmraid / vsmraid][Stopped/Disabled]
<\SystemRoot\system32\drivers\vsmraid.sys><VIA Technologies Inc.,Ltd>
[NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwlh][Running/Manual Start]
<system32\DRIVERS\yk60x86.sys><Marvell>
==================================
浏览器加载项
[PasswdEditX Control]
{305C213C-780C-432D-8417-23E53F2EE830} <C:\Windows\System32\PasswdEditXControl1.ocx, >
[]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <, >
[XML HTTP Request]
{ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
==================================

胡人2 - 2010-5-4 12:50:00

正在运行的进程
[PID: 428 / SYSTEM][\SystemRoot\System32\smss.exe] [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 560 / SYSTEM][C:\Windows\system32\csrss.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 604 / SYSTEM][C:\Windows\system32\wininit.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 616 / SYSTEM][C:\Windows\system32\csrss.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 648 / SYSTEM][C:\Windows\system32\services.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 660 / SYSTEM][C:\Windows\system32\lsass.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 668 / SYSTEM][C:\Windows\system32\lsm.exe] [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 764 / SYSTEM][C:\Windows\system32\winlogon.exe] [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 856 / SYSTEM][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 916 / NETWORK SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 952 / SYSTEM][C:\Windows\System32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1044 / LOCAL SERVICE][C:\Windows\System32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1068 / SYSTEM][C:\Windows\System32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1080 / SYSTEM][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1292 / NETWORK SERVICE][C:\Windows\system32\SLsvc.exe] [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1356 / LOCAL SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1492 / NETWORK SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 1636 / SYSTEM][C:\Windows\System32\spoolsv.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1660 / LOCAL SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 1920 / NETWORK SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 2004 / LOCAL SERVICE][C:\Windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 208 / SYSTEM][C:\Windows\System32\svchost.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 344 / SYSTEM][C:\Windows\system32\SearchIndexer.exe] [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 840 / SYSTEM][C:\Windows\system32\taskeng.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 2064 / YPing][C:\Windows\system32\taskeng.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\igfxTMM.dll] [Intel Corporation, 7.14.10.1666]
[PID: 2108 / YPing][C:\Windows\system32\Dwm.exe] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\igdumdx32.dll] [Intel Corporation, 7.15.10.1666]
[C:\Windows\system32\igdumd32.dll] [Intel Corporation, 7.15.10.1666]
[PID: 2184 / YPing][C:\Windows\Explorer.EXE] [(Verified) Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\igfxpph.dll] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\hccutils.DLL] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxsrvc.dll] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxrCHS.lrc] [Intel Corporation, 7.14.10.1666]
[PID: 2352 / YPing][C:\Program Files\Windows Defender\MSASCui.exe] [Microsoft Corporation, 1.1.1600.0]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2364 / YPing][C:\Windows\System32\igfxtray.exe] [Intel Corporation, 7.14.10.1666]
[C:\Windows\System32\hccutils.DLL] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxsrvc.dll] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxrCHS.lrc] [Intel Corporation, 7.14.10.1666]
[C:\Windows\System32\igfxress.dll] [Intel Corporation, 7.14.10.1666]
[PID: 2376 / YPing][C:\Windows\System32\hkcmd.exe] [Intel Corporation, 7.14.10.1666]
[C:\Windows\System32\hccutils.DLL] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxsrvc.dll] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxrCHS.lrc] [Intel Corporation, 7.14.10.1666]
[PID: 2404 / YPing][C:\Windows\System32\igfxpers.exe] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxsrvc.dll] [Intel Corporation, 7.14.10.1666]
[PID: 2420 / YPing][C:\Program Files\Windows Sidebar\sidebar.exe] [Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[C:\Windows\system32\icm32.dll] [Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\igdumdx32.dll] [Intel Corporation, 7.15.10.1666]
[C:\Windows\system32\igdumd32.dll] [Intel Corporation, 7.15.10.1666]
[PID: 2520 / YPing][C:\Windows\system32\igfxsrvc.exe] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxsrvc.dll] [Intel Corporation, 7.14.10.1666]
[C:\Windows\system32\igfxdev.dll] [Intel Corporation, 7.14.10.1666]
[PID: 3884 / SYSTEM][C:\Windows\system32\wbem\wmiprvse.exe] [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1796 / YPing][D:\软件备份\wrar392sc.exe] [N/A, ]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3176 / YPing][D:\软件备份\wrar392sc.exe] [N/A, ]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2836 / YPing][D:\软件备份\wrar392sc.exe] [N/A, ]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2788 / YPing][D:\软件备份\wrar392sc.exe] [N/A, ]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 3712 / YPing][C:\Program Files\深圳大学网络认证客户端\ishare_user.exe] [城市热点有限公司, 3, 73, 4, 3700]
[C:\Windows\system32\packet.dll] [CACE Technologies, Inc., 4.1.0.1753]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[PID: 2800 / NETWORK SERVICE][C:\Windows\system32\wbem\wmiprvse.exe] [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 3728 / YPing][C:\Windows\system32\conime.exe] [(Verified) Microsoft Corporation, 6.0.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 3188 / YPing][C:\Program Files\Internet Explorer\ieuser.exe] [Microsoft Corporation, 6.0.6000.16386 (vista_rtm.061101-2205)]
[PID: 3036 / YPing][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 7.00.6000.16386 (vista_rtm.061101-2205)]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
[C:\Windows\system32\igdumdx32.dll] [Intel Corporation, 7.15.10.1666]
[C:\Windows\system32\igdumd32.dll] [Intel Corporation, 7.15.10.1666]
[PID: 828 / SYSTEM][C:\Windows\system32\SearchProtocolHost.exe] [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 1228 / SYSTEM][C:\Windows\system32\SearchFilterHost.exe] [(Verified) Microsoft Corporation, 7.00.6002.18005 (lh_sp2rtm.090410-1830)]
[PID: 2252 / SYSTEM][C:\Windows\servicing\TrustedInstaller.exe] [(Verified) Microsoft Corporation, 6.0.6001.18000 (longhorn_rtm.080118-1840)]
[PID: 1404 / YPing][C:\Users\YPing\AppData\Local\Temp\Temp1_sreng2.zip\SREngLdr.EXE] [Smallfrogs Studio, 2.8.2.1321]
[PID: 436 / YPing][C:\Users\YPing\AppData\Local\Temp\Temp1_sreng2.zip\SRE7ab5c406.EXE] [Smallfrogs Studio, 2.8.2.1321]
[C:\Windows\system32\TcpIPDogL.dll] [城市热点资讯有限公司, 1, 0, 0, 164]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["%SystemRoot%\hh.exe" %1]
.HLP OK. [%SystemRoot%\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. ["%SystemRoot%\System32\WScript.exe" "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
Dr.COM Client over [MSAFD Tcpip [TCP/IP]]
C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [MSAFD Tcpip [UDP/IP]]
C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [RSVP TCP 服务提供商]
C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client over [RSVP UDP 服务提供商]
C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
Dr.COM Client
C:\Windows\system32\TcpIPDogL.dll(城市热点资讯有限公司, TcpIPDogL)
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
::1 localhost
==================================
进程特权扫描
N/A
==================================
计划任务
[已禁用] \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
N/A
[已启用] \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
N/A
[已启用] \Microsoft\Windows\Bluetooth\UninstallDeviceTask
BthUdTask.exe $(Arg0)
[已启用] \Microsoft\Windows\CertificateServicesClient\SystemTask
N/A
[已启用] \Microsoft\Windows\CertificateServicesClient\UserTask
N/A
[已启用] \Microsoft\Windows\CertificateServicesClient\UserTask-Roam
N/A
[已启用] \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
%SystemRoot%\System32\wsqmcons.exe
[已启用] \Microsoft\Windows\Customer Experience Improvement Program\OptinNotification
%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0
[已启用] \Microsoft\Windows\Defrag\ScheduledDefrag
%windir%\system32\defrag.exe -c -i
[已启用] \Microsoft\Windows\Media Center\ehDRMInit
%SystemRoot%\ehome\ehPrivJob.exe /DRMInit
[已启用] \Microsoft\Windows\Media Center\mcupdate
%SystemRoot%\ehome\mcupdate $(Arg0) -gc
[已启用] \Microsoft\Windows\Media Center\OCURActivate
%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate
[已启用] \Microsoft\Windows\Media Center\OCURDiscovery
%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery
[已启用] \Microsoft\Windows\Media Center\UpdateRecordPath
%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)
[已启用] \Microsoft\Windows\MobilePC\HotStart
N/A
[已启用] \Microsoft\Windows\MobilePC\TMM
N/A
[已启用] \Microsoft\Windows\MUI\LPRemove
%windir%\system32\lpremove.exe
[已启用] \Microsoft\Windows\Multimedia\SystemSoundsService
N/A
[已启用] \Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
N/A
[已启用] \Microsoft\Windows\Shell\CrawlStartPages
N/A
[已禁用] \Microsoft\Windows\SideShow\AutoWake
N/A
[已启用] \Microsoft\Windows\SideShow\GadgetManager
N/A
[已禁用] \Microsoft\Windows\SideShow\SessionAgent
N/A
[已禁用] \Microsoft\Windows\SideShow\SystemDataProviders
N/A
[已启用] \Microsoft\Windows\SystemRestore\SR
%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
[已启用] \Microsoft\Windows\Tcpip\IpAddressConflict1
rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem
[已启用] \Microsoft\Windows\Tcpip\IpAddressConflict2
rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem
[已启用] \Microsoft\Windows\UPnP\UPnPHostConfig
sc.exe config upnphost start= auto
[已启用] \Microsoft\Windows\Windows Error Reporting\QueueReporting
%windir%\system32\wermgr.exe -queuereporting
[已启用] \Microsoft\Windows\Wired\GatherWiredInfo
%windir%\system32\gatherWiredInfo.vbs
[已启用] \Microsoft\Windows\Wireless\GatherWirelessInfo
%windir%\system32\gatherWirelessInfo.vbs
==================================
Windows 安全更新检查
KB932926, BitLocker 和 EFS 增强
KB933713, Windows DreamScene
KB949479, Windows 声音方案
KB954320, Microsoft Tinker 提供的 Ultimate Extras Sounds
KB954955, Microsoft Tinker
KB928439, 用于 Windows Vista 的 Windows PowerShell 1.0 (KB928439)
KB961501, Windows Vista 安全更新程序 (KB961501) MS09-022
KB970238, Windows Vista 安全更新程序 (KB970238) MS09-026
KB943729, 用于 Windows Vista 的组策略首选项客户端扩展 (KB943729)
KB951847, Microsoft .NET Framework 3.5 Service Pack 1 和 .NET Framework 3.5 Family Update (KB951847) x86
KB971183, 阿拉伯语语言包
KB971183, 保加利亚语语言包
KB971183, 克罗地亚语语言包
KB971183, 捷克语语言包
KB971183, 丹麦语语言包
KB971183, 英语语言包
KB971183, 爱沙尼亚语语言包
KB971183, 芬兰语语言包
KB971183, 法语语言包
KB971183, 德语语言包
KB971183, 希腊语语言包
KB971183, 希伯来语语言包
KB971183, 匈牙利语语言包
KB971183, 意大利语语言包
KB971183, 西班牙语语言包
KB971183, 繁体中文语言包
KB971183, 荷兰语语言包
KB971183, 日语语言包
KB971183, 朝鲜语语言包
KB971183, 拉脱维亚语语言包
KB971183, 立陶宛语语言包
KB971183, 挪威语语言包
KB971183, 波兰语语言包
KB971183, 葡萄牙语（巴西）语言包
KB971183, 葡萄牙语（葡萄牙）语言包
KB971183, 罗马尼亚语语言包
KB971183, 俄语语言包
KB971183, 塞尔维亚语（拉丁语）语言包
KB971183, 斯洛伐克语语言包
KB971183, 斯洛文尼亚语语言包
KB971183, 瑞典语语言包
KB971183, 泰语语言包
KB971183, 土耳其语语言包
KB971183, 乌克兰语语言包
KB968389, Windows Vista 更新程序 (KB968389)
KB973540, Windows Vista 安全更新程序 (KB973540) MS09-037
KB956744, Windows Vista 安全更新程序 (KB956744) MS09-044
KB973507, Windows Vista 安全更新程序 (KB973507) MS09-037
KB971657, Windows Vista 安全更新程序 (KB971657) MS09-041
KB973768, Windows Vista 安全更新程序 (KB973768) MS09-037
KB967723, Windows Vista 安全更新程序 (KB967723) MS09-048
KB970710, Windows Vista 安全更新程序 (KB970710) MS09-049
KB971961, 用于 Windows Vista 的 Jscript 5.7 的安全更新程序 (KB971961) MS09-045
KB968816, 用于 Windows Vista 的 Windows Media Format Runtime 11 的安全更新程序 (KB968816) MS09-047
KB974470, 用于 Windows Vista Service Pack 2 和 Windows Server 2008 Service Pack 2 的 Microsoft .NET Framework 2.0 Service Pack 2 安全更新程序 (KB974470) MS09-061
KB975467, Windows Vista 安全更新程序 (KB975467) MS09-059
KB954155, 用于 Windows Vista 的 Windows Media Format Runtime 11 的安全更新程序 (KB954155) MS09-051
KB974571, Windows Vista 安全更新程序 (KB974571) MS09-056
KB974306, Media Center for Windows Vista 累积更新程序 (KB974306)
KB975517, Windows Vista 安全更新程序 (KB975517) MS09-050
KB972145, Windows Vista 更新程序 (KB972145)
KB971644, Windows Vista 平台更新程序 (KB971644)
KB969947, Windows Vista 安全更新程序 (KB969947) MS09-065
KB973565, Windows Vista 安全更新程序 (KB973565) MS09-063
KB973687, Windows Vista 更新程序 (KB973687)
KB976470, Windows Vista 更新程序 (KB976470)
KB974318, Windows Vista 安全更新程序 (KB974318) MS09-071
KB972270, Windows Vista 安全更新程序 (KB972270) MS10-001
KB975560, Windows Vista 安全更新程序 (KB975560) MS10-013
KB978262, 用于 Windows Vista 的 ActiveX Killbit 累积安全更新程序 (KB978262) MS10-008
KB971468, Windows Vista 安全更新程序 (KB971468) MS10-012
KB975929, Windows Vista 更新程序 (KB975929)
KB976264, Windows Vista 更新程序 (KB976264)
KB979306, Windows Vista 更新程序 (KB979306)
KB979099, Update for Rights Management Services Client for Windows Vista (KB979099)
KB975561, 用于 Windows Vista 的 Movie Maker 6.0 的安全更新程序 (KB975561) MS10-016
KB944036, 用于 Windows Vista 的 Internet Explorer 8
KB980182, 用于 Windows Vista 的 Internet Explorer 7 累积安全更新程序 (KB980182) MS10-018
KB973917, Windows Vista 更新程序 (KB973917)
KB980232, Windows Vista 安全更新程序 (KB980232) MS10-020
KB977816, Windows Vista 安全更新程序 (KB977816) MS10-026
KB979309, Windows Vista 安全更新程序 (KB979309) MS10-019
KB978338, Windows Vista 安全更新程序 (KB978338) MS10-029
KB905866, Windows Mail 垃圾邮件筛选器更新程序 [2010 年 4 月] (KB905866)
KB979683, Windows Vista 安全更新程序 (KB979683) MS10-021
KB890830, Windows 恶意软件删除工具 - 2010 年 4 月 (KB890830)
KB981349, Windows Vista 安全更新程序 (KB981349) MS10-022
KB978601, Windows Vista 安全更新程序 (KB978601) MS10-019
KB980248, Windows Vista 更新程序 (KB980248)
KB915597, Definition Update for Windows Defender - KB915597 (Definition 1.81.874.0)
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================[/code]

byxxdrls - 2010-5-4 13:12:00

VirSCAN.org Scanned Report :
Scanned time : 2010/05/04 13:09:57 (CST)
Scanner results: 全部的杀毒软件报告没有发现病毒!
File Name : genuinecheck.rar
File Size : 27648 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 1cbafb0c00fdca7291bdecc9421b4346
SHA1 : 7245b265db23ce5b17040c91813c905f7105816f
Online report : http://virscan.org/report/50fd2f688376043a8e72eb666b428106.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100504020432 2010-05-04 6.12 -
安博士V3 2010.05.04.01 2010.05.04 2010-05-04 1.27 -
AntiVir 8.2.1.224 7.10.7.22 2010-05-03 0.27 -
安天 2.0.18 20100429.4301541 2010-04-29 0.02 -
Arcavir 2009 201005020249 2010-05-02 0.07 -
Authentium 5.1.1 201005032220 2010-05-03 1.32 -
AVAST! 4.7.4 100503-1 2010-05-03 0.01 -
AVG 8.5.793 271.1.1/2852 2010-05-04 0.25 -
BitDefender 7.81008.5733016 7.31496 2010-05-04 3.70 -
ClamAV 0.95.3 10904 2010-05-04 0.01 -
Comodo 3.13.579 4756 2010-05-04 0.93 -
CP Secure 1.3.0.5 2010.05.04 2010-05-04 0.04 -
Dr.Web 5.0.2.3300 2010.05.04 2010-05-04 6.92 -
F-Prot 4.4.4.56 20100503 2010-05-03 1.32 -
F-Secure 7.02.73807 2010.05.04.01 2010-05-04 11.22 -
飞塔 4.0.14 11.770 2010-05-03 0.21 -
GData 21.89/21.28 20100504 2010-05-04 7.09 -
ViRobot 20100503 2010.05.03 2010-05-03 0.41 -
Ikarus T3.1.01.80 2010.05.04.75774 2010-05-04 5.96 -
江民杀毒 13.0.900 2010.05.03 2010-05-03 1.19 -
卡巴斯基 5.5.10 2010.05.03 2010-05-03 0.15 -
金山毒霸 2009.2.5.15 2010.5.4.9 2010-05-04 0.66 -
迈克菲 5400.1158 5971 2010-05-03 0.02 -
Microsoft 1.5703 2010.05.03 2010-05-03 6.75 -
Norman 6.04.12 6.04.00 2010-05-03 4.01 -
熊猫卫士 9.05.01 2010.05.03 2010-05-03 1.98 -
趋势科技 9.120-1004 7.146.03 2010-05-03 0.04 -
Quick Heal 10.00 2010.05.03 2010-05-03 1.59 -
瑞星 20.0 22.45.04.03 2010-04-30 1.23 -
Sophos 3.06.0 4.52 2010-05-04 3.66 -
Sunbelt 3.9.2421.2 6258 2010-05-03 8.44 -
赛门铁克 1.3.0.24 20100503.002 2010-05-03 0.05 -
nProtect 20100503.01 8056188 2010-05-03 10.67 -
The Hacker 6.5.2.0 v00275 2010-05-03 1.07 -
VBA32 3.12.12.4 20100502.0849 2010-05-02 2.58 -
VirusBuster 4.5.11.10 10.126.13/2003635 2010-05-04 2.40 -

等瑞星升级病毒库吧

香橙香橙 - 2010-5-4 13:16:00

上报文件成功！
查询编号：RS20100504130914828335
查询地址：http://mailcenter.rising.com.cn/FileCheck/Default.aspx

networkedition - 2010-5-4 13:17:00

上报文件成功！
查询编号：RS20100504130945140091
为查询文件分析结果，请记录此编号。谢谢您的参与！

baohe - 2010-5-5 14:47:00

http://bbs.ikaka.com/showtopic-8713643.aspx

胡人2 - 2010-5-23 13:15:00

这个病毒太讨厌了……

11716754 - 2010-5-23 16:50:00

安装虚拟机（保证虚拟机内没有任何病毒），安装filemon监视文件夹写入修改行为，然后对注册表做个快照，别忘了将结果上传到论坛上，然后找个高手根据病毒行为编写一个专杀工具

卡斯基巴 - 2010-5-23 22:19:00

修改文件关联不行吗？
cmd下：
assoc .exe=exefile

瑞星卡卡安全论坛