PegeFile.pif is starting to go around the Logs section, everyone watch out

It creates the following virus files, among others

c:\program files\internet explorer\plugins\winsys84.sys
c:\program files\internet explorer\plugins\newtemp.dll
c:\windows\system32\drivers\scvhost.exe
c:\program files\common files\system\yifdeml.exe
c:\windows\system32\sidjazy.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\avpsrv.exe
c:\docume~1\admini~1\locals~1\temp\a17.exe
c:\windows\msimms32.exe
c:\windows\upxdnd.exe
c:\program files\common files\microsoft shared\tiqrpep.exe
c:\windows\system32a2.sys
c:\windows\\systemroot\system32\drivers\kimejg.sys

This program performs image hijacking (IFEO)
c:\program files\common files\microsoft shared\tiqrpep.exe

The HOSTS file has been messed up badly
127.0.0.1      localhost
0.0.0.0 182838.com
0.0.0.0 204.177.92.68
0.0.0.0 asiafriendfinder.com
0.0.0.0 asqin123.51.net
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 music.v111.com
0.0.0.0 www.jpbeauty.com
0.0.0.0 beautishow.com
0.0.0.0 goodmovies88.com
0.0.0.0 hothack.home.chinaren.com
0.0.0.0 hualiao.net
0.0.0.0 iplus.allyes.com
0.0.0.0 jjkafei.longcity.net
0.0.0.0 kaomm.8m.cn
0.0.0.0 l3iaoliao.com
0.0.0.0 lingaonbvm.myrice.com
0.0.0.0 lovejava.boy.net.cn
0.0.0.0 love7liao.com
0.0.0.0 asqin123.51.net
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 jjkafei.longcity.net
0.0.0.0 kaomm.8m.cn
0.0.0.0 l3iaoliao.com
0.0.0.0 l3iaoliao.com
0.0.0.0 lingaonbvm.myrice.com
0.0.0.0 lovejava.boy.net.cn
0.0.0.0 love7liao.com
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 music.v111.com
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 jjkafei.longcity.net
0.0.0.0 kaomm.8m.cn
0.0.0.0 l3iaoliao.com
0.0.0.0 l3iaoliao.com
0.0.0.0 lingaonbvm.myrice.com
0.0.0.0 lovejava.boy.net.cn
0.0.0.0 love7liao.com
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 music.v111.com
219.153.32.215 auto.search.msn.com

Every drive has the following files in its root
bpvrgut.exe
PegeFile.pif

The virus spawns several hidden processes
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TIQRPEP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TIQRPEP.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SCVHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SCVHOST.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\YIFDEML.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\YIFDEML.EXE
C:\PROGRAM FILES\THUNDER\PROGRAM\THUNDER5.EXE

Winsock has been hijacked again
C:\WINDOWS\system32\msrav.dll
Last edited 2007-10-03 14:05:55
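As an added example (not from the original post), here is a Python audit script for two of the artifacts described above: a HOSTS file in which a hostname resolves to something other than loopback or the null route (the `auto.search.msn.com` line is the one that redirects rather than blocks), and IFEO `Debugger` values of the kind an image-hijacking program sets. The HOSTS excerpt and the `reg query` output embedded below are constructed samples; the hijacked target `antivirus.exe` is a placeholder, since the post does not say which programs tiqrpep.exe hijacks.

```python
import os
import re
import subprocess
from collections import Counter

# Constructed sample: a short HOSTS excerpt in the shape shown in the post.
SAMPLE_HOSTS = """127.0.0.1      localhost
0.0.0.0 182838.com
0.0.0.0 babe520.5188.org
0.0.0.0 music.feifa.com
0.0.0.0 babe520.5188.org
219.153.32.215 auto.search.msn.com
"""

# Constructed sample of `reg query ... /s` output; antivirus.exe is a placeholder target.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe
    Debugger    REG_SZ    c:\program files\common files\microsoft shared\tiqrpep.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    DisableHeapLookaside    REG_DWORD    0x1
"""

IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that only block a name
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Separate blocking entries from redirects and report duplicated names.

    A name pointed at loopback or 0.0.0.0 is merely blocked; a name pointed at
    any other address is redirected, which is the dangerous case (e.g. an MSN
    search host sent to an arbitrary third-party IP).
    """
    entries = parse_hosts(text)
    redirects, blocked = {}, set()
    for ip, name in entries:
        if ip in SINKHOLE_ADDRS:
            if name not in LOOPBACK_NAMES:
                blocked.add(name)
        else:
            redirects[name] = ip
    counts = Counter(name for _, name in entries)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {"redirects": redirects, "blocked": sorted(blocked), "duplicates": duplicates}


# Subkey line: ...\Image File Execution Options\<target.exe>
_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Image File Execution Options\\([^\\\r\n]+)\s*$", re.I)
# Value line:   Debugger    REG_SZ    <path>
_DEBUGGER_RE = re.compile(r"^\s+Debugger\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def find_ifeo_debuggers(reg_query_output):
    """Return [(target_exe, debugger_path)] for every IFEO subkey with a Debugger value."""
    hijacks, current = [], None
    for line in reg_query_output.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        dbg = _DEBUGGER_RE.match(line)
        if dbg and current:
            hijacks.append((current, dbg.group(1)))
    return hijacks


if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    if os.name == "nt" and os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
        reg_text = subprocess.run(["reg", "query", IFEO_KEY, "/s"],
                                  capture_output=True, text=True).stdout
    else:  # not on Windows: run against the constructed samples
        hosts_text, reg_text = SAMPLE_HOSTS, SAMPLE_REG_QUERY
    print("HOSTS audit:", audit_hosts(hosts_text))
    print("IFEO Debugger values:", find_ifeo_debuggers(reg_text))
```

On a live Windows host the script reads the real HOSTS file and runs `reg query` itself; anywhere else it audits the embedded samples. Every `Debugger` value under IFEO deserves a look, but one pointing into a random directory under Common Files, as tiqrpep.exe does here, is the classic sign that launching the named program will start the malware instead.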