You may have seen Windows XP discs that, remarkably, skip every question during setup and install straight through to the end. That is not the work of some "expert" who patched the Windows installer; it is the so-called Unattended installation method.
Using someone else's automated install disc is convenient, of course, but its answers are fixed and cannot be tailored to your own needs. Wouldn't it be nice to build your own Unattended Windows XP?
Making one is actually quite simple, and I am confident that after reading this article you too will be able to build your own automated install disc.
An automated install is nothing more than storing the answers to the setup questions in a file on the disc beforehand; during setup the answers are read from that file automatically, completing the Unattended installation.
That file lives in the i386 directory of the install disc and is named winnt.sif.
You might say this is a bit of a hassle and ask whether the file can be supplied from a floppy at install time. The answer is yes... but the price is that you then have to boot and install from floppy, and not from a Windows 98 boot disk but from the dedicated XP setup floppies, six of them in total.
Rather than slowly booting setup from floppies, it is better to write winnt.sif into the disc and do the fine-tuning after installation is complete.
After downloading the tools (link below), extract them with WinRAR; two of the files inside are what we need this time: setupmgr.exe, the Setup Manager, and ref.chm, the help file.
The help file is not strictly necessary, but if you are interested you can consult the explanations in ref.chm for further detail.
Next, run setupmgr.exe to create the Unattended answer file. Follow the steps and fill in the information; at the end a text file named unattended.txt is generated.
Rename it to winnt.sif and place it in the i386 directory of the Windows install disc, and you are done.
Tools
http://download.microsoft.com/download/f/b...oyTools-CHT.cab
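For reference, a winnt.sif of the shape Setup Manager writes, added here as an illustration rather than the file generated in the post; every value in angle brackets is a placeholder. The point a practitioner should not miss is that the answer file sits in cleartext on every copy of the disc, so use Setup Manager's option to store the administrator password in hashed form (EncryptedAdminPassword=Yes), guard the disc as carefully as the password itself, and change the password after the first logon.

```ini
; Constructed sample answer file, not the one generated in the post.
; Setup reads it from i386\winnt.sif; every <...> is a placeholder to fill in.
[Data]
AutoPartition=1
MsDosInitiated="0"
UnattendedInstall="Yes"

[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=No
TargetPath=\WINDOWS

[GuiUnattended]
; Weak form: the password is readable by anyone holding the disc.
;   AdminPassword="<cleartext password>"
;   EncryptedAdminPassword=NO
; Preferred: let Setup Manager store the hashed form instead. The hash is still
; sensitive, so guard the disc and change the password after the first logon.
AdminPassword="<hash written by Setup Manager>"
EncryptedAdminPassword=Yes
OEMSkipRegional=1
TimeZone=<time zone index for your region, listed in ref.chm>
OemSkipWelcome=1

[UserData]
ProductKey=<XXXXX-XXXXX-XXXXX-XXXXX-XXXXX>
FullName="<your name>"
OrgName="<your organisation>"
ComputerName=<computer name>

[Identification]
JoinWorkgroup=WORKGROUP

[Networking]
InstallDefaultComponents=Yes
```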
Saturday, August 20, 2011
Building a simple unattended Windows XP install disc
Saturday, July 02, 2011
iPhone: downgrading from 4.2.1 with the 4.1 firmware gives error 3194
In c:\windows\system32\drivers\etc, find the HOSTS file and open it in Notepad; on the last line add 74.208.10.249 gs.apple.com. Then reopen iTunes and reconnect the iPhone.
Wednesday, June 15, 2011
To fix the Duke Nukem Forever slow issue:
put the following system.ini in the System folder
http://dl.dropbox.com/u/390922/Duke.Nukem.Forever/system.ini
or:
Sunday, December 12, 2010
[Repost] Problems encountered creating an application that uses wpcap.dll with VC 6.0
Please credit the source when reposting: http://hi.baidu.com/handt03
===========================================
First I compiled the official sample, which produced these problems:
1.pcap-stdinc.h(76) : error C2054: expected '(' to follow '_W64
error C2085: 'uintptr_t' : not in formal parameter list
error C2628: '_W64' followed by 'int' is illegal (did you forget a ';'?)
Solution:
Add the following definition where pcap.h is included:
#define _W64
#include <pcap/pcap.h>
That is, put #define _W64 in front of the #include <pcap/pcap.h> line.
2. A problem at link time:
LINK : fatal error LNK1104: cannot open file "Iphlpapi.lib "
Solution: search your own machine for iphlpapi.lib (this is the IP Helper library, found in the Windows Platform SDK) and copy it into one of the folders listed under VC's library file option, for example \vc98\lib.
References:
WinPcap _W64 error: http://blog.csdn.net/linkyang/archive/2009/08/07/4423500.aspx
About WinPcap problems: http://topic.csdn.net/u/20070817/15/6c01ae14-16c6-480c-a633-38b36a6b2f07.html
Sunday, September 12, 2010
Fix for low sound volume after installing XP on a MacBook
The method comes from the blog of a talented guy abroad (http://www.stuffedcow.net/macbook_audio) who rewrote the sound card driver himself (impressive..). So here I am only explaining how to use it.
The blog released the following zip packages: CirrusAudioXP_Macbook_b.zip (33 K)
CirrusAudioXP_Macbook_c.zip (33 K)
The second one is newer. Which one works probably depends on your machine, but in my own testing the one that worked was the first, the b package; the c package had no effect.
No more chatter; let's install the driver:
First download both attachments above, then extract whichever one you want to install to the desktop.
(Note: if the problem is still not solved after installing one of them by the method below, delete all the extracted files, extract the other attachment to the desktop, and install again by the same method.)
Right-click My Computer, choose Properties, then the Hardware tab, then click Device Manager.
Expand "Sound, video and game controllers" and click the Logitech sound card circled in red (your sound card's name will differ from the one in my picture, because I had already installed this driver).
Click the Driver tab, then Update Driver.
Choose "No, not this time", then Next.
Choose "Install from a list or specific location", then Next.
Choose "Don't search. I will choose the driver to install", then Next.
Click "Have Disk" directly (ignore the drivers in my list; I had already installed and tested several).
Browse to the path of the driver folder you extracted on the desktop and open the file circled in red.
Back at the driver selection list, choose the item shown below.
A warning will pop up; ignore it and click "Continue Anyway".
After installation... reboot...
After rebooting, check in QQ's voice settings whether it had any effect; if the problem is not solved, install the other driver.
If neither works, I am out of ideas too. Keep following that guy's blog to see whether he releases further drivers.
About the two different drivers in the zip packages:
Cirrus Logic High Definition Audio [Macbook] ---------- this driver only fixes the problem of the external speakers being too quiet under Windows
Cirrus Logic High Definition Audio [Macbook, No S/PDIF Out] ------ this fixes both the low volume and the red light in the headphone jack, by turning off the digital output.
Saturday, May 02, 2009
Sunday, April 26, 2009
That's a brain-teaser! The problem goes like this:
txt2pdf, etc.
Enumerate Installed Devices Using Setup API
http://69.10.233.10/KB/system/EnumDevices.aspx
Scan2PDF
http://www.codeproject.com/KB/applications/Scan2PDF.aspx
Text2PDF
http://www.codeproject.com/KB/applications/Text2PDF.aspx
Smart Translator
http://www.codeproject.com/KB/applications/smarttranslator.aspx
WebReplay - an automated software testing tool for Web applications
http://www.codeproject.com/KB/applications/Web_Replay.aspx
Updater
http://www.codeproject.com/KB/applications/updater.aspx
WaterMarker
MSN virus removal
The biggest sign of an MSN infection is that your own account starts forwarding infected files or links to other people on its own, and there may be other unexplained problems too. The fixes are outlined below:
Case 1: you received a link from a friend and carelessly clicked it:
These sites are usually there to trick you into entering your account name and password, for example sites like something.info. Once the hacker has them, they can use a program to control your account and keep spreading. Such sites probably do not leave a virus on your computer, though.
Remedy: change your account password on the official site as soon as possible, check whether your firewall and antivirus have been switched off, and clear all Temporary Internet Files and cookies. If you only visited the site without entering anything, you are probably unaffected.
Case 2: infected by accepting a file:
/*********** Identifying the type ***********/
Recently a virus with new characteristics has appeared: its file name is a string of random letters, and it behaves differently from the traditional MSN virus although the symptoms are the same. I will tentatively call it the "random-name" MSN virus. So if you really are infected, before reading on you need to know whether you have the "traditional" or the "random-name" type:
Basic steps:
Start > Run > type services.msc, click the "Name" column header to sort, and look for a service called Print Spooler Service (note: not Print Spooler!). The virus has started showing signs of variants, though, and the following service names have also been seen:
Ati HotKey
Aventail VPN Client
BlueSoleilCS
BT Modem Lock
CMG Shield
Cognos ReportNet
CommServer
Compaq DMI Web Agent
Creative Labs Licensing
DigiCtrl
DQLWinService
Electronic Arts Licensing Service
SolidWorks Licensing Service
If you find one, read the "random-name MSN virus" section; otherwise see the "traditional MSN virus" section.
/*********** The "random-name" MSN virus ***********/
Step 1: open Services (Start > Run > type services.msc)
This is where you just were. Right-click the service you found > Properties > under the "General" tab you will see "Path to executable"; the file it points to is the malicious file. Write it down, because it differs from case to case, e.g. C:\Windows\system32\ppldji.exe. Then set "Startup type" to "Disabled" > OK. Note that if you have more than one MSN infection you may not find all of them here, but step 2 will usually turn up clues.
Step 2: open regedit (Start > Run > type regedit)
1. Go to each of
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
and check whether the right-hand pane contains the odd name from before, e.g. ppldji; delete it if so.
Step 3: restart the computer.
Step 4: delete the odd file in C:\Windows\System32, e.g. ppldji.exe, together with the zip file you carelessly downloaded.
Step 5: download SREng from http://www.kztechs.com/sreng/download.html
Open it and choose Startup Items > Services > Win32 Services > look in the service name column for any of the service names mentioned above; if found, select the item > Delete Service > No, then restart the computer.
Step 6: re-check the previous steps to make sure the registry entries and files are gone; then you can open MSN again!
/*********** The "traditional" MSN virus ***********/
Step 1: open regedit (Start > Run > type regedit)
1. First locate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Check whether the right-hand pane contains any of the following values (mostly the early MSN viruses):
antivirus
modems
mjd
printers
prodigy1
prodigy323
prodigys323
rdshost
rdfhost
rdihost
syshosts
system32
systrays (do not delete systray)
version1
w32s
= a CLSID string
If one is there, first note down the CLSID and the file it points to, then delete the value. If not, skip (2).
2. Delete [HKEY_CLASSES_ROOT\CLSID\{the CLSID you noted}]
3. Go to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
and check whether the right-hand pane contains any of the following; skip if none:
If one is present, first note the file the value points to, then delete the whole value.
4. If you have a VBS-type virus, a warning keeps popping up mentioning something like C:\abc.vbs. In that case delete the whole "abc" key, [HKEY_CLASSES_ROOT\abc].
Step 2: exit the registry and restart the computer.
Step 3: Control Panel > Folder Options > View > select "Show hidden files and folders" and untick "Hide protected operating system files" > OK.
Step 4: delete the files you noted down
1. If the following files are found under C:\, delete them:
?rsss.exe (? is any single letter)
smsss.exe
pif.exe
autorun.inf
a.bat
abc.vbs
cba.vbs
1.txt
2.txt
f uckrav.com
2. If the following files are found under C:\Documents and Settings\<username>\, delete them:
auto.txt
new.txt
<6 random letters or digits>.exe
3. If the following files are found under C:\Windows\, delete them:
the zip you carelessly downloaded (e.g. img301.zip, img1756.zip), and the files you noted in step 1 item 3. They may go by any of a long list of names; note that a svchost.exe found directly under C:\Windows is fake, since the real svchost.exe lives in C:\Windows\system32 and normally runs as 5-6 instances.
4. If the following files are found under C:\Windows\System\, delete them:
ehsched.exe
explorer.exe
lsass.exe (the real lsass.exe is in system32!)
csrss.exe (the real csrss.exe is in system32!)
5. If the following files are found under C:\Windows\System32\, delete them:
6. If the following files are found under C:\Windows\System32\dllcache\, delete them:
jucheck.exe
winlogon.exe
7. In C:\Windows\System32\microsoft\, check whether two files named backup.tftp and backup.ftp exist. If not, skip this. If they do, follow these steps:
(i) rename backup.tftp to tftp.exe and backup.ftp to ftp.exe
(ii) copy tftp.exe and ftp.exe to C:\Windows\System32\ and C:\Windows\System32\dllcache\, replacing the files there.
Step 5: done! Go to Control Panel > Folder Options > View > select "Do not show hidden files and folders" and tick "Hide protected operating system files" > OK. You can start MSN again!
Startup items:
Auto-start programs: ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad is an undocumented registry key; a component can be associated with this key so that EXPLORER loads the target component automatically at system startup.
This is how some viruses inject themselves into EXPLORER.
We often run into this: Internet Explorer's home page is set to blank and the registry Run key is empty, yet every so often a strange web page pops up by itself. That is ShellServiceObjectDelayLoad at work.
O21 - auto-start entries at the registry key ShellServiceObjectDelayLoad (SSODL)
Tracking down auto-start programs [repost]
I. The classic start: the "Startup" folder
Click "Start → Programs" and you will find a "Startup" menu; this is the most classic Windows startup location. Right-click the "Startup" menu and choose "Open" to open it, as shown in the figure; every program and shortcut in it runs automatically at system startup. The most common startup locations are:
Current user: <C:\Documents and Settings\<username>\Start Menu\Programs\Startup>
All users: <C:\Documents and Settings\All Users\Start Menu\Programs\Startup>
II. The well-known start: registry startup entries
The registry is where startup programs have the most places to hide, mainly the following:
1. The Run key
The Run key is the auto-start location viruses favour most. It lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run], and every program under it is executed in order at each startup and logon.
There is also a less-noticed Run key at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]; check it carefully as well.
2. The RunOnce key
RunOnce lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]; unlike Run, programs under RunOnce are executed automatically only once.
3. The RunServicesOnce key
RunServicesOnce lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]; programs under it are started once, when the system loads.
4. The RunServices key
RunServices programs start after those in RunServicesOnce; the key lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices].
5. The RunOnceEx key
This auto-start key is specific to Windows XP/2003 and lives at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx].
6. The load value
Programs listed in the load value under [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] also auto-start.
7. The Winlogon key
This key lives at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. Note that the Notify, Userinit and Shell values beneath it can also hold auto-start programs, and these values can be comma-separated, so several programs can be started at logon.
8. Other registry locations
A few other values are also frequently used to run programs automatically, such as:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Tip
The difference between the registry's [HKEY_LOCAL_MACHINE] and [HKEY_CURRENT_USER]: the former applies to all users, the latter only to the current user.
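As an added example (not code from any of the reposted articles), the following Python script applies the checks from the MSN-virus guide and the registry autostart list above to an export produced with `reg export` on the affected machine: it parses the .reg text, lists every entry under the Run-family keys and escalates images living in the drop directories the guide names, flags a Winlogon Shell that is not plain Explorer.exe or a Userinit with extra comma-separated programs, and reports SSODL values that are not the XP defaults. The sample export, the hypothetical CLSID under "systrays" and the SSODL default list are assumptions, as marked in the code.

```python
import ntpath
import re

# Autostart keys named in the post (registry paths compare case-insensitively).
_CV = "software\\microsoft\\windows\\currentversion\\"
RUN_KEYS = {_CV + s for s in ("run", "runonce", "runonceex", "runservices",
                              "runservicesonce", "policies\\explorer\\run")}
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
SSODL_KEY = _CV + "shellserviceobjectdelayload"
# SSODL value names present on a clean Windows XP install (assumption: confirm
# against a known-clean machine of the same build before trusting this list).
SSODL_DEFAULTS = {"postbootreminder", "cdburn", "webcheck", "systray"}

# Constructed .reg sample: the suspicious names are the ones the posts mention;
# the CLSID under "systrays" is a made-up placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"Windows Audio Control"="C:\\WINDOWS\\wdfmgr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ppldji.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"systrays"="{9F12A0BB-1C3D-4D74-B1E6-7C6E1A0B0A11}"
'''


def _unescape(s):
    """.reg files escape backslash and double quote with a leading backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: data}}. REG_SZ ("name"="data") values are
    decoded; dword/hex values are kept as raw text so nothing is silently dropped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _image_path(cmd):
    """Executable of a Run command: the quoted path, else the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _in_drop_site(exe):
    """Directories the removal guide names as drop sites: the drive root, C:\\Windows
    itself (not System32), the user profile, or an .exe sitting among kernel drivers."""
    d = ntpath.dirname(exe).lower().rstrip("\\")
    return bool(re.fullmatch(r"[a-z]:", d) or re.fullmatch(r"[a-z]:\\windows", d)
                or "\\documents and settings\\" in d + "\\" or d.endswith("\\system32\\drivers"))


def audit_reg_text(text):
    """Apply the post's checks to every autostart key in the export.
    Returns a list of (severity, key, value name, data) tuples."""
    findings = []
    for key, values in parse_reg(text).items():
        path = key.partition("\\")[2].lower()
        if path in RUN_KEYS:  # list every Run entry; escalate those in a drop site
            for name, data in values.items():
                sev = "high" if _in_drop_site(_image_path(data)) else "review"
                findings.append((sev, key, name, data))
        elif path == WINLOGON_KEY:
            shell = values.get("Shell", "")
            if shell and shell.strip().lower() != "explorer.exe":  # "Explorer.exe other.exe"
                findings.append(("high", key, "Shell", shell))
            parts = [p.strip() for p in values.get("Userinit", "").split(",") if p.strip()]
            if len(parts) > 1 or (parts and not parts[0].lower().endswith(r"\system32\userinit.exe")):
                findings.append(("high", key, "Userinit", values["Userinit"]))
        elif path == SSODL_KEY:
            for name, data in values.items():  # e.g. "systrays" planted beside the real "SysTray"
                if name.lower() not in SSODL_DEFAULTS:
                    findings.append(("high", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in audit_reg_text(SAMPLE_REG):
        print(" | ".join(finding))
```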
III. The ancient start: batch files
Anyone who came up through the DOS era knows autoexec.bat (in the root of the system drive), a batch file that runs automatically when the computer starts. Many early viruses targeted it, using dangerous commands such as deltree and format to destroy the data on the hard disk. The "C drive killer", for instance, used the single command "deltree /y c:\*.*" so that the computer deleted everything on drive C as soon as it booted, harming countless people.
Tip
★ In Windows 98, Autoexec.bat has a sibling, Winstart.bat; it lives in the Windows folder and is also executed at startup.
★ In Windows Me/2000/XP neither of these batch files is executed by default.
IV. The commonly used start: system configuration files
The Windows configuration files (Win.ini, System.ini and wininit.ini) can also load programs automatically.
1. Win.ini
Open Win.ini in Notepad; executables can be added directly after the "Run=" and "LOAD=" statements in the [windows] section, simply by writing the program name and path after the "=".
Tip
Programs after "load=" run minimized after auto-starting, while programs after "run=" run normally.
2. System.ini
Open System.ini in Notepad and find the "shell=" statement in the [boot] section. By default it reads "shell=Explorer.exe", which starts the Windows shell explorer.exe at boot. Viruses are not shy: the "Kiss of the Demon" (妖之吻) virus simply changes it to "shell=c:\yzw.exe", and if you forcibly delete the virus program yzw.exe, Windows throws an error and asks you to reinstall. Scary, isn't it? Politer viruses change the line to "shell=Explorer.exe <other program>"; when you see that, the other program name is certainly the virus, as shown in the figure.
3. wininit.ini
wininit.ini is a system configuration file many users easily overlook, because it is deleted automatically once Windows has executed it at startup, meaning the commands in it run only once. It is mainly generated by software installers to act on files that cannot be deleted, updated or renamed once the Windows GUI is running. If a virus writes a dangerous command into it, the result is no different from the "C drive killer".
Tip
★ If you don't know where these files are, press F3 to open the "Search" dialog and search for them;
★ Click "Start → Run", type sysedit and press Enter to open the "System Configuration Editor", as shown in figure 2, where the files above can also be conveniently viewed and edited.
V. The smart start: startup/shutdown/logon/logoff scripts
In Windows 2000/XP, click "Start → Run", type gpedit.msc and press Enter to open the "Group Policy Editor". In the left pane expand "Local Computer Policy → User Configuration → Administrative Templates → System → Logon", then in the right pane double-click "Run these programs at user logon" and click the "Show" button; the auto-start programs are listed under "Items to run at logon".
VI. The timed start: Task Scheduler
By default the "Task Scheduler" starts together with Windows and runs in the background. Adding a program to the scheduled tasks folder with the task set to run "at system startup" or "at logon" is another way to auto-start it. Programs loaded through "Scheduled Tasks" usually show an icon in the taskbar tray. You can also double-click the "Scheduled Tasks" icon in "Control Panel" to inspect its entries.
Tip
"Scheduled Tasks" is also a special system folder; click "Start → Programs → Accessories → System Tools → Scheduled Tasks" to open it for convenient viewing and management.
VII. Piggy-backing: programs started by other software
For programs that start along with MyIE2, see the article "The browser you will benefit from for life: MyIE2 practical tips" in issues 3 and 4 (2004) of this magazine.
Part 2: All-out battle
Thoroughly auditing Windows auto-start entries
I. Viewing startup programs in "System Information"
Click "Start → Programs → Accessories → System Tools → System Information", double-click "Software Environment" and click "Startup Programs"; the programs shown in the right-hand window are all the auto-start programs, and the "Loaded From" or "Location" column shows whether each is started from the registry or from the "Startup" folder. This only lets you view auto-start programs; you cannot disable them or make any other change here.
Software type: built-in Windows feature
Rating: ★★★★
II. MSConfig
In Windows 98/Me/XP/2003, click "Start → Run", type msconfig and press Enter to open the "System Configuration Utility" window. Click the "Startup" tab; the list shows the programs auto-started from the registry, the "Startup" folder and the system configuration files. Programs with a tick are allowed to auto-start, those without are not. To stop a program auto-starting, just clear the tick in front of it. You can also edit autoexec.bat, system.ini and win.ini on their own tabs to remove auto-start programs from them.
Tip
★ All changes take effect only after a restart.
★ Windows 2000 has no msconfig, but you can copy one from Windows 98 or XP into the system32 directory and it works just the same.
Software type: free, bundled by Microsoft
Rating: ★★★★
III. startup.cpl
Just copy the startup.cpl file into the system32 folder under the Windows install directory. Click "Start → Settings → Control Panel" to open Control Panel and you will find a new Startup item; double-click it, and the dialog lets you conveniently manage the startup entries in the "Startup" folder and the registry: right-click an empty area to create a new entry, or right-click an existing entry to edit, delete, disable or immediately run it.
Software type: free, portable
Rating: ★★★★★
IV. StartupMonitor
Double-click StartupMonitor.msi to install it. Once installed it sits quietly in the background, taking only a little over 100 KB of memory. When does it show what it can do? When you install a piece of software that tries to add itself to auto-start on the sly, it has to get past StartupMonitor first, as shown in the figure; it keeps a very close watch and lets no program through. Strongly recommended by Yuge (the author).
Software type: free, small and practical
Rating: ★★★★★
V. StartStop
After installation the program adds itself to the registry's RunOnce auto-start; once running it shrinks to a small icon in the tray area. Double-click it to open the StartStop main window, which lists this machine's startup programs. Right-click a program to choose always start, never start, or ask every time, as shown in the figure. One distinctive feature: click the menu "Options → Startup delay" to set how long a program's start is delayed at boot.
Software type: free, distinctive
Rating: ★★★★
VI. Autoruns
Download autoruns.zip, extract it and run the autoruns.exe inside directly; since it does not load at startup, it is a cleaner tool. Double-click autoruns.exe to open the interface. It not only lists a very complete set of startup entries but also shows each startup program's company and path in detail; if that is not enough, right-click a startup entry and choose Properties to see the file's properties. It has two more special features: right-click any startup entry and choose Jump to, and it jumps straight to the concrete location, such as the specific registry value, the Startup folder or the INI file, which is very convenient; and the View menu lets you toggle whether to show all startup locations, whether to show startup services, and whether to show only non-Microsoft entries, which is very useful for inspecting and filtering startup entries.
Software type: free, portable
Rating: ★★★★★
VII. Startup Organizer
Startup Organizer's functions for organizing and managing auto-start entries are powerful, and its control over startup entries is fairly fine-grained: for example, you can set a sound prompt for a given entry, or decide whether certain programs start by pressing a key during Windows startup. It can also back up the auto-start configuration file for emergency recovery, compare changes in startup programs, and restore the default configuration from its first run. It is fairly simple to operate; the only regret is that it is not free.
Software type: shareware, 30-day free trial
Saturday, April 25, 2009
minidump
Trapping Bugs with BlackBox
Updated:26 May 2003
http://www.codeproject.com/KB/applications/blackbox.aspx
XCrashReport : Exception Handling and Crash Reporting - Part 1
Posted:20 Oct 2003
http://www.codeproject.com/KB/debug/XCrashReportPt1.aspx
XCrashReport : Exception Handling and Crash Reporting - Part 2
Posted:20 Oct 2003
http://www.codeproject.com/KB/debug/XCrashReportPt2.aspx
XCrashReport : Exception Handling and Crash Reporting - Part 3
Posted:20 Oct 2003
http://www.codeproject.com/KB/debug/XCrashReportPt3.aspx
Own Crash Minidump with Call Stack
Updated:18 Nov 2004
http://www.codeproject.com/KB/applications/minidump.aspx
Catch All Bugs with BugTrap!
Updated:31 Jan 2009
http://www.codeproject.com/KB/applications/BugTrap.aspx
BugTrap downloads
Saturday, April 18, 2009
ThreatExpert:
ThreatExpert: a website for analysing suspicious files... Online submission: http://www.threatexpert.com/submit.aspx. You can upload a suspicious file and a report comes back within a few minutes.
hldrrr.exe srosa.sys bagle
Submission Summary:
- Submission details:
- Submission received: 19 April 2009, 12:09:13
- Processing time: 9 min 24 sec
- Submitted sample:
- File MD5: 0x113554AB42E9EF2B530284E51370C507
- File SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
- Filesize: 655,360 bytes
- Alias:
- Trojan.DL.Bagle.ZPL [PCTools]
- W32.Beagle.EB [Symantec]
- Trojan-Downloader.Win32.Bagle.ajd [Kaspersky Lab]
- Downloader.gen.a [McAfee]
- Troj/Agent-GQY [Sophos]
- TrojanDownloader:Win32/Bagle.RN [Microsoft]
- Trojan-Downloader.Win32.Bagle [Ikarus]
- Win-Trojan/Bagle.655360 [AhnLab]
- Summary of the findings:
  What's been found:
  - Capability to terminate Antivirus, Firewall and other security related processes.
  - Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
  - Downloads/requests other files from Internet.
  - Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
  - Creates a startup registry entry.
  - Contains characteristics of an identified security risk.
Possible Security Risk
- Attention! Characteristics of the following security risks were identified in the system:
  - Trojan-Downloader.Bagle: Trojan.Downloader.Bagle runs in the background and attempts to download malicious files from the Internet without the user's knowledge.
  - Trojan.Lodear.D: Trojan.Lodear.D is a trojan that installs itself onto infected computers so that it starts every time the system reboots. It also tries to download and install additional malware from a list of predetermined websites.
  - Rootkit.Agent: Rootkit.Agent is a trojan that hijacks the browser in order to produce popup advertisements from known bad sites and also has rootkit functionality in order to hide itself as a system driver.
- Attention! The following threat categories were identified:
  - A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
  - A program that downloads files to the local computer that may represent security risk
  - A network-aware worm that attempts to replicate across the existing network(s)
File System Modifications
- The following files were created in the system:
  1. %System%\drivers\hldrrr.exe [file and pathname of the sample #1]
     File size: 655,360 bytes
     MD5: 0x113554AB42E9EF2B530284E51370C507
     SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
     Aliases: Trojan.DL.Bagle.ZPL [PCTools]; W32.Beagle.EB [Symantec]; Trojan-Downloader.Win32.Bagle.ajd [Kaspersky Lab]; Downloader.gen.a [McAfee]; Troj/Agent-GQY [Sophos]; TrojanDownloader:Win32/Bagle.RN [Microsoft]; Trojan-Downloader.Win32.Bagle [Ikarus]; Win-Trojan/Bagle.655360 [AhnLab]
  2. %System%\drivers\srosa.sys
     File size: 100,352 bytes
     MD5: 0x09348BABE24297C2911724AD90FC773B
     SHA-1: 0x004F941EB05890E960337074F79B83E6A7577C08
     Aliases: Rootkit.Bagle.Gen.21 [PCTools]; Trojan Horse [Symantec]; Trojan-Downloader.Win32.Bagle.jh [Kaspersky Lab]; Generic Downloader.x [McAfee]; Trojan:WinNT/Bagle.gen!B [Microsoft]; Trojan-Downloader.Win32.Bagle [Ikarus]; Win-Trojan/Bagle.100352 [AhnLab]
- Note:
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- The following directory was created:
- %System%\drivers\down
- The following directory was deleted:
- [pathname with a string SHARE]\shared
- The following system services were modified:
  Service Name | Display Name | New Status | Service Filename
  ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
  SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
  wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs
  wuauserv | Automatic Updates | "Stopped" | %System%\svchost.exe -k netsvcs
- There was a new kernel-mode driver installed in the system:
  Driver Name | Driver Filename
  Megadrv3 | %System%\drivers\srosa.sys
Registry Modifications
- The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum
- HKEY_CURRENT_USER\Software\FirstRRRun
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy\Settings
- The following Registry Keys were deleted:
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- EnableLUA = 0x00000000
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc]
- EnableLUA = 0x00000016
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "srosa"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
- Service = "srosa"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "Megadrv3"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum]
- 0 = "Root\LEGACY_SROSA\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
- Type = 0x00000001
- Start = 0x00000001
- ErrorControl = 0x00000000
- ImagePath = "%System%\drivers\srosa.sys"
- DisplayName = "Megadrv3"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "srosa"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]
- Service = "srosa"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "Megadrv3"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum]
- 0 = "Root\LEGACY_SROSA\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
- Type = 0x00000001
- Start = 0x00000001
- ErrorControl = 0x00000000
- ImagePath = "%System%\drivers\srosa.sys"
- DisplayName = "Megadrv3"
- [HKEY_CURRENT_USER\Software\FirstRRRun]
- First12Ru123n = 0x00000001
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- drvsyskit = "%System%\drivers\hldrrr.exe" (so that hldrrr.exe runs every time Windows starts)
- The following Registry Values were deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
- C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\ = ""
- C:\WINDOWS\Installer\{4275B162-C5C0-4912-9522-E92FE1C4E21D}\ = ""
- C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\{3966BA0C-23BA-4B20-9B9D-7561DEC54E6A}\ = ""
- C:\Program Files\VMware\VMware Tools\Drivers\memctl\ = ""
- C:\Program Files\VMware\VMware Tools\TPOG3\ = ""
- C:\Program Files\VMware\VMware Tools\TPOG3\amd64\ = ""
- C:\Program Files\VMware\VMware Tools\TPOG3\i386\ = ""
- C:\Program Files\VMware\VMware Tools\vmci\ = ""
- C:\WINDOWS\Installer\{3B410500-1802-488E-9EF1-4B11992E0440}\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ = "1"
- C:\WINDOWS\Microsoft.NET\Framework\ = "1"
- C:\WINDOWS\Microsoft.NET\ = "1"
- C:\WINDOWS\PCHEALTH\ERRORREP\ = "1"
- C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\ = "1"
- C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\ = "1"
- C:\WINDOWS\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RedistList\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild\ = ""
- C:\WINDOWS\system32\MUI\0409\ = ""
- C:\Program Files\Internet Explorer\MUI\0409\ = ""
- C:\Program Files\Internet Explorer\MUI\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\ = ""
- C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1025\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1028\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1031\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1033\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1036\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1040\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1041\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\1042\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\2052\ = ""
- C:\Program Files\Common Files\Microsoft Shared\DW\3082\ = ""
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\ = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\navigationBar.ascx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAddUser.ascx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll = 0x00000001
- C:\WINDOWS\system32\dfshim.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.tlb = 0x00000002
Other details
- To mark the presence in the system, the following Mutex object was created:
- DBWinMutex
- The following Host Name was requested from a host database:
- www.ru
- The following Internet downloads were started (the retrieved bits are saved into the local file):
- URL to be downloaded -> Filename for the downloaded bits
- http://www.courdesloges.com/files2.php -> %System%\drivers\down\407265.exe
- http://aytocristobal.com/files2.php -> %System%\drivers\down\407312.exe
- http://cuidatumiembro.com/files2.php -> %System%\drivers\down\407328.exe
- http://maneironsclimb.com/files2.php -> %System%\drivers\down\407328.exe
- http://www.etraining.ee/files2.php -> %System%\drivers\down\407343.exe
- http://dancefrequency.com.br/files2.php -> %System%\drivers\down\407343.exe
- http://darioo.altervista.org/files2.php -> %System%\drivers\down\407359.exe
- http://daruliftaa.com/files2.php -> %System%\drivers\down\407406.exe
- http://datalifecenter.com/files2.php -> %System%\drivers\down\407421.exe
- http://datissa.com/files2.php -> %System%\drivers\down\407421.exe
- http://www.dbmetric.com/files2.php -> %System%\drivers\down\407421.exe
- http://WWW.DDP.COM.PE/files2.php -> %System%\drivers\down\407437.exe
- http://www.debmark.com/files2.php -> %System%\drivers\down\407437.exe
- http://decastrogil.es/files2.php -> %System%\drivers\down\407484.exe
- http://delattres.com/files2.php -> %System%\drivers\down\407484.exe
- http://demianaiello.com.ar/files2.php -> %System%\drivers\down\407500.exe
- http://demo.portaltapejara.com/files2.php -> %System%\drivers\down\407500.exe
- http://derechoydemocracia.es/files2.php -> %System%\drivers\down\407515.exe
- http://www.devergo.com/files2.php -> %System%\drivers\down\407531.exe
- http://dezaete.nl/files2.php -> %System%\drivers\down\407531.exe
- http://dieppeseinemaritime.com/files2.php -> %System%\drivers\down\407531.exe
- http://digitalpicture.com/files2.php -> %System%\drivers\down\407578.exe
- http://digicromo.com/files2.php -> %System%\drivers\down\407578.exe
- http://diocesequebec.qc.ca/files2.php -> %System%\drivers\down\407593.exe
- http://divinaclub.com/files2.php -> %System%\drivers\down\407593.exe
- http://divinojocelyn.altervista.org/files2.php -> %System%\drivers\down\407609.exe
- http://dj-horoz.com/files2.php -> %System%\drivers\down\407609.exe
- http://djsoprano.cp.win.pl/files2.php -> %System%\drivers\down\407609.exe
- http://djthefox.com/files2.php -> %System%\drivers\down\407625.exe
- http://deniselinsconvites.com.br/files2.php -> %System%\drivers\down\407687.exe
- http://lotva.org/files2.php -> %System%\drivers\down\407703.exe
- http://oliwia.iskierka.org/files2.php -> %System%\drivers\down\407703.exe
- http://dospablos.es/files2.php -> %System%\drivers\down\407703.exe
- http://dponcemi.altervista.org/files2.php -> %System%\drivers\down\407718.exe
- http://drutplast.com.pl/files2.php -> %System%\drivers\down\407765.exe
- http://dudys.bx.pl/files2.php -> %System%\drivers\down\407765.exe
- http://dukedem.com/files2.php -> %System%\drivers\down\407781.exe
- http://dddesignstudio.com/files2.php -> %System%\drivers\down\407796.exe
- http://easylimo.es/files2.php -> %System%\drivers\down\407828.exe
- http://doctorlife.org/files2.php -> %System%\drivers\down\407859.exe
- http://eccesso.es/files2.php -> %System%\drivers\down\407859.exe
- http://ecobos.be/files2.php -> %System%\drivers\down\407875.exe
- http://www.edenvillage.it/files2.php -> %System%\drivers\down\407875.exe
- http://programaseducativos-salamanca.com/files2.php -> %System%\drivers\down\407890.exe
- http://www.ekogips.pl/files2.php -> %System%\drivers\down\407890.exe
- http://www.ekotap.pl/files2.php -> %System%\drivers\down\407906.exe
- http://elelfogris.com/files2.php -> %System%\drivers\down\407906.exe
- http://elemco.pl/files2.php -> %System%\drivers\down\407906.exe
- http://elitan.pl/files2.php -> %System%\drivers\down\407953.exe
- http://passecdl.co.uk/files2.php -> %System%\drivers\down\407953.exe
- http://www.elotron.com/files2.php -> %System%\drivers\down\407968.exe
- http://elpantalan.es/files2.php -> %System%\drivers\down\407968.exe
- http://industriascarnicaselrobledo.com/files2.php -> %System%\drivers\down\407984.exe
- http://www.enco-group.cz/files2.php -> %System%\drivers\down\407984.exe
- http://energiesport.com/files2.php -> %System%\drivers\down\407984.exe
- http://epamateohernandez.com/files2.php -> %System%\drivers\down\408000.exe
- http://eravamo100.altervista.org/files2.php -> %System%\drivers\down\408000.exe
- http://esf-ct.com/files2.php -> %System%\drivers\down\408031.exe
- http://espaciojoven.org/files2.php -> %System%\drivers\down\408046.exe
- http://www.espaceprojets-villejuif.fr/files2.php -> %System%\drivers\down\408062.exe
- http://www.eszterlancaruhaz.hu/files2.php -> %System%\drivers\down\408062.exe
- http://www.etalon-stroy.ru/files2.php -> %System%\drivers\down\408062.exe
- http://www.experiment.lv/files2.php -> %System%\drivers\down\408078.exe
- http://streetlions.com/files2.php -> %System%\drivers\down\408078.exe
- http://www.false-news.com/files2.php -> %System%\drivers\down\408093.exe
- http://falshpolcom.18.com1.ru/files2.php -> %System%\drivers\down\408093.exe
- http://www.concretosfamasa.com/files2.php -> %System%\drivers\down\408140.exe
- http://fermesdemarie.eolas-services.com/files2.php -> %System%\drivers\down\408156.exe
- http://fernandoaureliano.com/files2.php -> %System%\drivers\down\408156.exe
- http://fetems.org.br/files2.php -> %System%\drivers\down\408171.exe
- http://wolfsdonksport.be/files2.php -> %System%\drivers\down\408171.exe
- http://filibertovillalobosguijuelo.com/files2.php -> %System%\drivers\down\408171.exe
- http://finz-center.com/files2.php -> %System%\drivers\down\408187.exe
- http://www.fitdina.com/files2.php -> %System%\drivers\down\408187.exe
- http://fiveuk.fi.funpic.org/files2.php -> %System%\drivers\down\408203.exe
- http://flabs.net/files2.php -> %System%\drivers\down\408234.exe
- http://fomentocredito.es/files2.php -> %System%\drivers\down\408234.exe
- http://fortis-sf.home.pl/files2.php -> %System%\drivers\down\408250.exe
- http://fotoastur.com/files2.php -> %System%\drivers\down\408250.exe
- http://fouadovedia.com/files2.php -> %System%\drivers\down\408250.exe
- http://foxx.fan-sites.org/files2.php -> %System%\drivers\down\408265.exe
- http://frauen-ratgeber.com/files2.php -> %System%\drivers\down\408265.exe
- http://fritschiclean.ch/files2.php -> %System%\drivers\down\408281.exe
- http://www.kfzeintragsservice.de/files2.php -> %System%\drivers\down\408281.exe
- http://www.autometasuche.de./files2.php -> %System%\drivers\down\408281.exe
- http://www.s-w-services.co.uk/files2.php -> %System%\drivers\down\408328.exe
- http://www.bodis.at/files2.php -> %System%\drivers\down\408343.exe
- http://www.musikverein-grosswallstadt.de/files2.php -> %System%\drivers\down\408343.exe
- http://tripplexwelt.de/files2.php -> %System%\drivers\down\408359.exe
- http://www.weingut-giegerich.de/files2.php -> %System%\drivers\down\408359.exe
- http://www.tenbrink-online.de/files2.php -> %System%\drivers\down\408375.exe
- http://www.alphazip.com/files2.php -> %System%\drivers\down\408375.exe
- http://www.kayaks.cz/files2.php -> %System%\drivers\down\408390.exe
- http://galami.sk/files2.php -> %System%\drivers\down\408406.exe
- http://galateainteriorismo.com/files2.php -> %System%\drivers\down\408421.exe
- http://galixesol.com/files2.php -> %System%\drivers\down\408437.exe
- http://www.gan-psifas.co.il/files2.php -> %System%\drivers\down\408437.exe
- http://robertsandboles.co.nz/files2.php -> %System%\drivers\down\408468.exe
- http://gazetaszkolna.edu.pl/files2.php -> %System%\drivers\down\408468.exe
- http://gdri.si/files2.php -> %System%\drivers\down\408484.exe
- http://generation80.be/files2.php -> %System%\drivers\down\408531.exe
Heuristics Analysis
- Heuristically identified capability to terminate the following security related processes:
_avp32.exe
_avpcc.exe
_avpm.exe
ackwin32.exe
alertsvc.exe
alogserv.exe
anti-trojan.exe
antivirus.exe
ants.exe
apvxdwin.exe
armor2net.exe
atcon.exe
atupdater.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avengine.exe
avgcc32.exe
avgctrl.exe
avgnt.exe
avgserv.exe
avguard.exe
avgw.exe
avkserv.exe
avkservice.exe
avp.exe
avp32.exe
avpcc.exe
avpm.exe
avpupd.exe
avsched32.exe
avsynmgr.exe
avwupd32.exe
avwupsrv.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
blackd.exe
blackice.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
cfiaudit.exe
claw95.exe
claw95cf.exe
cleaner.exe
cleaner3.exe
cmgrdian.exe
cpd.exe
defwatch.exe
doors.exe
drweb32w.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
f-agnt95.exe
fameh32.exe
fast.exe
fch32.exe
firewall.exe
f-prot95.exe
frameworkservice.exe
frw.exe
fsav.exe
fsav32.exe
fsgk32.exe
fsm32.exe
fsma32.exe
fsmb32.exe
f-stopw.exe
guard.exe
iamapp.exe
iamserv.exe
icload95.exe
icloadnt.exe
icmon.exe
icssuppnt.exe
icsupp95.exe
icsuppnt.exe
iface.exe
iomon98.exe
isrv95.exe
jedi.exe
kavpf.exe
livesrv.exe
lockdown2000.exe
luall.exe
lucomserver.exe
luinit.exe
mcagent.exe
mcmnhdlr.exe
mcshield.exe
mcupdate.exe
mcvsshld.exe
minilog.exe
monitor.exe
moolive.exe
navapsvc.exe
navapw32.exe
navlu32.exe
navstub.exe
navw32.exe
navwnt.exe
ndd32.exe
neowatchlog.exe
nisum.exe
nmain.exe
nod32.exe
nod32krn.exe
normist.exe
notstart.exe
nprotect.exe
nsched32.exe
ntrtscan.exe
ntxconfig.exe
nupgrade.exe
nvc95.exe
nwservice.exe
outpost.exe
pavfires.exe
pavfnsvr.exe
pavproxy.exe
pavsrv51.exe
pcciomon.exe
pccntmon.exe
persfw.exe
pop3trap.exe
poproxy.exe
pxagent.exe
realmon.exe
rescue.exe
rtvscan.exe
rtvscn95.exe
rulaunch.exe
savscan.exe
scan32.exe
shstat.exe
smc.exe
sndsrvc.exe
sphinx.exe
spyxx.exe
ss3edit.exe
swnetsup.exe
symlcsvc.exe
symproxysvc.exe
taumon.exe
tc.exe
tca.exe
tcm.exe
tds-3.exe
tfak.exe
trjscan.exe
update.exe
updaterui.exe
vettray.exe
vptray.exe
vsecomr.exe
vshwin32.exe
vsmon.exe
vsserv.exe
vsstat.exe
watchdog.exe
webscanx.exe
webtrap.exe
wgfe95.exe
wradmin.exe
wrctrl.exe
xcommsvr.exe
zatutor.exe
zauinst.exe
zonealarm.exe
Downloaded File Summary:
- Download details:
- Download retrieved: 19 April 2009 12:18:38
- Processing time: 7 min 51 sec
- Downloaded sample:
- File MD5: 0x3F4F042FC88BC862989DD6702E19D917
- File SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
- Filesize: 99,844 bytes
- Alias:
- Trojan.Lodeight.C [Symantec]
- Email-Worm.Win32.Bagle.of [Kaspersky Lab]
- W32/Bagle.gen [McAfee]
- TROJ_BAGLE.AO [Trend Micro]
- Mal/Packer, Mal/Behav-191, Mal/Bagpk-D [Sophos]
- Worm:Win32/Bagle.gen!C [Microsoft]
- Email-Worm.Win32.Bagle [Ikarus]
- Win32/MalPackedB.suspicious [AhnLab]
- Trojan.Lodeight.C
- Summary of the findings:
What's been found (Severity Level)
- Creates a startup registry entry.
- Contains characteristics of an identified security risk.
Technical Details:
Possible Security Risk
- Attention! The following threat categories were identified:
Threat Category / Description
- A network-aware worm that attempts to replicate across the existing network(s)
- A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
File System Modifications
- The following file was created in the system:
- #1 Filename(s): %AppData%\m\flec006.exe [file and pathname of the sample #1]
- File Size: 99,844 bytes
- File Hash: MD5: 0x3F4F042FC88BC862989DD6702E19D917, SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
- Alias: Trojan.Lodeight.C [Symantec], Email-Worm.Win32.Bagle.of [Kaspersky Lab], W32/Bagle.gen [McAfee], TROJ_BAGLE.AO [Trend Micro], Mal/Packer, Mal/Behav-191, Mal/Bagpk-D [Sophos], Worm:Win32/Bagle.gen!C [Microsoft], Email-Worm.Win32.Bagle [Ikarus], Win32/MalPackedB.suspicious [AhnLab]
- Note:
- %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
- The following directory was created:
- %AppData%\m
Memory Modifications
- There were new processes created in the system:
Process Name / Process Filename / Main Module Size
- flec006.exe / %AppData%\m\flec006.exe / 261,617 bytes
- [filename of the sample #1] / [file and pathname of the sample #1] / 261,617 bytes
Registry Modifications
- The newly created Registry Value is:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- mule_st_key = "%AppData%\m\flec006.exe" (so that flec006.exe runs every time Windows starts)
Other details
- The following Host Name was requested from a host database:
- google.com