Sunday, April 26, 2009

That's a brain-teaser! The puzzle goes like this:


A family of four must cross a river within 17 minutes; if they have not reached the other bank by then, the place where they are standing will explode. There is a small boat by the river that can carry at most 2 people at a time. Their rowing times are: father 1 minute, mother 2 minutes, son 5 minutes and daughter 10 minutes. If the father and son cross first, the trip to the other bank takes 5 minutes (a crossing goes at the slower person's pace), and the father then needs another 1 minute to row back. How can they all get across within 17 minutes?


(1) 1+2 cross, 1 returns (2+1)
(2) 10+5 cross, 2 returns (10+2)
(3) 1+2 cross (2)
=> 17


賴賴與織織


賴賴:

http://www.wretch.cc/blog/Lionchain

織織:

http://www.wretch.cc/blog/innermi

txt2pdf,etc.

Enumerate Installed Devices Using Setup API

http://69.10.233.10/KB/system/EnumDevices.aspx

Scan2PDF

http://www.codeproject.com/KB/applications/Scan2PDF.aspx

Text2PDF

http://www.codeproject.com/KB/applications/Text2PDF.aspx

Smart Translator

http://www.codeproject.com/KB/applications/smarttranslator.aspx

WebReplay - an automated software testing tool for Web applications

http://www.codeproject.com/KB/applications/Web_Replay.aspx

Updater

http://www.codeproject.com/KB/applications/updater.aspx

WaterMarker

http://www.codeproject.com/KB/applications/WaterMarker.aspx

nth-root calculator

http://www.codeproject.com/KB/applications/caclulater.aspx

Calculater

Comics that are easy to take the wrong way

http://www.youtube.com/watch?gl=US&feature=player_embedded&v=_lzwXNI2FzY

MSN virus removal

The most obvious symptom of an MSN infection is that your own account starts forwarding infected files or malicious links to your contacts without your control, often with other unexplained problems as well. Below is a brief outline of how to deal with it:

Case 1: You received a link from a friend and carelessly clicked it:
These sites usually try to trick you into logging in with your account and password, for example sites on domains like xxx.info. Once the attacker has the credentials, a program can take over your account and keep spreading the link. Such sites are unlikely to leave a virus on your computer, though.
Remedy: change your account password on the official site as soon as possible, check whether your firewall and antivirus have been switched off, and clear all Temporary Internet Files and cookies. If you only visited the site and did not enter anything, you are unlikely to be affected.

Case 2: Infected by accepting a file:

/*********** Identifying the type ***********/
A new variant has recently appeared whose malicious file has a name made of random letters; its characteristics differ from the traditional MSN virus, but the symptoms are the same. I will provisionally call these the "random-name" MSN virus. So if you really are infected, before reading on you first need to know whether you have the "traditional" or the "random-name" type:
Basic steps:
Start > Run > type services.msc, click the "Name" column header to sort, and look for a service called Print Spooler Service (note: not Print Spooler!). The virus has started to show signs of variation, however, and its service has also been seen under these names:

Ati HotKey
Aventail VPN Client
BlueSoleilCS
BT Modem Lock
CMG Shield
Cognos ReportNet
CommServer
Compaq DMI Web Agent
Creative Labs Licensing
DigiCtrl
DQLWinService
Electronic Arts Licensing Service
SolidWorks Licensing Service

If you find one, read the section on the "random-name" MSN virus; if not, read the section on the "traditional" MSN virus.

/*********** The "random-name" MSN virus ***********/
Step 1: open Services (Start > Run > type services.msc)
This is where you just were. Right-click the service you found > Properties > under the "General" tab you will see "Path to executable"; the file it points to is the malicious file. Write it down, because it differs in every case, for example C:\Windows\system32\ppldji.exe. Then set "Startup type" to "Disabled" > OK. Note that if you have more than one MSN virus, you may not find all of them here, but step 2 will usually give you a clue.
Step 2: open regedit (Start > Run > type regedit)

1. Go to each of the following keys and check whether the right-hand pane contains the odd name you saw earlier, for example ppldji; delete it if so:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
Step 3: restart the computer.
Step 4: delete the odd file in C:\Windows\System32, for example ppldji.exe, together with the zip file you accidentally downloaded.
Step 5: download SREng http://www.kztechs.com/sreng/download.html

Open it, choose Startup Items > Services > Win32 Services (applications) > look under the service names for any of the names listed above; if found, select the item > Delete service > No, then restart the computer.

Step 6: go back over the previous steps and make sure the registry values and files no longer exist; you can then open MSN again!
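The identification and clean-up steps above can be checked from a script before anything is touched. The following PowerShell is an added example and not part of the original post: it lists every service whose display name is on the post's list, shows the executable it points to, and searches the four HKLM Run* keys from step 2 for values that reference that executable. It only reports. The `Get-ImageFile` helper and the output layout are this example's own choices, and it assumes Windows PowerShell 3.0 or later (for `Get-CimInstance`) run from an elevated prompt.

```powershell
# Added example: report-only triage for the "random-name" MSN virus pattern.
# Display names come from the post; the helper and layout are assumptions of this example.
# Requires Windows PowerShell 3.0+ (Get-CimInstance). Run from an elevated prompt.

$suspectDisplayNames = @(
    'Print Spooler Service', 'Ati HotKey', 'Aventail VPN Client', 'BlueSoleilCS',
    'BT Modem Lock', 'CMG Shield', 'Cognos ReportNet', 'CommServer',
    'Compaq DMI Web Agent', 'Creative Labs Licensing', 'DigiCtrl', 'DQLWinService',
    'Electronic Arts Licensing Service', 'SolidWorks Licensing Service'
)

# The four autostart keys the post tells you to inspect in step 2.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Properties that Get-ItemProperty adds to its output but that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Reduce a service command line to the executable path (drops quotes and arguments).
function Get-ImageFile {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

$hits = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $suspectDisplayNames -contains $_.DisplayName })

foreach ($svc in $hits) {
    $image   = Get-ImageFile $svc.PathName
    $exeName = if ($image) { [System.IO.Path]::GetFileName($image) } else { '' }
    # The post's pattern: a random-letter .exe living directly in System32.
    $inSystem32 = [bool]($image -and ($image -like "$env:SystemRoot\system32\*"))

    [pscustomobject]@{
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        ImagePath   = $image
        InSystem32  = $inSystem32
    } | Format-List

    # Step 2 of the post: look for Run* values that reference the same executable.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            if ($exeName -and ("$($p.Value)" -like "*$exeName*")) {
                "  Run entry referencing ${exeName}: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

if ($hits.Count -eq 0) { 'No service with a display name from the list was found.' }
```

Matching on display name alone gives false positives on machines that really have, say, Aventail or SolidWorks installed; the `ImagePath` and `InSystem32` columns are what separate a legitimate product service from a random-letter executable dropped into System32, so read those before disabling anything.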

/*********** The "traditional" MSN virus ***********/
Step 1: open regedit (Start > Run > type regedit)
1. First go to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Check whether the values in the right-hand pane include any of the following (mostly early MSN viruses):
antivirus
modems
mjd
printers
prodigy1
prodigy323
prodigys323
rdshost
rdfhost
rdihost
syshosts
system32
systrays (do not delete systray)
version1
w32s
= a CLSID string
If one is present, first note down the CLSID and the file it points to, then delete the value. If none is present, skip (2).
2. Delete [HKEY_CLASSES_ROOT\CLSID\{the CLSID you noted down}]
3. Go to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Check whether the values in the right-hand pane include any of the following; skip if none:
Application Layer Gateway Service
Application Layer Services
Audio Device Manager
cdspeed.exe
chcp.exe
Client Server Runtime Process
ehSched
Firefox Plugin Manager
jucheck
kfh
Local Security Authority Service
Logical Disk Detection
Machine Debug Mgr
Memory Allocation Server
MicrosoftService
MicrosoftServicer
Microsoft Genuine Logon
Microsoft Internet Explorer
Microsoft Spooler
Microsoft Visual Application
mono.exe
MSN
MSn Client Cfg
MSN Software
MSN UPNP
Mss Vc
nVidia Display Driver
perfmon.exe
rcimlby.exe
Remote Terminal Service
Server Runtime Server Subsystem
setpoint.exe
sndrec.exe
Spooler SubSystem App
sy
Syncronization
System Services Monitor
User Sharing Wizard
Userfile Sharing Server
usnsvc.exe
Volume Shadow Configuration
wab.exe
wdrmgf.exe
Winamp Agent (note the space: this is not WinampAgent)
Windows Audio Control
Windows Audio Startup
Windows Bool Service
Windows Boot
Windows Config
Windows Explorer
Windows Explorer Key
Windows Live Msgs
Windows Live Messenger
Windows Live Servicer
Windows Logon Application
Windows Lsass Services
Windows Messenger Share
Windwos MSN Updates
Windows Network Firewall
Windows Network Service
Windows Pool Manager
Windows Pool Setup
Windows Population Logger
Windows Remote Launcher
Windows Section Event
Windows Terminal Manager
Windows Video Input
Windows Volume Control
winfp.exe
winlogon
If any are present, first note down the file the value points to, then delete the whole value.
4. If you have a VBS-type virus, a warning keeps popping up mentioning something like C:\abc.vbs. In that case delete the entire "abc" key, [HKEY_CLASSES_ROOT\abc].
Step 2: close the registry editor and restart the computer.

Step 3: go to Control Panel > Folder Options > View > select "Show hidden files and folders" and untick "Hide protected operating system files" > OK.

Step 4: delete the files you noted down
1. If you find any of the following files under C:\, delete them:
?rsss.exe (? is any single letter)
smsss.exe
pif.exe
autorun.inf
a.bat
abc.vbs
cba.vbs
1.txt
2.txt
f uckrav.com
2. If you find any of the following under C:\Documents and Settings\<username>\, delete them:
auto.txt
new.txt
a .exe with a random 6-character alphanumeric name

3. If you find any of the following under C:\Windows\, delete them:
the zip file you accidentally downloaded (e.g. img301.zip, img1756.zip), plus the file you noted in step 1 item 3; it may be one of:
ati3evx.exe
cdspeed.exe
chcp.exe
firefoxpgm.exe
install.exe
jitbv.exe
livemessenger.com
logon.exe
mono.exe
msn.com
msnmsg.exe
msnmsgr.exe
msnmsgs.exe
mysexpic.exe
perfmon.exe
rcimlby.exe
sdfax.exe
service52.exe
setpoint.exe
sfhgj.exe
svchost.exe (remember that the real svchost.exe lives in C:\Windows\system32, and there are normally 5 or 6 of them running.)
system.exe
usnshare.exe
usnsvc.exe
vpcrtf.exe
wab.exe
wdfmgr.exe
winbool32.exe
windrivers.exe
winfp.exe
winlog32.exe
winpo32.exe
winsyshp.exe
wkssvr.exe
wndxp.exe
wnpmcs.exe
xaudiodev.exe
4. If you find any of the following under C:\Windows\System\, delete them:
ehsched.exe
explorer.exe
lsass.exe (the real lsass.exe is in system32!)
csrss.exe (the real csrss.exe is in system32!)
5. If you find any of the following under C:\Windows\System32\, delete them:
algs.exe
asrsvc.exe
audise.exe
ciserv.exe
csrs.exe
explorer.exe
firewall.exe
firewallav.dll
hs4viewer.dll
iexplore.exe
intlprinters.exe
isass.exe
kfh.exe
libcinet.exe
libweb.dll
libcintles2.dll
libcintles3.dll
logon.exe
lssas.exe
mdesvc.exe
mdn.exe
mrisvc.exe
msn.exe
msn.dll
msnclicfg.exe
msnfix.exe
msnlive.exe
msnsoftware.exe
msnupnp.exe
mssvc.exe
msync.exe
newsystem25.dll
nndsvc.exe
notiffy.dll
notice.dll
nvsvc64.exe
ongsvc.exe
poolmc.exe
poolsc.exe
ppnsvc.exe
prcsvc.exe
printers.exe
prodigy323.dll
prodigys323.dll
rdfhost.dll
rdihost.dll
rmbsvc.exe
rndsvc.exe
rpmsvc.exe
sdrec32.exe
service.exe
servicer.exe
sntsvc.exe
spooisv.exe
spoolsvc.exe
syshelps.dll
syshosts.dll
systrays.dll
sysprinters.dll
usnserv.exe
usnshare.exe
usnsrv.exe
usrserv.exe
vbmsvc.exe
viwsvc.exe
w32_mjd.dll
win422.dll
winamp.exe
winboot.exe
winconfig.exe
winlog32.dll
winiogon.exe
wkssvc.exe
wlivemsg.exe
wmssvc.exe
wnd32.exe
6. If you find any of the following under C:\Windows\System32\dllcache\, delete them:
jucheck.exe
winlogon.exe
7. In C:\Windows\System32\microsoft\, check for two files named backup.tftp and backup.ftp. If they are not there, skip this. If they are, do the following:
(i) rename backup.tftp to tftp.exe and backup.ftp to ftp.exe
(ii) copy tftp.exe and ftp.exe to C:\Windows\System32\ and C:\Windows\System32\dllcache\, replacing the existing files.
Step 5: done! You can go to Control Panel > Folder Options > View > select "Do not show hidden files and folders" and tick "Hide protected operating system files" > OK. You can now restart MSN!
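The two checks that carry most of the weight in the procedure above, resolving a ShellServiceObjectDelayLoad value to the DLL it loads and spotting copies or look-alikes of core system binaries in the wrong folder, can be done from a script before any deletion. The PowerShell below is an added example and not the post's own code: the value names, file names and folders are taken from the post's lists (a subset of the file names, chosen for the system-binary look-alikes); the CLSID resolver, the hash comparison against the genuine System32 file and the output layout are this example's own, and it assumes PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example: report-only audit for the "traditional" MSN virus pattern.
# Value names, file names and folders come from the post; the CLSID resolver and
# the output layout are this example's own. Requires PowerShell 4.0+ (Get-FileHash).

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Step 1, item 1: SSODL value names the post associates with early MSN viruses.
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodlSuspects = 'antivirus', 'modems', 'mjd', 'printers', 'prodigy1', 'prodigy323',
    'prodigys323', 'rdshost', 'rdfhost', 'rdihost', 'syshosts', 'system32', 'systrays',
    'version1', 'w32s'    # 'systray' without the trailing s is legitimate

# Each SSODL value is a CLSID; the DLL Explorer loads is that CLSID's InprocServer32 default value.
function Resolve-ClsidDll {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $path = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $path) { return (Get-ItemProperty -Path $path).'(default)' }
    }
    return '(no InprocServer32 found)'
}

function Get-SuspectSsodl {
    if (-not (Test-Path $ssodlKey)) { return }
    foreach ($p in (Get-ItemProperty -Path $ssodlKey).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if ($ssodlSuspects -contains $p.Name) {
            [pscustomobject]@{ ValueName = $p.Name; Clsid = "$($p.Value)"; Dll = Resolve-ClsidDll "$($p.Value)" }
        }
    }
}

# Step 4: core binaries in folders where the post says they do not belong, plus the
# look-alike names (isass, lssas, csrs, winiogon) from the post's System32 list.
$sys32 = Join-Path $env:SystemRoot 'system32'
$fileChecks = @(
    @{ Folder = $env:SystemRoot;                      Names = @('svchost.exe') },
    @{ Folder = (Join-Path $env:SystemRoot 'System'); Names = @('explorer.exe', 'lsass.exe', 'csrss.exe') },
    @{ Folder = $sys32;                               Names = @('explorer.exe', 'isass.exe', 'lssas.exe', 'csrs.exe', 'winiogon.exe') }
)

function Get-MisplacedBinaries {
    foreach ($check in $fileChecks) {
        foreach ($name in $check.Names) {
            $candidate = Join-Path $check.Folder $name
            if (-not (Test-Path $candidate)) { continue }
            # Compare with the genuine file of the same name in System32, when one exists.
            $genuine = Join-Path $sys32 $name
            $sameAsGenuine = $null   # stays $null when there is no counterpart to compare with
            if ($candidate -ine $genuine -and (Test-Path $genuine)) {
                $sameAsGenuine = (Get-FileHash $candidate -Algorithm SHA256).Hash -eq
                                 (Get-FileHash $genuine  -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Path          = $candidate
                SizeBytes     = (Get-Item $candidate).Length
                SameAsGenuine = $sameAsGenuine
            }
        }
    }
}

'--- ShellServiceObjectDelayLoad entries from the post''s list ---'
Get-SuspectSsodl | Format-Table -AutoSize
'--- Files in the wrong folder or with look-alike names ---'
Get-MisplacedBinaries | Format-Table -AutoSize
```

A `SameAsGenuine` of `False` for a file called svchost.exe in C:\Windows is exactly the situation the post warns about: same name as a system binary, different contents, in a folder the real one never uses.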

Startup items:

Autostart programs: ShellServiceObjectDelayLoad

ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad is an undocumented registry key. Components can be registered under it, and Explorer then loads them automatically at system startup.
This is how some viruses inject themselves into Explorer.
A familiar situation: Internet Explorer's home page is set to blank and the registry Run key is empty, yet every so often a strange web page pops up on its own. That is ShellServiceObjectDelayLoad at work.
O21 - autostart entries under the registry key ShellServiceObjectDelayLoad (SSODL)
Hunting down autostart programs [repost]
1. The classic startup: the "Startup" folder
Click Start → Programs and you will see a "Startup" menu; this is the most classic Windows startup location. Right-click the "Startup" menu and choose "Open" to open it (as shown in the figure). Every program and shortcut inside it runs automatically at system startup. The most common startup locations are:
Current user: <C:\Documents and Settings\用戶名\「開始」功能表\程式\啟動>
All users: <C:\Documents and Settings\All Users\「開始」功能表\程式\啟動>
2. The well-known startup: registry autostart entries
The registry is where startup programs hide most often; the main entries are:
1. The Run key
The Run key is the virus's favourite autostart location. It lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]; every program listed under it is executed in order at each logon.
There is another, easily overlooked Run key at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]; check it carefully as well.
2. The RunOnce key
RunOnce lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. Unlike Run, the programs under RunOnce are executed automatically only once.
3. The RunServicesOnce key
RunServicesOnce lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]; the programs under it run once, automatically, while the system loads.
4. The RunServices key
RunServices holds programs started after those in RunServicesOnce; it lives at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices].
5. The RunOnceEx key
This autostart key is specific to Windows XP/2003 and lives at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx].
6. The load value
The program named in the load value under [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] also autostarts.
7. The Winlogon key
This key lives at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. Note that the Notify, Userinit and Shell values beneath it can also hold autostart programs, and their values may be comma-separated, so that several programs start at logon.
8. Other registry locations
A few other values frequently have programs running from them, for example:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Tip
The difference between [HKEY_LOCAL_MACHINE] and [HKEY_CURRENT_USER]: the former applies to all users, the latter only to the current user.
3. The ancient startup: the autoexec batch file
Anyone who came up through DOS knows autoexec.bat (in the root of the system drive), the batch file that runs automatically when the computer starts. Many early viruses targeted it, using dangerous commands such as deltree and format to destroy data on the hard disk. The "C-drive killer", for example, used the single command "deltree /y c:\*.*" to delete everything on drive C as soon as the computer started, claiming countless victims.
Tips
★ In Windows 98, Autoexec.bat has a sibling, Winstart.bat; winstart.bat lives in the Windows folder and also runs automatically at startup.
★ In Windows Me/2000/XP, neither batch file is executed by default.
4. The common startup: system configuration files
The Windows configuration files (Win.ini, System.ini and wininit.ini) also load some automatically run programs.
1. Win.ini
Open Win.ini in Notepad; executables can be appended directly after the "Run=" and "LOAD=" lines in the [windows] section, simply by writing the program name and path after the "=".
Tip
A program after "load=" runs minimized after autostart, whereas a program after "run=" runs normally.
2. System.ini
Open System.ini in Notepad and find the "shell=" line in the [boot] section. It defaults to "shell=Explorer.exe", which runs the Windows shell explorer.exe at startup. Viruses are not polite: the "Yaozhiwen" (妖之吻) virus simply changes it to "shell=c:\yzw.exe", and if you forcibly delete the virus program yzw.exe, Windows reports an error and asks you to reinstall; scary, isn't it? Politer viruses change the line to "shell=Explorer.exe <other program>"; when you see that, the other program name is certainly the virus (as shown in the figure).
3. wininit.ini
wininit.ini is a system configuration file that many users easily overlook, because it is deleted automatically after Windows runs it at startup, meaning that its commands execute only once. It is mainly generated by software installers to operate on files that cannot be deleted, updated or renamed once the Windows graphical interface has started. If a virus writes dangerous commands into it, the consequences are the same as with the "C-drive killer".
Tips
★ If you do not know where these files are, press F3 to open the "Search" dialog and search for them;
★ Click Start → Run, type sysedit and press Enter to open the "System Configuration Editor" (Figure 2), where you can conveniently view and edit the files above.
5. The smart startup: startup/shutdown/logon/logoff scripts
In Windows 2000/XP, click Start → Run, type gpedit.msc and press Enter to open the Group Policy Editor. In the left pane expand Local Computer Policy → User Configuration → Administrative Templates → System → Logon, then double-click "Run these programs at user logon" in the right pane and click "Show"; the autostart programs are listed under "Items to run at logon".
6. The scheduled startup: Task Scheduler
By default the Task Scheduler starts with Windows and runs in the background. If a program is added to the Scheduled Tasks folder with its schedule set to "At system startup" or "At logon", it autostarts too. Programs loaded through Scheduled Tasks usually have an icon in the system tray. You can also double-click "Scheduled Tasks" in Control Panel to view the entries.
Tip
"Scheduled Tasks" is also a special system folder; click Start → Programs → Accessories → System Tools → Scheduled Tasks to open it for viewing and management.
7. Piggy-backing startup: programs launched by other software
For programs launched together with MyIE2, see the article "MyIE2 tips you will use for life" in issues 3 and 4 (2004) of this magazine.
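Sections 2 and 4 above describe the same thing twice, once for the registry and once for the INI files: a small set of well-known locations whose values are command lines that run at logon. The PowerShell below is an added example and not part of the original article: an Autoruns-style enumerator that walks the registry keys named in section 2 (splitting the comma-separated Winlogon values as point 7 describes) and parses the [windows] load=/run= and [boot] shell= entries of section 4, flagging a shell= that is anything other than plain Explorer.exe. It only reads. The function names, the output shape and the INI parser are this example's own; it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only enumeration of the autostart locations described in
# sections 2 and 4 of the article. Function names, output shape and the INI parser
# are this example's own choices. Requires PowerShell 3.0+.

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryAutoruns {
    $hives = 'HKLM', 'HKCU'
    $subKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'Software\Microsoft\Windows\CurrentVersion\RunServices',
        'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($hive in $hives) {
        foreach ($sub in $subKeys) {
            $key = "${hive}:\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($metaProps -contains $p.Name) { continue }
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = "$($p.Value)"; Suspicious = $false }
            }
        }
    }
    # Point 7: Winlogon Shell and Userinit may be comma-separated lists of programs.
    foreach ($hive in $hives) {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { continue }
        $wl = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $raw = "$($wl.$name)"
            if (-not $raw) { continue }
            $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            foreach ($entry in $entries) {
                # More than one entry, or a Shell other than explorer.exe, is the pattern to look at.
                $odd = ($entries.Count -gt 1) -or ($name -eq 'Shell' -and $entry -ine 'explorer.exe')
                [pscustomobject]@{ Location = "$key\$name"; Name = $name; Command = $entry; Suspicious = $odd }
            }
        }
    }
    # Point 6: the load (and run) values under Windows NT\CurrentVersion\Windows.
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    if (Test-Path $winKey) {
        $w = Get-ItemProperty -Path $winKey
        foreach ($name in 'load', 'run') {
            if ("$($w.$name)") {
                [pscustomobject]@{ Location = $winKey; Name = $name; Command = "$($w.$name)"; Suspicious = $true }
            }
        }
    }
}

# Section 4: [windows] load=/run= in win.ini and [boot] shell= in system.ini.
function Get-IniAutoruns {
    param([string]$WindowsDir = $env:SystemRoot)
    $targets = @(
        @{ File = 'win.ini';    Section = 'windows'; Entries = @('load', 'run') },
        @{ File = 'system.ini'; Section = 'boot';    Entries = @('shell') }
    )
    foreach ($t in $targets) {
        $path = Join-Path $WindowsDir $t.File
        if (-not (Test-Path $path)) { continue }
        $section = ''
        foreach ($line in Get-Content -Path $path) {
            $line = $line.Trim()
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
            if ($section -ne $t.Section -or $line -notmatch '^([^=;]+)=(.*)$') { continue }
            $k = $Matches[1].Trim().ToLower(); $v = $Matches[2].Trim()
            if ($t.Entries -contains $k -and $v) {
                # Any shell= other than plain Explorer.exe is what the article warns about.
                $odd = ($k -eq 'shell' -and $v -ine 'Explorer.exe')
                [pscustomobject]@{ Location = "$path [$section]"; Name = $k; Command = $v; Suspicious = $odd }
            }
        }
    }
}

Get-RegistryAutoruns | Sort-Object Location, Name | Format-Table -AutoSize
Get-IniAutoruns | Format-Table -AutoSize
```

On NT-based systems the INI entries are largely ignored in favour of the registry, which is why the Winlogon Shell/Userinit values are the ones to read most carefully; a legitimate Userinit is normally a single entry ending in userinit.exe, and anything appended after the comma runs at every logon.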
Part 2: all-round battle
A thorough audit of Windows autostart
1. Viewing startup programs from "System Information"
Click Start → Programs → Accessories → System Tools → System Information, double-click "Software Environment" and click "Startup Programs"; the programs shown in the right pane are all the autostart programs, and "Load From" / "Location" shows whether each is started from the registry or from the "Startup" folder. You can only view autostart programs here; you cannot disable them or make any other change.
Type: built-in Windows feature
Rating: ★★★★
2. MSConfig
In Windows 98/Me/XP/2003, click Start → Run, type msconfig and press Enter to open the "System Configuration Utility". Click the "Startup" tab; the list shows the programs autostarted from the registry, the "Startup" folder and the system configuration files. Programs with a tick are allowed to autostart; those without a tick will not. To stop a program from autostarting, clear the tick in front of it. You can also edit autoexec.bat, system.ini and win.ini on their own tabs and cancel the autostart programs there.
Tips
★ All changes take effect only after a restart.
★ Windows 2000 has no msconfig, but you can copy one from Windows 98 or XP into the system32 directory and it works just the same.
Type: free, from Microsoft
Rating: ★★★★
3. startup.cpl
Just copy startup.cpl into the system32 folder under the Windows installation directory, then click Start → Settings → Control Panel and you will find a new Startup item. Double-click it; in the dialog you can conveniently manage the startup entries in the "Startup" folder and the registry: right-click an empty area to create a new entry, or right-click an existing entry to edit, delete, disable or immediately run it.
Type: free, portable
Rating: ★★★★★
4. StartupMonitor
Double-click StartupMonitor.msi to install it. Once installed it sits quietly in the background using just over 100 KB of memory. When does it show its worth? When a program you install tries to add itself to autostart on the sly, it first has to get past StartupMonitor (as shown in the figure); it casts a very wide net and lets no program through. Strongly recommended by Yuge (漁歌).
Type: free, small and practical
Rating: ★★★★★
5. StartStop
After installation it adds itself to the registry RunOnce autostart; once started it shrinks to a small tray icon, and double-clicking that opens the StartStop main window, which lists the local startup programs. Right-click a program to choose always start, never start, or ask every time (as shown in the figure). One distinctive feature: Options → Startup delay lets you set how long to wait before starting a program.
Type: free, distinctive
Rating: ★★★★
6. Autoruns
Download autoruns.zip, unpack it and run autoruns.exe directly; since it does not load at startup it is even more "portable". Double-click autoruns.exe to open the interface: it not only lists a very complete set of startup entries, it also shows each startup program's company and path in detail, and if that is not enough you can right-click an entry and choose Properties to view the file's properties. It has two more distinctive features: right-click any entry and choose "Jump to" to jump straight to its location, such as the exact registry value, the Startup folder or the INI file, which is very handy; and the View menu lets you toggle whether to show all startup locations, whether to show started services, and whether to show only non-Microsoft entries, which is very useful for checking and filtering entries.
Type: free, portable
Rating: ★★★★★
7. Startup Organizer
Startup Organizer's organisation and management of autostart entries is powerful, and its control of startup items is fairly fine-grained: it can set a sound prompt for an entry, make the start of certain programs depend on a key pressed during Windows startup, back up the autostart configuration for emergency recovery, compare changes in the startup programs, and restore the defaults from its first run. It is also fairly easy to use; the only regret is that it is not free.
Type: shareware, 30-day free trial

Windows: a complete summary of autostart methods!

1. Startup items:
Start → Programs → Startup; add applications or shortcuts here.
This is the most common and simplest startup method in Windows. If you want certain files to start at boot, you can drag them in or create shortcuts in it. Most viruses today do not use this startup method, though a few do.
Path: C:\Documents and Settings\Owner\「開始」功能表\程式\啟動
2. The second startup folder:
This one is obvious yet often overlooked; it is used exactly like the first startup folder. Just find the directory and drag the files you want started into it.
Path:
C:\Documents and Settings\User\「開始」功能表\程式\啟動
3. Startup from system configuration files:
Many people are unfamiliar with the system configuration files, and many viruses start this way.
1) WIN.INI startup:
Startup location (xxx.exe is the name of the file to start):
[windows]
load=xxx.exe [with this method the file runs in the background]
run=xxx.exe [with this method the file runs normally]
2) SYSTEM.INI startup:
Startup location (xxx.exe is the name of the file to start):
The default is:
[boot]
Shell=Explorer.exe [Explorer.exe is the Windows program manager / Windows Explorer; this is normal]
With a startable file appended it becomes:
[boot]
Shell= Explorer.exe xxx.exe [many viruses now use this startup method; starting alongside Explorer hides them well]
Note: SYSTEM.INI differs from WIN.INI: the SYSTEM.INI entry can start only one specified file. Do not change Shell=Explorer.exe xxx.exe to Shell=xxx.exe, or Windows will be crippled!
3) WININIT.INI startup:
WinInit is the Windows Setup Initialization Utility.
It makes the system run some commands, including copy, delete and rename, before Windows loads, in order to update files.
File format:
[rename]
xxx1=xxx2
This means: copy file xxx2 to the name xxx1, i.e. overwrite xxx1.
To delete a file, use:
[rename]
nul=xxx2
All file names above must include the full path.
4) WINSTART.BAT startup:
This is the system startup batch file, used mainly to copy and delete files. For example, when some software leaves residue after uninstalling, this is where it comes in.
Example:
"@if exist C:\WINDOWS\TEMPxxxx.BAT call C:\WINDOWS\TEMPxxxx.BAT"
This executes the file xxxx.BAT.
5) USERINIT.INI startup [added 2/2]:
Some viruses use this startup method as well; it works the same way as SYSTEM.INI.
6) AUTOEXEC.BAT startup:
A common startup method; viruses use it to perform actions. AUTOEXEC.BAT may contain malicious code such as format c: /y and the like.
4. Registry startup:
Starting via the registry is the most frequently used method in Windows.
-----------------------------------------------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\System\ControlSet001\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\本地User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Services\WinSock\Parameters\Protocol_Catalog9
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
5. Other startup methods:
(1) The C:\Explorer.exe startup method:
Few people know this one.
Under Win9X, SYSTEM.INI specifies only the name of the Windows shell file Explorer.exe, not its absolute path, so Win9X has to search for Explorer.exe.
The search order is:
(1) The current directory.
(2) If Explorer.exe is not found, the system reads
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path] to obtain a relative path.
(3) If the file is still not found, the system reads [HKEY_CURRENT_USER\Environment\Path] to obtain a relative path.
The relative paths stored in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path] and [HKEY_CURRENT_USER\Environment\Path] are "%SystemRoot%System32;%SystemRoot%" and empty, respectively.
Since the "current directory" at system startup is certainly %SystemDrive% (the system drive), the order in which the system searches for Explorer.EXE is:
(1) %SystemDrive% (e.g. C:\)
(2) %SystemRoot%System32 (e.g. C:\WINNT\SYSTEM32)
(3) %SystemRoot% (e.g. C:\WINNT)
So if a file named Explorer.EXE is placed in the root of the system drive, the system will start that one at every boot instead of the Explorer.exe in the Windows directory.
On the WinNT family, Windows NT/2000 pay more attention to where the Explorer.exe file is, and put the name of the shell file used at startup in:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]; in Windows 2000 SP2 Microsoft changed this mechanism.
(2) The screensaver startup method:
A Windows screensaver is a *.scr file, which is an executable PE file. If you rename a *.scr to *.exe the program still starts normally, and likewise an *.exe renamed to *.scr still runs.
The path is stored in the SCRNSAVE.EXE= line of System.ini, e.g. SCRNSAVE.EXE=%system32%\xxxx.scr
This startup method carries some risk.
(3) The Scheduled Tasks startup method:
Windows' Scheduled Tasks feature starts a given program at a given time; this startup method is quite stealthy.
Start → Programs → Accessories → System Tools → Scheduled Tasks, then follow the steps.
(4) The AutoRun.inf startup method:
Autorun.inf comes into play when a CD is loaded: when a disc is inserted, the drive uses this file's contents to decide whether to open what is on the disc.
Autorun.inf typically contains:
[AUTORUN]
OPEN=filename.exe
ICON=icon.ico
1. For a trojan named xxx.exe, Autorun.inf could read:
OPEN=Windows\xxx.exe
ICON=xxx.exe
Then every double-click on drive C runs the trojan xxx.exe.
2. Put Autorun.inf in the root of drive C with this content:
OPEN=D:\xxx.exe
ICON=xxx.exe
Double-clicking drive C then runs xxx.exe on drive D.
(5) The changed-extension startup method:
Changing the extension (*.exe)
For example, an *.exe can be renamed to *.bat, *.scr or another extension and still be started.
6. The VxD virtual device driver startup method:
An application gains control of a Windows 9X system through a dynamically loaded VxD virtual device driver (VxDs apply only to Windows 95/98/Me).
A VxD is a 32-bit executable that manages system resources such as hardware devices or installed software so that several applications can use those resources at the same time.
7. The service startup method:
Start → Run → type "services.msc" (without the quotes) to manage services.
Under the "Startup type" option you can set how a service starts: automatically when the system starts, manually, disabled, or paused (it starts again after a restart).
Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Programs started as services run in the background; the domestic trojan "Gray Pigeon" (灰鴿子), for example, uses this method to start in the background and steal user information.
8. The driver startup method:
Some viruses disguise themselves as hardware drivers in order to start.
1. Drivers that ship with the operating system [starting via the OS's own standard drivers]
2. Drivers that ship with the hardware [starting via the hardware's own standard drivers]
3. Drivers faked by the virus itself [starting via a standard driver faked by the virus]
Added 2006-03-11 [from peter_yu]:
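The "other startup methods" in section 5 are each a single file or value that a reader can verify directly: an Explorer.exe sitting in the root of the system drive, an Autorun.inf in a drive root, and the configured screensaver (which, as the text notes, is a PE executable whatever its extension). The PowerShell below is an added example and not part of the original article: it checks those three places, parses the [autorun] section of any Autorun.inf it finds, and confirms that the screensaver file really begins with the "MZ" header of a PE file. The function names, the parser and the output format are this example's own; it reads the modern per-user screensaver value `HKCU\Control Panel\Desktop\SCRNSAVE.EXE` (listed in the registry table above) rather than the System.ini line, and assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only checks for the "other startup methods" in section 5.
# Function names, the Autorun.inf parser and the output format are this example's own.
# Requires PowerShell 3.0+.

# (1) A stray Explorer.exe in the root of the system drive (the Win9X search-order trick).
function Test-RootExplorer {
    $p = Join-Path ($env:SystemDrive + '\') 'Explorer.exe'
    [pscustomobject]@{ Check = 'Root Explorer.exe'; Path = $p; Present = (Test-Path $p); Detail = '' }
}

# (4) Parse the [autorun] section of an Autorun.inf and return its launch directives.
function Read-AutorunInf {
    param([string]$Path)
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '^([^=;]+)=(.*)$') { continue }
        $k = $Matches[1].Trim().ToLower(); $v = $Matches[2].Trim()
        # open= and shellexecute= launch directly; shell\<verb>\command= runs on a context-menu verb.
        if ($k -eq 'open' -or $k -eq 'shellexecute' -or $k -like 'shell\*\command') {
            [pscustomobject]@{ Check = 'Autorun.inf'; Path = $Path; Present = $true; Detail = "$k=$v" }
        }
    }
}

function Get-DriveAutoruns {
    # DriveType 2 = removable, 3 = fixed; the article's example is the root of drive C.
    Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 } | ForEach-Object {
        $inf = Join-Path ($_.DeviceID + '\') 'Autorun.inf'
        if (Test-Path $inf) { Read-AutorunInf -Path $inf }
    }
}

# (2) The configured screensaver: where it lives and whether it is a PE file ("MZ" header).
function Get-ScreenSaver {
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $scr = "$($desk.'SCRNSAVE.EXE')"
    if (-not $scr) {
        return [pscustomobject]@{ Check = 'Screensaver'; Path = '(none set)'; Present = $false; Detail = '' }
    }
    $present = Test-Path $scr
    $isPe = $false
    if ($present) {
        $fs = [System.IO.File]::OpenRead($scr)
        try { $hdr = New-Object byte[] 2; $n = $fs.Read($hdr, 0, 2) } finally { $fs.Dispose() }
        $isPe = ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
    }
    $inSys32 = $scr -like (Join-Path $env:SystemRoot 'system32\*')
    [pscustomobject]@{
        Check = 'Screensaver'; Path = $scr; Present = $present
        Detail = "PE=$isPe; InSystem32=$inSys32"
    }
}

@(Test-RootExplorer) + @(Get-DriveAutoruns) + @(Get-ScreenSaver) | Format-Table -AutoSize
```

A screensaver that is a valid PE but lives outside System32, or an Autorun.inf in the root of a fixed disk whose open= points at another drive (the article's second example), are the two outputs worth following up; an Autorun.inf on a removable disk with an open= line is normal for installer media.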
windir\Start Menu\Programs\Startup\
User\Startup\
All Users\Startup\
windir\system\iosubsys\
windir\system\vmm32\
windir\Tasks\
c:\explorer.exe
c:\autoexec.bat
c:\config.sys
windir\wininit.ini
windir\winstart.bat
windir\win.ini - [windows] "load"
windir\win.ini - [windows] "run"
windir\system.ini - [boot] "shell"
windir\system.ini - [boot] "scrnsave.exe"
windir\dosstart.bat
windir\system\autoexec.nt
windir\system\config.nt
Added 2006-03-25 [from smzd2005]:
Folder.htt
desktop.ini
C:\Documents and Settings\用戶名\Application Data\Microsoft\Internet Explorer\Desktop.htt
Added 2006-08-01 [more registry startup locations]:
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices
HKCU\ftp\shell\open\command
HKCR\ftp\shell\open\command
HKCU\Software\Microsoft\ole
HKCU\Software\Microsoft\Command Processor
HKLM\SOFTWARE\Classes\mailto\shell\open\command
HKLM\SOFTWARE\Classes\PROTOCOLS
HKCR\PROTOCOLS
HKCU\Control Panel\Desktop
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\scripts
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell folders\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
HKLM\Software\Microsoft\Active Setup\Installed Components
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Added 2006-08-06 [more registry startup locations]:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Saturday, April 25, 2009

minidump

Trapping Bugs with BlackBox

Updated:26 May 2003

http://www.codeproject.com/KB/applications/blackbox.aspx

XCrashReport : Exception Handling and Crash Reporting - Part 1

Posted:20 Oct 2003

http://www.codeproject.com/KB/debug/XCrashReportPt1.aspx

XCrashReport : Exception Handling and Crash Reporting - Part 2

Posted:20 Oct 2003

http://www.codeproject.com/KB/debug/XCrashReportPt2.aspx

XCrashReport : Exception Handling and Crash Reporting - Part 3

Posted:20 Oct 2003

http://www.codeproject.com/KB/debug/XCrashReportPt3.aspx

Microsoft Debugging Tools

Own Crash Minidump with Call Stack

Updated:18 Nov 2004

http://www.codeproject.com/KB/applications/minidump.aspx

Catch All Bugs with BugTrap!

Updated:31 Jan 2009

http://www.codeproject.com/KB/applications/BugTrap.aspx

BugTrap downloads

You may download BugTrap documentation, setup and source code absolutely for free!

http://www.intellesoft.net/downloads.php

Saturday, April 18, 2009

ThreatExpert:

http://blog.threatexpert.com/

ThreatExpert is a site for analysing suspicious files. Online submission: http://www.threatexpert.com/submit.aspx. Upload a suspicious file and a report comes back within a few minutes.

hldrrr.exe srosa.sys bagle

Submission Summary:

  • Submission details:
    • Submission received: 19 April 2009, 12:09:13
    • Processing time: 9 min 24 sec
    • Submitted sample:
      • File MD5: 0x113554AB42E9EF2B530284E51370C507
      • File SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
      • Filesize: 655,360 bytes
      • Alias:
  • Summary of the findings:

What's been found
Severity Level

Capability to terminate Antivirus, Firewall and other security related processes.

Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).

Downloads/requests other files from Internet.

Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.

Creates a startup registry entry.

Contains characteristics of an identified security risk.


Possible Security Risk

  • Attention! Characteristics of the following security risks were identified in the system:

Security Risk
Description

Trojan-Downloader.Bagle
Trojan.Downloader.Bagle runs in the background and attempts to download malicious files from the Internet without the user's knowledge.

Trojan.Lodear.D
Trojan.Lodear.D is a trojan that will install itself onto infected computers so it will start everytime the system reboots. It will also try to download and install additional malware from a list of predetermined websites.

Rootkit.Agent
Rootkit.Agent is a trojan that hijacks the browser in order to produce pop-up advertisements from known bad sites, and also has rootkit functionality in order to hide itself as a system driver.

  • Attention! The following threat categories were identified:

Threat Category
Description


A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


A program that downloads files to the local computer that may represent security risk


A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

  • The following files were created in the system:

1. %System%\drivers\hldrrr.exe
   [file and pathname of the sample #1]
   File Size: 655,360 bytes
   File Hash: MD5: 0x113554AB42E9EF2B530284E51370C507, SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
   Alias: Trojan.DL.Bagle.ZPL [PCTools], W32.Beagle.EB [Symantec], Trojan-Downloader.Win32.Bagle.ajd [Kaspersky Lab], Downloader.gen.a [McAfee], Troj/Agent-GQY [Sophos], TrojanDownloader:Win32/Bagle.RN [Microsoft], Trojan-Downloader.Win32.Bagle [Ikarus], Win-Trojan/Bagle.655360 [AhnLab]

2. %System%\drivers\srosa.sys
   File Size: 100,352 bytes
   File Hash: MD5: 0x09348BABE24297C2911724AD90FC773B, SHA-1: 0x004F941EB05890E960337074F79B83E6A7577C08
   Alias: Rootkit.Bagle.Gen.21 [PCTools], Trojan Horse [Symantec], Trojan-Downloader.Win32.Bagle.jh [Kaspersky Lab], Generic Downloader.x [McAfee], Trojan:WinNT/Bagle.gen!B [Microsoft], Trojan-Downloader.Win32.Bagle [Ikarus], Win-Trojan/Bagle.100352 [AhnLab]

  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following directory was created:
    • %System%\drivers\down
  • The following directory was deleted:
    • [pathname with a string SHARE]\shared
  • The following system services were modified:

Service Name   Display Name                                         New Status   Service Filename
ALG            Application Layer Gateway Service                    "Stopped"    %System%\alg.exe
SharedAccess   Windows Firewall/Internet Connection Sharing (ICS)   "Stopped"    %System%\svchost.exe -k netsvcs
wscsvc         Security Center                                      "Stopped"    %System%\svchost.exe -k netsvcs
wuauserv       Automatic Updates                                    "Stopped"    %System%\svchost.exe -k netsvcs

  • There was a new kernel-mode driver installed in the system:

Driver Name   Driver Filename
Megadrv3      %System%\drivers\srosa.sys
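The report above gives a host-side responder everything needed for a quick yes/no check: two dropped files with hashes, a driver service, four security services the sample stops, and the SafeBoot keys it deletes. The PowerShell below is an added example and not part of the ThreatExpert report or the blog post: it checks a host against exactly those indicators and reports without changing anything. Hashes, file names, service names and key names are copied from the report; the function names and output layout are this example's own, and it assumes PowerShell 4.0 or later for `Get-FileHash` and an elevated prompt so the driver folder and service list are readable.

```powershell
# Added example: read-only check of a host against the indicators in the ThreatExpert
# report above. Indicator values come from the report; script structure is this example's own.
# Requires PowerShell 4.0+ (Get-FileHash); run elevated.

$sys = Join-Path $env:SystemRoot 'system32'   # %System% on Windows XP and later

# Dropped files and their hashes, from the "File System Modifications" section.
$fileIocs = @(
    @{ Path = (Join-Path $sys 'drivers\hldrrr.exe'); Md5 = '113554AB42E9EF2B530284E51370C507'; Sha1 = '661783D44061A4AD2077F6C47DBFDDA5AF57A1FE' },
    @{ Path = (Join-Path $sys 'drivers\srosa.sys');  Md5 = '09348BABE24297C2911724AD90FC773B'; Sha1 = '004F941EB05890E960337074F79B83E6A7577C08' }
)

function Test-FileIoc {
    param([hashtable]$Ioc)
    $present = Test-Path $Ioc.Path
    $md5Match = $false; $sha1Match = $false
    if ($present) {
        $md5Match  = (Get-FileHash -Path $Ioc.Path -Algorithm MD5).Hash  -ieq $Ioc.Md5
        $sha1Match = (Get-FileHash -Path $Ioc.Path -Algorithm SHA1).Hash -ieq $Ioc.Sha1
    }
    # A present file whose hashes do not match may be a different build of the same family.
    [pscustomobject]@{ Indicator = $Ioc.Path; Present = $present; State = "MD5=$md5Match SHA1=$sha1Match" }
}

function Test-ServiceIocs {
    # The four services the report shows as "Stopped" after the sample ran.
    foreach ($name in 'ALG', 'SharedAccess', 'wscsvc', 'wuauserv') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $state = if ($svc) { $svc.State } else { '(missing)' }
        [pscustomobject]@{ Indicator = "service $name"; Present = [bool]$svc; State = $state }
    }
    # The kernel-mode driver the report lists (service key srosa, driver name Megadrv3).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='srosa' OR DisplayName='Megadrv3'"
    $dstate = if ($drv) { $drv.State } else { '(absent)' }
    [pscustomobject]@{ Indicator = 'driver srosa / Megadrv3'; Present = [bool]$drv; State = $dstate }
}

function Test-SafeBoot {
    # The sample deletes SafeBoot\Minimal and SafeBoot\Network; their absence is a strong signal.
    foreach ($k in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k"
        $present = Test-Path $path
        $state = if ($present) { "$(@(Get-ChildItem -Path $path).Count) subkeys" } else { 'DELETED' }
        [pscustomobject]@{ Indicator = "SafeBoot\$k"; Present = $present; State = $state }
    }
}

$results = @($fileIocs | ForEach-Object { Test-FileIoc $_ }) + @(Test-ServiceIocs) + @(Test-SafeBoot)
$results | Format-Table -AutoSize
```

Two of the findings deserve a different reaction from the rest: a missing SafeBoot\Minimal or SafeBoot\Network key means Safe Mode will not boot until the key is restored from a clean machine of the same Windows version, and the srosa driver being in a Running state means any file listing or hash taken from that running system may be filtered by the rootkit, so the file checks should be repeated from offline media before trusting a negative result.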

Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum
    • HKEY_CURRENT_USER\Software\FirstRRRun
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy\Settings
  • The following Registry Keys were deleted:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
      • EnableLUA = 0x00000000 (turns User Account Control off on Windows Vista and later; it has no effect on Windows XP, which has no UAC)
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc]
      • EnableLUA = 0x00000016
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "srosa"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
      • Service = "srosa"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum]
      • 0 = "Root\LEGACY_SROSA\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
      • Type = 0x00000001 (SERVICE_KERNEL_DRIVER)
      • Start = 0x00000001 (SERVICE_SYSTEM_START: loaded by the I/O manager during kernel initialisation, before user-mode services)
      • ErrorControl = 0x00000000
      • ImagePath = "%System%\drivers\srosa.sys"
      • DisplayName = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "srosa"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]
      • Service = "srosa"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum]
      • 0 = "Root\LEGACY_SROSA\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
      • Type = 0x00000001 (SERVICE_KERNEL_DRIVER)
      • Start = 0x00000001 (SERVICE_SYSTEM_START: loaded by the I/O manager during kernel initialisation, before user-mode services)
      • ErrorControl = 0x00000000
      • ImagePath = "%System%\drivers\srosa.sys"
      • DisplayName = "Megadrv3"
    • [HKEY_CURRENT_USER\Software\FirstRRRun]
      • First12Ru123n = 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • drvsyskit = "%System%\drivers\hldrrr.exe"

      so that hldrrr.exe runs every time Windows starts
  • The following Registry Values were deleted:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
      • C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\ = ""
      • C:\WINDOWS\Installer\{4275B162-C5C0-4912-9522-E92FE1C4E21D}\ = ""
      • C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\{3966BA0C-23BA-4B20-9B9D-7561DEC54E6A}\ = ""
      • C:\Program Files\VMware\VMware Tools\Drivers\memctl\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\amd64\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\i386\ = ""
      • C:\Program Files\VMware\VMware Tools\vmci\ = ""
      • C:\WINDOWS\Installer\{3B410500-1802-488E-9EF1-4B11992E0440}\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ = "1"
      • C:\WINDOWS\Microsoft.NET\Framework\ = "1"
      • C:\WINDOWS\Microsoft.NET\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\ = "1"
      • C:\WINDOWS\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RedistList\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild\ = ""
      • C:\WINDOWS\system32\MUI\0409\ = ""
      • C:\Program Files\Internet Explorer\MUI\0409\ = ""
      • C:\Program Files\Internet Explorer\MUI\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\ = ""
      • C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1025\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1028\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1031\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1033\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1036\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1040\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1041\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1042\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\2052\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\3082\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\ = ""
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\navigationBar.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAddUser.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll = 0x00000001
      • C:\WINDOWS\system32\dfshim.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.tlb = 0x00000002


Other details

  • To mark the presence in the system, the following Mutex object was created:
    • DBWinMutex (note: this is also the mutex name used by the Windows OutputDebugString debug-output channel, so any process that emits debugger output creates it; on its own it is a weak indicator)
  • The following Host Name was requested from a host database:
    • www.ru
  • The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded  /  Filename for the downloaded bits (each pair below: URL, then the local file it was saved to)

http://www.courdesloges.com/files2.php
%System%\drivers\down\407265.exe

http://aytocristobal.com/files2.php
%System%\drivers\down\407312.exe

http://cuidatumiembro.com/files2.php
%System%\drivers\down\407328.exe

http://maneironsclimb.com/files2.php
%System%\drivers\down\407328.exe

http://www.etraining.ee/files2.php
%System%\drivers\down\407343.exe

http://dancefrequency.com.br/files2.php
%System%\drivers\down\407343.exe

http://darioo.altervista.org/files2.php
%System%\drivers\down\407359.exe

http://daruliftaa.com/files2.php
%System%\drivers\down\407406.exe

http://datalifecenter.com/files2.php
%System%\drivers\down\407421.exe

http://datissa.com/files2.php
%System%\drivers\down\407421.exe

http://www.dbmetric.com/files2.php
%System%\drivers\down\407421.exe

http://WWW.DDP.COM.PE/files2.php
%System%\drivers\down\407437.exe

http://www.debmark.com/files2.php
%System%\drivers\down\407437.exe

http://decastrogil.es/files2.php
%System%\drivers\down\407484.exe

http://delattres.com/files2.php
%System%\drivers\down\407484.exe

http://demianaiello.com.ar/files2.php
%System%\drivers\down\407500.exe

http://demo.portaltapejara.com/files2.php
%System%\drivers\down\407500.exe

http://derechoydemocracia.es/files2.php
%System%\drivers\down\407515.exe

http://www.devergo.com/files2.php
%System%\drivers\down\407531.exe

http://dezaete.nl/files2.php
%System%\drivers\down\407531.exe

http://dieppeseinemaritime.com/files2.php
%System%\drivers\down\407531.exe

http://digitalpicture.com/files2.php
%System%\drivers\down\407578.exe

http://digicromo.com/files2.php
%System%\drivers\down\407578.exe

http://diocesequebec.qc.ca/files2.php
%System%\drivers\down\407593.exe

http://divinaclub.com/files2.php
%System%\drivers\down\407593.exe

http://divinojocelyn.altervista.org/files2.php
%System%\drivers\down\407609.exe

http://dj-horoz.com/files2.php
%System%\drivers\down\407609.exe

http://djsoprano.cp.win.pl/files2.php
%System%\drivers\down\407609.exe

http://djthefox.com/files2.php
%System%\drivers\down\407625.exe

http://deniselinsconvites.com.br/files2.php
%System%\drivers\down\407687.exe

http://lotva.org/files2.php
%System%\drivers\down\407703.exe

http://oliwia.iskierka.org/files2.php
%System%\drivers\down\407703.exe

http://dospablos.es/files2.php
%System%\drivers\down\407703.exe

http://dponcemi.altervista.org/files2.php
%System%\drivers\down\407718.exe

http://drutplast.com.pl/files2.php
%System%\drivers\down\407765.exe

http://dudys.bx.pl/files2.php
%System%\drivers\down\407765.exe

http://dukedem.com/files2.php
%System%\drivers\down\407781.exe

http://dddesignstudio.com/files2.php
%System%\drivers\down\407796.exe

http://easylimo.es/files2.php
%System%\drivers\down\407828.exe

http://doctorlife.org/files2.php
%System%\drivers\down\407859.exe

http://eccesso.es/files2.php
%System%\drivers\down\407859.exe

http://ecobos.be/files2.php
%System%\drivers\down\407875.exe

http://www.edenvillage.it/files2.php
%System%\drivers\down\407875.exe

http://programaseducativos-salamanca.com/files2.php
%System%\drivers\down\407890.exe

http://www.ekogips.pl/files2.php
%System%\drivers\down\407890.exe

http://www.ekotap.pl/files2.php
%System%\drivers\down\407906.exe

http://elelfogris.com/files2.php
%System%\drivers\down\407906.exe

http://elemco.pl/files2.php
%System%\drivers\down\407906.exe

http://elitan.pl/files2.php
%System%\drivers\down\407953.exe

http://passecdl.co.uk/files2.php
%System%\drivers\down\407953.exe

http://www.elotron.com/files2.php
%System%\drivers\down\407968.exe

http://elpantalan.es/files2.php
%System%\drivers\down\407968.exe

http://industriascarnicaselrobledo.com/files2.php
%System%\drivers\down\407984.exe

http://www.enco-group.cz/files2.php
%System%\drivers\down\407984.exe

http://energiesport.com/files2.php
%System%\drivers\down\407984.exe

http://epamateohernandez.com/files2.php
%System%\drivers\down\408000.exe

http://eravamo100.altervista.org/files2.php
%System%\drivers\down\408000.exe

http://esf-ct.com/files2.php
%System%\drivers\down\408031.exe

http://espaciojoven.org/files2.php
%System%\drivers\down\408046.exe

http://www.espaceprojets-villejuif.fr/files2.php
%System%\drivers\down\408062.exe

http://www.eszterlancaruhaz.hu/files2.php
%System%\drivers\down\408062.exe

http://www.etalon-stroy.ru/files2.php
%System%\drivers\down\408062.exe

http://www.experiment.lv/files2.php
%System%\drivers\down\408078.exe

http://streetlions.com/files2.php
%System%\drivers\down\408078.exe

http://www.false-news.com/files2.php
%System%\drivers\down\408093.exe

http://falshpolcom.18.com1.ru/files2.php
%System%\drivers\down\408093.exe

http://www.concretosfamasa.com/files2.php
%System%\drivers\down\408140.exe

http://fermesdemarie.eolas-services.com/files2.php
%System%\drivers\down\408156.exe

http://fernandoaureliano.com/files2.php
%System%\drivers\down\408156.exe

http://fetems.org.br/files2.php
%System%\drivers\down\408171.exe

http://wolfsdonksport.be/files2.php
%System%\drivers\down\408171.exe

http://filibertovillalobosguijuelo.com/files2.php
%System%\drivers\down\408171.exe

http://finz-center.com/files2.php
%System%\drivers\down\408187.exe

http://www.fitdina.com/files2.php
%System%\drivers\down\408187.exe

http://fiveuk.fi.funpic.org/files2.php
%System%\drivers\down\408203.exe

http://flabs.net/files2.php
%System%\drivers\down\408234.exe

http://fomentocredito.es/files2.php
%System%\drivers\down\408234.exe

http://fortis-sf.home.pl/files2.php
%System%\drivers\down\408250.exe

http://fotoastur.com/files2.php
%System%\drivers\down\408250.exe

http://fouadovedia.com/files2.php
%System%\drivers\down\408250.exe

http://foxx.fan-sites.org/files2.php
%System%\drivers\down\408265.exe

http://frauen-ratgeber.com/files2.php
%System%\drivers\down\408265.exe

http://fritschiclean.ch/files2.php
%System%\drivers\down\408281.exe

http://www.kfzeintragsservice.de/files2.php
%System%\drivers\down\408281.exe

http://www.autometasuche.de./files2.php
%System%\drivers\down\408281.exe

http://www.s-w-services.co.uk/files2.php
%System%\drivers\down\408328.exe

http://www.bodis.at/files2.php
%System%\drivers\down\408343.exe

http://www.musikverein-grosswallstadt.de/files2.php
%System%\drivers\down\408343.exe

http://tripplexwelt.de/files2.php
%System%\drivers\down\408359.exe

http://www.weingut-giegerich.de/files2.php
%System%\drivers\down\408359.exe

http://www.tenbrink-online.de/files2.php
%System%\drivers\down\408375.exe

http://www.alphazip.com/files2.php
%System%\drivers\down\408375.exe

http://www.kayaks.cz/files2.php
%System%\drivers\down\408390.exe

http://galami.sk/files2.php
%System%\drivers\down\408406.exe

http://galateainteriorismo.com/files2.php
%System%\drivers\down\408421.exe

http://galixesol.com/files2.php
%System%\drivers\down\408437.exe

http://www.gan-psifas.co.il/files2.php
%System%\drivers\down\408437.exe

http://robertsandboles.co.nz/files2.php
%System%\drivers\down\408468.exe

http://gazetaszkolna.edu.pl/files2.php
%System%\drivers\down\408468.exe

http://gdri.si/files2.php
%System%\drivers\down\408484.exe

http://generation80.be/files2.php
%System%\drivers\down\408531.exe

Heuristics Analysis

  • Heuristically identified capability to terminate the following security related processes:

_avp32.exe
_avpcc.exe
_avpm.exe
ackwin32.exe
alertsvc.exe
alogserv.exe
anti-trojan.exe
antivirus.exe
ants.exe
apvxdwin.exe
armor2net.exe
atcon.exe
atupdater.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avengine.exe
avgcc32.exe
avgctrl.exe
avgnt.exe
avgserv.exe
avguard.exe
avgw.exe
avkserv.exe
avkservice.exe
avp.exe
avp32.exe
avpcc.exe
avpm.exe
avpupd.exe
avsched32.exe
avsynmgr.exe
avwupd32.exe
avwupsrv.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
blackd.exe
blackice.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
cfiaudit.exe
claw95.exe
claw95cf.exe
cleaner.exe
cleaner3.exe
cmgrdian.exe
cpd.exe
defwatch.exe
doors.exe
drweb32w.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
f-agnt95.exe
fameh32.exe
fast.exe
fch32.exe
firewall.exe
f-prot95.exe
frameworkservice.exe
frw.exe
fsav.exe
fsav32.exe
fsgk32.exe
fsm32.exe
fsma32.exe
fsmb32.exe
f-stopw.exe
guard.exe
iamapp.exe
iamserv.exe
icload95.exe
icloadnt.exe
icmon.exe
icssuppnt.exe
icsupp95.exe
icsuppnt.exe
iface.exe
iomon98.exe
isrv95.exe
jedi.exe
kavpf.exe
livesrv.exe
lockdown2000.exe
luall.exe
lucomserver.exe
luinit.exe
mcagent.exe
mcmnhdlr.exe
mcshield.exe
mcupdate.exe
mcvsshld.exe
minilog.exe
monitor.exe
moolive.exe
navapsvc.exe
navapw32.exe
navlu32.exe
navstub.exe
navw32.exe
navwnt.exe
ndd32.exe
neowatchlog.exe
nisum.exe
nmain.exe
nod32.exe
nod32krn.exe
normist.exe
notstart.exe
nprotect.exe
nsched32.exe
ntrtscan.exe
ntxconfig.exe
nupgrade.exe
nvc95.exe
nwservice.exe
outpost.exe
pavfires.exe
pavfnsvr.exe
pavproxy.exe
pavsrv51.exe
pcciomon.exe
pccntmon.exe
persfw.exe
pop3trap.exe
poproxy.exe
pxagent.exe
realmon.exe
rescue.exe
rtvscan.exe
rtvscn95.exe
rulaunch.exe
savscan.exe
scan32.exe
shstat.exe
smc.exe
sndsrvc.exe
sphinx.exe
spyxx.exe
ss3edit.exe
swnetsup.exe
symlcsvc.exe
symproxysvc.exe
taumon.exe
tc.exe
tca.exe
tcm.exe
tds-3.exe
tfak.exe
trjscan.exe
update.exe
updaterui.exe
vettray.exe
vptray.exe
vsecomr.exe
vshwin32.exe
vsmon.exe
vsserv.exe
vsstat.exe
watchdog.exe
webscanx.exe
webtrap.exe
wgfe95.exe
wradmin.exe
wrctrl.exe
xcommsvr.exe
zatutor.exe
zauinst.exe
zonealarm.exe

Downloaded File Summary:

  • Summary of the findings:

What's been found  /  Severity Level

Creates a startup registry entry.

Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

  • Attention! The following threat categories were identified:

Threat Category  /  Description

  • A network-aware worm that attempts to replicate across the existing network(s)
  • A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

  • The following file was created in the system:

#1
Filename(s):
  %AppData%\m\flec006.exe
  [file and pathname of the sample #1]
File Size: 99,844 bytes
File Hash:
  MD5: 0x3F4F042FC88BC862989DD6702E19D917
  SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
Alias:
  Trojan.Lodeight.C [Symantec]
  Email-Worm.Win32.Bagle.of [Kaspersky Lab]
  W32/Bagle.gen [McAfee]
  TROJ_BAGLE.AO [Trend Micro]
  Mal/Packer, Mal/Behav-191, Mal/Bagpk-D [Sophos]
  Worm:Win32/Bagle.gen!C [Microsoft]
  Email-Worm.Win32.Bagle [Ikarus]
  Win32/MalPackedB.suspicious [AhnLab]

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  • The following directory was created:
    • %AppData%\m


Memory Modifications

  • There were new processes created in the system:

Process Name  /  Process Filename  /  Main Module Size

flec006.exe
  %AppData%\m\flec006.exe
  261,617 bytes

[filename of the sample #1]
  [file and pathname of the sample #1]
  261,617 bytes


Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • mule_st_key = "%AppData%\m\flec006.exe"

      so that flec006.exe runs every time Windows starts


Other details

  • The following Host Name was requested from a host database:
    • google.com
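The two reports above list the indicators a defender would want to key on: the Run values drvsyskit and mule_st_key, the srosa kernel driver service (display name Megadrv3), EnableLUA set to 0, the %System%\drivers\down\ download directory, the /files2.php URL path shared by every download URL, and the www.ru lookup. The following Python is added example code, not part of the sandbox report or of this blog; it turns those indicators into a small detector and runs it over event lines that are constructed for the example in a simplified key=value form of Sysmon events 13 (registry value set), 11 (file create) and 22 (DNS query), plus a proxy-log style record carrying a Url field. The numeric download file names (407265.exe, 407312.exe, ...) grow with time during the run and are deliberately not used; DBWinMutex is left out because the Windows debug-output channel creates the same mutex.

```python
"""Detection logic built from the indicators in the two reports above.
Added example code, not part of the sandbox report or the blog post.
Event lines are constructed for this example (simplified Sysmon-style
key=value records); field names follow Sysmon events 13, 11 and 22."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the reports.  The numeric download names
# (407265.exe, 407312.exe, ...) grow with time during the run, so they are
# not stable; the download directory and the URL path are used instead.
RUN_VALUE_NAMES = {"drvsyskit", "mule_st_key"}
DROPPED_IMAGES = {"hldrrr.exe", "srosa.sys", "flec006.exe"}
SERVICE_NAMES = {"srosa"}
SERVICE_DISPLAY_NAMES = {"Megadrv3"}
URL_PATH = "/files2.php"
DOWNLOAD_DIR = "\\drivers\\down\\"
DNS_NAMES = {"www.ru"}
# "DBWinMutex" is deliberately left out: it is the mutex of the Windows
# OutputDebugString channel, so any process emitting debug output creates it.

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
ENABLE_LUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
SERVICE_KEY_RE = re.compile(
    r"\\Services\\(?P<svc>[^\\]+)\\(?P<value>ImagePath|DisplayName|Start|Type)$", re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int
    detail: str


def parse_event(line):
    """Parse one 'Key=value Key="quoted value"' line into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    fields["EventID"] = int(fields.get("EventID", 0))
    return fields


def check_event(ev):
    """Return a Hit if the event matches one of the report's indicators."""
    eid = ev["EventID"]
    if "Url" in ev:                      # proxy-style record
        if urlsplit(ev["Url"]).path == URL_PATH:
            return Hit("url-path", eid, ev["Url"])
        return None
    if eid == 13:                        # registry value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        m = RUN_KEY_RE.search(target)
        if m and (m.group("name") in RUN_VALUE_NAMES
                  or details.lower().endswith(tuple(DROPPED_IMAGES))):
            return Hit("run-key-persistence", eid, f"{m.group('name')} -> {details}")
        if ENABLE_LUA_RE.search(target) and details.lower() in ("0", "dword (0x00000000)"):
            return Hit("uac-disabled", eid, target)
        m = SERVICE_KEY_RE.search(target)
        if m and (m.group("svc").lower() in SERVICE_NAMES
                  or details in SERVICE_DISPLAY_NAMES
                  or details.lower().endswith(tuple(DROPPED_IMAGES))):
            return Hit("driver-service-install", eid,
                       f"{m.group('svc')} {m.group('value')}={details}")
    elif eid == 11:                      # file create
        target = ev.get("TargetFilename", "")
        low = target.lower()
        if DOWNLOAD_DIR in low or low.rsplit("\\", 1)[-1] in DROPPED_IMAGES:
            return Hit("dropped-file", eid, target)
    elif eid == 22:                      # DNS query
        name = ev.get("QueryName", "").lower()
        if name in DNS_NAMES:
            return Hit("dns-lookup", eid, name)
    return None


def scan(lines):
    """Run every line through check_event and collect the hits."""
    hits = []
    for line in lines:
        hit = check_event(parse_event(line))
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample events: the first six mirror the report, the last
# three are benign activity that must not fire.
SAMPLE_EVENTS = [
    'EventID=13 TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\drvsyskit" Details="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" Details="DWORD (0x00000000)"',
    'EventID=13 TargetObject="HKLM\\System\\CurrentControlSet\\Services\\srosa\\ImagePath" Details="%System%\\drivers\\srosa.sys"',
    'EventID=11 TargetFilename="C:\\WINDOWS\\system32\\drivers\\down\\407265.exe"',
    'EventID=22 QueryName=www.ru',
    'EventID=0 Url="http://www.courdesloges.com/files2.php"',
    'EventID=13 TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" Details="C:\\Users\\u\\OneDrive.exe"',
    'EventID=11 TargetFilename="C:\\Users\\u\\Downloads\\report.pdf"',
    'EventID=22 QueryName=www.example.com',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h.rule}] event {h.event_id}: {h.detail}")
```

The rules match on the parts of the report that an attacker cannot cheaply vary per run (value names, service name, directory, URL path) rather than on per-run artefacts such as the tick-count-looking file names or the sandbox's own installer-folder churn; the registry match on EnableLUA accepts both the raw value and Sysmon's "DWORD (0x...)" rendering.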