I. Earlier solutions first:
1. "A brief analysis and fix for the Ghost.pif virus", article address: www.45its.com/Article/pcedu/Safety/200705/16157.htm
2. "Fixing the 0xc00000ba antivirus failure caused by the new Ghost.pif variant", www.45its.com/Article/pcedu/Safety/200706/16376.htm
II. Analysis of the new variant:
After running, it creates the following files:
  C:\Program Files\Common Files\Relive.dll
  C:\Program Files\Internet Explorer\HiJack.bak
  C:\Program Files\Internet Explorer\HiJack.dll
  C:\Program Files\Internet Explorer\msvcrt.bak
  C:\Program Files\Internet Explorer\msvcrt.dll
It adds the following registry values:
  HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program Files\Internet Explorer\HiJack.dll"
  HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel: "Apartment"
  HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\: ""
  HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program Files\Internet Explorer\msvcrt.dll"
  HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\ThreadingModel: "Apartment"
  HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\: ""
  HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program Files\Common Files\Relive.dll"
  HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\ThreadingModel: "Apartment"
  HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}: ""
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}: ""
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
It queries certain values under the following registry keys to obtain the install directories of the corresponding security software, and in each install directory it finds it creates a folder named after the system file "ws2_32.dll":
  SOFTWARE\\rising\\Rav
  SOFTWARE\\Kingsoft\\AntiVirus
  SOFTWARE\\JiangMin
  SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
  SOFTWARE\\KasperskyLab\\SetupFolders
  SOFTWARE\Network Associates\TVD\Shared Components\Framework
  SOFTWARE\Eset\Nod\CurrentVersion\Info
  SOFTWARE\\Symantec\\SharedUsage
  SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Inside the ws2_32.dll folder it then creates an ambiguously named folder 1..\, so that the folder cannot be deleted from within Windows.
It drives explorer to connect to 202.59.153.91:80 and download the following trojans into the temporary folder:
  http://xxx.us/oK/svchost.exe
  http://xxx.us/Sign/csrss.exe
  http://xxx.us/Sign/svchost32.exe
  http://xxx.us/Sign/smss.exe
  http://xxx.us/Sign/services.exe
  http://xxx.us/Sign/svchost.exe
  http://xxx.us/Sign/conime.exe
  http://xxx.us/Sign/ctfmon.exe
  http://xxx.us/Sign/mmc.exe
  http://xxx.us/Sign/IEXPLORE.EXE
  http://xxx.us/Sign/stpgldk.exe
  http://xxx.us/Sign/srogm.exe
  http://xxx.us/Sign/spglsdr.exe
  http://xxx.us/Sign/copypfh.exe
  http://xxx.us/Sign/okfile.exe
When run, these in turn create the following files in the temporary folder:
  fyso.exe jtso.exe mhso.exe qjso.exe qqso.exe wgso.exe wlso.exe wmso.exe woso.exe ztso.exe daso.exe tlso.exe rxso.exe
  svchost.exe IEXPLORE.EXE svchost32.exe srogm.exe csrss.exe conime.exe mmc.exe spglsdr.exe services.exe copypfh.exe smss.exe
  fyso0.dll jtso0.dll mhso0.dll qjso0.dll qqso0.dll wgso0.dll wlso0.dll wmso0.dll woso0.dll ztso0.dll tlso0.dll daso0.dll rxso0.dll
and add registry startup entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\woso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\fyso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wlso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wgso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\qjso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wdso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\tlso.exe"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\daso.exe"
  ...
Each trojan creates the key HKCU\Software\SetVer\ver.
Solution:
1. Open SREng (available for download from down.45its.com).
   Startup Items > Registry: delete the following entries:
     <wosa><C:\DOCUME~1\<username>\LOCALS~1\Temp\woso.exe> [N/A]
     <ztsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\ztso.exe> []
     <mhsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\mhso.exe> []
     <fysa><C:\DOCUME~1\<username>\LOCALS~1\Temp\fyso.exe> []
     <jtsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\jtso.exe> []
     <wlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wlso.exe> []
     <wgsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wgso.exe> []
     <wmsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wmso.exe> []
     <qjsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\qjso.exe> []
     <rxsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\rxso.exe> []
     <wdsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wdso.exe> []
     <tlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\tlso.exe> []
     <dasa><C:\DOCUME~1\<username>\LOCALS~1\Temp\daso.exe> []
     <{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}><C:\Program Files\Internet Explorer\HiJack.dll> [Microsoft Corporation]
     <{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll> [Microsoft Corporation]
   System Repair > Browser Add-ons: tick [] {D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft Corporation>, click "Delete Selected" at the lower right, and answer Yes in the dialog that appears.
2. Restart the computer. Double-click My Computer > Tools > Folder Options > View; select "Show hidden files and folders" and clear the check box in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click Yes, then OK. Then delete:
     C:\Program Files\Common Files\Relive.dll
     C:\Program Files\Internet Explorer\HiJack.bak
     C:\Program Files\Internet Explorer\HiJack.dll
     C:\Program Files\Internet Explorer\msvcrt.bak
     C:\Program Files\Internet Explorer\msvcrt.dll
   and empty the temporary folder C:\DOCUME~1\<username>\LOCALS~1\Temp.
3. Delete the ws2_32.dll folder under the Rising, Jiangmin, Kaspersky and 360 folders (whichever antivirus you actually have installed). Method: suppose your Rising is installed under C:\Program files\rising\rav. Then: Start > Run, type cmd; in the command window go to C:\Program files\rising\rav\ws2_32.dll and press Enter; type rd 1..\ and press Enter; close the cmd window and then delete the ws2_32.dll folder directly. Handle ws2_32.dll under the other folders the same way.
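The following is an added example, not part of the original article or of SREng: a read-only PowerShell audit of the persistence points, dropped files and disguised folders described in section II, meant to be run before the clean-up above to confirm the infection and again afterwards to confirm nothing was missed. The CLSIDs, file names, Run value pattern and AV locator keys are taken from the write-up; $env:ProgramFiles and $env:CommonProgramFiles are assumed to resolve to the Program Files locations the article lists, and the function name Invoke-GhostPifAudit is mine. The article does not say which value under each AV key the dropper reads, so every string value under those keys is tried.

```powershell
# Added example (not from the original article). Reports findings only;
# nothing here modifies the registry or the file system.
# Run from an elevated PowerShell prompt so all of HKLM is readable.

# CLSIDs registered by the dropper (from the write-up).
$Clsids = @(
    '{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}',  # ShellExecuteHook -> HiJack.dll
    '{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}',  # ShellExecuteHook -> fake msvcrt.dll
    '{D7515C61-A66C-4319-A0E0-D416CB8059E3}'   # Browser Helper Object -> Relive.dll
)
# Files dropped into Program Files (from the write-up). Assumption: the
# environment variables resolve to the same folders the article names.
$DroppedFiles = @(
    "$env:CommonProgramFiles\Relive.dll",
    "$env:ProgramFiles\Internet Explorer\HiJack.bak",
    "$env:ProgramFiles\Internet Explorer\HiJack.dll",
    "$env:ProgramFiles\Internet Explorer\msvcrt.bak",
    "$env:ProgramFiles\Internet Explorer\msvcrt.dll"
)
# Keys the dropper reads to locate security-software install dirs (from the write-up).
$AvLocatorKeys = @(
    'HKLM:\SOFTWARE\rising\Rav',
    'HKLM:\SOFTWARE\Kingsoft\AntiVirus',
    'HKLM:\SOFTWARE\JiangMin',
    'HKLM:\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal',
    'HKLM:\SOFTWARE\KasperskyLab\SetupFolders',
    'HKLM:\SOFTWARE\Network Associates\TVD\Shared Components\Framework',
    'HKLM:\SOFTWARE\Eset\Nod\CurrentVersion\Info',
    'HKLM:\SOFTWARE\Symantec\SharedUsage',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe'
)
$Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Invoke-GhostPifAudit {
    $findings = @()

    foreach ($c in $Clsids) {
        # COM registration: the InProcServer32 default value names the DLL that gets loaded.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$c\InProcServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            $findings += "CLSID $c is registered; InProcServer32 = $dll"
        }
        # ShellExecuteHooks stores the CLSID as a value name under the key ...
        $hooks = Get-Item -LiteralPath "$Explorer\ShellExecuteHooks" -ErrorAction SilentlyContinue
        if ($hooks -and ($hooks.GetValueNames() -contains $c)) {
            $findings += "ShellExecuteHooks entry present for $c"
        }
        # ... whereas Browser Helper Objects uses the CLSID as a subkey.
        if (Test-Path -LiteralPath "$Explorer\Browser Helper Objects\$c") {
            $findings += "Browser Helper Object registered for $c"
        }
    }

    # Run values whose target is a two-letter + "so.exe" dropper under Temp
    # (wosa -> woso.exe, fysa -> fyso.exe, ... as listed in the write-up).
    $run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $target = [string]$run.GetValue($name)
            if ($target -match '\\Temp\\[a-z]{2}so\.exe"?\s*$') {
                $findings += "Run value '$name' starts $target"
            }
        }
    }

    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "Dropped file present: $f" }
    }

    # A *directory* named ws2_32.dll inside an AV install directory, plus the
    # trailing-dot "1.." child that normal deletion cannot address.
    foreach ($key in $AvLocatorKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $dir = [string]$item.GetValue($name)
            if (-not $dir) { continue }
            # App Paths stores the executable itself; use its folder.
            if (Test-Path -LiteralPath $dir -PathType Leaf) { $dir = Split-Path -Parent $dir }
            $fake = Join-Path $dir 'ws2_32.dll'
            if (Test-Path -LiteralPath $fake -PathType Container) {
                $findings += "Directory masquerading as ws2_32.dll: $fake"
                # Directory enumeration returns the real name, so "1.." is visible
                # here even though ordinary path handling strips trailing dots.
                foreach ($child in Get-ChildItem -LiteralPath $fake -Force) {
                    if ($child.PSIsContainer -and $child.Name.EndsWith('.')) {
                        $findings += "Trailing-dot child folder: $($child.Name)"
                    }
                }
            }
        }
    }
    return $findings
}

$result = @(Invoke-GhostPifAudit)
if ($result.Count -eq 0) { 'No Ghost.pif indicators found.' } else { $result }
```

The audit deliberately distinguishes the two Explorer extension points the dropper abuses: ShellExecuteHooks lists CLSIDs as value names, while Browser Helper Objects lists them as subkeys, so a check that only looks for subkeys would miss the two hook DLLs. The 1..\ folder shows up in the listing because directory enumeration returns the stored name, whereas opening or deleting it by its normal path fails once Windows strips the trailing dots; that is why step 3 above removes it from inside its parent folder rather than by full path.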