病毒释放文件
C:\WINDOWS\Debug\debug.exe C:\WINDOWS\Web\css.css C:\MSDOS.log C:\WINDOWS\Temp\~tmp83.tmp 在D盘 E盘下 生成gbk.com和autorun.inf | C:\WINDOWS\Web\css.css插入其他进程
结束如下进程
kvmonxp.kxp kvsrvxp.exe trojdie.kxp kregex.exe uihost.exe avp.exe avp.exe 360safe.exe runiep.exe ras.exe ccenter.exe ravtask.exe ravmon.exe ravmond.exe ravstub.exe kwatch.exe kavstart.exe kpfwsvc.exe kmailmon.exe kpfw32.exe kavsvc.exe kav.exe |
关闭如下服务 并把相应服务的启动类型改为 禁用
sharedaccess ccenter kvsrvxp kvwsc kavsvc kingsoft antivirus kwatch service kingsoft personal firewall service rsravmon service rising proxy service rising process communication center rising personal firewall service 卡巴斯基反病毒6.0个人版 |
创建如下影像劫持项
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe 指向 C:\WINDOWS\Debug\debug.exe C:\WINDOWS\Web\css.css监视 IFEO键值的修改 如果一旦被删除则马上恢复 | 删除HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden 键 破坏显示隐藏文件
连接网络 下载http://xxxxxxxx.mircosofts.com/history.txt到C盘下 读取里面的内容下载木马,http://xxxxxxxx.2288.org/ms_info32.exe;http://xxxxxxxx.2288.org/ms_info33.exe;http://xxxxxxxx.2288.org/bots.exe到C:\Windows下面 分别命名为1.exe~3.exe
木马运行完毕后 生成的文件如下
C:\WINDOWS\1.exe C:\WINDOWS\2.bat C:\WINDOWS\2.exe C:\WINDOWS\2.vbs C:\WINDOWS\3.exe C:\WINDOWS\IEXPLORE.EXE C:\WINDOWS\tmp$$$.vbs C:\WINDOWS\W1NL0GON.EXE C:\WINDOWS\system32\comspn.dll C:\WINDOWS\system32\inetcfg.h C:\WINDOWS\system32\mst.tlb C:\WINDOWS\system32\SCardSer.exe C:\WINDOWS\system32\spnup.dll 其中1.exe会把系统时间改为2099年12月30日 | sreng日志情况(该工具可到down.45its.com下载) 启动项目
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] <MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE> [] 服务 [Net Login Helper / netlog][Stopped/Auto Start] <C:\WINDOWS\system32\SCardSer.exe ><N/A>
测试中未发现 主程序 有创建启动项的行为 很奇怪
解决方法: 安全模式下(开机后不断 按F8键 然后出来一个高级菜单 选择第一项 安全模式 进入系统) 首先把系统时间改回来 把sreng(可到down.45its.com下载)改名为其他名称 运行 启动项目 注册表 删除如下项目 <MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE> []
“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”, 选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:
Net Login Helper / netlog 把下面的 代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" "Text"="@shell32.dll,-30500" "Type"="radio" "CheckedValue"=dword:00000001 "ValueName"="Hidden" "DefaultValue"=dword:00000002 "HKeyRoot"=dword:80000001 "HelpID"="shell.hlp#51105" |
双击1.reg把这个注册表项导入
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定 然后删除以下文件(如遇提示无法删除文件,到down.45its.com下载费尔木马强制删除器工具进行强制删除)
C:\WINDOWS\1.exe C:\WINDOWS\2.bat C:\WINDOWS\2.exe C:\WINDOWS\2.vbs C:\WINDOWS\3.exe C:\WINDOWS\IEXPLORE.EXE C:\WINDOWS\tmp$$$.vbs C:\WINDOWS\W1NL0GON.EXE C:\WINDOWS\system32\comspn.dll C:\WINDOWS\system32\inetcfg.h C:\WINDOWS\system32\mst.tlb C:\WINDOWS\system32\SCardSer.exe C:\WINDOWS\system32\spnup.dll C:\WINDOWS\Debug\debug.exe C:\WINDOWS\Web\css.css C:\MSDOS.log C:\WINDOWS\Temp\~tmp83.tmp 右键点击 菜单中的打开 打开D E删除gbk.com和autorun.inf |
重启计算机 进入正常模式 下载 autoruns (可到down.45its.com下载) 由于这个软件也被映像劫持了 所以我们把他改个名字 打开这个软件后 找到Image hijack (映像劫持) 删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe 以外的所有项目
然后修复你的杀毒软件 和其他安全软件 全盘杀毒即可
|