After analysing the BCT, BDO, AXT, BNV, AHN and other variants of Trojan-Dropper.Win32.Agent,
the removal methods are as follows:
Booting into Safe Mode and running an antivirus scanner together with 360 can remove some of the variants.
In addition, use 360 to patch system vulnerabilities (download from down.45it.com) and turn off System Restore.
==============Manual removal method==============
First disconnect from the network, turn off System Restore (My Computer -> Properties -> System Restore -> turn off), and empty the IE temporary files folder.
For each item below: if it is present, deal with it; if it is not, move on (processes and files differ between variants).
(1) End the processes first (press Ctrl+Alt+Del to open Task Manager and end the following processes):
abc.exe
novel.exe
upnpsvc.exe
internat.exe
cdnup.exe

(2) Delete the files the virus dropped (detailed steps: open IceSword (download from down.45it.com) -> File -> locate each virus file in turn and delete it):
%ProgramFiles%\CNNIC\
%WinDir%\system32\cdndisp.tmp
%WinDir%\system32\cdnns.dll
%WinDir%\system32\cdnprot.dat
%WinDir%\system32\drivers\cdnprot.sys
%WinDir%\cc123.dll
%WinDir%\abc.exe
%System32%\odyedknsvgaapyz.dll
%System32%\downsss.ini
%WinDir%\sclgntfys.dll
%WinDir%\winamps.dll
%WinDir%\SysSun1\Ghook.dll
%WinDir%\SysSun1\svchost.exe
%WinDir%\cmdbcs.exe
%WinDir%\gv.dll
%WinDir%\mppds.exe
%WinDir%\javhavm.exe
%WinDir%\msccrt.exe
%WinDir%\rising390.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
%System32%\upnpsvc.exe
%System32%\systemt.exe
%System32%\systemm.exe
%System32%\SMSSS.exe
%System32%\servet.exe
%System32%\MSTCS.exe
%System32%\alg32.exe
%System32%\8.exe
%WinDir%\syssun1\*.*
%System32%\syswm7\*.*
%System32%\system\.setupq\*.*
%System32%\system\sysbacks\*.*
%Documents and Settings%\<current user name>\Local Settings\Temp\*.*
(3) Restore the registry entries the virus modified and delete the entries it added (detailed steps: open IceSword (download from down.45it.com), locate each registry entry below in turn and delete it):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CdnCtr
    value: string "%ProgramFiles%\CNNIC\Cdn\cdnup.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    value: string "%ProgramFiles%\CNNIC\Cdn\cdnforie.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\DescriptionName
    value: "cdnprot"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\ImagePath
    value: type REG_EXPAND_SZ, length 29 (0x1d) bytes: system32\drivers\cdnprot.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\Description
    value: string "启用 windows 用户模式驱动程序。" ("Enable Windows user-mode drivers.")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\DisplayName
    value: string "Windows User Mode Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\ImagePath
    value: type REG_EXPAND_SZ, length 46 (0x2e) bytes: rundll32.exe C:\WINDOWS\winamps.dll _start@16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msupdate
    value: string "%WINDOWS%\AntiAdwa.exe other"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfys\DllName
    value: string "%WINDOWS%\sclgntfys.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0c4
    value: string "%WINDOWS%\AntiAdwa.exe other"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbcs
    value: string "%WINDOWS%\cmdbcs.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbs
    value: string "%WINDOWS%\cmds.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javhavm
    value: string "%WINDOWS%\javhavm.exer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultcheck
    value: string "%WINDOWS%\system32\dumprep.exe"
    (check this one carefully before deleting: dumprep.exe is Windows XP's own crash-dump reporting tool, and a KernelFaultCheck Run entry pointing at it is normally legitimate; confirm that the file on disk is the genuine one)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mppds
    value: string "%WINDOWS%\mppds.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pxdnd
    value: string "%Documents and Settings%\<current user>\Local Settings\Temp\win4.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shualai
    value: string "%WINDOWS%\shualai.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\testrun
    value: string "%WINDOWS%\testexe.exer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upxdndq
    value: string "%Documents and Settings%\<current user>\Local Settings\Temp\upxdnd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sun
    value: string "%WINDOWS%\syssun1\svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wm
    value: string "%WINDOWS%\syswm7\svchost.exe"
HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5DB3D73A-7D9F-49C7-9678-09F2E7CE7A3F}
    \@ value: string ""
    \InprocServer32\@ value: string "C:\WINDOWS\system32\odyedknsvgaapyz.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5DB3D73A-7D9F-49C7-9678-09F2E7CE7A3F}\
(4) Save the following as a .reg file (e.g. 1.reg), then double-click it to import. The Image File Execution Options entry makes Windows start the named "debugger" in place of internat.exe, so the dropped internat.exe can no longer be launched; remove the entry again once the malicious file is gone, because it also blocks any legitimate program of that name.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\internat.exe]
"Debugger"="internat.exe"
(5) Patch the system vulnerabilities (with the 360 Safeguard mentioned above, download from down.45it.com).
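Steps (3) and (4) can be combined into a single importable cleanup file, which makes the procedure repeatable across machines and avoids typing each key by hand in IceSword. The script below is an added example, not code from the original page: it writes a "Windows Registry Editor Version 5.00" file using regedit's documented "[-Key]" (delete key) and "Name"=- (delete value) syntax for the persistence entries listed above, plus the IFEO block from step (4). Two decisions are this example's own: it addresses the service keys under CurrentControlSet (ControlSet001 in the report is the same key when that is the active control set), and it deliberately leaves KernelFaultcheck out so that entry is checked by hand. The CNNIC cdnforie.dll BHO is not included because the page does not give its CLSID.

```python
"""
Build a regedit 5.00 cleanup file for the persistence entries listed in
steps (3) and (4).  Added example; not part of the original page.
"""

# (key, value name) pairs: autostart values to delete. Only the value name is
# needed to delete it, so the value data reported above is not repeated here.
RUN_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CdnCtr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "msupdate"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "0c4"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "cmdbcs"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "cmdbs"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "javhavm"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "mppds"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "pxdnd"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "shualai"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "testrun"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "upxdndq"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "sun"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "wm"),
    # Deliberately not listed: Run\KernelFaultcheck -> dumprep.exe is Windows XP's
    # own crash-dump reporter.  Inspect that entry by hand instead of deleting it.
]

BHO_CLSID = "{5DB3D73A-7D9F-49C7-9678-09F2E7CE7A3F}"

# Whole keys to delete: the two services, the Winlogon notify package, the
# BHO registration and its CLSID, and the Valve key the analysis lists.
# CurrentControlSet is this example's choice (see lead-in).
DELETE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfys",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID" + "\\" + BHO_CLSID,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" + "\\" + BHO_CLSID,
    r"HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings",
]

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def reg_escape(text: str) -> str:
    """Escape a quoted .reg string: backslashes and double quotes are backslash-escaped."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def build_cleanup_reg(run_values=RUN_VALUES, delete_keys=DELETE_KEYS,
                      block_images=("internat.exe",)) -> str:
    """Return the .reg file body with CRLF line endings, as regedit itself writes them."""
    out = ["Windows Registry Editor Version 5.00", ""]
    grouped = {}
    for key, name in run_values:              # one [Key] section per key
        grouped.setdefault(key, []).append(name)
    for key, names in grouped.items():
        out.append(f"[{key}]")
        out.extend(f'"{reg_escape(n)}"=-' for n in names)   # "Name"=- deletes one value
        out.append("")
    for key in delete_keys:
        out.append(f"[-{key}]")               # [-Key] deletes the whole key
        out.append("")
    for image in block_images:
        # Same trick as step (4): an IFEO Debugger entry makes Windows launch the
        # named "debugger" in place of the image, so the dropped binary cannot start.
        out.append(f"[{IFEO}\\{image}]")
        out.append(f'"Debugger"="{reg_escape(image)}"')
        out.append("")
    return "\r\n".join(out)


def encode_reg(body: str) -> bytes:
    """Encode as UTF-16 LE with BOM, the encoding regedit 5.00 exports and expects."""
    return b"\xff\xfe" + body.encode("utf-16-le")


def write_reg(path: str, body: str) -> int:
    """Write the file to disk; returns the number of bytes written."""
    data = encode_reg(body)
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    print(build_cleanup_reg())
```

Import the generated file in Safe Mode after the processes in step (1) have been ended: while cdnprot.sys is loaded its service key may be protected, and a .reg import silently skips entries it cannot delete, so re-export the Run and Services keys afterwards and confirm the entries are really gone.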