07-06-13 A virus, and yet another virus!
I had privately assumed I would never catch a virus, for three reasons: first, the critical patches were applied; second, my KV antivirus is a licensed copy and is updated every day; third, the SP2 firewall is enabled; fourth, I have fairly good browsing habits and do not visit random sites. Yet I still got hit, and what is worse, I still do not know how. All I remember is that the day before, KV reported killing a virus, and I figured that with KV protecting me it should not be a big problem. The next day, when I turned on the computer, I found that KV had not started. At that point I began to suspect something, but clicking it manually still started it normally, so, being busy at work, I put it aside for the moment and planned a full scan in the evening after getting home.
That afternoon I suddenly felt the KV icon in the bottom-right corner was blinking oddly (in fact KV blinks like that normally too; I don't know what got into me, it just felt wrong), so I decided to run a scan right away. I clicked it to bring up the KV main window: no response. Clicked again, still nothing. Clicked once more, and the KV tray icon vanished!!!!
I hurried to start KV from the Programs menu, and nothing happened there either!!!! I was now fairly sure this was an infection, but not worried: a little virus would not beat me, I still had my secret weapons, and this was a good chance to have some fun.
While thinking it over, I went to the relevant folder and tried opening 360SAFE first. It would not open; clicked again, still nothing; a few more clicks and the whole explorer.exe restarted!!! Sensing trouble, I immediately disconnected from the network, then tried opening HijackThis, Autoruns, SREng, IceSword and so on: none of them would open, and clicking them also restarted explorer.exe!! This was serious!! Straight into Safe Mode: blue screen. Rebooted and tried a KV boot scan: the boot scan never even appeared!!!!
Stunned!!!! Out of ideas!!! Reinstall the system? No way, absolutely not. I wandered blindly from folder to folder and found that whenever I opened a folder related to anti-virus tools, explorer.exe restarted, while everything else worked normally. This virus seemed built specifically to fight anti-virus software; only two words came to mind: impressive, really damn impressive!!
Finally I checked the Run entries in the registry: all normal. Checked the processes: nothing visible there either!! So I could basically conclude that something had been injected into explorer.exe!
Then it occurred to me that Autoruns can be used from the command prompt. I tried it right away, and ha, it worked!! Finally a way in! I produced a report with it, as follows:
-------------------------------------------------------------------------------
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
  KvNative.exe | File not found: KvNative.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  (all 100 entries below carry the same Debugger image: c:\program files\common files\microsoft shared\msinfo\8337efe5.dat)
  360rpt.exe, 360Safe.exe, 360tray.exe, adam.exe, AgentSvr.exe, AppSvc32.exe, autoruns.exe, avgrssvc.exe,
  AvMonitor.exe, avp.com, avp.exe, CCenter.exe, ccSvcHst.exe, FileDsty.exe, FTCleanerShell.exe, HijackThis.exe,
  IceSword.exe, iparmo.exe, Iparmor.exe, isPwdSvc.exe, kabaload.exe, KaScrScn.SCR, KASMain.exe, KASTask.exe,
  KAV32.exe, KAVDX.exe, KAVPFW.exe, KAVSetup.exe, KAVStart.exe, KISLnchr.exe, KMailMon.exe, KMFilter.exe,
  KPFW32.exe, KPFW32X.exe, KPFWSvc.exe, KRegEx.exe, krepair.COM, KsLoader.exe, KVCenter.kxp, KvDetect.exe,
  KvfwMcl.exe, KVMonXP.kxp, KVMonXP_1.kxp, kvol.exe, kvolself.exe, KvReport.kxp, KVScan.kxp, KVSrvXP.exe,
  KVStub.kxp, kvupload.exe, kvwsc.exe, KvXP.kxp, KvXP_1.kxp, KWatch.exe, KWatch9x.exe, KWatchX.exe,
  loaddll.exe, MagicSet.exe, mcconsol.exe, mmqczj.exe, mmsk.exe, NAVSetup.exe, nod32krn.exe, nod32kui.exe,
  PFW.exe, PFWLiveUpdate.exe, QHSET.exe, Ras.exe, Rav.exe, RavMon.exe, RavMonD.exe, RavStub.exe,
  RavTask.exe, RegClean.exe, rfwcfg.exe, RfwMain.exe, rfwProxy.exe, rfwsrv.exe, RsAgent.exe, Rsaupd.exe,
  runiep.exe, safelive.exe, scan32.exe, shcfg32.exe, SmartUp.exe, SREng.exe, symlcsvc.exe, SysSafe.exe,
  TrojanDetector.exe, Trojanwall.exe, TrojDie.kxp, UIHost.exe, UmxAgent.exe, UmxAttachment.exe, UmxCfg.exe, UmxFwHlp.exe,
  UmxPol.exe, UpLive.EXE.exe, WoptiClean.exe, zxsweep.exe

HKLM\System\CurrentControlSet\Services
  ACA | c:\windows\system32\drivers\aca.sys
  Belcarra USBLAN | Windows USBLAN Host Driver | (Not verified) Belcarra Technologies | c:\windows\system32\drivers\btblan.sys
  istar | iSTAR | (Not verified) UUDynamics Inc. | c:\windows\system32\drivers\istar.sys
  NPF | npf.sys (NT5/6 x86) Kernel Driver | (Verified) CACE TECHNOLOGIES, LLC | c:\windows\system32\drivers\npf.sys
  npkcrypt | nProtect KeyCrypt Driver | (Not verified) INCA Internet Co., Ltd. | d:\program files\tencent\qq\npkcrypt.sys
  PCA | c:\windows\system32\drivers\pca.sys
  Sniffer | SNIFFER Protocol Driver | (Not verified) Network General | c:\windows\system32\drivers\sniffer.sys
  tap0801 | TAP-Win32 Virtual Network Driver | (Not verified) The OpenVPN Project | c:\windows\system32\drivers\tap0801.sys
  Tcpip | TCP/IP Protocol Driver | (Not verified) Microsoft Corporation | c:\windows\system32\drivers\tcpip.sys
  UUAPPSDR | UUApp Redirector | (Not verified) Windows (R) 2000 DDK provider | c:\windows\system32\drivers\uuappsdr.sys
  UUTdiRdr | UURedirect | (Not verified) UUDynamics | c:\windows\system32\drivers\uutdirdr.sys
  ZSMC301b | Video streaming and Capture Device Driver | (Not verified) VM | c:\windows\system32\drivers\usbvm31b.sys

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
  Microsoft Document Imaging Writer Monitor | Microsoft® Document Imaging | (Not verified) Microsoft Corporation | c:\windows\system32\mdimon.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  StormCodec_Helper | d:\program files\ringz studio\storm codec\stormset.exe
  UUTOKEN | UUToken Application | c:\windows\system32\uutoken.exe
  NeroFilterCheck | NeroCheck | (Not verified) Ahead Software Gmbh | c:\windows\system32\nerocheck.exe
  SunJavaUpdateSched | Java(TM) 2 Platform Standard Edition binary | (Not verified) Sun Microsystems, Inc. | c:\program files\java\jre1.5.0_10\bin\jusched.exe

HKLM\SOFTWARE\Classes\Protocols\Filter
  application/octet-stream | Microsoft .NET Runtime Execution Engine | (Not verified) Microsoft Corporation | c:\windows\system32\mscoree.dll
  application/x-complus | Microsoft .NET Runtime Execution Engine | (Not verified) Microsoft Corporation | c:\windows\system32\mscoree.dll
  application/x-msdownload | Microsoft .NET Runtime Execution Engine | (Not verified) Microsoft Corporation | c:\windows\system32\mscoree.dll

HKLM\SOFTWARE\Classes\Protocols\Handler
  msnim | MSN Messenger 协议处理程序 | (Not verified) Microsoft Corporation | c:\program files\msn messenger\msgrapp.dll

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  n/a | Microsoft .NET IE SECURITY REGISTRATION | (Not verified) Microsoft Corporation | c:\windows\system32\mscories.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SolarWinds Toolbar | SolarWinds Network Toolbar | (Verified) SolarWinds.Net | d:\program files\solarwinds\broadband engineers edition\solarwinds-toolbar.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  Thunder Browser Helper | XunLeiBHO | (Not verified) Thunder Networking Technologies,LTD | d:\program files\thunder network\thunder\comdlls\xunleibho_007.dll
  SSVHelper Class | Java(TM) 2 Platform Standard Edition binary | (Verified) Sun Microsystems, Inc. | c:\program files\java\jre1.5.0_10\bin\ssv.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  8337efe5.dll | c:\program files\common files\microsoft shared\msinfo\8337efe5.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  Fusion Cache | Microsoft .NET Runtime Execution Engine | (Not verified) Microsoft Corporation | c:\windows\system32\mscoree.dll
  WinRAR shell extension | d:\program files\winrar\rarext.dll
  ShellLink for Application References | Application Deployment Support Library | (Not verified) Microsoft Corporation | c:\windows\system32\dfshim.dll
  Shell Icon Handler for Application References | Application Deployment Support Library | (Not verified) Microsoft Corporation | c:\windows\system32\dfshim.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
  启动迅雷5 | (Not verified) Thunder Networking Technologies,LTD
  d:\program files\thunder network\thunder\thunder.exe
-------------------------------------------------------------------------------

At this point the problem was perfectly clear: explorer.exe had been injected with this 8337efe5.dll thing, which then image-hijacked almost every anti-virus program!!
The rest of the cleanup was easy: find these files and the injector program, shred them, and delete all the image hijacks at the same time.
While searching for the files I found another symptom: the registry had been modified so that hidden files could not be shown, and the "show all files" option would not switch on. Not a big problem either, just change the registry back, as follows:
--------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
------------------------------------------------------------------------------------------------------------
Import the above into the registry and that is done. After finishing, I found the injected program sitting in the root directory of every partition, together with an autorun.inf file. Truly nasty, in other words even reinstalling the system would not have solved the problem!
At this point the problem could be said to be fully identified; the last things to do were to shred all the virus files, prevent them from regenerating, and then repair Safe Mode.
Three hours later, I finally saw daylight again!

Too technical, I can't follow it!!! What virus is this? Can mainstream anti-virus like KV or Kaspersky not kill it? You said at the start that you found a virus and didn't pay attention, did you get infected just like that? Is this the one called AV-something?

Probably. I got hit last Friday, and today I thought I'd write it up as a memo~~ Right after posting, I saw QQ pop up this message:
[url]http://tech.qq.com/a/20070613/000094.htm?qq=0&ADUIN=82792827&ADSESSION=1181696877&ADTAG=CLIENT.QQ.1631_SvrPush_Url.0[/url]
Feels like this is the virus!

If KV supports custom definitions, I suggest defining autorun.inf as a malicious file :)

[quote]Original post by [i]fishyxq[/i] on 2007-6-13 12:22 [url=http://www.netexpert.cn/redirect.php?goto=findpost&pid=97683&ptid=15971][img]http://www.netexpert.cn/images/common/back.gif[/img][/url]
If KV supports custom definitions, I suggest defining autorun.inf as a malicious file :) [/quote]
Brother fishyxq makes a very good point, doing it right now~~ :)

Good post, bump!

icesword
What did the OP use to kill this file, 8337efe5.dll?

[quote]Original post by [i]pjlcc1234[/i] on 2007-6-14 16:00 [url=http://www.netexpert.cn/redirect.php?goto=findpost&pid=97893&ptid=15971][img]http://www.netexpert.cn/images/common/back.gif[/img][/url]
icesword
What did the OP use to kill this file, 8337efe5.dll? [/quote]
360kill ~

Upload that virus of yours and let me take a look.

Feels like this is the virus! :loveliness: :loveliness:

Learning the method and the line of thinking..
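The Autoruns report in the opening post shows the two persistence points of this infection: a hundred "Image File Execution Options" entries whose Debugger value points every anti-virus and forensic tool at one 8337efe5.dat file, and a ShellExecuteHooks entry loading 8337efe5.dll into explorer.exe. The following Python script is an added example, not code from the thread or from Autoruns: it parses a constructed, tab-separated simplification of such a report (location, entry, image path), flags a Debugger image that is shared by many programs or is not even an executable, and lists every ShellExecuteHooks entry other than the one Windows XP ships with (the URL Exec Hook CLSID pointing at shell32.dll). The notepad.exe -> ntsd.exe row is constructed to show what a legitimate developer Debugger value looks like.

```python
"""Triage Image File Execution Options (IFEO) "Debugger" entries and
ShellExecuteHooks from an Autoruns-style export.

Added example, not code from the original thread.  The line format parsed here
(location <TAB> entry <TAB> image path) is a constructed simplification of the
thread's report, not Autoruns' own CSV layout.
"""
from collections import defaultdict

# The one ShellExecuteHooks entry Windows XP ships with (the URL Exec Hook):
# CLSID -> shell32.dll.  Anything else under that key deserves a look.
BENIGN_SHELL_HOOK = ("{aeb6717e-7e19-11d0-97ee-00c04fd91972}", "shell32.dll")

# Constructed sample modelled on the thread's report: five AV/forensic tools
# redirected to one .dat file, plus one benign developer-style entry
# (notepad.exe -> ntsd.exe) to show what a legitimate Debugger value looks like.
SAMPLE_EXPORT = """\
IFEO\t360Safe.exe\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dat
IFEO\tautoruns.exe\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dat
IFEO\tIceSword.exe\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dat
IFEO\tHijackThis.exe\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dat
IFEO\tKVSrvXP.exe\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dat
IFEO\tnotepad.exe\tc:\\windows\\system32\\ntsd.exe
ShellExecuteHooks\t{AEB6717E-7E19-11d0-97EE-00C04FD91972}\tc:\\windows\\system32\\shell32.dll
ShellExecuteHooks\t8337efe5.dll\tc:\\program files\\common files\\microsoft shared\\msinfo\\8337efe5.dll
"""


def _basename(path):
    """Last path component, accepting Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_export(text):
    """Return [(location, entry, image_path), ...] from the tab-separated export."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            location, entry, image = line.split("\t")
            rows.append((location, entry, image))
    return rows


def triage_ifeo(rows, shared_threshold=3):
    """Flag IFEO Debugger values that look like an AV-killer rather than a debugger.

    A Debugger value makes Windows start <image> instead of <entry>.  One image
    attached to many unrelated programs, or an image that is not even an
    executable, is the pattern seen in the thread (100 tools -> one .dat file).
    """
    by_image = defaultdict(list)
    for location, entry, image in rows:
        if location == "IFEO":
            by_image[image.lower()].append(entry)

    findings = []
    for image, targets in by_image.items():
        reasons = []
        if len(targets) >= shared_threshold:
            reasons.append(f"one debugger attached to {len(targets)} programs")
        ext = _basename(image).rpartition(".")[2]
        if ext not in ("exe", "com"):
            reasons.append(f"debugger has non-executable extension .{ext}")
        if reasons:
            findings.append({"image": image, "targets": sorted(targets), "reasons": reasons})
    return findings


def triage_shell_hooks(rows):
    """Return every ShellExecuteHooks entry other than the stock shell32 hook."""
    suspicious = []
    for location, entry, image in rows:
        if location != "ShellExecuteHooks":
            continue
        if (entry.lower(), _basename(image).lower()) == BENIGN_SHELL_HOOK:
            continue
        suspicious.append((entry, image))
    return suspicious


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for f in triage_ifeo(rows):
        print(f"IFEO debugger {f['image']}: {'; '.join(f['reasons'])}")
        print("  hijacked programs:", ", ".join(f["targets"]))
    for entry, image in triage_shell_hooks(rows):
        print(f"ShellExecuteHook {entry} -> {image}")
```

The two heuristics are deliberately independent: the shared-debugger count catches this thread's pattern even if the payload had used a normal .exe name, and the extension check catches a single hijacked program as long as the payload keeps a non-executable name. Run against a real Autoruns export, the location column would need to be mapped from the key path; the logic stays the same.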
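The .reg file in the opening post restores the Explorer SHOWALL key so that "Show hidden files and folders" works again. The following Python script is an added example, not code from the thread: it parses the "Windows Registry Editor Version 5.00" text format, compares the SHOWALL key in an exported .reg against the values the thread's fix writes, and regenerates that fix from the expected values. The tampered export embedded below is constructed to illustrate one way the option can be broken (CheckedValue set to 0, so selecting the radio button writes 0 into Hidden and changes nothing); the thread does not say which value this particular virus altered.

```python
"""Verify (and regenerate) the Explorer SHOWALL registry entry from a .reg export.

Added example, not code from the original thread.  It parses the
"Windows Registry Editor Version 5.00" text format and compares the SHOWALL key
against the values the thread's fix restores; the tampered sample below is
constructed to illustrate one way the option can be broken (CheckedValue = 0).
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Values of a healthy SHOWALL key (the same ones the thread's .reg file writes).
EXPECTED_SHOWALL = {
    "RegPath": r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
    "Text": "@shell32.dll,-30500",
    "Type": "radio",
    "CheckedValue": 1,
    "ValueName": "Hidden",
    "DefaultValue": 2,
    "HKeyRoot": 0x80000001,
    "HelpID": "shell.hlp#51105",
}

# Constructed export of a tampered key: CheckedValue is 0, so choosing
# "Show hidden files" writes 0 into Hidden and the setting never takes effect.
TAMPERED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000000
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2):, "-" deletions: kept verbatim


def parse_reg(text):
    """Parse a version 5.00 .reg export into {key_path: {value_name: value}}."""
    lines = text.lstrip().splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("not a version 5.00 .reg export")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys


def check_showall(keys):
    """Return [(value_name, expected, actual), ...] for every mismatch."""
    actual = keys.get(SHOWALL_KEY, {})
    return [(name, want, actual.get(name))
            for name, want in EXPECTED_SHOWALL.items() if actual.get(name) != want]


def render_showall_fix():
    """Emit a .reg file that restores SHOWALL, equivalent to the thread's fix."""
    def enc(v):
        if isinstance(v, int):
            return f"dword:{v:08x}"
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    lines = [REG_HEADER, "", f"[{SHOWALL_KEY}]"]
    lines += [f'"{n}"={enc(v)}' for n, v in EXPECTED_SHOWALL.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, want, got in check_showall(parse_reg(TAMPERED_REG)):
        print(f"SHOWALL\\{name}: expected {want!r}, found {got!r}")
    print(render_showall_fix())
```

The comparison is typed, so a value rewritten as a string ("CheckedValue"="1") is reported as a mismatch just like a wrong number; both variants leave the Folder Options radio button dead. Exporting the key with `reg export` before and after cleanup and running it through check_showall() gives a quick confirmation that the repair actually took.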
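The opening post found the dropper in the root of every partition next to an autorun.inf, and fishyxq's reply suggests treating autorun.inf itself as malicious. The following Python script is an added example, not code from the thread: it parses autorun.inf (INI syntax, case-insensitive keys, tolerant of the junk lines real samples carry) and extracts every directive that makes Explorer execute something (open=, shellexecute=, and shell\<verb>\command=), which is what a defender wants to see from a file sitting in the root of a fixed disk. Both autorun.inf texts are constructed; the dropper file name is a placeholder, since the thread does not name it.

```python
"""Extract launch directives from an autorun.inf, as a drive-root check.

Added example, not code from the original thread.  Both samples below are
constructed: the first mimics the kind of file the thread found at the root of
every partition (DROPPER_PLACEHOLDER.exe stands in for the unnamed dropper), the
second is a harmless CD-style file that only sets a label and an icon.
"""

# Constructed: what an AutoRun-spreading dropper typically leaves in a drive root.
# Mixed case, a comment line and a junk line are deliberate; real samples are
# rarely tidy and a parser has to tolerate them.
SUSPECT_INF = """\
[AutoRun]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
OPEN=DROPPER_PLACEHOLDER.exe
junkline without an equals sign
shell\\open=Open(&O)
shell\\open\\Command=DROPPER_PLACEHOLDER.exe
shell\\explore\\Command=DROPPER_PLACEHOLDER.exe
ShellExecute=DROPPER_PLACEHOLDER.exe
shell=open
"""

# Constructed: a benign autorun.inf, the kind shipped on product CDs.
BENIGN_INF = """\
[autorun]
label=Product Disc
icon=setup.exe,0
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf into {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # tolerate padding and junk lines
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections):
    """Every directive that makes Explorer execute something:
    open=, shellexecute=, and shell\\<verb>\\command=."""
    auto = sections.get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def hijacked_verbs(sections):
    """Context-menu verbs whose command is overridden (e.g. both 'open' and
    'explore', so double-click and right-click > Explore run the payload)."""
    return sorted(k.split("\\")[1] for k, _ in launch_directives(sections)
                  if k.startswith("shell\\"))


def assess_drive_root(text):
    """For an autorun.inf found in the root of a fixed disk: any launch directive
    is a red flag, since a hard-disk partition has no reason to auto-run anything."""
    sections = parse_autorun_inf(text)
    launch = launch_directives(sections)
    return {"launch": launch, "verbs": hijacked_verbs(sections), "suspicious": bool(launch)}


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        result = assess_drive_root(text)
        print(f"{name}: suspicious={result['suspicious']} verbs={result['verbs']}")
        for key, value in result["launch"]:
            print(f"  {key} = {value}")
```

Beyond detection, the control that removes this whole class of spread on a Windows machine is disabling AutoRun for all drive types through the NoDriveTypeAutoRun policy value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF), so an autorun.inf in a drive root is never acted on; the parser above then serves to confirm whether a leftover file was a launcher or just a label.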