File: wocfiba.exe  Size: 23423 bytes  MD5: 641D43F5867468DA002E3C579D7350E3  SHA1: 8D9FA956A48BBA1FA0AAD6DB1614A64057464D73  CRC32: 7BB4639B  Packer: NSPack

Main characteristics of the virus:
1. Disables Safe Mode
2. Blocks the display of hidden files
3. IFEO image hijacking
4. Downloads trojans
5. Changes the system time (to 1980)
6. Spreads via USB drives
7. Disables common antivirus software and security tools

After it runs, it creates the following files in the system folder:
C:\WINDOWS\system32\wocfiba.exe
C:\WINDOWS\system32\gnkjkrl.exe (random 7-letter name)
C:\WINDOWS\system32\meex.com

It attempts to monitor and terminate the following processes:
Ras.exe avp.com avp.exe runiep.exe PFW.exe FYFireWall.exe rfwmain.exe rfwsrv.exe KAVPF.exe KPFW32.exe
nod32kui.exe nod32.exe Navapsvc.exe Navapw32.exe avconsol.exe webscanx.exe NPFMntor.exe vsstat.exe KPfwSvc.exe
RavTask.exe Rav.exe RavMon.exe mmsk.exe WoptiClean.exe QQKav.exe QQDoctor.exe EGHOST.exe 360Safe.exe iparmo.exe
adam.exe IceSword.exe 360rpt.exe AgentSvr.exe AppSvc32.exe autoruns.exe avgrssvc.exe AvMonitor.exe CCenter.exe
ccSvcHst.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR
KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KMailMon.exe KMFilter.exe
KPFW32X.exe KPFWSvc.exe KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp
KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe
KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe mmqczj.exe
nod32krn.exe PFWLiveUpdate.exe QHSET.exe RavMonD.exe RavStub.exe RegClean.exe rfwcfg.exe RfwMain.exe Rsaupd.exe
safelive.exe scan32.exe shcfg32.exe Smartup.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe
Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe
UpLive.exe upiea.exe

Deletes the following keys, which disables Safe Mode:
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

Adds IFEO image hijack entries, one subkey per name, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for:
360rpt.exe 360Safe.exe 360tray.exe adam.exe AgentSvr.exe AppSvc32.exe autoruns.exe avconsol.exe avgrssvc.exe
AvMonitor.exe avp.com avp.exe CCenter.exe ccSvcHst.exe EGHOST.exe FileDsty.exe FTCleanerShell.exe FYFireWall.exe
HijackThis.exe IceSword.exe iparmo.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR KASMain.exe KASTask.exe
KAV32.exe KAVDX.exe KAVPF.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe
KPFW32.exe KPFW32X.exe KPfwSvc.exe KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe
KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe
kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe
mmqczj.exe mmsk.exe Navapsvc.exe Navapw32.exe nod32.exe nod32krn.exe nod32kui.exe NPFMntor.exe PFW.exe
PFWLiveUpdate.exe QHSET.exe QQDoctor.exe QQKav.exe Ras.exe Rav.exe RavMon.exe RavMonD.exe RavStub.exe
RavTask.exe RegClean.exe rfwcfg.exe rfwmain.exe rfwsrv.exe RsAgent.exe Rsaupd.exe runiep.exe safelive.exe
scan32.exe shcfg32.exe SmartUp.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe Trojanwall.exe
TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe upiea.exe UpLive.exe
vsstat.exe webscanx.exe WoptiClean.exe

Sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000, which blocks the display of hidden files.

Creates startup entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for C:\WINDOWS\system32\wocfiba.exe and C:\WINDOWS\system32\gnkjkrl.exe.

Changes the system time to 15 November 1980, 6:14.

Sets the following values to 0x00000004, which disables the Help and Support, Automatic Updates and Security Center services:
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start
HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\helpsvc\Start

Renames C:\WINDOWS\system32\verclsid.exe to verclsid.exe.bak and then deletes C:\WINDOWS\system32\verclsid.exe.

Drops an autorun.inf and an exe with a random 7-letter name on every partition other than the system partition; the right-click menu of the drive shows no change.
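As an added example that is not part of the original write-up, the following read-only PowerShell audit checks a host for the indicators listed above: IFEO Debugger values, the missing SafeBoot class key, SHOWALL\CheckedValue, the Start value of the three services, Run entries pointing at a 7-letter system32 executable or meex.com, the renamed verclsid.exe, autorun.inf on non-system drives, and 1980-dated files in system32 (the sorting trick from the removal steps, automated). The GUID, paths, value names and service names are the page's; the regular expression for the random file name and the decision to report every Debugger value are assumptions of mine. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example, not from the original post: read-only audit for the dropper's indicators.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. IFEO hijacks: the malware adds a Debugger value per security tool, so every
#    subkey carrying one is reported for review (assumption: no legitimate debugger deployed).
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO hijack: $($_.PSChildName) -> $dbg" }
}

# 2. Safe Mode: the class key the dropper deletes must exist under Minimal and Network.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set\$guid"
    if (-not (Test-Path $key)) { $findings += "SafeBoot key missing: $key" }
}

# 3. Hidden-file display: CheckedValue is normally 1, the dropper sets it to 0.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty $showall -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) { $findings += "SHOWALL\CheckedValue is '$cv' (expected 1)" }

# 4. Services the dropper disables (Start = 4).
foreach ($svc in 'wscsvc', 'wuauserv', 'helpsvc') {
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc is disabled (Start=4)" }
}

# 5. Run entries pointing at a random 7-letter exe or meex.com in system32 (regex is an assumption).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty $run -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        if ("$($_.Value)" -match '(?i)\\system32\\([a-z]{7}\.exe|meex\.com)$') {
            $findings += "Run entry $($_.Name) -> $($_.Value)"
        }
    }
}

# 6. verclsid.exe renamed away.
$sys32 = Join-Path $env:SystemRoot 'system32'
if (-not (Test-Path (Join-Path $sys32 'verclsid.exe'))) { $findings += 'verclsid.exe missing from system32' }
if (Test-Path (Join-Path $sys32 'verclsid.exe.bak')) { $findings += 'verclsid.exe.bak present in system32' }

# 7. autorun.inf on every drive other than the system drive.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "$env:SystemDrive\" } | ForEach-Object {
    $ar = Join-Path $_.Root 'autorun.inf'
    if (Test-Path $ar) { $findings += "autorun.inf on $($_.Root)" }
}

# 8. Files in system32 whose creation time is 1980 (the dropper sets the clock to 1980 before writing).
Get-ChildItem $sys32 -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime.Year -eq 1980 } |
    ForEach-Object { $findings += "1980-dated file: $($_.FullName) ($($_.Length) bytes)" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Because some variants do not touch the clock, check 8 is only a hint; checks 1 to 4 are the ones that reliably survive between variants, since the dropper needs them to keep security tools and Safe Mode out of the way.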
Trojan download behaviour:

One of the random 7-letter exes connects to 211.141.119.84:80 and downloads the trojans
http://xz.xxxx9999.info/1.exe
http://xz.xxxx9999.info/2.exe
http://xz.xxxx9999.info/3.exe
http://xz.xxxx9999.info/4.exe
http://xz.xxxx9999.info/5.exe
http://xz.xxxx9999.info/6.exe
http://xz.xxxx9999.info/7.exe
http://xz.xxxx9999.info/8.exe
http://xz.xxxx9999.info/9.exe
http://xz.xxxx9999.info/10.exe
into C:\WINDOWS\system32, naming them 11.exe through 1010.exe.

The other random 7-letter exe connects to 59.54.54.96:80, downloads http://qq.xxxsf.org/yj/yjkh.txt and reads its contents.
Based on those contents it then downloads http://www.xxx0w.cn/xzz/0602.exe into C:\WINDOWS\system32.
0602.exe is itself a trojan downloader; it drives IE to download
http://www.xxx0w.cn/71/11.exe
http://www.xxx0w.cn/71/12.exe
http://www.xxx0w.cn/71/13.exe
http://www.xxx0w.cn/71/14.exe
http://www.xxx0w.cn/71/15.exe
http://www.xxx0w.cn/71/16.exe
http://www.xxx0w.cn/71/17.exe
http://www.xxx0w.cn/71/18.exe
http://www.xxx0w.cn/71/19.exe
http://www.xxx0w.cn/71/20.exe
into the temporary folder.

Once all the trojans have been installed, the following files have been added:
C:\WINDOWS\system32\15.dll
C:\WINDOWS\system32\20.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DLD.DAT
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\EBSPI.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\mosou.exe
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\MsAudio.sys
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\WINDOWS\system32\nwizzhuxians.exe
C:\WINDOWS\system32\RAVWM531.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\WSVBRS.dll
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\upxdnd.exe
Solution:

I. Clean up the main virus program

1. Download IceSword (available for download in the forum's 网友作品 section).
Unzip it, rename Icesword.exe to something else, then run it.
Click the File button at the bottom left, go to the C:\windows\system32 folder, sort the files by time and look for the files created in 1980 (or the most recently created files; some variants do not change the system time):
C:\WINDOWS\system32\<random 7 letters>.exe
C:\WINDOWS\system32\<random 7 letters>.exe (the two names differ)
C:\WINDOWS\system32\meex.com
All three files have the same size. Note their names.

2. Click the File menu of IceSword (top left), choose Settings, tick "Forbid process/thread creation" and click OK.

3. In the IceSword Processes window, terminate the two <random 7 letters>.exe processes you noted.

4. Use IceSword to delete C:\WINDOWS\system32\<random 7 letters>.exe, C:\WINDOWS\system32\<random 7 letters>.exe (the two names differ), C:\WINDOWS\system32\meex.com, and the <random 7 letters>.exe and autorun.inf on each of the other partitions.

5. Restore the system.

Restore the IFEO image hijack entries: here we use Autoruns, http://www.skycn.com/soft/17567.html. Because this tool is image-hijacked as well, rename it to anything you like first. Open it, go to the Image Hijacks tab and delete every entry except "Your Image File Name Here without a path / Symbolic Debugger for Windows 2000 / Microsoft Corporation / c:\windows\system32\ntsd.exe". SREng can now be opened.

Restore Safe Mode: open SREng, go to System Repair, Advanced Repair, click Repair Safe Mode, and click Yes in the dialog that appears.

Restore the display of hidden files: copy the following into Notepad and save it as 1.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
    "Text"="@shell32.dll,-30500"
    "Type"="radio"
    "CheckedValue"=dword:00000001
    "ValueName"="Hidden"
    "DefaultValue"=dword:00000002
    "HKeyRoot"=dword:80000001
    "HelpID"="shell.hlp#51105"

Double-click 1.reg to import the key.
II. Clean up the downloaded trojans (variants differ and the trojans at the download addresses are updated all the time, so your situation may not match my test; the trojans generated during my test are used here as the example)

The SREng log from my test was as follows:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<WSVBRS><C:\WINDOWS\WSVBRS.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<mppds><C:\WINDOWS\mppds.exe> []
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{C54C4AFB-8A2A-6C1E-BA41-C20F02940401}><C:\WINDOWS\system32\15.dll> []
<{C51C4AFB-8A3A-6C1E-BA41-C20F02940603}><C:\WINDOWS\system32\20.dll> []
[WinWMServiceNow / WinWMServiceNow][Stopped/Auto Start]
<C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RAVWM.EXE><N/A>

进程
[PID: 696][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\RAVWM531.dll] [N/A, ]
[PID: 1396][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\WSVBRS.dll] [N/A, ]
[C:\WINDOWS\system32\cmdbcs.dll] [N/A, ]
[C:\WINDOWS\system32\mppds.dll] [N/A, ]
[C:\WINDOWS\system32\upxdnd.dll] [N/A, ]
[C:\WINDOWS\system32\Kvsc3.dll] [N/A, ]
[C:\WINDOWS\system32\15.dll] [N/A, ]
[C:\WINDOWS\system32\20.dll] [N/A, ]

Winsock 提供者
EBSPI over MSAFD Tcpip [TCP/IP] C:\WINDOWS\system32\EBSPI.dll(, N/A)
EBSPI C:\WINDOWS\system32\EBSPI.dll(, N/A)

One of them has hooked itself into Winsock.

1. Clean up the startup items and services: open SREng, go to Startup Items, Registry, and delete the following entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<WSVBRS><C:\WINDOWS\WSVBRS.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<mppds><C:\WINDOWS\mppds.exe> []
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{C54C4AFB-8A2A-6C1E-BA41-C20F02940401}><C:\WINDOWS\system32\15.dll> []
<{C51C4AFB-8A3A-6C1E-BA41-C20F02940603}><C:\WINDOWS\system32\20.dll> []
[WinWMServiceNow / WinWMServiceNow][Stopped/Auto Start]
<C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RAVWM.EXE><N/A>

Under Startup Items - Services - Win32 Services, click "Hide certified Microsoft items", select the following item, click "Delete Service", then click "Settings" and click "No" in the dialog that appears:
WinWMServiceNow / WinWMServiceNow

System Repair - Advanced Repair - click Reset Winsock.

Restart the computer.

Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders" and clear the box in front of "Hide protected operating system files (Recommended)". Click Yes when asked to confirm the change, then OK. Rename C:\WINDOWS\system32\verclsid.exe.bak back to verclsid.exe.

Delete the following files:
C:\WINDOWS\system32\15.dll
C:\WINDOWS\system32\20.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DLD.DAT
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\EBSPI.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\mosou.exe
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\MsAudio.sys
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\WINDOWS\system32\nwizzhuxians.exe
C:\WINDOWS\system32\RAVWM531.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\WSVBRS.dll
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\upxdnd.exe
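As an added example that is not part of the original write-up, the steps of section II can be scripted for the exact names seen in the author's test. The PowerShell below removes the listed Run values, ShellExecuteHooks CLSIDs and the WinWMServiceNow service, re-enables the three services the dropper set to Start=4, restores SHOWALL\CheckedValue, renames verclsid.exe.bak back and deletes the listed files. The names, paths and CLSIDs are the page's; the default Start value of 2 (Automatic) for wscsvc, wuauserv and helpsvc is my assumption, and the $DryRun switch, the Act helper and the use of sc.exe delete are mine. It starts in dry-run mode and only prints what it would do; set $DryRun to $false in an elevated prompt, after the main program from section I is gone, to apply the changes.

```powershell
# Added example, not from the original post: scripted clean-up of the trojans from the author's test.
$DryRun = $true

# Print the intended action; perform it only when $DryRun is off.
function Act([string]$what, [scriptblock]$do) {
    if ($DryRun) { "[dry-run] $what" } else { $what; & $do }
}

# 1. Run values and ShellExecuteHooks installed by the downloaded trojans (names from the SREng log).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'WSVBRS', 'cmdbcs', 'mppds', 'upxdnd', 'Kvsc3') {
    if (Get-ItemProperty $run -Name $name -ErrorAction SilentlyContinue) {
        Act "remove Run value $name" { Remove-ItemProperty $run -Name $name }
    }
}
$seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
foreach ($clsid in '{C54C4AFB-8A2A-6C1E-BA41-C20F02940401}', '{C51C4AFB-8A3A-6C1E-BA41-C20F02940603}') {
    if (Get-ItemProperty $seh -Name $clsid -ErrorAction SilentlyContinue) {
        Act "remove ShellExecuteHook $clsid" { Remove-ItemProperty $seh -Name $clsid }
    }
}

# 2. The rogue service (RAVWM.EXE in the temp folder).
if (Get-Service WinWMServiceNow -ErrorAction SilentlyContinue) {
    Act 'stop and delete service WinWMServiceNow' {
        Stop-Service WinWMServiceNow -Force -ErrorAction SilentlyContinue
        & sc.exe delete WinWMServiceNow | Out-Null
    }
}

# 3. Re-enable the services the dropper disabled (Start 4 -> 2; 2 = Automatic is an assumed default).
foreach ($svc in 'wscsvc', 'wuauserv', 'helpsvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if ((Get-ItemProperty $key -ErrorAction SilentlyContinue).Start -eq 4) {
        Act "set $svc Start=2" { Set-ItemProperty $key -Name Start -Value 2 -Type DWord }
    }
}

# 4. Hidden-file display, the same value the 1.reg file in section I restores.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
Act 'set SHOWALL\CheckedValue=1' { Set-ItemProperty $showall -Name CheckedValue -Value 1 -Type DWord }

# 5. verclsid.exe was renamed to .bak by the dropper.
$sys32 = Join-Path $env:SystemRoot 'system32'
$bak = Join-Path $sys32 'verclsid.exe.bak'
if ((Test-Path $bak) -and -not (Test-Path (Join-Path $sys32 'verclsid.exe'))) {
    Act 'rename verclsid.exe.bak back to verclsid.exe' { Rename-Item $bak 'verclsid.exe' }
}

# 6. Dropped files from the author's test (other variants drop different names).
$files = @('15.dll', '20.dll', 'cmdbcs.dll', 'DLD.DAT', 'dllhost32.exe', 'EBSPI.dll', 'Kvsc3.dll',
           'mosou.exe', 'mppds.dll', 'MsAudio.sys', 'mydata.exe', 'nwizAsktao.exe', 'nwizqjsj.exe',
           'nwiztlbu.exe', 'nwizwmgjs.exe', 'nwizzhuxians.exe', 'RAVWM531.dll', 'upxdnd.dll',
           'WSVBRS.dll', 'ztinetzt.exe') | ForEach-Object { Join-Path $sys32 $_ }
$files += @('cmdbcs.exe', 'Kvsc3.exe', 'mppds.exe', 'upxdnd.exe') | ForEach-Object { Join-Path $env:SystemRoot $_ }
foreach ($f in $files) {
    if (Test-Path $f) { Act "delete $f" { Remove-Item $f -Force } }
}

'Remaining manual steps: reset Winsock (SREng, or netsh winsock reset) and reboot.'
```

The DLLs are loaded into lsass.exe and Explorer.EXE according to the log, so deleting them may fail until the processes are stopped or the machine is rebooted; the ShellExecuteHooks and Run entries are removed first so that nothing reloads them afterwards. The Winsock reset is left to SREng as the write-up describes, because the EBSPI layered provider must be removed from the catalog rather than just deleted from disk.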
Done.

Viruses of this kind have been rampant recently, with many variants, and the trojans they download are updated all the time. Antivirus software cannot keep up with the pace at which the trojans and viruses change, so everyone should take extra precautions, especially when plugging in removable storage: use a tool such as WinRAR to check whether files like autorun.inf are present.