[凝逸反毒]黑洞引擎的[自定吞噬]处理示范2

qqq000@qq.com

[凝逸反毒]黑洞引擎的[自定吞噬]处理示范2



=====木马=========
启动文件夹
logonui.exe
C:\WINDOWS\system32\klogon.dl
%systemroot%\system32\shmgrate.exe
%SystemRoot%\system32\themeui.dll
advpack.dll
C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Adobe Reader Speed Launch.lnk
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Microsoft Office.lnk
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE
C:\Documents and Settings\rh\「开始」菜单\程序\启动\QQ游戏启动加速程序.lnk
%SystemRoot%\System32\hidserv.dll
====注册表值==
(HidServ)
(SoundMAX Agent Service (default))
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]





===========================================

试下:[凝逸反毒]的[黑洞]引擎,
    (把木马与注册表值加入【自定吞噬】,就能删除)
    1.黑洞吞噬一切启动型病毒
    2.吞噬:av终结者.帕虫.随机7/8位病毒,U盘病毒,QQ尾巴,
    3.锁定时间.显示文件
方法:  1.点【黑洞】
       2.强行关机后,重开机在点次【黑洞】
       3.在用杀软扫除病毒
【自定吞噬】
      删除难清除木马的文件与注册表目录

【凝逸实验室】-[凝逸反毒]
QQ:503165656
主页:http://hi.baidu.com/503165656
下载:http://groups.google.com/group/503165656/web/nyfd.zip

杀不了,样本发到:503165656@qq.com
[黑洞]引擎的【自定吞噬】说明
http://hi.baidu.com/503165656/blog/item/1420ebfc5637acfffd037f4a.html



=============

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<WebThunder><; C:\Program Files\Thunder Network\WebThunder\WebThunder.exe> [(Verified)ShenZhen Thunder Networking Technologies Ltd.]
<racer><C:\Program Files\racer-han-cnc\racer.exe> [Putian Runway]
<Google IME Autoupdater><"d:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"> [(Verified)Google Inc]
<WangWang><; "D:\Program Files\WangWang\WangWang.EXE"> [阿里巴巴软件(上海)有限公司]
<AVP><"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
<Look 'n' Stop><"d:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto> [Soft4Ever]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> []
==================================
启动文件夹
[Adobe Gamma Loader]
<C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>
[Adobe Reader Speed Launch]
<C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
[Microsoft Office]
<C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
[河南网通宽带用户客户端]
<C:\Documents and Settings\All Users.WINDOWS\「开始」菜单\程序\启动\河南网通宽带用户客户端.lnk --> C:\Program Files\racer-henan-cnc\racer.exe [N/A]><N>
[QQ游戏启动加速程序]
<C:\Documents and Settings\rh\「开始」菜单\程序\启动\QQ游戏启动加速程序.lnk --> C:\PROGRA~1\Tencent\QQGame\Accel.exe [深圳市腾讯计算机系统有限公司]><N>
==================================
服务
[卡巴斯基反病毒6.0 / AVP][Running/Auto Start]
<"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[ewido anti-spyware 4.0 guard / ewido anti-spyware 4.0 guard][Running/Auto Start]
<d:\Program Files\ewido anti-spyware 4.0\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Running/Auto Start]
<C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>

jpzy

怎么看起来这几个帖子都差不多啊！
LZ，再发这样的帖子，版主会当作广告处理的！！

qqq000@qq.com

差不多?
是 在卡卡今天的中毒贴,每个毒不同的,

jpzy

其实你只要发一个帖子，把问题说的清楚明白，把功能解释的清楚就行了！！

出了一个问题你发一个，一堆注册表键值，你觉得会有多少人有兴趣慢慢看呢？

说不清楚，又重复的发，不知道你想干嘛！！！

qqq000@qq.com

原帖由 jpzy 于 2007-7-20 04:37 发表
其实你只要发一个帖子，把问题说的清楚明白，把功能解释的清楚就行了！！

出了一个问题你发一个，一堆注册表键值，你觉得会有多少人有兴趣慢慢看呢？

说不清楚，又重复的发，不知道你想干嘛！！！

收到

卡江东N

LZ的人品.....

微点卫士

虽然界面很丑，但是我已经审美疲劳了

随风轻荡

一堆数字加字母……根本看不下去……