Views: 3341 | Replies: 12

[Original Technical Post] [凝逸反毒 (Ningyi Anti-Virus)] Black Hole Engine [Devour] 5

qqq000@qq.com
Posted 2007-7-20 11:50:00
-----
Give it a try: the [Black Hole] engine of [凝逸反毒],
    (Add the trojan files and registry values to [Custom Devour] and they can be deleted)
    1. Black Hole devours every startup-type virus
    2. Devours: AV终结者 (AV Terminator), 帕虫, random 7/8-character viruses, USB-drive viruses, QQ尾巴 (QQ Tail),
    3. Locks the time; shows files
Method:  1. Click [Black Hole]
         2. After a forced shutdown, reboot and click [Black Hole] once more
         3. Then use antivirus software to scan out the virus
[Custom Devour]
      Deletes the files and registry directories of hard-to-remove trojans

[凝逸实验室 (Ningyi Lab)] - [凝逸反毒]
QQ: 503165656
Homepage: http://hi.baidu.com/503165656
Download: http://groups.google.com/group/503165656/web/nyfd.zip

If it can't kill something, send the sample to: 503165656@qq.com
Documentation for the [Black Hole] engine's [Custom Devour]:
http://hi.baidu.com/503165656/blog/item/1420ebfc5637acfffd037f4a.html


    (Add the trojan files and registry values to [Custom Devour] and they can be deleted)
========Trojans============
C:\DOCUME~1\fu\LOCALS~1\Temp\mhso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\woso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\ztso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\jtso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\wlso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\wgso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\wmso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\fyso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\qjso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\rxso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\wdso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\tlso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\daso.exe
C:\DOCUME~1\fu\LOCALS~1\Temp\zxso.exe
D:\PROGRA~1\StormII\StormSet.dll
C:\WINDOWS\system32\RavExt.dll
%systemroot%\system32\shmgrate.exe
%SystemRoot%\system32\themeui.dll
%ProgramFiles%\Outlook Express\setup50.exe
C:\WINDOWS\INF\msnetmtg.inf
advpack.dll
C:\WINDOWS\INF\msmsgs.inf
advpack.dll
C:\WINDOWS\INF\wmp.inf
===Registry===
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32CD708B-60A7-4C00-9377-D73EAA495F0F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
SOFTWARE(HidServ)
==================================
==================Possible====
C:\Program Files\Common Files\Real\Update_OB\realsched.exe  
G:\Program Files\Rising\AntiSpyware\runiep.exe
G:\Program Files\Rising\AntiSpyware\RunOnce.exe
==================================

====Original Log=======
Startup Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<BigDogPath><C:\WINDOWS\VM_STI.EXE USB PC Camera 301P> [N/A]
<RfwMain><"D:\Program Files\Rising\Rfw\rfwmain.exe" -Startup> [Beijing Rising Technology Co., Ltd.]
<Storm2Set><C:\WINDOWS\system32\rundll32.exe "D:\PROGRA~1\StormII\StormSet.dll",CheckEnv> [(Verified)Beijing Baofeng Inc.]
<thunder_mini><D:\Program Files\Maxthon\Thundermini\ThunderMini.exe> [深圳市三代科技开发有限公司]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [(Verified)"RealNetworks, Inc."]
<runeip><"G:\Program Files\Rising\AntiSpyware\runiep.exe" /startup> [Beijing Rising Technology Co., Ltd.]
<mhsa><C:\DOCUME~1\fu\LOCALS~1\Temp\mhso.exe> [N/A]
<wosa><C:\DOCUME~1\fu\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\fu\LOCALS~1\Temp\ztso.exe> [N/A]
<jtsa><C:\DOCUME~1\fu\LOCALS~1\Temp\jtso.exe> [N/A]
<wlsa><C:\DOCUME~1\fu\LOCALS~1\Temp\wlso.exe> [N/A]
<wgsa><C:\DOCUME~1\fu\LOCALS~1\Temp\wgso.exe> [N/A]
<wmsa><C:\DOCUME~1\fu\LOCALS~1\Temp\wmso.exe> [N/A]
<fysa><C:\DOCUME~1\fu\LOCALS~1\Temp\fyso.exe> [N/A]
<qjsa><C:\DOCUME~1\fu\LOCALS~1\Temp\qjso.exe> [N/A]
<rxsa><C:\DOCUME~1\fu\LOCALS~1\Temp\rxso.exe> [N/A]
<wdsa><C:\DOCUME~1\fu\LOCALS~1\Temp\wdso.exe> [N/A]
<tlsa><C:\DOCUME~1\fu\LOCALS~1\Temp\tlso.exe> [N/A]
<dasa><C:\DOCUME~1\fu\LOCALS~1\Temp\daso.exe> [N/A]
<zxsa><C:\DOCUME~1\fu\LOCALS~1\Temp\zxso.exe> [N/A]
<RavTask><"D:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<KKDelay><G:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
==================================
Startup Folder
N/A
==================================
Services
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
<d:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
<d:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"D:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"D:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
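The startup listing above (key headers in `[HKEY_...]` form, then one `<name><command> [publisher]` line per value) can be triaged before anything is copied into [Custom Devour]. The Python below is an added example, not code from this post or from the 凝逸反毒 tool: it parses that listing, scores each entry with defender-side heuristics (image under a Temp directory, no publisher information, with files in Windows or Program Files locations downgraded so that the Active Setup and IME components in the log are not swept up together with the Temp-directory executables), and emits the `"name"=-` .reg lines that remove only the high-severity Run values. The sample log is a subset of lines taken from the post; the severity thresholds and directory patterns are my assumptions.

```python
"""Triage of a startup-item listing in the format shown in the post above.

Added example, not part of the original post or of the 凝逸反毒 tool. The
heuristics and directory patterns are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# '[HKEY_...]' header lines introduce the key the following values live under.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# '<name><command> [publisher]' lines; the command is greedy so it may contain '>'.
ENTRY_RE = re.compile(r"^<([^>]*)><(.*)> \[([^\]]*)\]\s*$")
# Per-user temp locations, in long or 8.3 (DOCUME~1\...\LOCALS~1\Temp) form.
TEMP_RE = re.compile(r"(\\temp\\|%temp%|locals~1\\temp)", re.IGNORECASE)
# Windows / Program Files locations: an unsigned file here still deserves a hash
# check, but is far more often a legitimate component than a random Temp file.
SYSTEM_DIR_RE = re.compile(
    r"^(%systemroot%|%programfiles%|[a-z]:\\windows\\|[a-z]:\\program files\\|[a-z]:\\progra~1\\)",
    re.IGNORECASE,
)


@dataclass
class Entry:
    key: str
    name: str
    command: str
    publisher: str


def parse_log(text):
    """Turn the listing into Entry objects; values before any key header are ignored."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append(Entry(key, *m.groups()))
    return entries


def image_path(command):
    """First token of the command line: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def score(entry):
    """Return (severity, reasons); severity None means there is nothing to report."""
    if not entry.command:              # e.g. '<load><> [N/A]': empty value, nothing runs
        return None, []
    severity, reasons = None, []
    if TEMP_RE.search(entry.command):
        reasons.append("runs from a Temp directory")
        severity = "high"
    if entry.publisher == "N/A":
        if SYSTEM_DIR_RE.match(image_path(entry.command)):
            reasons.append("no publisher info, but located in a system directory (verify the file hash before removing)")
            severity = severity or "low"
        else:
            reasons.append("no publisher info")
            severity = severity or "medium"
    return severity, reasons


def triage(entries):
    """List of (entry, severity, reasons) for every entry that scored."""
    findings = []
    for e in entries:
        severity, reasons = score(e)
        if severity:
            findings.append((e, severity, reasons))
    return findings


def reg_deletion(findings, min_severity="high"):
    """Build a .reg script; '"name"=-' under a key deletes that single value."""
    order = {"low": 0, "medium": 1, "high": 2}
    by_key = {}
    for e, sev, _ in findings:
        if order[sev] >= order[min_severity]:
            by_key.setdefault(e.key, []).append(e.name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


# Sample input: a subset of the lines from the post's startup log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<BigDogPath><C:\WINDOWS\VM_STI.EXE USB PC Camera 301P> [N/A]
<Storm2Set><C:\WINDOWS\system32\rundll32.exe "D:\PROGRA~1\StormII\StormSet.dll",CheckEnv> [(Verified)Beijing Baofeng Inc.]
<mhsa><C:\DOCUME~1\fu\LOCALS~1\Temp\mhso.exe> [N/A]
<wosa><C:\DOCUME~1\fu\LOCALS~1\Temp\woso.exe> [N/A]
<RavTask><"D:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
"""

ENTRIES = parse_log(SAMPLE_LOG)
FINDINGS = triage(ENTRIES)

if __name__ == "__main__":
    for e, sev, reasons in FINDINGS:
        print(f"[{sev}] {e.name}: {e.command}  <- {'; '.join(reasons)}")
    print(reg_deletion(FINDINGS))
```

Run as a script it prints the two Temp-directory Run values as high, the unsigned camera driver and the Active Setup stub as low, and a .reg fragment that deletes only `mhsa` and `wosa`; the low findings are left for a hash check rather than deleted, which is the step the post's [Custom Devour] list skips.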
ykz1991
Posted 2007-7-20 11:55:12
Black Hole devours viruses
Nice name
qqq000@qq.com (OP)
Posted 2007-7-20 12:04:26
................

Rating: cbz107, Experience -2. Reason: pure-emoticon and pure-punctuation replies are also against the rules.

walkingmu
Posted 2007-7-20 12:09:09
Black Hole seems to just be a remote-control program
jpzy
Posted 2007-7-20 12:44:22
Quoting qqq000@qq.com, posted 2007-7-20 12:04:
................

OP, please try not to post pure emoticons~~~~
qqq000@qq.com (OP)
Posted 2007-7-20 17:26:32
Who says so? The "................" I posted is n periods.
cbz107
Posted 2007-7-20 17:36:51
Quoting qqq000@qq.com, posted 2007-7-20 17:26:
Who says so? The "................" I posted is n periods.

Pure emoticons and pure punctuation are also against the rules
tracydk
Posted 2007-7-20 19:28:51
Ugh, here comes the snake-oil peddling again
天涯海客
Posted 2007-7-20 22:21:13
????? I don't quite get it
qqq000@qq.com (OP)
Posted 2007-7-21 07:07:39
Quoting tracydk, posted 2007-7-20 06:28:
Ugh, here comes the snake-oil peddling again

Go make a miracle pill yourself, then.
Right now on the 易语言 (Easy Language) BBS there is a craze for writing antivirus software;
杀客 got sold,
and several people have started writing AV software.
Copyright © KaFan  KaFan.cn All Rights Reserved.