Thread starter: deadend1984

[Virus Sample] A variant of oso.exe

nadia921923
Posted on 2007-3-15 21:02:31
Could someone check whether there are any viruses left in here?
Startup Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <e0><C:\WINDOWS\iexpl0ra.exe>  [N/A]
    <u><C:\WINDOWS\winlog0a.exe>  [N/A]
    <22x><C:\WINDOWS\Servera.exe>  [N/A]
    <v5sl><C:\WINDOWS\crasoa.exe>  [N/A]
    <d><C:\WINDOWS\rundl13a.exe>  [N/A]
    <wzfsxldmk><C:\WINDOWS\c0nima.exe>  [N/A]
    <g><C:\WINDOWS\servicea.exe>  [N/A]
    <ikwigi112><C:\WINDOWS\cftmoa.exe>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <run><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Corporation]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Corporation]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Corporation]
    <kis><"D:\Program Files\shadu\avp.exe">  [Kaspersky Lab]
    <!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized>  [Anti-Malware Development a.s.]
    <FYNEWS><C:\DOCUME~1\Admin\LOCALS~1\Temp\sl.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\System32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{A6011F8F-A7F8-49AA-9ADA-49127D43138F}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk>  [N/A]
    <{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys>  [N/A]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
    <WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll>  [Kaspersky Lab]
==================================
Startup Folder
N/A
==================================
Services
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
  <C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[卡巴斯基互联网安全套装 6.0 / AVP][Running/Auto Start]
  <"D:\Program Files\shadu\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
==================================
Drivers
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[AliIde / AliIde][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  <\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[CmdIde / CmdIde][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[C-Media PCI Audio Driver (WDM) / cmpci][Running/Manual Start]
  <system32\drivers\cmaudio.sys><C-Media Inc>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS][Stopped/Manual Start]
  <system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[kl1 / kl1][Running/Boot Start]
  <\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[MegaIDE / MegaIDE][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\MegaIDE.sys><LSI Logic Corporation.>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32\DRIVERS\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt][Stopped/Auto Start]
  <\??\D:\Program Files\qq2007\npkcrypt.sys><N/A>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[ViaIde / ViaIde][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
[100320012 / 100320012][Running/Manual Start]
  <2 - 系统找不到指定的文件。><N/A>
==================================
Browser Add-ons
[Web反病毒保护]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <D:\Program Files\shadu\scieplugin.dll, Kaspersky Lab>
[QQ]
  {c95fe080-8f5d-11d2-a20b-00aa003c157b} <, N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web 浏览器]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\KAV2007\Flash.OCX, N/A>
[上传到QQ网络硬盘]
  <, N/A>
[添加到QQ自定义面板]
  <, N/A>
[添加到QQ表情]
  <, N/A>
[用QQ彩信发送该图片]
  <, N/A>
==================================
Running Processes
[PID: 468][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 624][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 648][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\klogon.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 692][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 704][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 860][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 904][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 968][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\shadu\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 1080][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1212][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1376][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe]  [Anti-Malware Development a.s., 7, 5, 0, 47]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll]  [Anti-Malware Development a.s., 4, 2, 0, 15]
[PID: 1392][D:\Program Files\shadu\avp.exe]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\FSSync.dll]  [Kaspersky Lab, 6.0.5.0]
    [D:\Program Files\shadu\AVPGS.PPL]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
    [d:\program files\shadu\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\params.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\winreg.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\tm.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\nfio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\bl.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\wmihlpr.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ndetect.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\crpthlpr.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\schedule.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\timer.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\thpimpl.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\lic60.ppl]  [Kaspersky Lab, 6.0.0.306]
    [d:\program files\shadu\report.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\hashmd5.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avs.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avpmgr.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\wdiskio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avlib.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avspm.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avp3info.ppl]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\CKAHUM.dll]  [Kaspersky Lab, 6.0.0.1]
    [D:\Program Files\shadu\CKAHComm.dll]  [Kaspersky Lab, 6.0.0.1]
    [D:\Program Files\shadu\ckahrule.dll]  [Kaspersky Lab, 6.0.0.1]
    [d:\program files\shadu\pdm.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\antispam.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\og.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ahfw.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\oas.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\mc.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\httpscan.ppl]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\klaveng.dll]  [N/A, N/A]
    [d:\program files\shadu\sfdb.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\dtreg.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\prutil.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avp1.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\l_llio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\smtpprotocoller.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\procmon.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\httpanlz.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\sc.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\resip.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\pop3protocoller.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\aphish.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\trafficmonitor2.ppl]  [N/A, N/A]
    [d:\program files\shadu\maildisp.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\imapprotocoller.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\nntpprotocoller.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ichk2.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\icheckersa.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\hashcont.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\hccmp.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\iwgen.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ods.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\buffer.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\startupenum2.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\mdb.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\msoe.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\inifile.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ntfsstrm.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\btdisk.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\qb.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\uniarc.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\minizip.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\cab.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\arj.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\rar.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\lha.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\btimages.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\prseqio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\unlzx.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\mdmap.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\updater2005.ppl]  [Kaspersky Lab, 6.0.0.300]
    [d:\program files\shadu\productinfo.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\updater.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\diff.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\base64p.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\updateinfo.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\netsession.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\socket.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\httpsession.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\ntlm.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\updateobjectinfo.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\base64.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\updatecategory.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\updateinstaller.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\baseinstaller.ppl]  [Kaspersky Lab, 6.0.0.306]
    [d:\program files\shadu\execinstaller.ppl]  [Kaspersky Lab, 6.0.0.306]
[PID: 1692][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, N/A]
    [D:\Program Files\shadu\shellex.dll]  [Kaspersky Lab, 6.0.0.299]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll]  [Anti-Malware Development a.s., 7, 5, 0, 49]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [Anti-Malware Development a.s., 7, 5, 0, 47]
    [D:\Program Files\shadu\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
[PID: 1960][D:\Program Files\shadu\avp.exe]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\FSSync.dll]  [Kaspersky Lab, 6.0.5.0]
    [D:\Program Files\shadu\AVPGS.PPL]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
    [d:\program files\shadu\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\params.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\winreg.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\avpgui.ppl]  [Kaspersky Lab, 6.0.0.307]
    [D:\Program Files\shadu\basegui.dll]  [Kaspersky Lab, 6.0.0.307]
    [d:\program files\shadu\nfio.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\fsdrvplgn.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\thpimpl.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\qb.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\inflate.ppl]  [Kaspersky Lab, 6.0.0.16]
    [d:\program files\shadu\report.ppl]  [Kaspersky Lab, 6.0.0.299]
[PID: 1996][C:\DOCUME~1\Admin\LOCALS~1\Temp\sl.exe]  [N/A, N/A]
[PID: 2016][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2632][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3024][C:\WINDOWS\system32\taskmgr.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1444][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\shadu\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\scr_ch_pg.dll]  [Kaspersky Lab, 1.0.6.299]
    [D:\Program Files\shadu\klscav.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\pr_remote.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prloader.dll]  [Kaspersky Lab, 6.0.0.299]
    [D:\Program Files\shadu\prkernel.ppl]  [Kaspersky Lab, 6.0.0.304]
    [d:\program files\shadu\params.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\pxstub.ppl]  [Kaspersky Lab, 6.0.0.299]
    [d:\program files\shadu\tempfile.ppl]  [Kaspersky Lab, 6.0.0.299]
    [C:\WINDOWS\system32\msdmo.dll]  [N/A, N/A]
[PID: 604][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe]  [Anti-Malware Development a.s., 7, 5, 0, 50]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll]  [Anti-Malware Development a.s., 4, 2, 0, 15]
[PID: 1668][F:\234ng.EXE]  [Smallfrogs Studio, 2.3.13.690]
    [D:\Program Files\shadu\adialhk.dll]  [Kaspersky Lab, 6.0.0.299]
==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  Error. [winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Providers
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS File
127.0.0.1       localhost
==================================
API HOOK
Warning! System Repair Engineer notice: the following functions do not match their expected contents; they may have been modified by malicious software:
RVA error: LoadLibraryA
RVA error: LoadLibraryExA
RVA error: LoadLibraryExW
RVA error: LoadLibraryW
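The startup section of an SREng log like the one above can be triaged mechanically. As an added example (not from the post and not SREng's own code), this Python parses the `<name><command>  [signer]` layout and flags unsigned Run entries, autostarts from a Temp directory, unsigned binaries dropped directly under %WINDIR%, and Winlogon Shell/Userinit values that carry an extra command; the sample log is constructed from entries in the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the SREng "Startup Items" section
# (entries copied from the log posted above).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Corporation]
    <e0><C:\WINDOWS\iexpl0ra.exe>  [N/A]
    <u><C:\WINDOWS\winlog0a.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <kis><"D:\Program Files\shadu\avp.exe">  [Kaspersky Lab]
    <FYNEWS><C:\DOCUME~1\Admin\LOCALS~1\Temp\sl.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\System32\userinit.exe,>  [(Verified)Microsoft Corporation]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s+<([^>]*)><([^>]*)>\s+\[(.*)\]\s*$")

TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\locals~1\\")
WINDIR_EXE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe")   # exe directly in %WINDIR%
USERINIT = re.compile(r"[a-z]:\\windows\\system32\\userinit\.exe,?")  # the stock value


@dataclass
class Entry:
    key: str      # registry key the entry lives under
    name: str     # value name
    command: str  # command line / path
    signer: str   # SREng's signer column; "N/A" when unsigned or unknown


def parse_startup(log: str) -> list[Entry]:
    """Parse SREng startup-item lines into Entry records."""
    entries, key = [], None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, command, signer = m.groups()
            entries.append(Entry(key, name, command, signer))
    return entries


def reasons_for(e: Entry) -> list[str]:
    """Return why an entry deserves a look (empty list means nothing stands out)."""
    cmd = e.command.strip().strip('"').lower()
    unsigned = e.signer.strip().upper() == "N/A"
    out = []
    if unsigned and e.key.lower().endswith("\\run"):
        out.append("unsigned binary in a Run key")
    if unsigned and any(t in cmd for t in TEMP_MARKERS):
        out.append("autostart from a Temp directory")
    if unsigned and WINDIR_EXE.fullmatch(cmd):
        out.append("unsigned binary directly under %WINDIR%")
    if e.name.lower() == "shell" and cmd != "explorer.exe":
        out.append("Winlogon Shell launches more than Explorer.exe")
    if e.name.lower() == "userinit" and not USERINIT.fullmatch(cmd):
        out.append("Winlogon Userinit chained to an extra command")
    return out


def audit(log: str) -> dict[str, list[str]]:
    """Map value name -> reasons, for only the entries that need review."""
    findings = {}
    for e in parse_startup(log):
        reasons = reasons_for(e)
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```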
nadia921923
Posted on 2007-3-15 21:03:44
Comrades, please help me... thank you, thank you!
solcroft
Posted on 2007-3-15 21:17:41
The virus itself looks basically cleaned out.
Just some system settings and registry entries still need to be changed back or deleted.
nadia921923
Posted on 2007-3-16 08:24:03
How do I change them?
mistelote2
Posted on 2007-4-2 09:42:47
A removal guide for this virus that I found online:

Virus name: Worm.Pabug.ck

Size: 38,132 bytes
MD5: 2391109c40ccb0f982b86af86cfbc900
Packer: FSG 2.0
Language: Delphi

Propagation: via removable media or malicious web-page scripts

Based on running it in a virtual machine, combined with OllyDbg analysis after unpacking, its behaviour is as follows:

Files created:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X denotes a non-system drive letter.
%systemroot% is an environment variable; for a Windows XP installation on drive C it defaults to the C:\WINDOWS folder, and the analysis below assumes that.

Processes created:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe

Uses the net stop command to stop any antivirus services that may be present.

Calls sc.exe with
config [service name] start=disabled
to disable those services.

Services stopped and disabled include:
srservice
sharedaccess (this is the built-in Windows Firewall; author's note)
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter

While stopping the Rising services, since Rising pops up a prompt, the virus handles it as follows:
Uses FindWindowA to locate the window titled "瑞星提示" (Rising Prompt)
Uses FindWindowExA to find the "是(&Y)" (Yes) button inside it
Uses SendMessageA to send a message, equivalent to clicking that button


Blocks or terminates the following processes, including but not limited to:
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
EGHOST.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe

Creates noruns.reg, imports it into the registry, then deletes the file. Imported content:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
Changes the drives' autorun behaviour (this did not take effect in my virtual machine).

Modifies the registry to create startup entries (the items later visible in the SREng log):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\gfosdg.exe> [N/A]
<gfosdg><C:\WINDOWS\system32\severe.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe C:\WINDOWS\system32\drivers\conime.exe> [N/A]

To pre-empt Rising's registry-monitor prompt, the same trick again:
Uses FindWindowA to locate the window titled "瑞星注册表监控提示" (Rising Registry Monitor Prompt)
Uses mouse_event to drive the mouse and automatically choose to allow the modification.

Accesses the registry key
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
and its CheckedValue value,
breaking the "show hidden files" function (this did not take effect in my virtual machine, possibly because TINY or SSM blocked it by default).


However, after all this work to remove the antivirus software, the author apparently still did not feel safe, and finally brought out the "trump card":
under the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
it creates subkeys named after security software executables.

In each subkey it creates the value
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"
so that whenever one of these programs is double-clicked, the virus file mpnxyl.exe runs instead.
For example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"

These entries, and the programs "abused" by this technique, are clearly visible in the Autoruns log:
+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ avp.com c:\windows\system32\drivers\mpnxyl.exe
+ avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe

Deletes the Kaka Assistant DLL kakatool.dll (it really does; the result in the virtual machine and the program code corroborate each other).

To cut off the victim's "way out", it resorts to another dirty trick:
modifying the hosts file to block antivirus vendors' websites; the Kaka community "has the honour" of being among those blocked.
This is what SREng later showed, and the program code contains the corresponding content:


In addition:

Contents of hx1.bat:
@echo off
set date=2004-1-22
ping ** localhost > nul
date %date%
del %0

Changing the date? It did not take effect in the virtual machine, though.

Contents of autorun.inf:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe

If you hoped to tell from the right-click menu, unfortunately the context menu shows nothing abnormal at all; whether you double-click or right-click, the virus is triggered just the same!

TINY also logged that the virus stops the System Restore service and then restarts it. This will probably result in restore points being lost.

That concludes the behaviour analysis of this very nasty virus; the removal method follows (members who found the above dizzying can skip straight to it).


The removal method boils down to one phrase: "survive in the cracks".
IceSword.exe and SREng.exe are both blocked, but simply renaming the files lets them run as usual.
autoruns.exe is not on the blocked list.
The other blocked programs are unblocked step by step.

Detailed procedure:

Terminate the processes:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe
This virus was not found to disable Task Manager. Other tools such as procexp can also be used.

Use Autoruns to delete the following entries (Autoruns is recommended: it is not blocked and it shows everything at a glance; remember to tick Options - Hide Microsoft Entries first):
+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ avp.com c:\windows\system32\drivers\mpnxyl.exe
+ avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe

After this, programs including IceSword, SREng, Registry Editor and the System Configuration Utility are no longer blocked.

Delete or modify startup entries:
Using SREng as an example,
under "Startup Items" - "Registry", delete:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\gfosdg.exe> [N/A]
<gfosdg><C:\WINDOWS\system32\severe.exe> [N/A]

Double-click the following entry and delete everything after Explorer.exe in the "Value" field:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe C:\WINDOWS\system32\drivers\conime.exe> [N/A]

Delete files:
Since even opening a non-system drive via the right-click menu is dangerous, use another method; IceSword or WinRAR is recommended.
Delete:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf

System repair and cleanup:

In the registry, expand
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
It is recommended to delete the existing CheckedValue value and recreate the normal one:
"CheckedValue"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Whether to change the NoDriveTypeAutoRun value, and to what, depends on your needs; the default is normally 91 (hexadecimal).
For the meaning of this value, search online; it is not repeated here.

Cleaning the HOSTS file
Open %systemroot%\system32\drivers\etc\hosts in Notepad and remove the content added by the virus,
or in SREng, under "System Repair" - "HOSTS File", click "Reset" and then "Save".

Finally, repair the antivirus software whose services were damaged.
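The Image File Execution Options hijack and the hosts-file redirections described above can both be audited offline from a .reg export of the IFEO key and a copy of the hosts file. As an added example (not part of the post), this Python lists every IFEO subkey that sets a Debugger value, groups images by debugger path so the one-file-for-every-tool pattern stands out, emits a cleanup .reg that deletes those values, and flags hostnames other than localhost that point at loopback; the .reg and hosts samples are constructed from entries named in the analysis, with an iexplore.exe GlobalFlag subkey added as a benign control.

```python
import re
from collections import defaultdict

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample: a .reg export of the IFEO key with two hijacked images from
# the analysis above and one benign subkey (GlobalFlag only, no Debugger value).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000200
"""

# Constructed sample hosts file: the default line plus two vendor hostnames
# redirected to loopback, in the pattern the analysis describes.
SAMPLE_HOSTS = """# Hosts file
127.0.0.1       localhost
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
"""


def ifeo_debuggers(reg_text: str) -> dict[str, str]:
    """Map image name -> Debugger value for every IFEO subkey that sets one."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # registry keys are case-insensitive and exports vary in casing
            in_ifeo = key.lower().startswith(IFEO.lower() + "\\")
            current = key[len(IFEO) + 1:] if in_ifeo else None
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and current:
            # .reg files double backslashes inside string values; undo that
            found[current] = m.group(1).replace("\\\\", "\\")
    return found


def hijacked_images(reg_text: str) -> dict[str, list[str]]:
    """Group images by debugger path (lower-cased). One path shared by many
    images is the pattern above: every security tool redirected to one file."""
    by_debugger = defaultdict(list)
    for image, dbg in ifeo_debuggers(reg_text).items():
        by_debugger[dbg.lower()].append(image)
    return dict(by_debugger)


def cleanup_reg(reg_text: str) -> str:
    """Emit a .reg that removes each Debugger value ("Debugger"=- deletes it)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in sorted(ifeo_debuggers(reg_text)):
        lines += [f"[{IFEO}\\{image}]", '"Debugger"=-', ""]
    return "\n".join(lines)


def hosts_redirections(hosts_text: str) -> list[str]:
    """Hostnames other than localhost that the hosts file points at loopback."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "0.0.0.0", "::1"):
            flagged += [n for n in names
                        if n.lower() not in ("localhost", "localhost.localdomain")]
    return flagged


if __name__ == "__main__":
    for dbg, images in hijacked_images(SAMPLE_REG).items():
        print(f"{dbg} hijacks {len(images)} image(s): {', '.join(images)}")
    print(cleanup_reg(SAMPLE_REG))
    print("redirected:", hosts_redirections(SAMPLE_HOSTS))
```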