Thread starter: 雪灵霜

[Virus sample] Could everyone take a look: how do I remove this virus?
Hacker29cn
Posted on 2011-5-11 09:29:43
It has done too much damage; removing it by hand will be very troublesome. If you really must, it has to be done in Safe Mode, and if even Safe Mode will not boot, you will probably have to boot a PE system. Below is the analysis report:
http://camas.comodo.com/cgi-bin/submit?file=d55ddd5193c6e23fcfa701e396ae54aa8c8d42793c564b37a40ec298b1850ee9
• File Info
Name | Value
Size | 103140
MD5 | 4584f105c4820694d1a7786b5c1b70b7
SHA1 | f96c990cdc5611e0bffe6ec1bac074a01a992821
SHA256 | d55ddd5193c6e23fcfa701e396ae54aa8c8d42793c564b37a40ec298b1850ee9
Process | Active
• Keys Created
Name | Last Write Time
CU\Software\Microsoft\Windows\CurrentVersion\Policies\system | 2009.01.09 10:54:20.390
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1 | 2009.01.09 10:54:23.343
CU\Software\Microsoft\Windows\ShellNoRoam\Bags\2 | 2009.01.09 10:54:23.343
CU\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell | 2009.01.09 10:54:23.343
LM\Software\Microsoft\Security Center\Svc | 2009.01.09 10:54:20.390
• Keys Changed
• Keys Deleted
• Values Created
Name | Type | Size | Value
CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline | REG_DWORD | 4 | 0x0
CU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools | REG_DWORD | 4 | 0x1
CU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr | REG_DWORD | 4 | 0x1
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1 | REG_BINARY | 27 | ?
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\MRUListEx | REG_BINARY | 4 | ?
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\NodeSlot | REG_DWORD | 4 | 0x2
CU\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\FolderType | REG_SZ | 20 | "Documents"
LM\Software\Microsoft\Security Center\Svc\AntiVirusDisableNotify | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\Svc\AntiVirusOverride | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\Svc\FirewallDisableNotify | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\Svc\FirewallOverride | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\Svc\UacDisableNotify | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\Svc\UpdatesDisableNotify | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Security Center\UacDisableNotify | REG_DWORD | 4 | 0x1
LM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA | REG_DWORD | 4 | 0x0
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe | REG_SZ | 70 | "C:\TEST\sample.exe:*:Enabled:ipsec"
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications | REG_DWORD | 4 | 0x1
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions | REG_DWORD | 4 | 0x0
• Values Changed
Name | Type (old/new) | Size (old/new) | Value (old/new)
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x2
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\MRUListEx | REG_BINARY/REG_BINARY | 8/12 | ?/?
CU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots | REG_BINARY/REG_BINARY | 1/2 | ?/?
LM\Software\Microsoft\Security Center\FirewallOverride | REG_DWORD/REG_DWORD | 4/4 | 0x0/0x1
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch | REG_DWORD/REG_DWORD | 4/4 | 0xd8/0xd9
• Values Deleted
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
• Files Changed
Name | Size (old/new) | Last Write Time (old/new) | Creation Time (old/new) | Last Access Time (old/new) | Attr (old/new)
C:\Documents and Settings\User\NTUSER.DAT | 786432/786432 | 2009.01.09 10:43:17.421/2009.01.09 10:54:20.765 | 2008.08.01 09:32:39.687/2008.08.01 09:32:39.687 | 2009.01.09 10:43:17.421/2009.01.09 10:43:17.421 | 0x22/0x22
C:\WINDOWS\system.ini | 231/266 | 2008.08.01 08:41:19.390/2009.01.09 10:54:20.453 | 2007.07.27 12:00:00.000/2007.07.27 12:00:00.000 | 2008.08.08 09:14:32.593/2008.08.08 09:14:32.593 | 0x20/0x20
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
• Processes Terminated
• Threads Created
PId | Process Name | TId | Start | Start Mem | Win32 Start | Win32 Start Mem
0xe0 | ctfmon.exe | 0x10c | 0x7c810856 | MEM_IMAGE | 0x920000 | MEM_PRIVATE
0xe0 | ctfmon.exe | 0x114 | 0x7c810856 | MEM_IMAGE | 0xa30000 | MEM_PRIVATE
0xe0 | ctfmon.exe | 0x168 | 0x7c810856 | MEM_IMAGE | 0x9206d3 | MEM_PRIVATE
0x348 | svchost.exe | 0x784 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE
0x3e8 | svchost.exe | 0xec | 0x7c810856 | MEM_IMAGE | 0x77e76bf0 | MEM_IMAGE
0x3e8 | svchost.exe | 0xf8 | 0x7c810856 | MEM_IMAGE | 0x762cf010 | MEM_IMAGE
0x3e8 | svchost.exe | 0xfc | 0x7c810856 | MEM_IMAGE | 0x762cf0a3 | MEM_IMAGE
0x444 | svchost.exe | 0x194 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE
0x788 | explorer.exe | 0x100 | 0x7c810856 | MEM_IMAGE | 0xf00000 | MEM_PRIVATE
0x788 | explorer.exe | 0x104 | 0x7c810856 | MEM_IMAGE | 0xf10000 | MEM_PRIVATE
0x788 | explorer.exe | 0x108 | 0x7c810856 | MEM_IMAGE | 0xf006d3 | MEM_PRIVATE
0x788 | explorer.exe | 0x1d0 | 0x7c810856 | MEM_IMAGE | 0x75fa533d | MEM_IMAGE
• Modules Loaded
PId | Process Name | Base | Size | Flags | Image Name
0x3e8 | svchost.exe | 0x506a0000 | 0x6b000 | 0x80084004 | C:\WINDOWS\system32\wuapi.dll
0x3e8 | svchost.exe | 0x74ed0000 | 0xe000 | 0x80084004 | C:\WINDOWS\system32\wbem\wbemsvc.dll
0x3e8 | svchost.exe | 0x74ef0000 | 0x8000 | 0x800c4004 | C:\WINDOWS\system32\wbem\wbemprox.dll
0x788 | explorer.exe | 0x1620000 | 0x12000 | 0x204004 | C:\WINDOWS\system32\browselc.dll
• Windows Api Calls
PId | Image Name | Address | Function ( Parameters ) | Return Value
0xd8 | C:\TEST\sample.exe | 0x98cfe2 | CreateRemoteThread(hProcess: 0x12c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xf00000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x16c
0xd8 | C:\TEST\sample.exe | 0x98d0aa | CreateRemoteThread(hProcess: 0x12c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xf10000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x144
0xd8 | C:\TEST\sample.exe | 0x98cfe2 | CreateRemoteThread(hProcess: 0x13c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x920000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x170
0xd8 | C:\TEST\sample.exe | 0x98d0aa | CreateRemoteThread(hProcess: 0x13c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xa30000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x154
0xd8 | C:\TEST\sample.exe | 0x98cfe2 | CreateRemoteThread(hProcess: 0x13c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x3b0000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x180
0xd8 | C:\TEST\sample.exe | 0x98d0aa | CreateRemoteThread(hProcess: 0x13c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x3c0000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x174
0xd8 | C:\TEST\sample.exe | 0x98cfe2 | CreateRemoteThread(hProcess: 0x12c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x1ac0000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x184
0xd8 | C:\TEST\sample.exe | 0x98d0aa | CreateRemoteThread(hProcess: 0x12c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x1ad0000, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x17c
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict | Suspicious+
• Description
Suspicious Actions Detected
Disables registry tools
Disables task manager
Disables windows firewall
Injects code into other processes
• Mutexes Created or Opened
PId | Image Name | Address | Mutex Name
0xd8 | C:\TEST\sample.exe | 0x1ac07f9 | uxJLpe1m
0xd8 | C:\TEST\sample.exe | 0x1ad001d | sample.exeM_216_
0xd8 | C:\TEST\sample.exe | 0x40254b | Ap1mutx7
0xd8 | C:\TEST\sample.exe | 0x402b0f | uxJLpe1m
0xd8 | C:\TEST\sample.exe | 0x98cf4e | csrss.exeM_608_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | lsass.exeM_688_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | services.exeM_676_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | smss.exeM_544_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | spoolsv.exeM_1320_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | svchost.exeM_1000_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | svchost.exeM_840_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | winlogon.exeM_632_
0xd8 | C:\TEST\sample.exe | 0x98cf4e | wuauclt.exeM_1104_
0xd8 | C:\TEST\sample.exe | 0x98d349 | alg.exeM_372_
0xd8 | C:\TEST\sample.exe | 0x98d349 | csrss.exeM_608_
0xd8 | C:\TEST\sample.exe | 0x98d349 | ctfmon.exeM_224_
0xd8 | C:\TEST\sample.exe | 0x98d349 | execute.exeM_328_
0xd8 | C:\TEST\sample.exe | 0x98d349 | explorer.exeM_1928_
0xd8 | C:\TEST\sample.exe | 0x98d349 | lsass.exeM_688_
0xd8 | C:\TEST\sample.exe | 0x98d349 | sample.exeM_216_
0xd8 | C:\TEST\sample.exe | 0x98d349 | services.exeM_676_
0xd8 | C:\TEST\sample.exe | 0x98d349 | smss.exeM_544_
0xd8 | C:\TEST\sample.exe | 0x98d349 | spoolsv.exeM_1320_
0xd8 | C:\TEST\sample.exe | 0x98d349 | svchost.exeM_1000_
0xd8 | C:\TEST\sample.exe | 0x98d349 | svchost.exeM_1056_
0xd8 | C:\TEST\sample.exe | 0x98d349 | svchost.exeM_1092_
0xd8 | C:\TEST\sample.exe | 0x98d349 | svchost.exeM_840_
0xd8 | C:\TEST\sample.exe | 0x98d349 | svchost.exeM_916_
0xd8 | C:\TEST\sample.exe | 0x98d349 | winlogon.exeM_632_
0xd8 | C:\TEST\sample.exe | 0x98d349 | wuauclt.exeM_1104_
• Events Created or Opened
PId | Image Name | Address | Event Name
0xd8 | C:\TEST\sample.exe | 0x77a89422 | Global\crypt32LogoffEvent

Kingsoft (金山) can detect it.
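As an added example (not part of this post and not from the CAMAS report), the following Python script reads the flattened "Values Created" / "Values Changed" listing above back into records and flags the writes that disable regedit, Task Manager and UAC, silence Security Center and firewall warnings, hide hidden files, or add a firewall exception, reporting the value to put back. The sample input is an abridged, constructed copy of the report's own entries; the "restore" values (Windows XP/Vista defaults) and all function and class names are this example's assumptions.

```python
# Added example: audit a CAMAS-style sandbox report for registry writes that weaken host defences.
import re
from collections import namedtuple

# Constructed sample: an abridged copy of the report's registry sections, in its flattened layout.
REPORT = r"""
• Values Created
Name
Type
Size
Value
CU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools
REG_DWORD
4
0x1
CU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
REG_DWORD
4
0x1
LM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
REG_DWORD
4
0x0
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe
REG_SZ
70
"C:\TEST\sample.exe:*:Enabled:ipsec"
• Values Deleted• Values Changed
Name
Type
Size
Value
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
REG_DWORD/REG_DWORD
4/4
0x1/0x2
LM\Software\Microsoft\Security Center\FirewallOverride
REG_DWORD/REG_DWORD
4/4
0x0/0x1
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
REG_DWORD/REG_DWORD
4/4
0xd8/0xd9
"""

VALUE_SECTIONS = ("Values Created", "Values Changed")
HEADER = ("Name", "Type", "Size", "Value")
RegWrite = namedtuple("RegWrite", "section path reg_type value old_value")  # old_value only for 'Values Changed'
Finding = namedtuple("Finding", "path value effect restore")

# (regex on the lower-cased path, tampered value, effect, value to restore).
# Restore values are the Windows XP/Vista defaults: an assumption of this example, not a report fact.
INDICATORS = [
    (r"\\policies\\system\\disableregistrytools$", "0x1", "blocks regedit", "0x0 or delete"),
    (r"\\policies\\system\\disabletaskmgr$", "0x1", "blocks Task Manager", "0x0 or delete"),
    (r"\\policies\\system\\enablelua$", "0x0", "turns UAC off", "0x1"),
    (r"\\security center\\(svc\\)?(antivirus|firewall|uac|updates)(disablenotify|override)$", "0x1", "silences a Security Center warning", "0x0"),
    (r"\\firewallpolicy\\standardprofile\\disablenotifications$", "0x1", "silences firewall prompts", "0x0"),
    (r"\\explorer\\advanced\\hidden$", "0x2", "hides hidden files in Explorer", "0x1"),
]

def parse_value_sections(report):
    """A '• Section' line, a 4-line column header, then Name/Type/Size/Value lines per record."""
    lines = [l.strip() for l in report.splitlines()]
    records, section, i = [], None, 0
    while i < len(lines):
        if lines[i].startswith("•"):
            section = lines[i].split("•")[-1].strip()  # fused empty sections: the last one is open
            i += 1
            if section in VALUE_SECTIONS and tuple(lines[i:i + 4]) == HEADER:
                i += 4                                  # skip the column header
        elif section in VALUE_SECTIONS and i + 4 <= len(lines):
            path, reg_type, _size, value = lines[i:i + 4]
            old = None
            if section == "Values Changed":             # every field is written old/new
                reg_type = reg_type.split("/", 1)[-1]
                old, value = value.split("/", 1)        # assumes no '/' inside the value itself
            records.append(RegWrite(section, path, reg_type, value, old))
            i += 4
        else:
            i += 1
    return records

def flag_tampering(records):
    """Match each write against INDICATORS; for changed values the report's old value is the restore value."""
    findings = []
    for r in records:
        p = r.path.lower()
        if "\\authorizedapplications\\list\\" in p and ":enabled:" in r.value.lower():
            findings.append(Finding(r.path, r.value, "adds a Windows Firewall exception for the program", "delete the entry"))
            continue
        for pattern, bad, effect, default in INDICATORS:
            if re.search(pattern, p) and r.value.lower() == bad:
                findings.append(Finding(r.path, r.value, effect, r.old_value or default))
                break
    return findings

def audit(report):
    return flag_tampering(parse_value_sections(report))

if __name__ == "__main__":
    for f in audit(REPORT):
        print(f"{f.path}\n    = {f.value}: {f.effect}; restore to {f.restore}")
```

Run on the sample, the script lists the six defence-weakening writes and skips the two benign ones (the firewall Epoch counter and the shell-bag entries are noise); the same parser accepts the full report text pasted above.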


Hacker29cn
Posted on 2011-5-11 09:32:54
"Empty Mailbox" remote-control trojan kwin32.sality.k
Threat level: ★
This remote-control trojan has a single behaviour: according to the examination by Kingsoft Duba's antivirus engineers, apart from connecting the user's computer to a remote hacker server it performs no other destructive action.
After entering the user's system, the virus drops its files ~1999.tmp, ~1999.tmp.exe and ~DF8199.tmp into the temporary directory %WINDOWS%\TEMP\; ~1999.tmp.exe is the main virus file and is written into a registry startup entry so that the virus as a whole starts automatically at boot. The file obviously uses a double extension to deceive the user, trying to keep the user from realising it is an executable.
Once running, it obtains full system administrator privileges, makes contact with a hacker server disguised as Microsoft's HOTMAIL home page, and waits for intrusion commands. At the same time it creates a mutex so that other copies of itself that reach the computer do not run again, because duplicate execution could crash the system, which would make the user suspect the computer is infected and would work against the hacker's long-term control.
Hacker29cn
Posted on 2011-5-11 09:33:41
Here is a dedicated removal tool:
http://www.sanlen.com/down/sl_down_164.htm
Hope it helps.
solstice1988
Posted on 2011-5-11 13:49:09
Virus: W32/Sality.AT
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium to high
Static file: No
leopardsaga
Posted on 2011-5-18 23:05:35
Is Micropoint (微点) really that powerful?
arsh
Posted on 2011-5-19 20:35:44
Try the 360 Emergency Kit (360 急救箱).
Copyright © KaFan KaFan.cn All Rights Reserved.