
Manual removal of Virus.Win32.AutoRun.bk (M1.exe)

Updated: 2007-07-20 11:07    Author: 孤独更可靠

Virus information:

File name: M1.exe

File size: 23087 bytes

AV name: Virus.Win32.AutoRun.bk (Kaspersky)

Infected platform: MS-DOS executable (EXE), OS/2 or MS Windows (Windows 9x and later)

Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24

Written in: Borland Delphi 6.0 - 7.0

Virus type: Virus.Win32

File MD5: c7f7e9d653cba09ee2e935c3061dfd8e

File SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

File CRC32: 1AC355C7

Threat level: ★ ★ ★ ☆

Propagation: USB sticks and other removable media, web page exploits, e-mail, etc.

Behaviour analysis:

1. Drops the following virus files (size, then file attributes: H = hidden, S = system, A = archive):

C:\Program Files\Common Files\Relive.dll   14895 bytes, HSA

C:\Program Files\Common Files\svchost.exe 21756 bytes, A

C:\Program Files\Internet Explorer\msvcrt.bak 23087 bytes, HS

C:\Program Files\Internet Explorer\msvcrt.dll 14895 bytes, HSA

C:\Program Files\Internet Explorer\msvcrt.ebk 14895 bytes, HSA

2. msvcrt.dll injects itself into the Explorer.exe process, opens a reverse connection to 209.11.243.**, and downloads password-stealing trojans:

C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\WanPacket.dll

C:\Documents and Settings\User name\Local Settings\Temp\wmso.exe
C:\Documents and Settings\User name\Local Settings\Temp\BCG5.tmp
C:\Documents and Settings\User name\Local Settings\Temp\mhso.exe
C:\Documents and Settings\User name\Local Settings\Temp\mhso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wmso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\woso.exe
C:\Documents and Settings\User name\Local Settings\Temp\woso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\fyso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\qjso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso.exe
C:\Documents and Settings\User name\Local Settings\Temp\fyso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\qjso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\$$a.bat
C:\Documents and Settings\User name\Local Settings\Temp\rxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\rxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\M1.exe
C:\Documents and Settings\User name\Local Settings\Temp\oKoK.exe

Note: "User name" stands for your own user name.

3. msvcrt.dll searches the registry for the installation directories of Kaspersky, 360, Rising, Jiangmin and other antivirus products, and creates inside each of them:

ws2_32.dll\!O!0.

This makes the antivirus monitor fail to initialise.

Because the folder name is illegal, the folder cannot be deleted by normal means.

4. Adds a registry entry so that the DLL is injected into the process at every boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

pointing to: C:\Program Files\Internet Explorer\msvcrt.dll

5. Deletes files:

%Systemroot%\system32\drivers\etc\Hosts (the hosts name-resolution file)

and some startup entries of common security tools under the ShellExecuteHooks key. (Not implemented.)

Removal:

Download sreng2.zip and IceSword120_cn.zip from down.wd1x.com.

Then close unnecessary processes, disconnect from the network and clear all system temporary files, and proceed step by step:

(1) Open IceSword, enable "Prohibit process/thread creation" and confirm. Then use IceSword's "File" function to delete:
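The indicators in the five behaviours above can be checked on a suspect machine without any special tools. The following PowerShell script is an added example, not part of the original post: it reads the registry and file system only and removes nothing, so it is safe to run first to confirm the infection. It assumes PowerShell 3.0 or later (for Get-FileHash, -File and -Directory) on an elevated prompt, and rebuilds the post's paths from environment variables. Two caveats worth knowing before reading its output: npf.sys, wpcap.dll and Packet.dll are the WinPcap components (CACE Technologies), so they are expected on a machine where WinPcap was installed on purpose; and the SHA1 given in the header, da39a3ee5e6b4b0d3255bfef95601890afd80709, is the well-known SHA-1 of zero-length input and cannot belong to a 23087-byte file, so the script compares MD5 only.

```powershell
# Added example, not from the original post: read-only audit of a Windows host
# for the indicators listed in the analysis above. Assumes PowerShell 3.0+ on an
# elevated prompt. Reports only; it removes nothing.

$CommonFiles = Join-Path $env:ProgramFiles 'Common Files'
$IeDir       = Join-Path $env:ProgramFiles 'Internet Explorer'
$System32    = Join-Path $env:SystemRoot 'system32'

# Dropped / downloaded files named in the post (paths rebuilt from env vars).
$DroppedFiles = @(
    (Join-Path $CommonFiles 'Relive.dll'),
    (Join-Path $CommonFiles 'svchost.exe'),    # the real svchost.exe lives in system32
    (Join-Path $IeDir 'msvcrt.dll'),           # the real msvcrt.dll lives in system32
    (Join-Path $IeDir 'msvcrt.bak'),
    (Join-Path $IeDir 'msvcrt.ebk'),
    (Join-Path $System32 'drivers\npf.sys'),   # WinPcap driver: legitimate if WinPcap is installed
    (Join-Path $System32 'wpcap.dll'),
    (Join-Path $System32 'Packet.dll'),
    (Join-Path $System32 'WanPacket.dll')
)

# Dropper names in %TEMP%: two letters + "so.exe" / "so0.dll", plus three fixed names.
$TempPatterns = @('??so.exe', '??so0.dll', 'M1.exe', 'oKoK.exe', '$$a.bat')

# MD5 of M1.exe as stated in the post.
$KnownMd5 = 'c7f7e9d653cba09ee2e935c3061dfd8e'

# Get-ItemProperty adds these provider properties to every registry object; skip them.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutoRunBkIndicators {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Behaviours 1 and 2: dropped files outside %TEMP%.
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $i = Get-Item -LiteralPath $f -Force
            $findings.Add("file: $f ($($i.Length) bytes, attributes $($i.Attributes))")
        }
    }

    # Behaviour 2: the trojan group in %TEMP%, hashed so M1.exe copies stand out.
    foreach ($pat in $TempPatterns) {
        Get-ChildItem -Path $env:TEMP -Filter $pat -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
                $tag = if ($md5 -eq $KnownMd5) { ' [MD5 matches M1.exe]' } else { '' }
                $findings.Add("temp: $($_.FullName) md5=$md5$tag")
            }
    }

    # Run values that launch a ??so.exe from a Temp folder (the post lists fourteen).
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            if ("$($p.Value)" -match '(?i)\\Temp\\\w{2}so\.exe') {
                $findings.Add("run: $($p.Name) = $($p.Value)")
            }
        }
    }

    # Behaviour 4: ShellExecuteHooks value names are CLSIDs; resolve each one's
    # InprocServer32 and flag any that loads msvcrt.dll from the IE directory.
    $hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $hooks = Get-ItemProperty -Path $hooksKey -ErrorAction SilentlyContinue
    if ($hooks) {
        foreach ($p in $hooks.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($srv) { $srv.'(default)' } else { '<unresolved CLSID>' }
            if (-not $srv -or $dll -like '*Internet Explorer\msvcrt.dll') {
                $findings.Add("hook: $($p.Name) -> $dll")
            }
        }
    }

    # Behaviour 3: the illegally named folder "ws2_32.dll\!O!0." in AV install dirs.
    Get-ChildItem -LiteralPath $env:ProgramFiles -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'ws2_32.dll' } |
        ForEach-Object { $findings.Add("folder: $($_.FullName) (trailing-dot child blocks normal deletion)") }

    # The NPF service belongs to WinPcap; report it so its presence can be explained.
    $npf = Get-Service -Name NPF -ErrorAction SilentlyContinue
    if ($npf) { $findings.Add("service: NPF ($($npf.Status)) - expected only if WinPcap was installed on purpose") }

    # Behaviour 5: the hosts file is deleted.
    $hosts = Join-Path $System32 'drivers\etc\hosts'
    if (-not (Test-Path -LiteralPath $hosts)) { $findings.Add("hosts: $hosts is missing") }

    return $findings
}

Get-AutoRunBkIndicators
```

An empty result does not prove the machine is clean (the dropper names could change between variants), but any "hook:" or "run:" line pointing into Temp or at the IE-directory msvcrt.dll is a strong match for this sample.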

C:\Program Files\Common Files\Relive.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\msvcrt.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.ebk

and the group of trojans listed above.

(2) In IceSword choose "Reboot and monitor". After the reboot, open SREng and delete:

Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

      <mhsa><C:\DOCUME~1\admin\LOCALS~1\Temp\mhso.exe>    []
      <wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe>    []
      <ztsa><C:\DOCUME~1\admin\LOCALS~1\Temp\ztso.exe>    []
      <jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe>    []
      <wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe>    []
      <wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe>    []
      <wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe>    []
      <fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe>    []
      <qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe>    []
      <rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe>    []
      <wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe>    []
      <tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe>    []
      <dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe>    []
      <zxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\zxso.exe>    []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

<C:\Program Files\Internet Explorer\msvcrt.dll>    [Microsoft Corporation]

Drivers:

[Netgroup Packet Filter / NPF][Running/Manual Start]
   <system32\drivers\npf.sys><CACE Technologies>

(Back these up first.)

(3) Download Unlocker.rar (available from down.wd1x.com).

After installing it, browse to the antivirus directory and right-click to delete the ws2_32.dll folder.

(4) Change your QQ, e-mail, online-game and other passwords without delay. Then update your antivirus and run a full scan.
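The registry and folder parts of steps (2) and (3) can also be done from PowerShell when Unlocker is not to hand. The point to know about the ws2_32.dll folder is that Windows refuses to delete it only because the child name ends in a dot; passing the path with the `\\?\` prefix tells Win32 to skip the name normalisation that strips the trailing dot, and `rd /s` then removes the whole tree. The script below is an added example, not from the post: it exports both registry keys before changing anything (the "back up first" advice above), removes the Temp-launching Run values and the ShellExecuteHooks entry that resolves to the dropped msvcrt.dll, deletes the folder, and recreates a minimal hosts file if the virus removed it. It assumes PowerShell 3.0+ run as Administrator after step (1) has already removed the injected DLL files, since it does not try to delete locked files, and it supports -WhatIf so every change can be previewed.

```powershell
# Added example, not from the original post: undo the persistence entries and the
# illegally named folder described above. Assumes PowerShell 3.0+ on an elevated
# prompt, after the DLLs themselves have been removed with IceSword (step 1).
function Remove-AutoRunBkPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Where the .reg backups are written (constructed default, change as needed).
        [string]$BackupDir = (Join-Path $env:SystemDrive 'autorun_bk_backup')
    )
    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $psMeta   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Back up both keys before touching them, as the post advises.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $BackupDir 'Run.reg') /y | Out-Null
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' (Join-Path $BackupDir 'ShellExecuteHooks.reg') /y | Out-Null

    # Step 2, Run key: values whose command is a ??so.exe inside a Temp folder.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            if ("$($p.Value)" -match '(?i)\\Temp\\\w{2}so\.exe') {
                if ($PSCmdlet.ShouldProcess("$runKey\$($p.Name)", 'Remove Run value')) {
                    Remove-ItemProperty -Path $runKey -Name $p.Name
                }
            }
        }
    }

    # Step 2, ShellExecuteHooks: value names are CLSIDs; remove the one whose
    # InprocServer32 is the dropped msvcrt.dll in the IE directory.
    $hooks = Get-ItemProperty -Path $hooksKey -ErrorAction SilentlyContinue
    if ($hooks) {
        foreach ($p in $hooks.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*Internet Explorer\msvcrt.dll') {
                if ($PSCmdlet.ShouldProcess("$hooksKey\$($p.Name)", 'Remove ShellExecuteHooks value')) {
                    Remove-ItemProperty -Path $hooksKey -Name $p.Name
                }
            }
        }
    }

    # Step 3: the "ws2_32.dll\!O!0." folder. The \\?\ prefix bypasses the Win32
    # path normalisation that otherwise makes the trailing-dot child undeletable.
    Get-ChildItem -LiteralPath $env:ProgramFiles -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'ws2_32.dll' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove folder via \\?\ path')) {
                & cmd.exe /c rd /s /q "\\?\$($_.FullName)"
            }
        }

    # Behaviour 5: recreate a minimal hosts file if the virus deleted it.
    $hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    if (-not (Test-Path -LiteralPath $hosts)) {
        if ($PSCmdlet.ShouldProcess($hosts, 'Recreate default hosts file')) {
            Set-Content -LiteralPath $hosts -Value '127.0.0.1       localhost' -Encoding ASCII
        }
    }
}

# Preview every change first, then run for real:
# Remove-AutoRunBkPersistence -WhatIf
# Remove-AutoRunBkPersistence
```

Reboot after running it and repeat the audit; if a Run value or the hook comes back, the injected DLL is still loaded and step (1) has to be repeated before the registry clean-up will stick.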
