ghost.pif病毒解决教程(新变种)

时间:2007-06-16 15:38:51   来源:  作者:  点击:次  出处:技术无忧
关键字:病毒 变种 木马 注册表

一:先说下以前的解决方案:

1.《 简要分析解决Ghost.pif病毒》 文章地址:www.pc51.net/Article/pcedu/Safety/200705/16157.htm

2.《ghost.pif新变种导致杀软0xc00000ba失败的解决》www.pc51.net/Article/pcedu/Safety/200706/16376.htm

     二:新变种分析:

     运行后生成
 C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll


添加注册表键值
 HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program
Files\Internet Explorer\HiJack.dll"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program

Files\Internet Explorer\msvcrt.dll"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\: ""
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program

Files\Common Files\Relive.dll"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-

FB6EE3CC6CD6}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E-

CD3FE82F5213}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319-

A0E0-D416CB8059E3}\: ""
 


查询以下注册表项目的某些键值来获取相关安全软件的安装目录,在获得安装目录下生成以系统文件名"ws2_32.dll"

命名的文件夹
 SOFTWARE\\rising\\Rav
SOFTWARE\\Kingsoft\\AntiVirus
SOFTWARE\\JiangMin
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
SOFTWARE\\KasperskyLab\\SetupFolders
SOFTWARE\Network Associates\TVD\Shared Components\Framework
SOFTWARE\Eset\Nod\CurrentVersion\Info
SOFTWARE\\Symantec\\SharedUsage
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
并在ws2_32.dll文件夹下生成歧义文件夹1..\导致windows下无法删除该文件夹

控制explorer连接网络202.59.153.91:80下载木马
http://xxx.us/oK/svchost.exe
http://xxx.us/Sign/csrss.exe
http://xxx.us/Sign/svchost32.exe
http://xxx.us/Sign/smss.exe
http://xxx.us/Sign/services.exe
http://xxx.us/Sign/svchost.exe
http://xxx.us/Sign/conime.exe
http://xxx.us/Sign/ctfmon.exe
http://xxx.us/Sign/mmc.exe
http://xxx.us/Sign/IEXPLORE.EXE
http://xxx.us/Sign/stpgldk.exe
http://xxx.us/Sign/srogm.exe
http://xxx.us/Sign/spglsdr.exe
http://xxx.us/Sign/copypfh.exe
http://xxx.us/Sign/okfile.exe
到临时文件夹

运行后分别在临时文件夹下创建文件

fyso.exe 
jtso.exe 
mhso.exe  
qjso.exe
qqso.exe  
wgso.exe 
wlso.exe 
wmso.exe
woso.exe 
ztso.exe  
daso.exe  
tlso.exe
rxso.exe 
svchost.exe 
IEXPLORE.EXE
svchost32.exe  
srogm.exe 
csrss.exe
conime.exe 
mmc.exe 
spglsdr.exe 
services.exe 
copypfh.exe 
smss.exe 
fyso0.dll
jtso0.dll  
mhso0.dll 
qjso0.dll 
qqso0.dll
wgso0.dll 
wlso0.dll 
wmso0.dll
woso0.dll 
ztso0.dll  
tlso0.dll
daso0.dll 
rxso0.dll
添加注册表启动项目

 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe"
...

各个木马创建HKCU\Software\SetVer\ver键

解决办法:

1.打开sreng(可到www.pc51.net下载)

启动项目     注册表 删除如下项目
<wosa><C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\ztso.exe> []
<mhsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\mhso.exe> []
<fysa><C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe> []
       <{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}><C:\Program Files\Internet Explorer\HiJack.dll> 

[Microsoft Corporation]
       <{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll> 

[Microsoft Corporation]

系统修复 浏览器加载项 选中
[]
     {D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft

Corporation>
并单击右下角的删除所选内容 在弹出的对话框中选择 是
2.重启计算机
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(

推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
删除C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
清空临时文件夹C:\DOCUME~1\用户名\LOCALS~1\Temp

3.删除瑞星 江民 卡巴 360文件夹下的ws2_32.dll(按你实际安装的杀软情况)
方法:
假如你的瑞星在C:\Program files\rising\rav下面
则这样做 开始 运行 输入cmd C:\Program files\rising\rav\ws2_32.dll     回车
rd 1..\      回车
关闭cmd窗口     直接删除ws2_32.dll文件夹即可
其他的文件夹下的ws2_32.dll以此类推

访问技术无忧网,软硬件通吃保你技术无忧!中文网址http://www.技术无忧.com 或 http://www.技术无忧.net


顶一下

文章评论

共有 0 位网友发表了评论 此处只显示部分留言 点击查看完整评论页面

特别推荐

最新信息