In the end, the virus corpses added up to 30 MB. Terrifying. It cost me a full workday; I hadn't touched viruses in a long time and my skills had gone rusty.
It did every bad thing it could do and hid in every place it could hide. The main hiding places of the virus:
C:\ 系统盘根目录下
C:\WINDOWS\
C:\WINDOWS\system
C:\windows\fonts
c:\windows\inf
C:\WINDOWS\system32\config\
C:\WINDOWS\system32
c:\windows\system32\drivers
C:\WINDOWS\system32\inf\
C:\WINDOWS\temp
c:\docume~1\admini~1\locals~1\temp\
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\
c:\program files\internet explorer\plugins\
C:\windows\Downloaded Program Files\
C:\WINDOWS\Help\
C:\Documents and Settings\Administrator\Local Settings\Temp
the root directory of every drive, and the recycled (Recycle Bin) directory on every drive
and so on.
There is also a cute little directory, C:\runauto...
Many of the virus files use the folder icon; don't confuse them with real folders.
C:\windows\zuoyu16.ini is a record kept by one of the viruses; delete every file it lists, one by one.
Sort the files by creation time and modification time and you will find essentially all of the virus bodies (provided the malware has not tampered with the timestamps: a fresh date is a strong lead, a clean-looking one is not proof).
Open C:\windows\system32\drivers\etc\hosts (with Notepad or another plain-text editor; a word processor such as Word only works if you save it back as plain text under the same name, with no extension added) and delete the entries that should not be there. If you are unsure how, simply use SREng to reset the hosts file.
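To make the timestamp sweep repeatable, here is a small script (an added example, not from the original post) that walks the hiding places listed above and reports recently modified executables, newest first. The directory roots in the main block and the fixture built by demo_in_tempdir() are assumptions made for illustration; the file names in the fixture are taken from the lists on this page.

```python
"""List recently written executables under the directories malware favours.

Added example, not from the original post. The roots in __main__ and the
fixture built by demo_in_tempdir() are constructed for illustration.
"""
import os
import tempfile
import time

# Extensions worth a second look on an XP box of this era. .tmp is included
# because several of the drivers in the scan were loaded straight from Temp\tmpNN.tmp.
SUSPECT_EXTS = {".exe", ".dll", ".sys", ".tmp", ".ocx", ".scr", ".pif", ".com"}


def recent_executables(roots, since_ts, exts=SUSPECT_EXTS):
    """Return [(path, mtime, ctime)] for files under *roots* whose extension is
    in *exts* and whose modification time is at or after *since_ts*, newest first.

    st_ctime is the creation time on Windows (Explorer's "Date Created" column)
    but the inode-change time on Unix, so sorting uses mtime only.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # vanished or locked; skip rather than abort the sweep
                if st.st_mtime >= since_ts:
                    hits.append((path, st.st_mtime, st.st_ctime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def demo_in_tempdir():
    """Build a constructed fixture and return the basenames that get flagged."""
    now = time.time()
    two_years_ago = now - 2 * 365 * 86400
    with tempfile.TemporaryDirectory() as tmp:
        layout = {
            os.path.join("system32", "kernel32.dll"): two_years_ago,  # legitimate, old
            os.path.join("system32", "15b1.dll"): now - 3600,          # fresh drop
            os.path.join("Temp", "tmp33.tmp"): now - 60,               # fresh driver body
            "readme.txt": now,                                          # fresh but not code
        }
        for rel, ts in layout.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"MZ")  # placeholder bytes; content is irrelevant here
            os.utime(path, (ts, ts))  # backdate the legitimate file
        week_ago = now - 7 * 86400
        return [os.path.basename(p) for p, _m, _c in recent_executables([tmp], week_ago)]


if __name__ == "__main__":
    # Assumed roots: %SystemRoot% covers system, system32, drivers, inf, Fonts, Help...
    roots = [os.environ.get("SystemRoot", r"C:\WINDOWS"), os.path.expandvars(r"%TEMP%")]
    for path, mtime, _ctime in recent_executables(roots, time.time() - 7 * 86400):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

Run it on the infected box and read the top of the list; anything with a random-looking name in system32, drivers or Temp that appeared on the day of infection belongs in the delete list.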
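The hosts entries worth deleting fall into two patterns: real hostnames sinkholed to 127.0.0.1 or 0.0.0.0 (so antivirus updates and security sites stop resolving) and hostnames redirected to a remote address the attacker controls. The script below (an added example, not from the original post) flags both and performs the same reset SREng does. SAMPLE_HOSTS is constructed; the only real path involved is the hosts file itself.

```python
"""Audit and reset a Windows hosts file.

Added example, not from the original post. SAMPLE_HOSTS is constructed.
"""
import ipaddress
import os
import sys

# What a stock Windows XP hosts file maps; everything else is suspect.
DEFAULT_HOSTS = "127.0.0.1       localhost\r\n"
LEGIT_LOOPBACK_NAMES = {"localhost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test        # constructed: AV update host sinkholed
0.0.0.0         www.example-security.test     # constructed: security site blocked
203.0.113.7     www.example-bank.test         # constructed: redirected to a remote IP
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Return [(line_no, hostname, ip, reason)] for entries a cleaner should remove.

    The single legitimate default, localhost -> loopback, is left alone.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparsable address"))
            continue
        if addr.is_loopback and name in LEGIT_LOOPBACK_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, name, ip, "sinkholed to local address"))
        else:
            findings.append((line_no, name, ip, "redirected to remote address"))
    return findings


def reset_hosts(path):
    """Overwrite *path* with the default content (what SREng's reset does).

    Written as raw bytes so no editor adds formatting or a .txt extension.
    """
    with open(path, "wb") as fh:
        fh.write(DEFAULT_HOSTS.encode("ascii"))


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise the given file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="ascii", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, name, ip, reason in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
    real_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                             "system32", "drivers", "etc", "hosts")
    print("reset with: reset_hosts(%r)" % real_path)
```

Writing the real file needs an administrator account, and on an infected machine the malware may rewrite hosts again at the next reboot, so re-run the audit after the persistence entries below are gone.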
C:\ntldr.exe
C:\discovery.exe
C:\recycled\dc1.exe
C:\WINDOWS\SVIQ.EXE
C:\WINDOWS\system\Fun.exe
C:\WINDOWS\dc.exe
C:\WINDOWS\inf\Other.exe
C:\WINDOWS\system32\config\Win.exe
C:\WINDOWS\Fonts\cd8b366baadbfc0c4ab44b982b5c3781\system\soundma.exe
c:\program files\internet explorer\plugins\winsys8v.sys
C:\WINDOWS\system32\15b1.dll
C:\windows\Downloaded Program Files\461b.dll
C:\windows\Downloaded Program Files\15b.exe
C:\Program Files\Common Files\CPUSH\cpush.dll
The following is excerpted from the SREng and Autoruns scans, with cuts; in trimming I may have missed some viruses or mistakenly included non-virus files.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<dc2k5><C:\WINDOWS\SVIQ.EXE> []
<Fun><C:\WINDOWS\system\Fun.exe> []
<dc><C:\WINDOWS\dc.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><C:\WINDOWS\inf\Other.exe> []
<run><C:\WINDOWS\system32\config\Win.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<inudhya><C:\WINDOWS\Fonts\cd8b366baadbfc0c4ab44b982b5c3781\system\soundma.exe> []
<mfchlp32><C:\WINDOWS\mfchlp32.exe> []
<tciocp32><C:\WINDOWS\tciocp32.exe> []
<msccrt><C:\WINDOWS\msccrt.exe> []
<fmsbbqi><C:\WINDOWS\fmsbbqi.exe> []
<RavLoa><C:\WINDOWS\system32\RavLoa.exe> []
<TBMonEx><C:\WINDOWS\Fonts\cd8b366baadbfc0c4ab44b982b5c3781\system\> [N/A]
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe> []
<SHAProc><C:\WINDOWS\SHAProc.exe> []
<igzwzslm><C:\WINDOWS\gwsmhxuq.exe> []
<PTSShell><C:\WINDOWS\PTSShell.exe> []
<WSockDrv32><C:\WINDOWS\WSockDrv32.exe> []
<AVPSrv><C:\WINDOWS\AVPSrv.exE> []
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<LotusHlp><C:\WINDOWS\LotusHlp.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
<vymwvk44><%systemroot%\system32\Rundll32.exe %systemroot%\system32\vymwvk44.dll DllUnregisterServer> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<zuoyue><C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lwizysy16_080414.dll start> [N/A]
<zsmscc><rundll32.exe C:\WINDOWS\system32\mycc080201.dll mymain> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Windows Component Publisher]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><> [N/A]
<{6ce08af1-5f70-4c1a-8d1a-8aba11619e87}><C:\WINDOWS\system32\ayFKKFKK1055.dll> []
<{fe0ebc25-107f-4fda-ada3-7238573f90ad}><C:\WINDOWS\system32\ayJHVJHV1015.dll> []
<{734bfbb9-34f7-441c-b064-b3590bbe34ea}><C:\WINDOWS\system32\txWWQWWQ1006.dll> []
<{c4bf46a2-1c05-427d-992f-4e24f7d57f68}><C:\WINDOWS\system32\ttNNBNNB1047.dll> []
<{05922c2d-da84-48e8-a3e4-e797c58c39cf}><C:\WINDOWS\system32\ttEZZEZZ1046.dll> []
<{29fab913-d0cd-477b-a3f0-3d7c3a90379b}><C:\WINDOWS\system32\ttVUFVUF1011.dll> []
<{79dae25e-7bee-4484-bb1a-f30c45d535d9}><C:\WINDOWS\system32\ttQACQAC1035.dll> []
<{6167F471-EF2B-41DD-A5E5-C26ACDB5C096}><C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys> []
<{b669b098-7a40-42da-91f5-f3cadf9319e1}><C:\WINDOWS\system32\txRJHRJH1021.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Discoverr]
<N/A><C:\WINDOWS\system32\Discovery.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\] image hijacking (IFEO)
<C:\WINDOWS\system32\Discovery.exe> and <C:\xue.exe> hijacked a whole pile of tool programs, and the two even compete with each other.
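An IFEO hijack is a Debugger value under a subkey named after a program's image file name; whenever that image is launched the "debugger" is started instead, so two malware families writing the same keys end up fighting over them. The script below (an added example, not from the original post) pulls the hijacks out of a .reg export and prints the reg.exe commands to remove them. SAMPLE_REG is constructed: the two debugger paths are the ones named above, the hijacked tool names toolA.exe and toolB.exe are placeholders, and the "Your Image File Name Here without a path" key is the placeholder entry Windows XP itself ships with.

```python
"""Find Image File Execution Options hijacks in a .reg export.

Added example, not from the original post. SAMPLE_REG is constructed;
toolA.exe / toolB.exe are placeholder image names.
"""
import re
from collections import Counter

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Debuggers that legitimately appear here (developer tools); anything else is a hijack.
KNOWN_DEBUGGERS = {"ntsd", "ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\toolA.exe]
"Debugger"="C:\\WINDOWS\\system32\\Discovery.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\toolB.exe]
"Debugger"="C:\\xue.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape(value):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", value)


def _first_token(cmd):
    """The executable part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def find_ifeo_hijacks(reg_text):
    """Return [(image_name, debugger_command)] for IFEO entries whose Debugger is
    not a known developer debugger. The image is the key's last path component,
    which is exactly how the loader matches: by file name only, no path."""
    hijacks = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _DEBUGGER_RE.match(line)
        if not m or not current_key:
            continue
        if not current_key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = current_key.rsplit("\\", 1)[1]
        debugger = _unescape(m.group(1))
        exe = _first_token(debugger).rsplit("\\", 1)[-1].lower()
        if exe in KNOWN_DEBUGGERS:
            continue
        hijacks.append((image, debugger))
    return hijacks


def competing_debuggers(hijacks):
    """How many images each debugger owns: two families fighting over the same
    machine show up as two different debuggers in this count."""
    return Counter(_first_token(dbg).lower() for _img, dbg in hijacks)


def remediation_commands(hijacks):
    """reg.exe one-liners that delete only the Debugger value and leave any
    legitimate settings on the same key in place."""
    return [f'reg delete "{IFEO_KEY}\\{image}" /v Debugger /f' for image, _dbg in hijacks]


if __name__ == "__main__":
    import sys
    # regedit exports are UTF-16 with a BOM; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    found = find_ifeo_hijacks(text)
    for image, debugger in found:
        print(f"{image:30} -> {debugger}")
    print(competing_debuggers(found))
    print("\n".join(remediation_commands(found)))
```

Because the match is by image file name only, a hijacked regedit.exe or reg.exe can be run from a renamed copy; that is also why the hijacking binaries themselves were given names no legitimate tool uses.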
==================================
Startup folder
[webspeed]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\webspeed.exe --> [N/A]><N>
==================================
Services
[DCOM Service Process Manager / DCOMManager][Stopped/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->c:\windows\inf\pcidevices8.inf><Microsoft Corporation>
[Windows ptug RunThem / ptug][Stopped/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\kopb\uyzl.dll><>
[Remote Procedure Call System(RPCS) / RpcS][Stopped/Auto Start]
<C:\WINDOWS\system32\RpcS.exe><Microsoft Corporation>
[Perfor and Alell / Transfer Service][Stopped/Auto Start]
<C:\WINDOWS\system32\Transfer Sebvice.exe><N/A>
==================================
Drivers
[cqit / cqit][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp33.tmp><N/A>
[dohs / dohs][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpDF.tmp><N/A>
[fpids32 / fpids32][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosfpids32.sys><N/A>
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\usbhcid.sys><N/A>
[kbrhqjlb / kbrhqjlb][Running/Boot Start]
<\SystemRoot\\SystemRoot\System32\drivers\kbrhqjlb.sys><N/A>
[mhfp / mhfp][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp258.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp265.tmp><N/A>
[msfpfis64 / msfpfis64][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A>
[ZTE USB / MX_98Drv][Stopped/Auto Start]
[NPF / NPF][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EF.tmp><N/A>
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\C:\Program Files\QQ2006\npkcrypt.sys><N/A>
[ntptdb / ntptdb][Stopped/Auto Start]
<\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys><N/A>
[RESSDT / RESSDT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\ssdtdt.sys><N/A>
[Sc Manager / Sc Manager][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\usbcams3.sys><N/A>
[vymwvk4 / vymwvk44][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\vymwvk44.sys><N/A>
[kavell / kavell][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\kavell.sys><N/A>
[PID: 956][C:\WINDOWS\Explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\xbcvxb.dll] [N/A, ]
[C:\WINDOWS\system32\msepbe.dll] [N/A, ]
[C:\WINDOWS\system32\ayFKKFKK1055.dll] [N/A, ]
[C:\WINDOWS\system32\ayJHVJHV1015.dll] [N/A, ]
[C:\WINDOWS\system32\txWWQWWQ1006.dll] [N/A, ]
[C:\WINDOWS\system32\ttNNBNNB1047.dll] [N/A, ]
[C:\WINDOWS\system32\ttEZZEZZ1046.dll] [N/A, ]
[C:\WINDOWS\system32\ttVUFVUF1011.dll] [N/A, ]
[C:\WINDOWS\system32\ttQACQAC1035.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys] [N/A, ]
[C:\WINDOWS\system32\txRJHRJH1021.dll] [N/A, ]
[PID: 1140][C:\WINDOWS\SVIQ.EXE] [, 1.00]
[C:\WINDOWS\system32\xbcvxb.dll] [N/A, ]
[C:\WINDOWS\system32\msepbe.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys] [N/A, ]
[PID: 1188][C:\WINDOWS\dc.exe] [, 1.00]
[PID: 1416][C:\WINDOWS\system\Fun.exe] [, 1.00]
==================================
Autorun.inf
[C:\]
[AutoRun]
Open=Discovery.exe
Shell\Open=打开(&O)
Shell\Open\Command=Discovery.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=Discovery.exe
==================================
Process privilege scan
Special privilege enabled: SeDebugPrivilege [PID = 1140, C:\WINDOWS\SVIQ.EXE]
Special privilege enabled: SeDebugPrivilege [PID = 1188, C:\WINDOWS\DC.EXE]
Special privilege enabled: SeDebugPrivilege [PID = 1416, C:\WINDOWS\SYSTEM\FUN.EXE]
[QQgame]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\QQgame.exe --> [N/A]><N>
==================================
Browser add-ons
+ brush Class File not found: c:\windows\system32\solid.dll
+ CAdLogic Object c:\program files\common files\cpush\cpush.dll
+ HTML Doucment File not found: C:\WINDOWS\system32\mseval.dll
+ Invoke Class File not found: C:\WINDOWS\system32\15b1.dll
+ Windows Word File not found: C:\WINDOWS\system32\newtn.dll
+ {989D2FEB-5411-4565-8988-1DD2C5263377} File not found: C:\WINDOWS\system32\SysInfo.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ msdxm.ocx File not found: C:\msdxm.ocx
HKLM\System\CurrentControlSet\Services
+ DCOMManager Manages DCOM service loading; this service cannot be deleted. Microsoft Corporation c:\windows\inf\pcidevices8.inf
+ IPRIP File not found: C:\WINDOWS\system32\wordms.dll
+ kkdc On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that depend on it will fail to start File not found: C:\WINDOWS\lsass.exe
+ ms_2fax Fax 2Client File not found: C:\WINDOWS\system32\5b211.exe
+ ptug Network management service; if this service is stopped, some network functions may not work. c:\program files\kopb\uyzl.dll
HKLM\System\CurrentControlSet\Services
+ ALCXWDM File not found: system32\drivers\ALCXWDM.SYS
+ cqit File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp33.tmp
+ dohs File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpDF.tmp
+ mhfp File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp258.tmp
+ mnsf File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp265.tmp
+ msfpfis64 c:\windows\system32\drivers\msosmsfpfis64.sys
+ NPF File not found: C:\WINDOWS\system32\drivers\5A.tmp
+ npkcrypt File not found: C:\Program Files\QQ2006\npkcrypt.sys
HKLM\Software\Microsoft\Command Processor\Autorun
+ C:\WINDOWS\system32\sashost.exe File not found: C:\WINDOWS\system32\sashost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ atehhz.dllawef.dll File not found: atehhz.dllawef.dll
+ m File not found: m
+ msoscqit01.dll c:\windows\system32\msoscqit01.dll
+ msosdohs00.dll c:\windows\system32\msosdohs00.dll
+ msosmhfp00.dll c:\windows\system32\msosmhfp00.dll
+ msosmnsf01.dll c:\windows\system32\msosmnsf01.dll
+ msosping01.dll c:\windows\system32\msosping01.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+ eqaxsh54 Run a DLL as an App Microsoft Corporation c:\windows\system32\rundll32.exe
+ vymwvk44 Run a DLL as an App Microsoft Corporation c:\windows\system32\rundll32.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\启动
+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
+ qqgame.exe c:\documents and settings\all users\「开始」菜单\程序\启动\autorunsdisabled\qqgame.exe
+ webspeed.exe c:\documents and settings\all users\「开始」菜单\程序\启动\autorunsdisabled\webspeed.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
+ C:\WINDOWS\inf\Other.exe File not found: C:\WINDOWS\inf\Other.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
+ C:\WINDOWS\system32\config\Win.exe File not found: C:\WINDOWS\system32\config\Win.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ 011 File not found: C:\WINDOWS\system32\011.dll
+ 461b Microsoft DirectMusic Interactive Engine Microsoft Corporation c:\windows\downloaded program files\461b.dll
+ zsmscc File not found: C:\WINDOWS\system32\mycc080201.dll mymain
+ zsmscc File not found: C:\WINDOWS\system32\mycc080201.dll mymain
+ zuoyue Run a DLL as an App Microsoft Corporation c:\windows\system32\inf\svch0st.exe
+ zuoyue Run a DLL as an App Microsoft Corporation c:\windows\system32\inf\svch0st.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
+ dc File not found: C:\WINDOWS\dc.exe
+ dc2k5 File not found: C:\WINDOWS\SVIQ.EXE
+ Fun File not found: C:\WINDOWS\system\Fun.exe
+ imscmig File not found: C:\WINDOWS\imscmig.exe
Posted on 2008-04-20 11:44:00