一个 映象劫持＋dll注入＋驱动保护 小毒的清理方法

 首先感谢 ygq1968 提供的样本。
原贴： 可以“秒杀”卡巴和360安全卫士的恶意软件！



本人不会反编译，所以写的难免肤浅，高手见谅！

QUOTE:

病毒尊容

QUOTE:

简单的扫描下，似乎是UPX1.2的壳

QUOTE:

卡巴斯基扫描下，确实没有反应，但是请相信，它确实是个危险文件，接下来你会发现的。

病毒行为分析

■■■■

释放文件：

C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dat C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dll C:/WINDOWS/system32/wbem/Repository/FS/INDEX.MAP C:/WINDOWS/system32/wbem/Repository/FS/MAPPING.VER C:/WINDOWS/system32/wbem/Repository/FS/MAPPING1.MAP C:/WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP C:/WINDOWS/system32/SevenSowrdSvr.exe c:/windows/system32/sevenlog.sys C:/WINDOWS.0/45633AA1.hlp

■■■■

将自己设为开机自动启动

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run SevenSowrd＝C:/WINDOWS/system32/SysSevenSowrd.exe

■■■■

注册为服务并设置为自动启动：

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SevenSword HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Sevenlink

■■■■

向运行的应用程序注入45633aa1.dll

c:/program files/common files/microsoft shared/msinfo/45633aa1.dll

■■■■

劫持IFEO,有点名气的差不多都挂了。。。

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360rpt.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360Safe.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360tray.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/adam.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AgentSvr.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AppSvc32.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/autoruns.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avgrssvc.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AvMonitor.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.com HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/CCenter.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/ccSvcHst.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FileDsty.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FTCleanerShell.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/HijackThis.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IceSword.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/iparmo.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Iparmor.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/isPwdSvc.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kabaload.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KaScrScn.SCR HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASMain.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASTask.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAV32.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVDX.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVPFW.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVSetup.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVStart.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KISLnchr.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMailMon.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMFilter.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32X.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFWSvc.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRegEx.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRepair.COM HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KsLoader.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVCenter.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvDetect.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvfwMcl.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP_1.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvol.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvolself.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvReport.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVScan.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVSrvXP.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVStub.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvupload.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvwsc.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP_1.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch9x.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatchX.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/loaddll.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/MagicSet.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mcconsol.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmqczj.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmsk.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/NAVSetup.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32krn.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32kui.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFW.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFWLiveUpdate.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/QHSET.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Ras.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rav.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMon.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMonD.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavStub.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavTask.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RegClean.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwcfg.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RfwMain.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwProxy.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwsrv.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RsAgent.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rsaupd.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/runiep.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/safelive.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/scan32.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/shcfg32.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SmartUp.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SREng.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/symlcsvc.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SysSafe.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojanDetector.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Trojanwall.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojDie.kxp HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UIHost.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAgent.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAttachment.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxCfg.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxFwHlp.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxPol.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UpLive.EXE.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/WoptiClean.exe HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/zxsweep.exe 所有的 Debugger全部指向: "C:/PROGRA~1/COMMON~1/MICROS~1/MSINFO/45633AA1.dat"

■■■■

修改该死的ShellExecuteHooks实现特殊自启动

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks/{33AA4563-4563-3AA1-633A-563AA5633AA1}: ""

■■■■

使系统显示隐藏文件失效

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL/CheckedValue: 0x00000001 HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL/CheckedValue: 0x00000000

■■■■

破坏卡巴斯基服务

HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/AVP/Start: 0x00000003 HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/AVP/Start: 0x00000004 HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AVP/Start: 0x00000003 HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AVP/Start: 0x00000004

■■■■

破坏安全模式

如果开机按下F8进入安全模式－－－蓝屏！

 

解决办法

1.你需要准备以下工具：

XPSP2无法进入安全模式注册表修复

完美解决开机后看不到桌面的问题_FOR WINDOWS XP.rar   请注意，这个包适用于windows XP，如果你的系统是windows 2000，请点这里下载适用于windows 2000的修复包。

修复_显示所有文件.rar

360文件粉碎工具

syscheck2(1.0.0.68).rar

2.打开360文件粉碎工具

将下面的文件列表选择复制。
点“ ”－－》“ ”－－》勾上“ ”－－》“ ”

[Copy to clipboard] [ - ]

CODE:

C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dat
C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dll
C:/WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING.VER
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING1.MAP
C:/WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
C:/WINDOWS/system32/SevenSowrdSvr.exe
c:/windows/system32/sevenlog.sys
C:/WINDOWS.0/45633AA1.hlp

3.使用XPSP2无法进入安全模式注册表修复

4.使用修复_显示所有文件.rar

5.解压缩syscheck2(1.0.0.68).rar，打开syscheck2，嘿嘿，你禁用那么多，没想到我还有这个利剑吧。。

①点“服务管理"
：


点击下面的”仅显示非微软“

点击这两个S开头的服务：



选择右键菜单中的”删除服务及文件“，两个都要删除。








②换个地方，”检测修复“－－》”活动文件“





勾上下面图片中的两个。



看到屏幕下面，有没有 ？，点一下，修复这两项。



5.打完收工，这个病毒被彻底制服！