续上篇：比较彻底的清除"代理木马下载器"的方法

最新推荐文章于 2025-03-24 22:31:36 发布

weixin_33727510

最新推荐文章于 2025-03-24 22:31:36 发布

阅读量127

点赞数

CC 4.0 BY-SA版权

文章标签：操作系统

原文链接：http://www.cnblogs.com/diylab/archive/2006/10/04/520858.html

本文介绍了一种顽固的代理木马下载器病毒的清除方法。该病毒能够自我复活并在系统重装后仍然存在，通过隐藏在QQ安装目录等方式感染系统。文章详细记录了使用多种工具监测病毒行为的过程，并提供了彻底清除病毒所需的步骤。

　　今天才发现前天手工清除的"代理木马下载器"病毒不干净。它总是复活，甚至在我重装了N次系统以后，被改成www.4419.com的IE首页还在向我自豪地笑。最后终于发现。病毒原来隐藏在D盘的QQ里。今天花了一个晚上时间研究了一下它做些什么。下面是研究资料和我认为比较彻底的清除方法。

一、监视病毒网页、文件目录和注册表获得的信息
使用工具： filemonNT by Mark Russinovich and Bryce Cogswell   http://www.sysinternals.com
                              Regmon by Mark Russinovich and Bryce Cogswell http://www.sysinternals.com
                              regshot 1.7 by TiANWEi                http://regshot.yeah.net/

监视网页http//www.4199.com获得的信息：

修改注册表，以修改IE起始页start page 为　http://www.4199.com　(此网页中有ad11.jpg为病毒文件)。
创建文件
C:\WINDOWS\system32\rsrc.dll

用IE打开3570端口。

　　运行并监视硬盘上可疑文件Timeplantform.exe获得的一些信息：

在QQ安装目录下生成Timeplantform.exe　和user.dll
生成c:\windows\system32\drives\modol.sys
生成c:\windows\system32\ravdm.dll
生成　c:\windows\system32\rsrc.dll
修改 C:\WINDOWS\system32\drivers\etc\hosts ,将localhost解析为125. 91.1 . 20
添加注册表启动项，
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"9"="C:\\WINDOWS\\system32\\Ravdm.exe"
"KernelCheck"="C:\\WINDOWS\\system32\\winasse.exe"

借鉴其它电脑出现的类似问题，还可能伴随以下情况：

生成　c:\windows\winlogon.exe
生成　c:\windows\vbarun.dll
生成　C:\WINDOWS\DNSAPI.dll
生成　C:\WINDOWS\hnetcfg.dll
生成　C:\WINDOWS\rasadhlp.dll
生成　c:\windows\system32\user.dll //弹出http://www.4199.com 的元凶e
生成　c:\windows\system32\ravdm.exe
生成　C:\WINDOWS\system32\rundll32.com
生成　c:\windows\system32\realplayer.exe　//弹出http://www.7939.com 的元凶
分区根目录下有autorun.inf

　　生成以下注册表项

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\ 5603 ]
" 000 " = " user.dll "
" 001 " = " rsrc.dll "

[HKEY_USERS\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 500 \Software\Microsoft\Search Assistant\ACMru\ 5603 ]
" 000 " = " user.dll "
" 001 " = " rsrc.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" run " = " rundll32 rsrc.dll s "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
" rundll " = " rundll32 user.dll s "

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
" PendingFileRenameOperations " = hex( 7 ):5c, 00 ,3f, 00 ,3f, 00 ,5c, 00 , 43 , 00 ,3a, 00 ,5c, 00 ,\
   57 , 00 , 49 , 00 ,4e, 00 , 44 , 00 ,4f, 00 , 57 , 00 , 53 , 00 ,5c, 00 , 73 , 00 , 79 , 00 , 73 , 00 , 74 , 00 , 65 ,\
   00 ,6d, 00 , 33 , 00 , 32 , 00 ,5c, 00 , 64 , 00 , 72 , 00 , 69 , 00 , 76 , 00 , 65 , 00 , 72 , 00 , 73 , 00 ,5c, 00 ,\
  6d, 00 ,6f, 00 , 64 , 00 ,6f, 00 ,6c, 00 ,2e, 00 , 73 , 00 , 79 , 00 , 73 , 00 , 00 , 00 , 00 , 00 , 00 , 00
// 注：hex(7)的值是字符串\??\C:\WINDOWS\system32\drivers\modol.sys　的十六进制表示。

windows NT\currentversion\windwos:load
(msconfig显示这里也产生了可疑的东东，我不知道是什么。)

　　二、清除方法。需要清除的有：病毒文件和注册表相关信息

这个病毒有不同的版本，下面所列的文件中，有的可能你的电脑上没有。
注意：有的文件隐藏得很深，比如"realplayer.exe",即使在“文件夹选项”中选择“显示所有的文件和文件夹”，你也找不到它。查看是不是有这个文件的办法是在命令提示符下使用命令"attrib realplayer.exe"。

需清除的文件列表：

del system32\GroupPolicy\Machine\Scripts\scripts.ini
del C:\WINDOWS\DNSAPI.dll
del C:\WINDOWS\hnetcfg.dll
del C:\WINDOWS\rasadhlp.dll
del C:\WINDOWS\vbarun.dll
del c:\windows\winlogon.exe

del C:\WINDOWS\system32\realplayer.exe
del C:\WINDOWS\system32\Ravdm.exe
del C:\WINDOWS\system32\rsrc.dll
del C:\WINDOWS\system32\rundll32.com
del C:\WINDOWS\system32\winasse.exe
del C:\WINDOWS\system32\user.dll

del c:\windows\system32\drives\modol.sys
将 hosts 文件（路径: C:\WINDOWS\system32\drivers\etc\)中不认识的东东都删掉。或干脆把这个文件删掉。
删除d:\ e:\…等盘符根目录下的autorun.inf
完全删除QQ的安装目录。

　　然后把下面的文本保存成.reg文件，双击导入注册表。方括号内的减号表示删除整个注册表项。键名右边的减号表示删除此键。注意文件末的回车不能省略。
如果你能看懂注册表，最好亲自把下面所列的项检查一下，把可疑的删掉。记住，修改这前先备份注册表！

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
" 9 " =-
" KernelCheck " =-

[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5602]

[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5602]
[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5603]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" run " =-
" rundll " =-
" realplayer " =-

[ - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
" rundll " =-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
" PendingFileRenameOperations " =-

　　附：系统监视相关记录
下面是使用regshot 对运行timeplatform.exe前后的注册表进行对比的结果

要点注释:after run Timeplatform
日期时间: 2006 / 10 / 3 18 : 57 : 26 , 2006 / 10 / 3 18 : 59 : 01
计算机名:CRACK , CRACK
使用者名: 624 , 624

增加键: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

增加值: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ 9 : 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 52 61 76 64 6D 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ * \d: " D:\1499\before run tpf.hiv "
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\c: " D:\1499\before run tpf.hiv "

修改值: 5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000019
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000001D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000013
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000016
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ * \MRUList: " cba "
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ * \MRUList: " dcba "
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: " ba "
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: " cba "
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
HKU\S - 1 - 5 - 21 - 2000478354 - 1715567821 - 1417001333 - 1003 \Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""

文件增加: 2
C:\WINDOWS\system32\drivers\modol.sys
C:\WINDOWS\system32\Ravdm.exe

文件修改: 2
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG

总计: 14

　　下面是使用filemon获得的文件读写记录

1272 2 : 58 : 06 TIMPlatform.exe: 1456 WRITE C:\WINDOWS\system32\Drivers\modol.sys SUCCESS Offset: 0 Length: 768

1274 2 : 58 : 06 TIMPlatform.exe: 1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 0 Length: 65536

1275 2 : 58 : 06 TIMPlatform.exe: 1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 65536 Length: 4096

1276 2 : 58 : 06 TIMPlatform.exe: 1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS FileBasicInformation

1278 2 : 58 : 06 TIMPlatform.exe: 1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Length: 18740

1279 2 : 58 : 06 TIMPlatform.exe: 1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Offset: 0 Length: 18740

1280 2 : 58 : 06 TIMPlatform.exe: 1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS FileBasicInformation

1282 2 : 58 : 06 TIMPlatform.exe: 1456 SET INFORMATION C:\Documents and Settings\ 624 \ntuser.dat.LOG SUCCESS Length: 49152

1283 2 : 58 : 07 svchost.exe: 720 DELETE D:\ 1499 \TIMPlatform.exe SUCCESS

　　下面是运行QQ安装目录下已被替换为病毒文件的timeplatform.exe时的文件读写监控。有删节，保留了文件读取失败的内容。可以看出病毒文件在找哪些文件。

1      3 : 12 : 30     QQ.exe: 400     OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open  Access: All
2      3 : 12 : 30     QQ.exe: 400     OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe.Manifest    NOT FOUND    Options: Open  Access: All
3      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    C:\WINDOWS\Prefetch\TIMPLATFORM.EXE - 0DEDB957.pf    NOT FOUND    Options: Open  Access: All
13      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    D:\autorun.inf    NOT FOUND    Options: Open  Access: All
14      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    D:\autorun.inf    NOT FOUND    Options: Open  Access: All
15      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    C:\WINDOWS\Winlogon.exe    NOT FOUND    Options: Open  Access: All
16      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    C:\WINDOWS\Winlogon.exe    NOT FOUND    Options: Open  Access: All
17      3 : 12 : 30     TIMPlatform.exe: 2044     CREATE    C:\WINDOWS\system32\Drivers\modol.sys    SHARING VIOLATION    Options: OverwriteIf  Access: All
25      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    C:\WINDOWS\AppPatch\sysmain.sdb    SUCCESS    Options: Open  Access: All
26      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    C:\WINDOWS\AppPatch\systest.sdb    NOT FOUND    Options: Open  Access: All
27      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    D:\Program Files\tencent\QQ2006\    SUCCESS    Options: Open Directory  Access: All
34      3 : 12 : 30     TIMPlatform.exe: 2044     OPEN    D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe.Manifest    NOT FOUND    Options: Open  Access: All
35      3 : 12 : 30     svchost.exe: 888     OPEN    C:\WINDOWS\Prefetch\TIMPLATFORM.EXE - 0DEDB957.pf    NOT FOUND    Options: Open  Access: All
36      3 : 12 : 30     svchost.exe: 720     OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open Sequential  Access: All
37      3 : 12 : 30     svchost.exe: 720     OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open  Access: All
38      3 : 12 : 30     svchost.exe: 720     DELETE     D:\Program Files\tencent\QQ2006\TIMPlatform.exe    CANNOT DELETE

转载于:https://www.cnblogs.com/diylab/archive/2006/10/04/520858.html