How to remove the Ghost.pif virus?
Virus characteristics:
1. Spreads via USB flash drives
2. Trojan downloader
File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56
After execution it creates the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll
Registry operations:
Deletes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
Adds HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
The hook points to C:\Program Files\Internet Explorer\romdrivers.dll
Uses the Explorer process to connect to the network and download trojans into the temporary folder.
Each downloaded trojan adds its own startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"
Creates HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer
and adds the following values under it:
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\verMe: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver13: "1.6"
The value of each ver entry is the version number of the corresponding trojan, which the trojans compare against when updating themselves.
Removal method:
In Safe Mode:
1. Use IceSword (冰刃) to delete the following files (the tool can be downloaded from down.45it.com):
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll
2. Use SREng to delete startup entries similar to the following (the tool can be downloaded from down.45it.com):
<wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe> []
<fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe> []
<wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe> []
<qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe> []
<wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe> []
3. Empty the temporary folder
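The following PowerShell script is an added example, not part of the original post or of either tool named above: it performs a read-only check for the file, ShellExecuteHooks, CLSID, Run and SetVer artifacts listed in the analysis, so an administrator can confirm whether the infection and its persistence are gone after the three cleanup steps. It assumes Program Files is at its default location and that the script is run from an elevated PowerShell.

```powershell
# Added example (not from the original post): read-only check for the persistence
# artifacts this analysis lists. Only reports; deletion is left to the manual steps above.
$files = @(
    "$env:ProgramFiles\Common Files\Microsoft Shared\MSInfo\svchost.exe",
    "$env:ProgramFiles\Internet Explorer\romdrivers.bak",
    "$env:ProgramFiles\Internet Explorer\romdrivers.bkk",
    "$env:ProgramFiles\Internet Explorer\romdrivers.dll"
)
$clsids   = @('{09B68AD9-FF66-3E63-636B-B693E62F6236}', '{0CB68AD9-FF66-3E63-636B-B693E62F6236}')
$runNames = 'wosa','fysa','wlsa','wgsa','qjsa','wdsa','tlsa','dasa'
$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# The malware replaces the standard shell hook with its own CLSID under ShellExecuteHooks.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    $props = Get-ItemProperty -Path $hooks
    foreach ($c in $clsids) {
        if ($props.PSObject.Properties.Name -contains $c) { $findings += "ShellExecuteHook registered: $c" }
    }
}

# The CLSID registrations point InProcServer32 at romdrivers.dll.
foreach ($c in $clsids) {
    $srv = "HKLM:\SOFTWARE\Classes\CLSID\$c\InProcServer32"
    if (Test-Path $srv) {
        $dll = (Get-ItemProperty -Path $srv).'(default)'
        $findings += "CLSID $c InProcServer32 -> $dll"
    }
}

# Run entries added by the downloaded trojans (names taken from the analysis).
$runProps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($n in $runNames) {
    if ($runProps.PSObject.Properties.Name -contains $n) { $findings += "Run entry '$n' -> $($runProps.$n)" }
}

# SetVer lives under the infected account's SID hive; check every loaded user hive.
if (-not (Test-Path HKU:)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
Get-ChildItem HKU: | ForEach-Object {
    $sv = "HKU:\$($_.PSChildName)\Software\SetVer"
    if (Test-Path $sv) { $findings += "SetVer key present under $($_.PSChildName)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Ghost.pif indicators found.' }
```

Run it once before and once after cleanup; the "after" run should report nothing, and any remaining Run entry or hook means the corresponding step has to be repeated.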
Original article: http://www.45fan.com/dnjc/12305.html