
How to remove the Ghost.pif virus?

2015-06-22 04:49:03 Source: www.45fan.com


Virus characteristics:
1. Spreads via USB flash drives
2. Acts as a trojan downloader

File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56

After it runs, it creates the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

Registry operations:
Deletes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}

Adds HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
These entries all point to C:\Program Files\Internet Explorer\romdrivers.dll, so the DLL is loaded into Explorer as a shell execute hook in place of the stock Windows entry it removed.

Using the Explorer process, it connects to the network and downloads a set of trojans (named after system processes such as smss.exe, csrss.exe and svchost.exe) into the temporary folder.
Each trojan then adds its own startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"
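As an added example (not part of the original analysis), a small Python scanner that reads a .reg export and flags the two persistence patterns described above: ShellExecuteHooks CLSIDs other than the stock Windows entry, resolved to their InProcServer32 DLL, plus the absence of that stock entry, and Run values that launch from a Temp directory. The .reg fragment is constructed to mirror the entries listed on this page; the key paths and CLSIDs come from the page, and the benign ctfmon value is made up for contrast.

```python
# Constructed .reg export fragment reproducing the persistence entries the
# analysis above describes; not a dump from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32]
@="C:\\Program Files\\Internet Explorer\\romdrivers.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0CB68AD9-FF66-3E63-636B-B693E62F6236}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wosa"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\woso.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The ShellExecuteHooks entry shipped with Windows XP; the sample deletes it
# before registering its own CLSID, so its absence is itself a sign.
STOCK_HOOK = "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg doubles backslashes and escapes quotes inside string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_persistence(text):
    """Return (kind, identifier, detail) tuples for the persistence patterns above."""
    keys = parse_reg(text)
    hooks = keys.get(HOOKS_KEY, {})
    findings = []
    if STOCK_HOOK.upper() not in (c.upper() for c in hooks):
        findings.append(("hook-missing", STOCK_HOOK, ""))
    for clsid in hooks:
        if clsid.upper() != STOCK_HOOK.upper():
            server = keys.get(f"{CLSID_KEY}\\{clsid}\\InProcServer32", {})
            findings.append(("rogue-hook", clsid, server.get("@", "<no InProcServer32>")))
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if "\\temp\\" in cmd.lower():
            findings.append(("run-from-temp", name, cmd))
    return findings
```

On a real system, export the two keys with reg.exe (reg export) and pass the file's text to find_persistence; a machine with the stock hook present and no Temp launchers returns an empty list.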


Creates HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer
and adds the following values under it:
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\verMe: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver13: "1.6"
The value of each ver entry is the version of the corresponding trojan, kept so the trojans can compare against it when checking for updates.

Removal method:

In Safe Mode:

1. Use IceSword (冰刃, available from down.45it.com) to delete the following files:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

2. Use SREng (available from down.45it.com) to delete the startup items resembling the following:

<wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe> []
<fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe> []
<wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe> []
<qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe> []
<wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe> []

3. Empty the temporary folder.


Article URL: http://www.45fan.com/dnjc/12305.html
Editor: 路饭网 (45fan.com)