After visiting the 8888se website the machine was hit by a trojan: antivirus software could no longer run, Task Manager would not open, and the screen flashed briefly at regular intervals. A look at the SREng scan log showed that the trojan uses image hijacking (IFEO, Image File Execution Options) to hijack a large number of antivirus programs and security tools:
360rpt.exe 360Safe.exe 360safebox.exe 360tray.exe adam.exe AgentSvr.exe AntiArp.exe AppSvc32.exe arswp.exe AST.exe autoruns.exe avconsol.exe avgnt.exe avgrssvc.exe AvMonitor.exe avp.com avp.exe CCenter.exe ccSvcHst.exe DrvAnti.exe EGHOST.exe FileDsty.exe filemon.exe FTCleanerShell.exe FYFireWall.exe GFRing3.exe GFUpd.exe HijackThis.exe IceSword.exe iparmo.exe Iparmor.exe isPwdSvc.exe kabaload.exe KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPF.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32.exe KPFW32X.exe KPfwSvc.exe Kregex.exe KRepair.com KsLoader.exe KvDetect.exe KvfwMcl.exe kvol.exe kvolself.exe KVSrvXP.exe kvupload.exe kvwsc.exe KvXP.kxp KWatch.exe KWatch9x.exe KWatchX.exe MagicSet.exe mcconsol.exe McNASvc.exe McProxy.exe Mcshield.exe mcsysmon.exe mmqczj.exe mmsk.exe MpfSrv.exe Navapsvc.exe Navapw32.exe NAVSetup.exe nod32.exe nod32krn.exe nod32kui.exe NPFMntor.exe PFW.exe PFWLiveUpdate.exe ProcessSafe.exe procexp.exe QHSET.exe QQKav.exe Ras.exe Rav.exe RavMon.exe RavMonD.exe RavStub.exe RavTask.exe RawCopy.exe RegClean.exe regmon.exe RegTool.exe rfwcfg.exe rfwmain.exe rfwProxy.exe rfwsrv.exe rfwstub.exe RsAgent.exe Rsaupd.exe RStray.exe rstrui.exe Rtvscan.exe runiep.exe safeboxTray.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe SREng.exe SuperKiller.exe symlcsvc.exe SysSafe.exe taskmgr.exe TrojanDetector.exe Trojanwall.exe TrojDie.exe UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe upiea.exe UpLive.exe USBCleaner.exe vsstat.exe webscanx.exe WoptiClean.exe zxsweep.exe
Task Manager is among them. For every hijacked entry the Debugger value is set to ntsd -d, so the hijacked program cannot start normally. The trojan also modifies the HOSTS file to block a large number of security sites, such as the official websites of 360, Kaspersky, Jiangmin, Rising, Kingsoft and NOD32.
Removal:
1. Delete the following files (see: How to remove a virus based on an SREng log analysis report)
c:\windows\system32\mlkbajnh.dll
c:\docume~1\admini~1\locals~1\temp\wget.exe (that is, c:\documents and settings\administrator (depends on the currently logged-in user name)\local settings\temp\)
c:\windows\system32\0306438f.dll
2. Use SREng to repair the following items:
Startup Items - Registry: delete the following entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Stromliv><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wget.exe>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{0306438F-7E67-4DDA-8EF2-C0AD040FEBE0}><0306438F.dll>
<{654BA371-4886-4971-8398-92C3A29C6CCC}><C:\WINDOWS\system32\mlkbajnh.dll>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<654BA371><C:\WINDOWS\system32\mlkbajnh.dll>
Edit the [AppInit_DLLs] value under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] and remove mlkbajnh.dll from it.
Delete all IFEO (image hijacking) entries (SREng highlights IFEO items in red).
3. SREng - System Repair - HOSTS - Reset (or edit the HOSTS file directly in c:\windows\system32\drivers\etc\).
In addition, check Scheduled Tasks in Control Panel for leftover tasks created by the virus. It is also advisable to empty the temp folder and to verify that the system time is correct.
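As an added example (not part of the original post and not SREng's own code), the following PowerShell script audits the three persistence points the steps above deal with: IFEO Debugger values, the AppInit_DLLs value, and non-default HOSTS entries. The registry paths and the HOSTS location are the standard Windows ones; the "ntsd -d" pattern is the value reported above for this trojan. Run it from an elevated PowerShell prompt and review the output before removing anything.

```powershell
# Added example: audit IFEO, AppInit_DLLs and HOSTS for the hijacks described
# in the post. Read-only until the cleanup block at the end is uncommented.

$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$winNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. IFEO: list every image name that carries a Debugger value. Legitimate
#    Debugger entries are rare; "ntsd -d" aimed at a security tool is the hijack.
Write-Host '== IFEO entries with a Debugger value =='
$hijacked = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [PSCustomObject]@{
            Image     = $_.PSChildName
            Debugger  = $dbg
            LooksLike = if ($dbg -match '^\s*ntsd\s+-d') { 'ntsd -d blocker' } else { 'review' }
        }
    }
}
$hijacked | Format-Table -AutoSize | Out-Host

# 2. AppInit_DLLs: any DLL named here is loaded into every process that loads
#    user32.dll, so an unexpected entry (mlkbajnh.dll in this case) matters.
Write-Host '== AppInit_DLLs =='
(Get-ItemProperty -Path $winNT -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs

# 3. HOSTS: show every active IPv4 mapping other than the default localhost
#    line, so blocked vendor sites become visible.
Write-Host '== Non-default HOSTS entries =='
Get-Content -Path $hosts | Where-Object {
    $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$'
}

# Cleanup: uncomment after reviewing the list above. -WhatIf only reports what
# would be removed; drop it to actually delete the Debugger values.
# foreach ($h in $hijacked) {
#     Remove-ItemProperty -Path "$ifeo\$($h.Image)" -Name Debugger -WhatIf
# }
```

The script deliberately lists rather than deletes: a handful of IFEO Debugger entries can be legitimate (a developer's debugger attached to a specific executable), so the decision to remove should be made per entry. Removing the Debugger values restores Task Manager and the security tools immediately; the HOSTS reset in step 3 still has to be done separately.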
>> Unless otherwise noted, all posts are original; when reposting please credit the source: http://www.stormcn.cn/post/273.html