中华吸血鬼

　　同事电脑打不开某些网站，而有的网页能打开也会跳出“盗版软件”提示，即使百度网站也会跳出来“盗版”提示，比如用百度搜索“中华吸血鬼专杀”，就会跳出所谓“Windows盗版验证”窗口，说：“安全提示：您正在使用的百度搜索_中华吸血鬼专杀是盗版软件，可能您是盗版软件的受害者，……”。(后来到网上查了下中华吸血鬼的描述，发现这个盗版提示本来是针对安全工具、杀毒软件的，借用一下清新阳光的图，提示就是下面的样子，看来病毒比较笨，只要搜索到当前窗口标题中有相关安全工具、杀毒软件、专杀等的关键字，就认为是软件，而没区分IE窗口。更多该病毒信息请到网上搜索。

　　由于当时无法上网查到这些信息，只能根据网站打不开推测可能HOSTS文件有问题，检查了下HOSTS，果然，里面劫持了许多安全网站，还在首行写下“中华吸血鬼免疫杀毒软件”。而且无法修复HOSTS，一清空马上被病毒改回去。后来从其它地方先拷来一个HOSTS的正常文件到桌面，改成只读属性，再复制到c:\winnt\system32\drivers\etc(该电脑装的是2000，如果是xp则位置是：c:\windows\system32\drivers\etc)下替换病毒修改的HOSTS文件，才保证了不会被病毒改回去。

　　然后，就是下载windows清理助手(修复HOSTS，安全网站就可以打开并下载工具软件)扫描清理，再用SREng扫尾，总算搞定。下面提供相关杀毒日志(该机系统是2000)：

SREng日志：

启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <shoket><C:\WINNT\system32\SHELLEXT\svchs0t.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><hourpx2.dll>  [](此项清空AppInit_DLLs的值即可)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{00230023-0023-0023-0023-00230023BB15}><C:\WINNT\system32\rasdlgcq.dll>  []
    <{00250025-0025-0025-0025-00250025BB15}><C:\WINNT\system32\slbiopfs2.dll>  []
    <{00060006-0006-0006-0006-00060006BB15}><C:\WINNT\system32\dispexcb.dll>  []
    <{00120012-0012-0012-0012-00120012BB15}><C:\WINNT\system32\kbdswjr.dll>  []
    <{00010001-0001-0001-0001-00010001BB15}><C:\WINNT\system32\adsntzt.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <rasdlgcq.dll><C:\WINNT\system32\rasdlgcq.dll>  []
    <slbiopfs2.dll><C:\WINNT\system32\slbiopfs2.dll>  []
    <dispexcb.dll><C:\WINNT\system32\dispexcb.dll>  []
    <kbdswjr.dll><C:\WINNT\system32\kbdswjr.dll>  []
    <adsntzt.dll><C:\WINNT\system32\adsntzt.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}]
    <系统设置><%windir%\Tasks\hackshen.vbs>  []

==================================
服务
[Smart Card Helper / SCardDrv][Stopped/Auto Start]
  <C:\WINNT\system32\scardsvr32.exe -v><(File is missing)>
[Security Control / seictrl][Stopped/Auto Start]
  <c:\winnt\system32\rundll32.exe dbi100.dll,scan><Microsoft Corporation>
[CurrentContSet / Winx86ite][Stopped/Auto Start]
  <C:\WINDOWS\system32\severs.exe><(File is missing)>

==================================
驱动程序
[junzhang / junzhang][Stopped/Manual Start]
  <\??\C:\WINNT\system32\wincab.sys><N/A>
[Pandrv / Pandrv][Running/Disabled]
  <\??\C:\WINNT\TEMP\Pandrv.sys><N/A>

==================================
正在运行的进程(以下是病毒文件插入进程的情形)
[PID: 856][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
[PID: 664][C:\WINNT\system32\Rundll32.exe]  [Microsoft Corporation, 5.00.2134.1]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
[PID: 876][C:\WINNT\Tasks\csrss.exe]  [N/A, ]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 1344][C:\WINNT\system32\hkcmd.exe]  [Intel Corporation, 3,0,0,2082]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 1352][C:\WINNT\SOUNDMAN.EXE]  [Realtek Semiconductor Corp., 5.0.19]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 1392][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 1500][C:\WINNT\system32\conime.exe]  [Microsoft Corporation, 5.00.2195.6655]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 3292][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 5.00.2920.0000]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]
[PID: 4004][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, ]
    [C:\WINNT\system32\dbi100.dll]  [N/A, ]
    [C:\WINNT\system32\pthreadCG3.dll]  [N/A, ]
    [C:\WINNT\system32\adsntzt.dll]  [N/A, ]
    [C:\WINNT\system32\kbdswjr.dll]  [N/A, ]
    [C:\WINNT\system32\dispexcb.dll]  [N/A, ]
    [C:\WINNT\system32\slbiopfs2.dll]  [N/A, ]
    [C:\WINNT\system32\rasdlgcq.dll]  [N/A, ]

windows清理助手的日志：

[7939/9505]
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{6E44887F-5214-41F2-AB46-4728735C4CC6}

[Cnscheck001]
HKEY_CLASSES_ROOT\CLSID\{9A0CFC58-5A6F-41BA-9FFE-4320F4F621BA}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{9A0CFC58-5A6F-41BA-9FFE-4320F4F621BA}

[MyWow]
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETWORKLOGON
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_NETWORKLOGON
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NETWORKLOGON

[WinDHCPsvc]
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINDHCPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_CELINDRV
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_WINDHCPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINDHCPSVC

[WSD_SOCK32]
HKEY_CLASSES_ROOT\CLSID\{1A404685-7563-4D02-B0F6-58B308A406A9}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{1A404685-7563-4D02-B0F6-58B308A406A9}

[System16]
HKEY_CLASSES_ROOT\CLSID\{6E44887F-5214-41F2-AB46-4728735C4CC6}
HKEY_CURRENT_USER\SOFTWARE\MS\TNND

[Trojan HorseDownloader]
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINDOWS_MANAGEMENT_NETWORK_SERVICE_EXTENSIONS

[Trojan.Msdebug]
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_CELINDRV
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_CELINDRV

[Trojan.psw.avx]
C:\WINNT\SYSTEM32\DISPEXCB.DLL
C:\WINNT\SYSTEM32\DISPEXCB.NLS
C:\WINNT\SYSTEM32\RASDLGCQ.NLS
C:\WINNT\TASKS\CSRSS.EXE
C:\WINNT\TASKS\HACKSHEN.VBS
C:\WINNT\TASKS\绿化.BAT
HKEY_CLASSES_ROOT\CLSID\{00060006-0006-0006-0006-00060006BB15}
HKEY_CLASSES_ROOT\CLSID\{00230023-0023-0023-0023-00230023BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{00060006-0006-0006-0006-00060006BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{00230023-0023-0023-0023-00230023BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{H9I12RB03-AB-B70-7-11D2-9CBD-0O00FS7AH6-9E2121BHJLK}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{00060006-0006-0006-0006-00060006BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{00230023-0023-0023-0023-00230023BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\DISPEXCB.DLL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\IAS
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\IAS
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IAS

[Uncorrect AppInit_DLLs]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\REG_SZ00

[Trojan.Hdv32.MMHX]
C:\WINNT\SYSTEM32\KBDSWJR.DLL
HKEY_CLASSES_ROOT\CLSID\{00120012-0012-0012-0012-00120012BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{00120012-0012-0012-0012-00120012BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{00120012-0012-0012-0012-00120012BB15}

[Trojan.ytewcxzsw.wrew2ds]
C:\WINNT\SYSTEM32\ADSNTZT.DLL
C:\WINNT\SYSTEM32\ADSNTZT.NLS
C:\WINNT\SYSTEM32\KBDSWJR.NLS
HKEY_CLASSES_ROOT\CLSID\{00010001-0001-0001-0001-00010001BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{00010001-0001-0001-0001-00010001BB15}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{00010001-0001-0001-0001-00010001BB15}

[Fake.MicosoftUpdateServ.seictrl]
C:\WINNT\SYSTEM32\DBI100.DLL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SEICTRL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SEICTRL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_SEICTRL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\SEICTRL
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_SEICTRL
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SEICTRL

[Trojan.inityuser.go10]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\ADSNTZT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\KBDSWJR.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\RASDLGCQ.DLL

[Unknown Trojan Horse/Virus]
C:\WINNT\SYSTEM32\PTHREADCG3.DLL
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MSNDNS
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_MSNDNS

[Maybe Useless object]
C:\WINNT\QQ.EXE(QQ程序还能跑到系统目录中来？）

>> 除非说明均为原创，如转载请注明来源于http://www.stormcn.cn/post/88.html

Tags: HOSTS  病毒 木马  

作者:流风33 | 分类:

病毒救援

| 评论:3 | 浏览: