I haven't done much virus-removal work lately. Yesterday, in the middle of a hectic day, I got a call for help: a colleague's machine was unusable, would not boot, and blue-screened. I went over and found the system damaged; repaired the system -> it booted. Next, the antivirus reported a lot of viruses that it could not remove (the AV is a bit rubbish). Reboot -> Safe Mode; I tried a lot of small tools and none of them would run (note: this malware uses IFEO hijacking to block many tools).
Because of the IFEO hijack, I had to rename the tools before I could do the analysis and get the results below. That also made it easy to remove quickly.
Analysis:
1. Drops itself into the All Users Startup folder (the Chinese-locale Start Menu\Programs\Startup) so it runs at every boot:
%ALLUSERSPROFILE%\「开始」菜单\程序\启动\AtiSrv.exe
2. Registers ShellExecuteHooks (COM objects that Explorer loads in-process and calls on every ShellExecute, so each hook DLL runs inside Explorer itself):
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Hooks found (name as shown in the hook list, CLSID, DLL the CLSID resolves to):
ffHADHAD1042.dll   {1133c611-c3b1-4626-bd63-6605ea0d3486}   c:\windows\system32\ffhadhad1042.dll
Microsoft          {45AADFAA-DD36-42AB-83AD-0521BBF58C24}   c:\windows\system32\zjydcx.dll
Microsoft          {6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}   c:\windows\system32\zgxfdx.dll
Microsoft          {1DB3C525-5271-46F7-887A-D4E1ADAA7632}   c:\windows\system32\hfrdzx.dll
fJACJAC1041.dll    {6b22d384-97ba-4c43-81ab-a6bb24e9d831}   c:\windows\system32\fjacjac1041.dll
fNNBNNB1032.dll    {a6f28a4f-afc8-430e-9093-25083eb3aa77}   c:\windows\system32\fnnbnnb1032.dll
fSACSAC1016.dll    {f93de3de-bc82-4f9a-a3fc-e49c4fe9c38d}   c:\windows\system32\fsacsac1016.dll
(no name shown)    {6167F471-EF2B-41DD-A5E5-C26ACDB5C096}   c:\program files\internet explorer\plugins\winsys8v.sys
(I did not see this one at first; only after the analysis was finished did I discover the file, and it was the last thing found during my cleanup.)
3. Writes AppInit_DLLs (found with HijackThis)
Many viruses now use this location to get loaded even in Safe Mode, so that Safe Mode is still an environment where the virus runs: Windows loads every DLL listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs into each process that loads user32.dll, and on XP it does this in Safe Mode too. A great many entries were written here; I could not analyse each loaded module individually, so I am only listing the file names:
bauhgnem.dll,eohsom.dll,fyom.dll,sauhad.dll,ijougiemnaw.dll,taijoad.dll,lnaixnauhqq.dll,idtj.dll,vhqq.dll,atgnehz.dll,rsqq.dll,tsqc.dll,vauyiqvlnaix.dll,wQ.dll,fmxh.dll,cty.dll,pahzij.dll,jz.dll,bz.dll,pyomielnux.dll,mhtd.dll,qnefnaib.dll,ej.dll,uixauh.dll,hjiq.dll,kiluw.dll,dsfg.dll,yqhs.dll,oaijihzeuyouhz.dll,jemnaw.dll,cuhad.dll,laixuhz.dll,rfhx.dll,mnauygniqaixnaij.dll,oqnauhc.dll,xjxr.dll,utiemnaw.dll,sve.dll,wininat.dll,gnolnait.dll,zadnew.dll,htwx.dll,knaixnauhuoyizqq.dll,duygnef.dll,gmx.dll,nadgnohiac.dll,agzg.dll,qlihzouhgnfe.dll,bchib.dll,tzm.dll,r2.dll,slcs.dll,xptyj.dll,xhtd.dll,QQ.dll,sfhx.dll,gnaixnauhqq.dll,3auhad.dll,oadnew.dll,iemnaw.dll,qcsct.dll,oadgnohiac.dll,iqnauhc.dll,aixauh.dll,ddtj.dll,nuygnef.dll,uohsom.dll,gnefnaib.dll,ijiq.dll,hjxr.dll,naijoad.dll,naixuhz.dll,nahzij.dll,fmxh.dll,zqhs.dll,jsfg.dll,utgnehz.dll,uyom.dll,wtiemnaw.dll,uyomielnux.dll,vlihzouhgnfe.dll,2ty.dll,nauhgnem.dll,auhad.dll,rj.dll,hz.dll,naijihzeuyouhz.dll,xhqq.dll,jmx.dll,dgzg.dll,gsqq.dll,fz.dll,gnaixnauhuoyizqq.dll,gnolnait.dll,jsqc.dll,dqncj.dll,eve.dll,2nauygniqaixnaij.dll,niluw.dll,ijougiemnaw.dll,wtwx.dll,jghf.dll,msd.dll,asj.dll,her.dll,awf.dll,
4. Downloads further malware into the WINDOWS directory and runs it (this is one of the clearer signs of 机器狗 (Robot Dog)).
Probably because my colleague's machine had not been online after the infection, only two such files were found under C:\windows: 28.EXE and 27.EXE.
5. Loads a rootkit driver for self-protection (not found; a tool had probably already removed it).
6. ntsd hijack (I could not analyse this clearly; I only saw that as soon as it ran, a window titled ntsd appeared saying the cuhad.dll image was invalid).
7. IFEO hijacking (blocks a number of programs, especially the small AV and anti-rootkit tools; the list covers essentially every AV product known at the time. Thanks to the QQKAV tool for helping extract this list.) The mechanism: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, a subkey named after an executable that carries a Debugger value makes Windows launch that "debugger" (with the original command line appended) instead of the program whenever a file of that name is started. The match is on the file name alone, which is why renaming a blocked tool gets around it. Hijacked image names:
60rpt.exe
360safe.exe
360safebox.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
EGHOST.exe
FileDsty.exe
FTCleanerShell.exe
FYFireWall.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
OllyDBG.EXE
OllyICE.EXE
PFW.exe
PFWLiveUpdate.exe
procexp.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
RavMonD.exe
RavStub.exe
RawCopy.exe
RegClean.exe
RegTool.exe
rfwcfg.exe
rfwmain.exe
rfwProxy.exe
rfwsrv.exe
rfwstub.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safebank.exe
safeboxTray.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
vsstat.exe
webscanx.exe
WinDbg.exe
WoptiClean.exe
Removal (first, a brief description of my approach):
1. I attached the infected disk to a clean computer and deleted the files found in analysis steps 1 and 2 (I missed c:\program files\internet explorer\plugins\winsys8v.sys, which cost me a lot of detours).
2. Booted the machine; now the antivirus no longer reported viruses, but the tools still would not run. I tried many things; in the end renaming the tools made them work.
3. Used HijackThis to analyse and fix AppInit_DLLs.
4. Used QQKav to kill the remaining malware; it also repaired the IFEO entries.
5. Repaired our antivirus.
That completed the repair.
There are other removal methods online, and the basic principle is the same: the key is to delete the files identified in the analysis and repair the IFEO entries, removing the registry entries (ShellExecuteHooks CLSIDs, AppInit_DLLs, IFEO Debugger values) in the same pass as the files so nothing is left pointing at a deleted DLL.
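The checks in analysis steps 2, 3 and 7 and the registry part of the cleanup can be done offline against a registry export taken from the infected disk, which is how this machine was handled (disk attached to a clean computer). The following is an added example, not code from the original post or from any of the tools it mentions. It parses a small constructed .reg export (the Debugger target path is a placeholder; the hook DLL, its CLSID and the two AppInit_DLLs names are taken from this write-up; the second hook CLSID is XP's own URL Exec Hook in shell32.dll), lists IFEO Debugger redirects, each ShellExecuteHook with the DLL its CLSID resolves to, and the AppInit_DLLs list, and then writes a .reg file that removes them. The assumption that shell32.dll's hook is the only legitimate ShellExecuteHook on a clean XP system is mine, as are the constant and function names.

```python
import re

# Constructed sample export (not from the post). The Debugger target is a placeholder;
# the hook DLL, its CLSID and the AppInit_DLLs names come from the write-up.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\hypothetical_redirect.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\hypothetical_redirect.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{1133c611-c3b1-4626-bd63-6605ea0d3486}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,\
  6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{1133c611-c3b1-4626-bd63-6605ea0d3486}\InProcServer32]
@="c:\\windows\\system32\\ffhadhad1042.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cuhad.dll,wQ.dll"
'''

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
HOOKS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
STOCK_HOOK_DLL = "shell32.dll"   # assumption: the only ShellExecuteHook on a clean XP (URL Exec Hook)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unesc(s):                   # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """One .reg data field: quoted string, dword, or hex(N) byte list."""
    if data.startswith('"') and data.endswith('"'):
        return _unesc(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are stored as UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """{key path: {value name: data}}; paths/names lower-cased (registry is case-insensitive)."""
    keys, cur, buf = {}, None, ""
    for line in text.splitlines():
        s = buf + line.strip()
        if s.endswith("\\"):      # regedit wraps long hex data with a trailing backslash
            buf = s[:-1]
            continue
        buf = ""
        if s.startswith("[") and s.endswith("]"):
            cur = s[1:-1].lower()
            keys[cur] = {}
            continue
        m = _VALUE_RE.match(s)
        if m and cur is not None:
            name = "" if m.group(1) == "@" else _unesc(m.group(1)[1:-1])
            keys[cur][name.lower()] = _decode(m.group(2))   # '' is the key's default value
    return keys


def find_ifeo_hijacks(keys):
    """(image, Debugger) for IFEO subkeys carrying a Debugger value: this is what blocks the tools."""
    pre = IFEO.lower() + "\\"
    return sorted((k[len(pre):], v["debugger"]) for k, v in keys.items()
                  if k.startswith(pre) and v.get("debugger"))


def find_shell_execute_hooks(keys):
    """(CLSID, in-process server DLL) for every registered ShellExecuteHook."""
    return [(c, keys.get(r"hkey_classes_root\clsid\%s\inprocserver32" % c, {}).get(""))
            for c in keys.get(HOOKS.lower(), {})]


def find_appinit_dlls(keys):
    raw = keys.get(WINDOWS_KEY.lower(), {}).get("appinit_dlls") or ""
    return [d for d in re.split(r"[,\s]+", raw) if d]   # AppInit_DLLs is comma/space separated


def undo_reg(keys):
    """A .reg file that removes the hijacks; review it before importing on the victim."""
    out = ["Windows Registry Editor Version 5.00", ""]
    out += ["[-%s\\%s]" % (IFEO, img) for img, _ in find_ifeo_hijacks(keys)]   # [-key] deletes the key
    bad = [c for c, dll in find_shell_execute_hooks(keys)
           if not (dll or "").lower().endswith("\\" + STOCK_HOOK_DLL)]
    if bad:
        out += ["[%s]" % HOOKS] + ['"%s"=-' % c for c in bad]                # "name"=- deletes a value
        out += ["[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % c for c in bad]
    if find_appinit_dlls(keys):
        out += ["[%s]" % WINDOWS_KEY, '"AppInit_DLLs"=""']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(undo_reg(parse_reg(REG_SAMPLE)))
```

Exports made with `regedit /e` are UTF-16 with a BOM, so read a real one with `open(path, encoding="utf-16")` before passing it to `parse_reg`; the key prefixes assume the victim's own HKLM, so a hive loaded under a different name on the clean machine needs them adjusted. The undo file only touches IFEO subkeys that actually carry a Debugger value (the notepad.exe entry in the sample is left alone), drops every hook CLSID except the shell32 one, and empties AppInit_DLLs; the DLL files themselves still have to be deleted from the disk separately.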
Other tools can also remove it:
机器狗/AV终结者 (Robot Dog / AV Terminator) removal tool (version 5.4)
机器狗 (Robot Dog) IFEO hijack repair tool: detection and repair