19.exe, pagefile.pif removal: pagefile.pif virus, auto.inf
File: 19.exe
Size: 33495 bytes
File Version: 0.00.0204
Modified: 2007-12-29, 21:23:18
MD5: 4B2BE9775B6CA847FB2547DD75025625
SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45
CRC32: 2A485241
Written in: VB
1. Once run, the virus drops the following copies and files:
Quote:
%systemroot%\Debug\DebugProgram.exe
%systemroot%\system32\command.pif
%systemroot%\system32\dxdiag.com
%systemroot%\system32\finder.com
%systemroot%\system32\MSCONFIG.COM
%systemroot%\system32\regedit.com
%systemroot%\system32\rundll32.com
%systemroot%\1.com
%systemroot%\ExERoute.exe
%systemroot%\explorer.com
%systemroot%\finder.com
%systemroot%\SERVICES.EXE
D:\autorun.inf
D:\pagefile.pif
2. Elevates its own privileges and tries to terminate any process whose name contains one of the following keywords:
Quote:
360tray*
ravmon*
ccenter*
trojdie*
kpop*
ssistse*
agentsvr*
kv*
kreg*
iefind*
iparmor*
uphc*
rulewize*
fygt*
rfwsrv*
rfwma*
trojan*
svi.exe
3. Tampers with many file associations so that opening those file types launches the virus:
Quote:
HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.com""
HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1" (so opening any unknown file type launches the virus, ugh...)
HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command: ""C:\Program Files\common~1\iexplore.pif""
(changes which file the Start menu's IE entry points to)
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.com appwiz.cpl,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\ftp\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\common~1\iexplore.pif" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\common~1\iexplore.pif" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "finder.com desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""
HKLM\SOFTWARE\Classes\telnet\shell\open\command: "finder.com url.dll,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Clients\StartMenuInternet: "iexplore.pif"
...
Adds a new winfiles file class that points to C:\WINDOWS\ExERoute.exe
and tampers with the exe association: HKLM\SOFTWARE\Classes\.exe: "winfiles"
4. Modifies
Quote:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
setting its Shell value to Explorer.exe 1
5. Connects to the network to steal account credentials for games such as 传奇世界
Removal method:
1. Extract IceSword, rename Icesword.exe to Icesword.com and run it.
In the Processes tab, terminate %systemroot%\SERVICES.EXE
Click the File button in the lower left and delete the following files:
%systemroot%\Debug\DebugProgram.exe
%systemroot%\system32\command.pif
%systemroot%\system32\dxdiag.com
%systemroot%\system32\finder.com
%systemroot%\system32\MSCONFIG.COM
%systemroot%\system32\regedit.com
%systemroot%\system32\rundll32.com
%systemroot%\1.com
%systemroot%\ExERoute.exe
%systemroot%\explorer.com
%systemroot%\finder.com
%systemroot%\SERVICES.EXE
D:\autorun.inf
D:\pagefile.pif
2. Change the extension of sreng to bat and run it.
System Repair - File Associations: Repair
3. Repair the system
Open the system drive and run %systemroot%\system32\regedit.exe directly
to restore the registry entries the virus modified:
Quote:
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.exe shell32.dll,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "rundll32.exe shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "rundll32.exe desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\telnet\shell\open\command: "rundll32.exe url.dll,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\Explorer.exe"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.exe""
HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey
Change the Shell value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
back to Explorer.exe
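As an added example that is not part of the original post, the check below walks registry values exported in a simple KEY\VALUE=DATA form, flags the association and Winlogon changes listed above, and proposes the restored value from the cleanup list. The input is a constructed sample, and the "exefile" default class for .exe is a standard Windows value assumed here rather than something the post states.

```python
import re
# Impostor binaries the dropper plants (from the file list above), each mapped to the
# legitimate program that the cleanup list puts back in its place.
IMPOSTORS = {
    "rundll32.com": "rundll32.exe",
    "finder.com": "rundll32.exe",
    "explorer.com": "Explorer.exe",
    "iexplore.com": "iexplore.exe",
    "iexplore.pif": "iexplore.exe",
}
# Constructed sample export in a simple KEY\VALUE=DATA form ('@' is the default value);
# it mixes hijacked entries from the post with one untouched association.
SAMPLE_REG = "\n".join([
    r"HKLM\SOFTWARE\Classes\.exe\@=winfiles",
    r'HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\@="C:\Program Files\Internet Explorer\iexplore.com" -nohome',
    r"HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\@=finder.com shdocvw.dll,OpenURL %l",
    r'HKLM\SOFTWARE\Classes\HTTP\shell\open\command\@="C:\Program Files\common~1\iexplore.pif" -nohome',
    r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\@=%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=Explorer.exe 1",
])

def parse_reg(text):
    """Split each 'KEY\\VALUE=DATA' line into (key_path, value_name, data)."""
    entries = []
    for line in text.strip().splitlines():
        path, _, data = line.partition("=")
        key, _, name = path.rpartition("\\")
        entries.append((key, name, data))
    return entries

def find_hijacks(text):
    """Return (key, reason, suggested_restore) for each entry matching the post's IoCs."""
    findings = []
    for key, name, data in parse_reg(text):
        low, k = data.lower(), key.lower()
        if k.endswith(r"\classes\.exe") and low == "winfiles":
            # 'exefile' is Windows' standard default class for .exe (assumed; the post only says to delete winfiles)
            findings.append((key, ".exe association redirected to winfiles", "exefile"))
        elif k.endswith(r"\winlogon") and name.lower() == "shell" and low != "explorer.exe":
            findings.append((key, "Winlogon Shell value altered", "Explorer.exe"))
        else:
            for bad, good in IMPOSTORS.items():
                if bad in low:
                    fixed = re.sub(re.escape(bad), good, data, flags=re.I)
                    # the dropped IE copy lives under common~1; point back at the real IE folder
                    fixed = fixed.replace(r"C:\Program Files\common~1", r"C:\Program Files\Internet Explorer")
                    findings.append((key, f"command launches dropped {bad}", fixed))
                    break
    return findings
```

Running find_hijacks(SAMPLE_REG) reports five entries and leaves the untouched txtfile association alone.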