The shualai.exe virus and how to remove it by hand
2007-04-19 00:00
This is a group of trojans that spreads through the ANI vulnerability. Its "dynamic process injection" capability is one of the reasons it is so hard to clean once a machine is infected.
Also: after infection, every .exe outside the system partition is infected. That is the other troublesome part of this virus.
"Symptoms" of infection: a shualai.exe process is visible in the process list.
Recommendation: run an SREng scan and save the log first, so you understand the basic situation and the manual removal that follows goes more smoothly.
The manual removal procedure is as follows (performed with IceSword):
1. Disable process creation.
2. Using the SREng log, first terminate the virus process shualai.exe and every process the virus modules have been injected into (which processes get injected depends on what programs you were running at the time; below is the example from when I ran this sample).
Code:
[PID: 484][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Msxo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\fyzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rav30.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Gjzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy1.dll] [N/A, N/A]
[C:\windows\system32\cmdbcs.dll] [N/A, N/A]
[PID: 2252][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\fyzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Msxo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Gjzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rav30.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy1.dll] [N/A, N/A]
[PID: 3880][C:\WINDOWS\system32\shadow\ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy1.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Gjzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rav30.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\fyzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Msxo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy0.dll] [N/A, N/A]
[PID: 2760][C:\Program Files\SREng2\SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy1.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Gjzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rav30.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\fyzo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Msxo0.dll] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy0.dll] [N/A, N/A]
[PID: 2548][C:\windows\shualai.exe] [N/A, N/A]
3. Delete the virus files and empty the IE temporary files folder.
4. Delete the virus startup entries.
Consider one special case:
if someone keeps tools such as autoruns outside the system partition and runs autoruns at this point, that is big trouble!! After infection, every .exe outside the system partition has already been infected.
5. Turn off IceSword's "disable process creation" again.
6. Repair the hosts file.
Note: the infected .exe files outside the system partition are probably beyond saving.
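Step 2 is the part that is easy to get wrong by hand: every process that has loaded one of the dropped DLLs must be ended, not just shualai.exe. The following is an added example (not from the original post, and not an SREng or IceSword feature) that parses the process/module layout of the SREng log quoted above and produces the kill list and file list for steps 2 and 3. The log is a constructed sample built from the entries shown on this page plus one clean system DLL; the "N/A, N/A" and Temp-directory heuristic is an assumption, not a signature.

```python
import re
# Constructed sample in the process/module layout of the SREng log quoted above: a
# "[PID: n][image] [vendor, version]" line, then one "[module] [vendor, version]" line per DLL.
SAMPLE_LOG = r"""
[PID: 484][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\LgSy0.dll] [N/A, N/A]
[C:\windows\system32\cmdbcs.dll] [N/A, N/A]
[C:\windows\system32\kernel32.dll] [Microsoft Corporation, 5.1.2600.2180]
[PID: 2760][C:\Program Files\SREng2\SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rav30.dll] [N/A, N/A]
[PID: 2548][C:\windows\shualai.exe] [N/A, N/A]
"""
PROC_RE = re.compile(r"^\[PID: (\d+)\]\[(.+?)\] \[(.+)\]$")
MOD_RE = re.compile(r"^\[(.+?)\] \[(.+)\]$")

def parse_sreng(text):
    """Map pid -> {"image", "info", "modules": [(path, info), ...]} in log order."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            current = {"image": m.group(2), "info": m.group(3), "modules": []}
            procs[int(m.group(1))] = current
        elif current is not None and (m := MOD_RE.match(line)):
            current["modules"].append((m.group(1), m.group(2)))
    return procs

def is_suspicious_module(path, info):
    """Assumed heuristic, not a signature: a DLL with no version resource ("N/A, N/A")
    or one loaded from a user Temp directory, as the injected modules on this page are."""
    return info.startswith("N/A") or "\\temp\\" in path.lower()

def triage(text, dropper="shualai.exe"):
    """Return (pids_to_terminate, files_to_delete): the dropper process first, then every
    process carrying an injected module, which is the order step 2 above prescribes."""
    pids, files = [], []
    for pid, proc in parse_sreng(text).items():
        if proc["image"].lower().endswith("\\" + dropper):
            pids.insert(0, pid)
            files.append(proc["image"])
            continue
        bad = [p for p, info in proc["modules"] if is_suspicious_module(p, info)]
        if bad:
            pids.append(pid)
            files.extend(p for p in bad if p not in files)
    return pids, files
```

Review the file list before deleting anything: a legitimate DLL that simply lacks a version resource would also be flagged by this heuristic.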