Filesize:18593bytes
MD5:c595bc161e1d64b4d8f4d84139ef02b0
SHA1:100e8a9ae7034b41443e4ddaa46f175adb70eb06
病毒名称:未知
测试时间:2007-3-10
更新时间:明晚将更新此分析日志,
运行后病毒样本,自动删除病毒本身,自动释放病毒到%system%目录下
%system%del.bat
%system%msgcom.dll
%system%1.exe
%system%2.exe
%system%3.exe
%system%4.exe
%system%5.exe
%system%6.exe
创建启动项:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonNotifycmdmant
<WinlogonNotify:cmdmant><msgcom.dll>
修改Explorer.exe其内存,Explorer.exe尝试获取网络存取权限.202.88.90.186,试图启动%system%1.exe
%system%2.exe
%system%3.exe
%system%4.exe
%system%5.exe
%system%6.exe
%system%1.exe分析如下:
Explorer.exe启动1.EXE后,自动删除本身
释放病毒文件
%system%wsvbs.dll
%windows%wsvbs.exe
创建启动项
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
<wsttrs><%windows%wsvbs.exe>
%system%2.exe分析如下
Explorer.exe启动2.EXE后,
释放病毒文件
%system%mppds.dll
%windows%mppds.exe
创建启动项
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
<mppds><%windows%mppds.exe>
%system%3.exe分析如下
Explorer.exe启动3.EXE后,
释放病毒文件
%ProgramFiles%InternetExplorerPLUGINSsystem2.jmp
%ProgramFiles%InternetExplorerPLUGINSSystemKb.sys
%system%4.exe分析如下:
Explorer.exe启动4.EXE后,自动删除本身
释放病毒文件
%system%wsttrs.dll
%windows%wsttrs.exe
创建启动项
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
<wsttrs><%windows%wsttrs.exe>
%system%5.exe分析如下:
Explorer.exe启动5.EXE后,自动删除本身
释放病毒文件,并插入各进程.
%windows%608769.bmp
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWindows
<AppInit_DLLs><608769M.BMP>
%system%6.exe分析如下:
Explorer.exe启动6.EXE后,
释放病毒文件
c:DocumentsandSettings你的用户名LocalSettingsTempie888.exe
c:DocumentsandSettings你的用户名LocalSettingsTempiim.dll
c:DocumentsandSettings你的用户名LocalSettingsTemppacket.dll
c:DocumentsandSettings你的用户名LocalSettingsTempwanpacket.dll
%ProgramFiles%InternetExplorerPLUGINSSystemKb.bak
%system%driversnpf.sys
修改hosts内容,添加以下内容
58.215.65.136hyap98.com
58.215.65.136www.hyap98.com
60.169.1.178www.82087871.com
60.169.1.17847555.cn
60.169.1.178nc.47555.cn
60.169.1.178cn.47555.cn
60.169.1.178crsky.47555.cn
60.169.1.178www.47555.cn
60.169.1.178baibu.com
60.169.1.178www.baidu.com
60.169.1.178dgufida.com.cn
60.169.1.17888.our2000.com
60.169.1.178new.eyliao.com
60.169.1.178sybaby.a78.zgsj.com
附SRENG日志,
启动项目
注册表
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
<svc><C:DOCUME~1MIBLOCALS~1Tempie888.exe>
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
<wsvbs><C:windowswsvbs.exe>
<mppds><C:windowsmppds.exe>
<wsttrs><C:windowswsttrs.exe>
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWindows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:ProgramFilesInternetExplorerPLUGINSSystemKb.sys>[N/A]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonNotifycmdmant]
<WinlogonNotify:cmdmant><msgcom.dll>
正在运行的进程
[PID:700][??C:WINDOWSsystem32winlogon.exe]
[C:windows608769M.BMP][N/A,N/A]
[C:WINDOWSsystem32msgcom.dll][N/A,N/A]
[PID:752][C:windowssystem32services.exe
[C:windows608769M.BMP]
[PID:764][C:windowssystem32lsass.exe]
[C:windows608769M.BMP][N/A,N/A]
[PID:932][C:windowssystem32svchost.exe]
[C:windows608769M.BMP][N/A,N/A]
[PID:1020][C:windowssystem32svchost.exe
[C:windows608769M.BMP][N/A,N/A]
[PID:1116][C:windowsSystem32svchost.exe]
[C:windows608769M.BMP][N/A,N/A]
[PID:1408][C:windowssystem32svchost.exe]
[C:windows608769M.BMP][N/A,N/A]
[PID:1456][C:windowssystem32svchost.exe]
[C:windows608769M.BMP][N/A,N/A]
解决方法如下:
1.开始---运行---输入---regedit---依次展开
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
删除
<svc>
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
删除
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWindows
删除
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
删除
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonNotifycmdmant]
<WinlogonNotify:cmdmant>
2.重启计算机
3.删除以下文件
%system%del.bat
%system%msgcom.dll
%system%wsvbs.dll
%windows%wsvbs.exe
%system%mppds.dll
%windows%mppds.exe
%ProgramFiles%InternetExplorerPLUGINSsystem2.jmp
%ProgramFiles%InternetExplorerPLUGINSSystemKb.sys
%system%wsttrs.dll
%windows%wsttrs.exe
c:DocumentsandSettings你的用户名LocalSettingsTempie888.exe
c:DocumentsandSettings你的用户名LocalSettingsTempiim.dll
c:DocumentsandSettings你的用户名LocalSettingsTemppacket.dll
c:DocumentsandSettings你的用户名LocalSettingsTempwanpacket.dll
%ProgramFiles%InternetExplorerPLUGINSSystemKb.bak
%system%driversnpf.sys
%system%3.exe
%system%6.exe
system32driversetchosts
用记事打开HOSTS文件,删除以下内容
58.215.65.136hyap98.com
58.215.65.136www.hyap98.com
60.169.1.178www.82087871.com
60.169.1.17847555.cn
60.169.1.178nc.47555.cn
60.169.1.178cn.47555.cn
60.169.1.178crsky.47555.cn
60.169.1.178www47555cn
60.169.1.178baibu.com
60.169.1.178www.baidu.com
60.169.1.178dgufida.com.cn
60.169.1.17888.our2000.com
60.169.1.178new.eyliao.com
60.169.1.178sybaby.a78.zgsj.com
%windows%608769M.BMP
到我的E盘下载专杀.
http://free5.ys168.com/?ufwihgu168
(<因为对SSM监控到的桌面进程不是很懂,对这个网络连接分析存在有问题,将于明晚进行更新,也请高手指正,内容如下,谢谢)
进程:
路径:C:WINDOWSexplorer.exe
PID:1988
信息:WindowsExplorer(MicrosoftCorporation)
网络信息:
IP地址:222.88.90.186
信任的区域:否
协议:TCP
【chenzi.exe的分析及解决方法】相关文章:
★ odbcasvc.exe导致CPU使用100%问题的解决办法
★ 手动清除rundll2kxp.exe病毒的方法,无需专杀
★ SysWin7z.Jmp SysWin7z.sys木马病毒的手动删除方法
★ 病毒Autorun.inf、pagefile.pif等的解决办法
★ Trojan.DL.VBS.Agent.cpb(k[1].js)脚本病毒的解决方法