How to find and remove the shameless virus with random 7-character file names

  • Posted: 2020-04-21 01:50
Virus fingerprint:
SHA-160: DA14DDB10D14C568B62176AAB738B0C479A06863
MD5: C505733FFDDA0394D404BD5BB652C1A6
RIPEMD-160: 410EF9736AD4966094C096E57B477B7572B7ED9C
CRC-32: FF6E4568
Virus size: 43,900 bytes

Connects to the network to download the virus from the address 61.152.255.252 (a Shanghai Telecom IDC).

Randomly generates the following virus files on the local machine: meex.com, rmwaccq.exe, wojhadp.exe, nqgphqd.exe, autorun.inf

Downloads and runs the following files: 1A11.exe, 2B12.exe, 3C13.exe, 2B12.exe

Randomly generates hiv files so that the virus processes guard each other.

Breaks Safe Mode:
[code]
.Upack:00408184 s_SystemControl db 'SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408184                 ; DATA XREF: sub_407CF4+6B o
.Upack:004081D9                 align 4
.Upack:004081DC s_T             db 0FFh,0FFh,0FFh,0FFh,'T',0
.Upack:004081E2                 align 4
.Upack:004081E4 s_SystemContr_0 db 'SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004081E4                 ; DATA XREF: sub_407CF4+7A o
.Upack:00408239                 align 4
.Upack:0040823C s_X             db 0FFh,0FFh,0FFh,0FFh,'X',0
.Upack:00408242                 align 4
.Upack:00408244 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408244                 ; DATA XREF: sub_407CF4+89 o
.Upack:0040829D                 align 10h
.Upack:004082A0 s_X_0           db 0FFh,0FFh,0FFh,0FFh,'X',0
.Upack:004082A6                 align 4
.Upack:004082A8 s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004082A8                 ; DATA XREF: sub_407CF4+98 o
.Upack:00408301                 align 4
.Upack:00408304                 dd 0FFFFFFFFh, 0Ch
[/code]

Breaks the "show hidden files" option:
[code]
.Upack:0040830C s_Checkedvalue  db 'CheckedValue',0          ; DATA XREF: sub_407CF4+A7 o
.Upack:00408319                 align 4
.Upack:0040831C s_Q             db 0FFh,0FFh,0FFh,0FFh,'Q',0
.Upack:00408322                 align 4
.Upack:00408324 s_SoftwareMicro db 'software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall',0
[/code]

Enables AutoPlay:
[code]
.Upack:00408524 s_SoftwareMic_4 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',0
.Upack:00408524                 ; DATA XREF: sub_407CF4+201 o
.Upack:00408560 ; char s_Nodrivetypeau[]
.Upack:00408560 s_Nodrivetypeau db 'NoDriveTypeAutoRun',0 ; DATA XREF: sub_407CF4+21A o
[/code]

Stops and disables the AVP, wuauserv, wscsvc, RsRavMon, RsCCenter and RSPPSYS services:
[code]
.Upack:004085CC ; char s_SystemCurre_5[]
.Upack:00408600 s_SystemCurre_6 db 'SYSTEM\CurrentControlSet\Services\RSPPSYS',0
.Upack:00408600                 ; DATA XREF: sub_407CF4+2D9 o
.Upack:0040862A                 align 4
.Upack:0040862C ; char s_SystemCurre_7[]
.Upack:0040862C s_SystemCurre_7 db 'SYSTEM\CurrentControlSet\Services\RsCCenter',0
.Upack:0040862C                 ; DATA XREF: sub_407CF4+30F o
.Upack:00408658 ; char s_SystemContr_1[]
.Upack:00408658 s_SystemContr_1 db 'SYSTEM\ControlSet001\Services\RsCCenter',0
.Upack:00408658                 ; DATA XREF: sub_407CF4+345 o
.Upack:00408680 ; char s_SystemContr_2[]
.Upack:00408680 s_SystemContr_2 db 'SYSTEM\ControlSet001\Services\RsRavMon',0
.Upack:00408680                 ; DATA XREF: sub_407CF4+37B o
.Upack:004086A7                 align 4
.Upack:004086A8 ; char s_SystemContr_5[]
.Upack:004086A8 s_SystemContr_5 db 'SYSTEM\ControlSet001\Services\wscsvc',0
.Upack:004086A8                 ; DATA XREF: sub_407CF4+3B1 o
.Upack:004086CD                 align 10h
.Upack:004086D0 ; char s_SystemContr_3[]
.Upack:004086D0 s_SystemContr_3 db 'SYSTEM\ControlSet001\Services\wuauserv',0
.Upack:004086D0                 ; DATA XREF: sub_407CF4+3E7 o
.Upack:004086F7                 align 4
.Upack:004086F8 ; char s_SystemContr_4[]
.Upack:004086F8 s_SystemContr_4 db 'SYSTEM\ControlSet002\Services\AVP',0
.Upack:004086F8                 ; DATA XREF: sub_407CF4+41D o
[/code]

[b]Performs Image File Execution Options (IFEO) hijacking on a large number of security tools, system programs and antivirus products[/b]
There are too many to list here; they are the same ones hijacked by earlier virus samples. For details, see the article by my friend [url=http://hi.baidu.com/ycosxhack/blog/item/c75fe7cafef4c647f21fe78a.html]余弦函数[/url].

[b]Solution[/b]
Use [b]procexp.exe[/b] to [b]suspend[/b] the two virus processes. Then type "[b]system32[/b]" in the Run dialog, [b]sort the icons by date[/b], locate the virus files and delete them:
[img]http://hiphotos.baidu.com/renlangliu/pic/item/69b408d5269c06c150da4b5c.jpg[/img]
Rename [b]autoruns[/b] (so that the image hijack does not catch it), open it, go to the [b]Image Hijacks[/b] tab and delete every entry except [b]Your Image File Name Here without a path[/b].
[img]http://files.jb51.net/upload/2007611213621219.jpg[/img]
Open [b]acdsee and delete the virus files and the autorun.inf script in the root of every drive letter.[/b] [b]Never use the right-click Open or Explorer entries to get there,[/b] because autorun.inf redirects both to the virus (its contents are shown below):
[img]http://hiphotos.baidu.com/renlangliu/pic/item/1cb419d1b82e29d6562c845a.jpg[/img]
[code]
[AutoRun]
open=nqgphqd.exe
shell\open=打开(&O)
shell\open\Command=nqgphqd.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=nqgphqd.exe
[/code]

[b]Registry fix for Safe Mode and the hidden-files option (save the following as a .reg file and double-click it to import):[/b]
[code]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000001
[/code]

[b]The virus used a script to insert these two ordinary commands into autorun.inf. Because the file names it generates are random and the process identifiers (PIDs) also change at random, the only way to write up the solution was with screenshots.[/b]
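As an added example (not from the original post), a read-only PowerShell audit of the registry locations and service names that appear in the strings above: it reports a missing SafeBoot DiskDrive class key, a broken SHOWALL\CheckedValue, a permissive NoDriveTypeAutoRun, IFEO subkeys carrying a Debugger value, and listed services that are not running. It assumes an elevated Windows PowerShell session; the 0xFF threshold is the standard "AutoRun off for all drive types" value and is not something the post states.

```powershell
# Read-only audit of the registry locations the post says this virus tampers with.
# Added example, not from the original post; key and value names come from the strings listed above.
# Run in an elevated PowerShell; it only reports deviations and changes nothing.
$findings = @()
$diskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive class GUID from the listing

# 1. Safe Mode: the DiskDrive class key must exist under Minimal and Network with default value "DiskDrive".
#    CurrentControlSet is an alias of the active ControlSetNNN, so this also covers the ControlSet001 keys.
foreach ($mode in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$diskClass"
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { $findings += "$path missing: Safe Mode cannot boot" }
    elseif ($key.GetValue('') -ne 'DiskDrive') { $findings += "$path default value is not 'DiskDrive'" }
}

# 2. Explorer "show hidden files" option: CheckedValue must be a REG_DWORD equal to 1.
#    A missing value, a value of 0 or a value of the wrong type all leave the radio button inoperative.
$showAll = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if (-not $showAll -or $showAll.GetValueNames() -notcontains 'CheckedValue' -or
    $showAll.GetValueKind('CheckedValue') -ne 'DWord' -or $showAll.GetValue('CheckedValue') -ne 1) {
    $findings += 'SHOWALL\CheckedValue is not REG_DWORD 1: the "show hidden files" option is broken'
}

# 3. AutoRun policy: 0xFF disables AutoRun for every drive type; anything lower leaves some drive types
#    able to execute an autorun.inf like the one shown above (assumed hardening target, not from the post).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer' -ErrorAction SilentlyContinue
$autorun = if ($policy) { $policy.NoDriveTypeAutoRun } else { $null }
if ($null -eq $autorun -or $autorun -ne 0xFF) { $findings += "NoDriveTypeAutoRun is '$autorun' (0xFF disables AutoRun on all drive types)" }

# 4. IFEO: any subkey carrying a Debugger value redirects that program. The post's advice is to keep only
#    the placeholder "Your Image File Name Here without a path"; debuggers you installed yourself are
#    legitimate here, so review each hit before removing it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = $sub.GetValue('Debugger')
    if ($dbg) { $findings += "IFEO hijack candidate: $($sub.PSChildName) -> Debugger = $dbg" }
}

# 5. Services the virus stops and disables (names from the listing): report any that exist but are not running.
foreach ($name in 'AVP', 'wuauserv', 'wscsvc', 'RsRavMon', 'RsCCenter', 'RSPPSYS') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $findings += "Service $name is $($svc.Status)" }
}

if ($findings.Count -eq 0) { 'No deviations found in the audited locations.' } else { $findings }
```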