中毒情况如下描述:
谁教我手动杀了这个病毒:iwnaeje.exe和jhhmssr.exe(进程名)
悬赏分:20 -
离问题结束还有 14 天 18 小时进程里的iwnaeje.exe和jhhmssr.exe结束又自动重新运行……
中毒情况:有点像AV终结者,包含有关“杀毒”、两个进程名称的网页等都打不开;杀毒软件、AV终结者专杀(我截获病毒文件后好像AV终结者也查不出)、冰刃等软件打开都是闪了一下就没有了……
病毒文件名为:diwlmoa.exe(应该还有个autorun.inf,不过将U盘插入时可能就被360删了)
用卡巴扫描病毒文件显示是:Virus.Win32.AutoRun.um
不过因为中了毒的机无法开杀毒软件,所以想在这里请教一下高手如何手动删除这个病毒,谢谢啦!!
======================================
在下乡的时候,我就用当时用360安全卫士搞掂过类似的病毒,
当时是安全模式进不了,任何杀毒程序都运行不了,当时终止病毒程序后,把安全卫士改名,才能运行,一运行就把垃圾给清了下,终止程序等,用命令行把病毒给删除。
然后重启就正常了。
今天这位校友把病毒样本上传上来了,我就用虚拟机把它中上,然后再手动搞它。
实验得到的结果如下:
个病毒在windows2003并不能很正常感染,但它的感染能力还是不错的。
关键会删除掉c:\windows\system32\verclsid.exe这个文件。可能就是它的丢失才会那么容易死机。
0、这个丢失的文件最好在别的机器上复制个回来。
00、至于jhhmssr.exe
和iwnaeje.exe 的终止,不必用到别的程序,直接在任务管理器也可以关闭掉。
1、先把iwnaeje.exe jhhmssr.exe 的优先级降到最低。
再终止iwnaeje.exe,弹出窗口先不要那么快确定,等会再y。接着同样关掉jhhmssr.exe。
2、还有个进程:avzxdst.exe也用同样方法终止掉。
3、然后把各种修复工具改文件名,记住一定要改再运行,否则病毒又被激活,那就要多结束一次进程了。
4、这个系统应该会比较不稳定的了,它还修改了很多东西的。要手动修复也行。比较麻烦而已。
5、这个病毒会释放出五种木马或插件程序。
有:1珠仙盗号木马c:\windows\fonts\mszhaosd.fon
2kafy盗号木马c:\windows\system32\avzxdmn.dll,avzxdst.exe
3 秀宝桌面定向广告c:\windows\system32\server.exe
4pkeusvq:c:\progra~1\meex.exe
5恶意程序services.exe:c:\windows\system\services.exe
6、iwnaeje.exe,jhhmssr.exe ,diwlmoa.exe等几个文件都隐藏到了c:\program files\common files\system 和c:\program files\common files\mirosoft shared files的目录里面了。所以要去除掉显示不出隐藏文件的,
用这个注册表文件就可以回复隐藏文件的查看:
==========================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarSizeMove"=dword:00000000
"TaskbarGlomming"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Type"="group"
"Text"="@shell32.dll,-30498"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51140"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState]
"Type"="checkbox"
"Text"="@shell32.dll,-30506"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ClassicViewState"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51076"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideMyComputerIcons"
"Text"="@shell32.dll,-30497"
"Type"="checkbox"
"ValueName"="{21EC2020-3AEA-1069-A2DD-08002B30309D}"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000001
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51150"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess]
"Type"="checkbox"
"Text"="@shell32.dll,-30507"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="SeparateProcess"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51079"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy\SeparateProcess]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache]
"Type"="checkbox"
"Text"="@shell32.dll,-30517"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="DisableThumbnailCache"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51155"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30514"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FolderContentsInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree]
"Type"="checkbox"
"Text"="@shell32.dll,-30511"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FriendlyTree"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51149"
"DefaultValue"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"Type"="checkbox"
"Text"="@shell32.dll,-30503"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="HideFileExt"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler]
"Type"="checkbox"
"Text"="@shell32.dll,-30509"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="NoNetCrawling"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51147"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy\NoNetCrawling]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers]
"Type"="checkbox"
"Text"="@shell32.dll,-30513"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="PersistBrowsers"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51152"
"DefaultValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor]
"Type"="checkbox"
"Text"="@shell32.dll,-30512"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowCompColor"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51130"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
"Type"="checkbox"
"Text"="@shell32.dll,-30504"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPath"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51100"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress]
"Type"="checkbox"
"Text"="@shell32.dll,-30505"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPathAddress"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51107"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30502"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51102"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing]
"Type"="checkbox"
"Text"="@shell32.dll,-30518"
"HKeyRoot"=dword:80000002
"RegPath"="System\\CurrentControlSet\\Control\\LSA"
"ValueName"="ForceGuest"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51154"
"DefaultValue"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets]
"Text"="管理网页和文件夹对"
"HelpID"="TBD"
"Type"="group"
"Bitmap"="C:\\WINDOWS\\system32\\\\SHELL32.DLL,4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO]
"CheckedValue"=dword:00000000
"Type"="radio"
"ValueName"="NoFileFolderConnection"
"HelpID"="TBD"
"Text"="作为单一文件显示和管理对"
"DefaultValue"=dword:00000000
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HKeyRoot"=dword:80000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE]
"ValueName"="NoFileFolderConnection"
"DefaultValue"=dword:00000000
"Text"="显示两部分但是作为单一文件进行管理"
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HelpID"="TBD"
"Type"="radio"
"CheckedValue"=dword:00000002
"HKeyRoot"=dword:80000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE]
"CheckedValue"=dword:00000001
"Type"="radio"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HelpID"="TBD"
"ValueName"="NoFileFolderConnection"
"DefaultValue"=dword:00000000
"Text"="显示两部分并分别进行管理"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade]
"Type"="checkbox"
"Text"="@shell32.dll,-30510"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="WebViewBarricade"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51148"
"DefaultValue"=dword:00000000
===================
上面的代码储存为show.reg,双击导入,应该就可以找到它们了。
360安全卫士里面可以看得到这些自启动文件,删除吧,里面所有的修复功能都搞下,否则重启又回来了。
谨此记录。
