This virus was a real headache and in the end forced me to reinstall the system. I collected some material online.

I. First, the earlier solutions:

(1) Brief analysis and removal of the Ghost.pif virus
Characteristics of the virus:
1. Spreads via USB flash drives
2. Trojan downloader

File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56

After running, it creates:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

Registry operations
Deletes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}

Adds the following, all pointing at C:\Program Files\Internet Explorer\romdrivers.dll:
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""

Uses the Explorer process to connect to the network and download trojans
into the temporary folder.
Each trojan then adds its own startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"

Creates HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer and adds the following values under it:
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\Me: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\13: "1.6"
The value of each entry under ver is the version of the corresponding trojan, kept so that the trojans can compare against it when updating.

Removal:

In Safe Mode:

1. Use IceSword (冰刃, downloadable from down.45it.com) to delete the following files:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

2. Use SREng (downloadable from down.45it.com) to delete startup entries like the following:

     <wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe>   []
     <fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe>   []
     <wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe>   []
     <wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe>   []
     <qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe>   []
     <wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe>   []
     <tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe>   []
     <dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe>   []

3. Empty the temporary folder.

 

(2) Fixing security software that fails with 0xc00000ba because of the new ghost.pif variant
This problem is caused by a USB-drive virus called ghost.pif.

  For the original analysis see: Brief analysis and removal of the Ghost.pif virus, http://www.45it.com/Article/pcedu/Safety/200705/16157.htm

  The latest variant, however, queries certain values under the following registry keys to find the installation directories of security products, and inside each directory it creates a folder named after the system file "ws2_32.dll", which makes the product fail to run.

  SOFTWARE\\rising\\Rav
  SOFTWARE\\Kingsoft\\AntiVirus
  SOFTWARE\\JiangMin
  SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
  SOFTWARE\\KasperskyLab\\SetupFolders
  SOFTWARE\Network Associates\TVD\Shared Components\Framework
  SOFTWARE\Eset\Nod\CurrentVersion\Info
  SOFTWARE\\Symantec\\SharedUsage
  SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

  These products load ws2_32.dll when they start. The genuine ws2_32.dll lives in system32, but a program normally looks for a DLL in its own folder first, so by creating a fake ws2_32.dll (here, the folder of that name) in each product's folder, the virus makes the product pick up the fake entry at startup and fail to launch.
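The search-order problem just described can be checked for directly. The script below is an added example, not from the article: given labelled installation folders, it reports whether the ws2_32.dll entry in each is a folder (this variant's trick), a file whose bytes differ from a reference hash of the system32 copy (a planted DLL), or a byte-identical duplicate. The folder labels, the throwaway tree built with tempfile and the hash values are constructed for the demo; locating the real folders through the registry keys listed above is left to the caller.

```python
import hashlib
import os
import tempfile

HIJACK_NAME = 'ws2_32.dll'   # the system DLL the products load from system32

def sha256_of(path):
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_install_dir(install_dir, reference_hash=None):
    """Classify the ws2_32.dll entry in install_dir:
    'directory'    a folder of that name (the symptom above: the loader finds a directory)
    'foreign-file' a file that differs from the system32 copy (search-order hijack)
    'copy'         a byte-identical duplicate of the system32 copy
    None           nothing of that name present"""
    target = os.path.join(install_dir, HIJACK_NAME)
    if os.path.isdir(target):
        return 'directory'
    if os.path.isfile(target):
        if reference_hash and sha256_of(target) == reference_hash:
            return 'copy'
        return 'foreign-file'
    return None

def scan(install_dirs, reference_hash=None):
    """Return {label: finding} for every labelled folder that has a ws2_32.dll entry."""
    findings = {}
    for label, folder in install_dirs.items():
        result = check_install_dir(folder, reference_hash)
        if result is not None:
            findings[label] = result
    return findings

def demo():
    """Constructed tree standing in for real product folders (labels are made up)."""
    root = tempfile.mkdtemp()
    dirs = {name: os.path.join(root, name) for name in ('rising', 'kaspersky', 'jiangmin', '360safe')}
    for folder in dirs.values():
        os.makedirs(folder)
    # rising: a folder named ws2_32.dll holding the blocking '1..' subfolder described above
    os.makedirs(os.path.join(dirs['rising'], HIJACK_NAME, '1..'))
    # kaspersky: a planted file whose bytes differ from the (constructed) system copy
    with open(os.path.join(dirs['kaspersky'], HIJACK_NAME), 'wb') as f:
        f.write(b'MZ planted')
    # jiangmin: an exact duplicate of the constructed system copy; 360safe is left untouched
    with open(os.path.join(dirs['jiangmin'], HIJACK_NAME), 'wb') as f:
        f.write(b'MZ genuine')
    return scan(dirs, hashlib.sha256(b'MZ genuine').hexdigest())
```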

  The fix is as follows:

  1. In Safe Mode (press F8 repeatedly after powering on; when the advanced options menu appears, choose the first item, Safe Mode, to start the system).
  Open SREng (downloadable from down.45it.com).
  Under Startup Items > Registry, delete the following entry:
  <{0CB68AD9-FF66-3E63-636B-B693E62F6236}><C:\Program Files\Internet Explorer\romdrivers.dll> [Microsoft Corporation]

  Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders" and clear the check box in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click Yes, then OK.

  Right-click drive C, choose Open from the context menu, and delete:
  C:\Program Files\Internet Explorer\romdrivers.bak
  C:\Program Files\Internet Explorer\romdrivers.bkk
  C:\Program Files\Internet Explorer\romdrivers.dll

  2. Empty everything under C:\DOCUME~1\<username>\LOCALS~1\Temp

  3. Right-click each of the other partitions, choose Open from the context menu, and delete autorun.inf and ghost.pif.

  Open SREng.

  Under Startup Items > Registry, delete the following entries (whichever are present):
  <wosa><C:\DOCUME~1\<username>\LOCALS~1\Temp\woso.exe> []
  <ztsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\ztso.exe> []
  <mhsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\mhso.exe> []
  <fysa><C:\DOCUME~1\<username>\LOCALS~1\Temp\fyso.exe> []
  <jtsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\jtso.exe> []
  <wlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wlso.exe> []
  <wgsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wgso.exe> []
  <rxsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\rxso.exe> []
  <wdsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wdso.exe> []
  <tlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\tlso.exe> []
  <dasa><C:\DOCUME~1\<username>\LOCALS~1\Temp\daso.exe> []
  <wmsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wmso.exe> []
  <qjsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\qjso.exe> []

  4. Delete the folder named ws2_32.dll under the installation folders of Rising Antivirus, Kingsoft AntiVirus, Jiangmin Antivirus, Kaspersky Anti-Virus, 360 Safeguard, and so on.

(3) Analysis of the new variant:

After running, it creates:
C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll

Adds the following registry values:
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program Files\Internet Explorer\HiJack.dll"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program Files\Internet Explorer\msvcrt.dll"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\: ""
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program Files\Common Files\Relive.dll"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
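The original variant's ShellExecuteHooks entries and this variant's additional Browser Helper Object follow one pattern: a CLSID registered under HKLM\SOFTWARE\Classes\CLSID whose InProcServer32 points at a DLL outside system32. As an added example, not part of the article, the script below parses a registry snapshot written in the same key\value: "data" notation this page uses and lists every hook or BHO whose server DLL is missing or lives outside the assumed system folder. The snapshot is constructed from the keys in this section plus the legitimate shell hook {AEB6717E-7E19-11d0-97EE-00C04FD91972} that the first variant deleted; its shell32.dll path and the system folder list are assumptions for a default install.

```python
import re

# Constructed sample in the article's own notation: this section's three CLSIDs plus the
# genuine shell32 hook (assumed default path) that the first variant removed.
SAMPLE_SNAPSHOT = r'''
HKLM\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\: "C:\WINDOWS\system32\shell32.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}: ""
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program Files\Internet Explorer\HiJack.dll"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program Files\Internet Explorer\msvcrt.dll"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program Files\Common Files\Relive.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
'''

LINE_RE = re.compile(r'^(?P<key>.+?): "(?P<data>.*)"$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
HOOK_CONTAINERS = ('\\shellexecutehooks\\', '\\browser helper objects\\')
SYSTEM_DIRS = ('c:\\windows\\system32', 'c:\\winnt\\system32')   # assumed default install

def parse_snapshot(text):
    """Return {key path: data} from lines in the notation used above."""
    entries = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group('key')] = m.group('data')
    return entries

def suspicious_hooks(entries):
    """List (CLSID, server DLL) for every ShellExecuteHooks / BHO registration whose
    InProcServer32 is missing or points outside the system directory."""
    servers = {}
    for key, data in entries.items():
        m = CLSID_RE.search(key)
        if m and key.lower().endswith('\\inprocserver32\\'):
            servers[m.group(0).upper()] = data
    findings = []
    for key in entries:
        m = CLSID_RE.search(key)
        if not m or not any(c in key.lower() for c in HOOK_CONTAINERS):
            continue
        clsid = m.group(0).upper()
        dll = servers.get(clsid)
        folder = dll.lower().rsplit('\\', 1)[0] if dll else ''
        if folder not in SYSTEM_DIRS:
            findings.append((clsid, dll))
    return sorted(findings)
```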
 

Queries certain values under the following registry keys to find the installation directories of security products, and creates a folder named after the system file "ws2_32.dll" inside each:
SOFTWARE\\rising\\Rav
SOFTWARE\\Kingsoft\\AntiVirus
SOFTWARE\\JiangMin
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
SOFTWARE\\KasperskyLab\\SetupFolders
SOFTWARE\Network Associates\TVD\Shared Components\Framework
SOFTWARE\Eset\Nod\CurrentVersion\Info
SOFTWARE\\Symantec\\SharedUsage
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Inside the ws2_32.dll folder it also creates a subfolder with the ambiguous name 1..\, so that the folder cannot be deleted from within Windows.

Directs explorer to connect to 202.59.153.91:80 and download trojans
into the temporary folder.

After they run, each trojan creates its own files in the temporary folder.

Adds registry startup entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\<username>\LOCALS~1\Temp\daso.exe"
…

Each trojan creates the HKCU\Software\SetVer\ver key.

Solution:

1. Open SREng (downloadable from down.45it.com).

Under Startup Items > Registry, delete the following entries:
<wosa><C:\DOCUME~1\<username>\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\ztso.exe> []
<mhsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\mhso.exe> []
<fysa><C:\DOCUME~1\<username>\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\<username>\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\<username>\LOCALS~1\Temp\daso.exe> []
<{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}><C:\Program Files\Internet Explorer\HiJack.dll> [Microsoft Corporation]
<{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll> [Microsoft Corporation]

Under System Repair > Browser Add-ons, select
[] {D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft Corporation>
then click Delete Selected at the bottom right and choose Yes in the dialog that appears.
2. Restart the computer.
Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders" and clear the check box in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click Yes, then OK.
Delete:
C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
Empty the temporary folder C:\DOCUME~1\<username>\LOCALS~1\Temp

3. Delete ws2_32.dll under the Rising, Jiangmin, Kaspersky and 360 folders (whichever antivirus products you actually have installed).
Method:
Suppose your Rising is installed under C:\Program files\rising\rav.
Then: Start, Run, type cmd; in the command window, change into C:\Program files\rising\rav\ws2_32.dll (cd "C:\Program files\rising\rav\ws2_32.dll") and press Enter;
then type rd 1..\ and press Enter.
Close the cmd window and delete the ws2_32.dll folder directly.
Treat ws2_32.dll under the other folders the same way.


