20070412 rootkit trojan removal
http://www.yippeesoft.com
Finally got rid of that trojan.
Download https://europe.f-secure.com/exclude/blacklight/blbeta.exe
Try F-Secure BlackLight Beta
Click the button/link to download Blacklight Beta (graphical user interface version):
Click Scan; when the scan finishes, rename the items it found, reboot, and then delete the renamed files.
syswav.sys dlmain4.dll dlmon4.dll
I had already been somewhat suspicious of
[syswav / syswav][Running/System Start]
<\\SystemRoot\\system32\\drivers\\syswav.sys><Intel Corporation.>
because Intel does not, as far as I know, make sound-card chips; but a file search found nothing and I didn't dig into it at the time. In the end BLBETA found it, and I finally killed it from DOS.
1 The matching file could not be found by searching
2 IceSword would not run
3 SREG's scan did not find it
4 Neither McAfee nor KAV detected it
5 超级兔子 (Super Rabbit), SSM, 清理王... 360安全卫士 (360 Safeguard): none of them could deal with it
Hiding place: ShellServiceObjectDelayLoad
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}\InprocServer32]
@="D:\\WINDOWS\\AppPatch\\DLMon4.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DLMon4"="{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswav]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,73,00,79,00,73,00,77,00,61,00,76,00,\
  2e,00,73,00,79,00,73,00,00,00
"DisplayName"="syswav"
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswav\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
It's a rootkit.
IceSword works again now.
But Dr.Web won't run; possibly a conflict with McAfee.
Neither McAfee nor KAV detected it.
I had IIS turned on for work, and Comodo happened to be acting up at the time, so it couldn't be installed.
It may have come in through WPRIN.
McAfee also has a rootkit detector; as soon as it ran, WinXP rebooted.
IceSword was blocked as well, surprisingly.
Out of laziness I didn't check from Safe Mode.
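The registry dumps above show the two footholds the implant used: a ShellServiceObjectDelayLoad (SSODL) entry pointing at a CLSID whose InprocServer32 is the DLL, and a kernel driver service whose ImagePath is stored as a hex(2) UTF-16LE string. The following is an added example, not code from this post or from any of the tools it mentions: a small Python script that parses a .reg export offline, decodes those value types, resolves each SSODL CLSID to its DLL and flags entries outside a baseline, and lists driver services with their decoded ImagePath and Start value. The embedded .reg text is the post's own dump retyped as a constructed sample; the four-entry baseline is an assumption taken from that same dump and should be replaced by a known-clean export of the same Windows build in real triage.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the .reg fragments from this post, retyped with the
# braces, backslashes and continuation marks a regedit export carries.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}\InprocServer32]
@="D:\\WINDOWS\\AppPatch\\DLMon4.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DLMon4"="{91DEDA10-86AA-4ED0-874B-28B92A3D4E99}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswav]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,73,00,79,00,73,00,77,00,61,00,76,00,\
  2e,00,73,00,79,00,73,00,00,00
"DisplayName"="syswav"
"""

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{}\InprocServer32"

# Assumed baseline: the four entries this post's dump shows beside the implant.
# In real triage take it from a known-clean export of the same Windows build.
KNOWN_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: raw value text}}."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        keys[current]["@" if name == "@" else name.strip('"')] = raw
    return keys


def decode_value(raw: str) -> str:
    """Decode one raw .reg value: quoted REG_SZ, dword:, or hex data
    (hex(1)/hex(2) are UTF-16LE strings, plain hex: is REG_BINARY)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return raw


def audit_ssodl(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, CLSID, DLL) for each SSODL entry outside the baseline,
    resolving the CLSID to its InprocServer32 default value in the same export."""
    findings = []
    for name, raw in keys.get(SSODL_KEY, {}).items():
        if name in KNOWN_SSODL:
            continue
        clsid = decode_value(raw)
        server = keys.get(CLSID_KEY.format(clsid), {})
        dll = decode_value(server.get("@", '""')) or "<CLSID not in export>"
        findings.append((name, clsid, dll))
    return findings


def driver_services(keys: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, int]]:
    """Map each Services\\<name> key that has an ImagePath to (decoded path,
    Start value); Start 1 is system start, matching BlackLight's report above."""
    out: Dict[str, Tuple[str, int]] = {}
    prefix = SERVICES_KEY + "\\"
    for key, vals in keys.items():
        tail = key[len(prefix):]
        if key.startswith(prefix) and "\\" not in tail and "ImagePath" in vals:
            start = int(decode_value(vals.get("Start", "dword:00000003")))
            out[tail] = (decode_value(vals["ImagePath"]), start)
    return out


if __name__ == "__main__":
    parsed = parse_reg(REG_EXPORT)
    for name, clsid, dll in audit_ssodl(parsed):
        print(f"unexpected SSODL entry {name} -> {clsid} -> {dll}")
    for svc, (path, start) in driver_services(parsed).items():
        print(f"service {svc}: ImagePath={path} Start={start}")
```

On a live machine the same checks would be run against a fresh `regedit /e` export of the two keys; the point of doing it on the exported text is that the hex(2) ImagePath and the CLSID indirection are exactly what makes the SSODL entry easy to overlook when reading the dump by eye.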