Avsystemcare malware response: 4th update, 2007-11-10

Symptoms of infection:
a. A "Windows Security Alert" window appears, telling you that you have spyware. If you click Y(es), it opens the avsystemcare.com web page (or gomyhit.com or another odd company), which claims to have scanned your computer and found spyware and other viruses that must be removed immediately.
B. The Control Panel disappears.
C. Regedit is disabled.
D. Many well-known antivirus programs can currently detect a number of the viruses, but still cannot remove them.

Removal steps (treating the symptoms):
0. First scan and clean with the latest antivirus program.
1. Delete Start / Programs / Startup / system.exe (best done by pressing F8 at boot to enter Safe Mode; otherwise it may not delete).
2. Delete Start / Programs / Startup / autorun.exe.
3. Delete c:\windows\system32\winavxx.exe.
4. Delete c:\windows\system32\printer.exe (best done from Safe Mode). [If it still cannot be deleted in Windows XP Safe Mode, rename it, then rename some other harmless file to printer.exe.]
5. Delete c:\windows\avp.exe (best done from Safe Mode).
6. Delete all files in C:\Documents and Settings\<username>\Local Settings\Temp\ and in Temporary Internet Files.
7. Search c:\Windows\ for every file containing WinAvXX.exe, for example: Windows\prefetch\winavxx.exe-050ef48b.pf and Windows\PChealth\HelpCtr\DataColl\xxxx.xml (x 5).
8. Delete all files in c:\program files\lycos\.
9. Delete all files in c:\program files\myway\.
10. Delete c:\windows\ifinst27.exe.
11. Shut down and reboot, then check whether the removal succeeded (if it failed, quickly delete or rename the files again and immediately pull the plug to cut power).

Other information:
#1. Scanning / removal:
http://www2.uwants.com/redirect.php?tid=5005493&goto=lastpost
http://gdhanson.xoftspyse.hop.clickbank.net/?aid=7834&p=download&tid=fscavsca (Download automatic AVSystemCare removal tool)
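As an added example, not part of the original post, the following Python script is a read-only triage pass for the removal steps above: it walks a Windows-style directory tree and reports the files the steps say to remove (the two Startup-folder entries, the dropped executables, and the prefetch / HelpCtr residue that names WinAvXX.exe) without deleting anything. The tree it scans is constructed inline in a temporary directory; the avp.exe under Program Files and the clean notepad files are there to show why the location, not just the file name, has to match before anything is deleted.

```python
import os
import tempfile

# Indicators taken from the removal steps above; matching is case-insensitive
# because NTFS is. Everything here is constructed for this added example.
STARTUP_NAMES = {"system.exe", "autorun.exe"}            # steps 1 and 2
# Dropped executables and the directory the steps place them in (steps 3-5, 10).
# avp.exe is also the name of a legitimate Kaspersky binary under Program
# Files, so only the copy directly under the Windows directory counts.
DROPPED = {"winavxx.exe": "system32", "printer.exe": "system32",
           "avp.exe": "windows", "ifinst27.exe": "windows"}
RESIDUE_DIRS = {"prefetch", "pchealth"}                   # step 7
RESIDUE_MARKER = b"winavxx"


def find_indicators(root):
    """Walk a Windows-style tree under `root` and return sorted (kind, path)
    pairs for everything the steps say to remove. Nothing is deleted: this is
    the triage pass you run before rebooting into Safe Mode."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = [p.lower() for p in os.path.normpath(dirpath).replace("\\", "/").split("/")]
        parent = parts[-1] if parts else ""
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low in STARTUP_NAMES and "startup" in parts:
                hits.append(("startup-entry", path))
            elif DROPPED.get(low) == parent:
                hits.append(("dropped-file", path))
            elif RESIDUE_DIRS & set(parts):
                # step 7: prefetch / HelpCtr files that name WinAvXX.exe either
                # in the file name or in the file body
                with open(path, "rb") as fh:
                    body = fh.read(65536).lower()
                if RESIDUE_MARKER in low.encode() or RESIDUE_MARKER in body:
                    hits.append(("residue", path))
    return sorted(hits)


def build_sample_tree(base):
    """Lay out a constructed infected-looking tree plus clean files that a
    name-only check would wrongly flag, so the example runs offline."""
    layout = {
        "Documents and Settings/user/Start Menu/Programs/Startup/system.exe": b"MZ",
        "Documents and Settings/All Users/Start Menu/Programs/Startup/autorun.exe": b"MZ",
        "Windows/system32/winavxx.exe": b"MZ",
        "Windows/system32/printer.exe": b"MZ",
        "Windows/avp.exe": b"MZ",
        "Windows/ifinst27.exe": b"MZ",
        "Windows/Prefetch/WINAVXX.EXE-050EF48B.pf": b"SCCA",
        "Windows/PCHealth/HelpCtr/DataColl/collect1.xml": b"<r>C:\\WINDOWS\\system32\\WinAvXX.exe</r>",
        "Program Files/Kaspersky Lab/avp.exe": b"MZ",          # legitimate, not reported
        "Windows/system32/notepad.exe": b"MZ",                 # clean
        "Windows/Prefetch/NOTEPAD.EXE-1234ABCD.pf": b"SCCA",   # clean prefetch entry
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


def demo_hits():
    """Build the sample tree in a temp directory, triage it, print and return the hits."""
    hits = find_indicators(build_sample_tree(tempfile.mkdtemp()))
    for kind, path in hits:
        print(f"{kind:14s} {path}")
    return hits


if __name__ == "__main__":
    demo_hits()
```

On a real machine you would point find_indicators at the mounted system drive (ideally from a clean boot environment) and review the list before deleting anything; the sorted output groups the three kinds of indicator so the Safe Mode deletions in steps 1-10 can be checked off one by one.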
#2. How it works:
Trojan Trojan.Fakeavalert, threat level: ★★☆☆☆
Trojan.Fakeavalert is a trojan that infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista and Windows XP. It displays fake alert messages and lowers the system's security settings. When it is received and opened, it mainly does the following:

A. Creates the files
<user profile>\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
<system directory>\printer.exe
<system directory>\WinAvXX.exe

B. Creates the following registry entries so that the virus runs automatically at every boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %System%\printer.exe"

C. Modifies registry entries. The same six values are set for every Internet Explorer zone n = 0, 1, 2, 3, 4 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\n\:
"1200" = "0"
"1201" = "0"
"1208" = "0"
"1608" = "0"
"1804" = "1"
"2500" = "3"
and in addition:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"

D. Modifies registry entries to get through the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

E. Modifies registry entries, the default handler for web pages:
HKEY_CLASSES_ROOT\.htm\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.html\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.shtml\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.xht\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.xhtml\"(Default Value)" = "htmlfile"

F. Modifies registry entries to switch off key protections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\windows\Windows Update\"NoAutoUpdate" = "1"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"

G. Modifies registry entries, changing how URL protocols are opened:
HKEY_CLASSES_ROOT\gopher\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\gopher\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"

H. Modifies registry entries, changing the default home page and search settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.google.com/ie"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"

I. Modifies the host name resolution file (hosts), for the following sites only:
ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net
banner.fastclick.net banners.fastclick.net ca.com click.atdmt.com clicks.atdmt.com customer.symantec.com
dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com downloads-us3.kaspersky-labs.com downloads.microsoft.com
downloads1.kaspersky-labs.com downloads2.kaspersky-labs.com downloads3.kaspersky-labs.com downloads4.kaspersky-labs.com
engine.awaps.net f-secure.com fastclick.net ftp.avp.ch ftp.downloads1.kaspersky-labs.com ftp.downloads2.kaspersky-labs.com
ftp.downloads3.kaspersky-labs.com ftp.f-secure.com ftp.kasperskylab.ru ftp.sophos.com go.microsoft.com
ids.kaspersky-labs.com kaspersky-labs.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com
mast.mcafee.com mcafee.com media.fastclick.net microsoft.com msdn.microsoft.com my-etrust.com nai.com
networkassociates.com norton.com office.microsoft.com pandasoftware.com phx.corporate-ir.net rads.mcafee.com
secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com
symantec.com trendmicro.com update.symantec.com updates.symantec.com updates1.kaspersky-labs.com
updates2.kaspersky-labs.com updates3.kaspersky-labs.com updates4.kaspersky-labs.com updates5.kaspersky-labs.com
us.mcafee.com vil.nai.com viruslist.com viruslist.ru virusscan.jotti.org virustotal.com windowsupdate.microsoft.com
www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.fastclick.net www.grisoft.com
www.kaspersky-labs.com www.kaspersky.com www.kaspersky.ru www.mcafee.com www.microsoft.com www.my-etrust.com
www.nai.com www.networkassociates.com www.pandasoftware.com www.sophos.com www.symantec.com www.trendmicro.com
www.viruslist.com www.viruslist.ru www.virustotal.com www3.ca.com

J. Displays fake alert messages (see Figure 1).
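Sections B, F and I above describe the persistence, lockdown and hosts-file changes; the following Python script, added here and not part of the original post, audits an exported .reg file and a hosts file for exactly those changes. It flags a Run value that launches WinAvXX, a Winlogon Shell that is anything other than Explorer.exe, lockdown policies set to 1, and hosts-file entries that pin security-vendor or Windows Update names. The .reg and hosts samples are constructed inline, and VENDOR_DOMAINS is a representative subset of the list under I, not the full list.

```python
import re

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"([^"]+)"=(.*)$')
# Lockdown values listed under F above; 1 means the protection is switched off.
LOCKDOWN_POLICIES = {"disabletaskmgr", "disableregistrytools",
                     "nocontrolpanel", "noautoupdate", "nowindowsupdate"}
# Representative subset of the hosts-file targets listed under I above.
VENDOR_DOMAINS = ("symantec.com", "kaspersky.com", "kaspersky-labs.com",
                  "mcafee.com", "microsoft.com", "sophos.com", "trendmicro.com",
                  "f-secure.com", "virustotal.com", "pandasoftware.com", "ca.com")


def parse_reg(text):
    """Minimal parser for a regedit 5.00 export: returns {key: {name: data}}.
    Handles quoted strings (backslash escapes) and dword values; other types are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL.match(line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        else:
            data = raw
        current[name] = data
    return keys


def audit_reg(keys):
    """Flag a Run value launching WinAvXX (B), a Winlogon Shell other than
    Explorer.exe (B), and lockdown policies set to 1 (F)."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), str(data).lower()
            if k.endswith("\\currentversion\\run") and "winavxx" in d:
                findings.append(("run-persistence", key, name))
            elif k.endswith("\\winlogon") and n == "shell" and d != "explorer.exe":
                findings.append(("shell-hijack", key, name))
            elif n in LOCKDOWN_POLICIES and data == 1:
                findings.append(("lockdown-policy", key, name))
    return findings


def audit_hosts(text):
    """Return (ip, host) pairs for hosts-file lines that pin a security vendor
    or Windows Update name; a clean hosts file resolves none of these locally."""
    flagged = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for host in names:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS):
                flagged.append((ip, host))
    return flagged


# Constructed samples for this example, not captures from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"="C:\\WINDOWS\\system32\\WinAvXX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\printer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''
SAMPLE_HOSTS = '''# constructed hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com   # blocks patches
10.0.0.5        intranet.example
'''


def demo():
    """Run both audits on the samples and return (registry findings, hosts hits)."""
    reg, hosts = audit_reg(parse_reg(SAMPLE_REG)), audit_hosts(SAMPLE_HOSTS)
    for item in reg + hosts:
        print(*item)
    return reg, hosts
```

To use it on a real system, export the Run, Winlogon and Policies keys with regedit (or reg export) from a clean boot environment and feed the text to parse_reg, then pass the contents of %SystemRoot%\system32\drivers\etc\hosts to audit_hosts; because the hosts file is what stops the antivirus updates in step 0 from downloading, it is worth checking before the scan rather than after.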
Posted by onkcye on 痞客邦 (PIXNET)