4CD4F692.exe 样本由guyueseng提供。
卡巴斯基报：Trojan_PSW.Win32.OnLineGames.mu

4CD4F692.exe运行后，在C:\Program Files\Common Files\Microsoft Shared\MSInfo文件夹释放下列文件：
XXXXXXXX.dll
XXXXXXXX.dat
在C:\WINDOWS\Help文件夹释放XXXXXXXX.chm
在C:\WINDOWS\system32文件夹释放verclsid.exe（先将原来的verclsid.exe改名为verclsid.exe.bak）

注：XXXXXXXX为随机数字/字母组合

在注册表中添加下列启动项：

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks           
XXXXXXXX.dll（本次感染为：423F27F3.dll    ）
在HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options分支添加N个劫持项，废掉多个杀软、防火墙以及常用手工杀毒工具软件。

手工杀毒流程：

1、将IceSword.exe改名为IS.EXE运行。用IceSword禁止进程创建。
2、结束系统核心进程以外的所有进程。
3、删除下列文件：
C:\Program Files\Common Files\Microsoft Shared\MSInfo文件夹中的：
XXXXXXXX.dll
XXXXXXXX.dat
C:\WINDOWS\Help文件夹中的XXXXXXXX.chm
C:\WINDOWS\system32文件夹中的verclsid.exe
4、展开：HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks           
删除： XXXXXXXX.dll

5、取消IceSword的“禁止进程创建”。将autoruns.exe改名为autorun.exe运行：
找到HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options           
删除：       

360rpt.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

360Safe.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

360tray.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

adam.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

AgentSvr.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

AppSvc32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

autoruns.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

avp.com            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

avp.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

CCenter.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

ccSvcHst.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

FileDsty.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

FTCleanerShell.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

HijackThis.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

IceSword.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

iparmo.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Iparmor.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

isPwdSvc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kabaload.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KaScrScn.SCR            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KASMain.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KASTask.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAV32.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVDX.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVPFW.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KAVStart.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KISLnchr.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KMailMon.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KMFilter.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFW32.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFW32X.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KPFWSvc.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KRegEx.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KRepair.COM            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KsLoader.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVCenter.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvDetect.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvfwMcl.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVMonXP.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVMonXP_1.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvol.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvolself.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvReport.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVScan.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVSrvXP.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KVStub.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvupload.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

kvwsc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvXP.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KvXP_1.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatch.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatch9x.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

KWatchX.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

loaddll.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

MagicSet.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mcconsol.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mmqczj.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

mmsk.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32krn.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

nod32kui.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

PFW.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

PFWLiveUpdate.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Ras.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Rav.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavMon.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavMonD.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavStub.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RavTask.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RegClean.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwcfg.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RfwMain.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwProxy.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

rfwsrv.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

RsAgent.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Rsaupd.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

runiep.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

safelive.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

scan32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

shcfg32.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

SmartUp.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

SREng.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

symlcsvc.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

TrojanDetector.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

Trojanwall.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

TrojDie.kxp            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

UIHost.exe            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

UpLive.EXE            File not found: C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\423F27F3.dat

将C:\WINDOWS\system32文件夹中的verclsid.exe.bak改名为verclsid.exe

至于不能查看隐藏文件问题，请打开注册表编辑器，展开：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
将"CheckedValue"=dword:00000000改为"CheckedValue"=dword:00000001即可。

此毒貌似不会重复感染同一系统。
杀毒后，再次运行样本————没有任何中毒迹象。

1、将IceSword.exe改名为IS.EXE运行。用IceSword禁止进程创建。

可是！！！
我叫他改名试！！！！！

他竟然说改了也没用啊！！！！！！！！！！

我以为有多厉害呢！！！！

我说的两个工具都是猫叔用的，他竟然还说改了名都不行？

版主大大是用的虚拟机么？

也许他那机里的病毒还有辅助的程序？？？？？？？？？？？？

不然他怎那么坚定。

引用:

【guyueseng的贴子】版主大大是用的虚拟机么？ ………………

实机运行样本。
autoruns、SRENG、IceSword——可以改名运行。

SRENG 我了多次真的不行 都是鼠标一闪就没了。是不是我我机器里面还有其他的病毒。。。。。。汗啊。还有一个病毒没提取出来文件名相同但是大小是2M左右，因为是隐藏文件无法提取，是不是这个文件在作怪？

可他自己说不行啊！！！！！！

要不等他自己处理看咯！！！！！！

佩服baohe ！！！！！！！

我今晚没白熬夜！！！！！

又学了！！！！！

版主大大厉害，老僧佩服，看来本寺院唯一一个中此病毒的就是我了。

恩！！！！！！！！！！！！

你快去先处理这个！！！！！！

顺带观察有没有其它的。

我可好奇呢！！！！

这个名字的命名权利应该给我，哭啊，我折腾一天了