Trojan.PSW.QQPass is the virus known as "QQ Pass" (QQ通行证). You can try Rising's free dedicated removal tool, the "'Orange August' Special Extraction and Removal Tool" (“橙色八月”专用提取清除工具). The tool can remove "QQ Pass (Trojan.PSW.QQPass)", "Legend Terminator (Trojan.PSW.Lmir)", "Misc Trojan (Trojan.psw.misc)" and their variants. Every user who has no antivirus installed, or who uses another antivirus product but is infected anyway, can log on to the Rising website () and download the tool free of charge.
insect's advice: fellow sufferers who caught this virus, don't reinstall the system again and again; it's useless. You must download the "'Orange August' Special Extraction and Removal Tool". Be careful not to trust the trojan removal programs on some antivirus sites too readily, because there are now many variants, and the downloaded archives all contain some other virus, such as Black Pigeon (黑鸽子).
After you've found Orange August, scan in Safe Mode, then scan again in normal mode, reinstall Rising, and you'll find the little red umbrella has turned back into the little green umbrella. Finally, upgrade Rising to the latest version and scan once more. Then it's OK. This is the result of two full days of my own research.
Go take action now!
I myself think its sample is:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTask"="\"C:\\Program Files\\Rising\\Rav\\RavTask.exe\" -system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,45,78,70,53,63,61,6e,2e,73,79,\
73,00
"DisplayName"="ExpScaner"
"Group"="TDI"
"DependOnService"=hex(7):42,61,73,65,54,44,49,00,00
"DependOnGroup"=hex(7):00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner\Enum]
"0"="Root\\LEGACY_EXPSCANER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,4f,4f,4b,43,4f,4e,54,2e,73,\
79,73,00
"DisplayName"="HookCont"
"Group"="TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookCont\Enum]
"0"="Root\\LEGACY_HOOKCONT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,6f,6f,6b,52,65,67,2e,73,79,\
73,00
"DisplayName"="HookReg"
"Group"="TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookReg\Enum]
"0"="Root\\LEGACY_HOOKREG\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
52,69,73,69,6e,67,5c,52,61,76,5c,48,6f,6f,6b,53,79,73,2e,73,79,\
73,00
"DisplayName"="HookSys"
"Group"="TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HookSys\Enum]
"0"="Root\\LEGACY_HOOKSYS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,52,69,73,\
69,6e,67,5c,52,61,76,5c,43,43,65,6e,74,65,72,2e,65,78,65,22,00
"DisplayName"="Rising Process Communication Center"
"Group"="COM Infrastructure"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsCCenter\Enum]
"0"="Root\\LEGACY_RSCCENTER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,52,69,73,\
69,6e,67,5c,52,61,76,5c,52,61,76,6d,6f,6e,64,2e,65,78,65,22,00
"DisplayName"="RsRavMon Service"
"Group"="TDI"
"DependOnService"=hex(7):52,73,43,43,65,6e,74,65,72,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,\
00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,\
00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,\
01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RsRavMon\Enum]
"0"="Root\\LEGACY_RSRAVMON\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
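As an added example (not part of the original post), here is a small Python parser for a REGEDIT4 export like the one above: it joins the backslash-continued lines and decodes the dword, hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values, so you can read off which file each listed service actually loads and what it depends on before deciding whether an entry belongs to the trojan or to a program you installed. The embedded input is a constructed excerpt with the same shape as the ExpScaner entry in the dump.

```python
import re

# Constructed excerpt in the shape of the ExpScaner service entry above (one service only).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpScaner]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
  52,69,73,69,6e,67,5c,52,61,76,5c,45,78,70,53,63,61,6e,2e,73,79,\
  73,00
"DisplayName"="ExpScaner"
"DependOnService"=hex(7):42,61,73,65,54,44,49,00,00
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<data>.*)$')

def _join_continuations(text):
    """Rejoin lines that REGEDIT4 split with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines

def _decode(body):
    """Turn one value body into a Python object (REGEDIT4 uses single-byte ANSI strings)."""
    if body.startswith('"') and body.endswith('"'):
        return body[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if body.startswith("dword:"):
        return int(body[6:], 16)
    m = HEX_RE.match(body)
    if not m:
        return body
    raw = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    if m.group("type") == "2":   # REG_EXPAND_SZ: NUL-terminated string
        return raw.decode("latin-1").rstrip("\x00")
    if m.group("type") == "7":   # REG_MULTI_SZ: NUL-separated list, double NUL at the end
        return [s for s in raw.decode("latin-1").split("\x00") if s]
    return raw                   # REG_BINARY (e.g. the Security descriptor) stays raw bytes

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode(m.group("body"))
    return keys

def service_images(keys):
    """Map each service name under ...\\Services to the file its ImagePath points at."""
    return {path.rsplit("\\", 1)[1]: vals["ImagePath"]
            for path, vals in keys.items() if "\\Services\\" in path and "ImagePath" in vals}

if __name__ == "__main__":
    for name, image in service_images(parse_reg(SAMPLE_REG)).items():
        print(f"{name}: {image}")
```

Run it over a full export of the dump to list every service's driver or executable path in one pass.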
Trojan.PSW.LMir
After the virus runs, it copies itself into the system directory and modifies the registry startup entries so that it starts automatically after boot. It runs quietly in the background, steals the Legend (传奇) game player's username, password, login server, user region and other information, and sends this data to the virus distributor.
Dedicated removal tool download address:
http://code.cnxad.com/analyseads_lead.aspx?userid=2396&typeid=23&adsid=1034
QQ killer:
http://www.jsing.net/soft/qqkav.exe
ewido:
http://www.orsoon.com/Software/catalog184/2727.html registration code: 6617-EBE8-D1FD-FEA2
"After entering the registration code, turn off automatic updates; after every upgrade you have to enter the registration code again."
When downloading these programs, don't click the link directly; right-click and choose "Download with Thunder" (使用迅雷下载).
Then comes Kaspersky. Kaspersky + ewido + QQ killer = even if it doesn't die, it'll shed a layer of skin!!!!!
Install Kaspersky first: