看来这个最近流行,谢谢baohe斑竹吧,估计你中的baohe斑竹测试的一个病毒
一、创建的文件
Create file
Object:C:\windows\nvideogui.exe
Create file
Object:C:\WINDOWS\system32\remon.sys
二、注册表更改
1、启动项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\remon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\remon
2、其它项:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\MSBCRM
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\Minstallvariable
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\Mupvariable
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\\EnableFirewall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\\AUOptions
HKLM\System\CurrentControlSet\Services\wscsvc\\Start
HKLM\System\CurrentControlSet\Services\TlntSvr\\Start
HKLM\System\CurrentControlSet\Services\RemoteRegistry\\Start
HKLM\System\CurrentControlSet\Services\Messenger\\Start
HKLM\System\CurrentControlSet\Control\Lsa\\restrictanonymous
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\\AutoShareWks
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\\AutoShareServer
HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters\\AutoShareWks
HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters\\AutoShareServer
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\\DoNotAllowXPSP2
HKLM\SOFTWARE\Microsoft\Ole\\EnableDCOM
HKLM\System\CurrentControlSet\Control\\WaitToKillServiceTimeout
3、HJ日志内容:
O23 - NT 服务: Nvidia Graphic Displacement (nvideoGUI) - Unknown owner - C:\windows\nvideogui.exe
4、其它特点:
C:\windows\nvideogui.exe有进程守护功能(见附图);SSM2.0.0555可禁止C:\windows\nvideogui.exe启动加载。
木马eraseme_13348.exe查杀:
1、如果安装了SSM2.0.0555,请在其“选项”面板中将其设置成“自动启动”、“自动连接用户界面”。
2、重启系统。
3、删除下列木马文件:
C:\windows\nvideogui.exe
C:\WINDOWS\system32\remon.sys
4、删除木马添加主要注册表项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\remon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\remon
HKLM\System\CurrentControlSet\Control\\WaitToKillServiceTimeout
其它注册表改动,最好也改过来(不必在注册表中做)。如:安全中心的开启,自动更新和WINDOWS防火墙的开启——可在安全中心的设置中完成。
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters,"AutoShareWks"=dword:00000000。这样的键值是否改,自己决定。