病毒名：cool_gamesetup.exe
个人描叙：这个病毒出来应该有一段时间了，最近网上反应此病毒的留言已经慢慢增多，俗称山栽版熊猫烧香，我现场见到的特征是传播速度非常快，会改注册表，隐藏文件看不到，感染.EXE文件，改主页为www.wz123.com等网址，还很多症状，我用瑞星也杀不了，后来我又用别的杀毒软件杀也无用，因我那台电脑已经全部瘫痪了，无法提供病毒样本！不知贵公司是否开发出此病毒的专杀工具
  这个病毒太流氓了！


用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

电脑都瘫痪了，我也怕用U盘拷得那个文件，怕将公司的电脑干掉了，这个文件有可能只是个传播工具而已

好的，非常感谢，我到时回家拷过来上传。我先到网上找下样本

帅哥，你好，这是我在网上找到，附件我等下就传上来，症状和我的差不多，肯定就是那病毒

各位高手：
      小弟求救： 
系统环境： windows xp sp2系统
病毒现象：1.各个分区都生成autorun.inf和(空格).exe；
                  2.在c:/windows/system32/drivers下生成txplatform.exe且强制加入开机启动项伪装成explorer.exe，用sreng2强制删除该启动项后，开机后一会儿又自动启动  txplatform.exe进程；
                  3.本机共享文件夹下生成cool_gamesetup.exe
                  4.(空格).exe、cool_gamesetup.exe以及c:/windows/system32/drivers/txplatform.exe图标显示最近一次本机执行的可执行程序的图标
                  5.本机执行可执行程序，会自动生成该可执行程序.exe.exe如：qq.exe运行后无响应，且生成qq.exe.exe
                  6.大多安全软件无法通过系统托盘正常启动，从开始-程序启动提示：无效个快捷方式。

小弟，曾试着winpe启动后，到各分区删除autorun.inf、(空格).exe、cool_gamesetup.exe以及c:/windows/system32/drivers/txplatform.exe，然后进入安全模式利用sreng2强制删除启动项explorer.exe（screng2显示该启动项的路径为c:/windows/system32/drivers/txplatform.exe），用杀毒软件查杀病毒，无异常后，重启进入正常模式，一连上网络，提示各分区根目录下有autorun.inf病毒，只有金山的清理助手提示：c:/windows/system32/drivers/txplatform.exe正在加入启动项，提示允许还是禁止。其他杀毒软件对该c:/windows/system32/drivers/txplatform.exe都无提示。好多帖子提示用大蜘蛛，但大蜘蛛只能查出autorun.inf、(空格).exe。
SREngLOG.txt (136.19 KB)
下载次数:100

2009-1-1 08:06

小弟不知道在哪可以添加附件，所以将里面的内容给粘上来了
[CODE]

2008-12-30,10:54:20

System Repair Engineer 2.6.12.1018
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background>  [(Verified)Microsoft Corporation]
    <Explorer><C:\WINDOWS\system32\drivers\TXPlatform.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <360Antiarp><D:\Program Files\360safe\antiarp\AntiArp.exe /start>  [(Verified)Qizhi Software (beijing) Co. Ltd]
    <360Safetray><D:\Program Files\360safe\safemon\360tray.exe /start>  [(Verified)Qizhi Software (beijing) Co. Ltd]
    <!AVG Anti-Spyware><"E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized>  [(Verified)GRISOFT LTD]
    <egui><"C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice>  [(Verified)"ESET, spol. s r.o."]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <360Safe><Rundll32.exe D:\PROGRA~1\360safe\AntiAdwa.dll,KillAdware>  [(Verified)Qizhi Software (beijing) Co. Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <HotKey><; C:\WINDOWS\Twain_32\Th7100\HotKey.exe>  [Pmx. Electronics Ltd.]
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    <runeip><; "C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup>  []
    <SoundMan><; SOUNDMAN.EXE>  [Realtek Semiconductor Corp.]
    <VTTimer><; VTTimer.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <VTTrayp><; VTtrayp.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <WeNeedRestart><; SOUNDMAN.EXE>  [Realtek Semiconductor Corp.]

==================================
启动文件夹
N/A

==================================
服务
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
  <e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><GRISOFT s.r.o.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Server / lanmanserver][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\srvsvc.dll><Microsoft Corporation>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\mspmsnsv.dll><Microsoft Corporation>
[Eset HTTP Server / EHttpSrv][Stopped/Manual Start]
  <"C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe"><ESET>
[Eset Service / ekrn][Running/Auto Start]
  <"C:\Program Files\ESET\ESET Smart Security\ekrn.exe"><ESET>

==================================
驱动程序
[360AntiArp / 360AntiArp][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\360AntiArp.sys><360安全中心>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  <\??\e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[IP Network Address Translator / IpNat][Stopped/Manual Start]
  <system32\DRIVERS\ipnat.sys><Microsoft Corporation>
[DDK PACKET Protocol / Packet][Running/Manual Start]
  <system32\DRIVERS\ProtoDrv.sys><360安全中心>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising Technology Co., Ltd.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[Microcode Update Driver / Update][Running/Manual Start]
  <system32\DRIVERS\update.sys><Microsoft Corporation>
[viagfx / viagfx][Running/Manual Start]
  <system32\DRIVERS\vtmini.sys><Copyright (C) VIA/S3 Graphics Co, Ltd.>
[videX32 / videX32][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\videX32.sys><VIA Technologies, Inc.>

还有好多，请问帅哥阿福可否有邮箱？我将那个文件发给你看下！谢谢

以下也是网上找的：

病毒名：win32.bmw.j.75783
病毒体大小：74.0 KB (75,783 字节)
病毒类型：熊猫烧香变种
二、病毒行为
这是一个熊猫烧香的变种，伪装成毒霸的图标来迷惑用户，它还会下载其他病毒并执行。
1.病毒会删除安全软件的开机启动项目和服务项目。
2.每1秒添加自己的启动项，并将文件隐藏显示注册表键值破坏。
3.每隔6秒在每个驱动器下（A和B驱动器除外），删除所在的autorun.inf文件或文件夹，并创建autorun.inf和对应的 .exe文件。
4.每隔6秒停止部分安全软件服务，删除部分安全软件的服务和开机自启动项目。
5.每10秒关闭以下进程，并添加映像劫持，指向ntsd -d
avp.exe rav.exe rsagent.exe ravmon.exe ravmond.exe
ravstub.exe ravtask.exe ccenter.exe 360tray.exe 360safe.exe
6.每30分钟下载一次木马 http://www.xxxxxx08.com/down/down.txt。
7.病毒会感染扩展名为exe、pif、com、src的文件，把自己附加到文件的头部，并在扩展名为htm、html、asp、php、jsp、aspx的文件中添加一网址，用户一但打开了该文件，IE就会不断的在后台点击写入的网址，达到增加点击量的目的。且该网页有漏洞，新变种的病毒会被下载并运行。
感染时排除以下文件夹中的文件
WINDOW Winnt winrar system32 Documents and Settings System Volume Information Recycled
Windows NT WindowsUpdate Windows Media Player Outlook Express Internet Explorer NetMeeting
Common Files ComPlus Applications Messenger InstallShield Installation Information MSN
Microsoft Frontpage Movie Maker MSN Gamin Zone
也不感染NTDETECT.COM和rar后缀的文件。
感染后会在感染目录下创建Desk_top_.ini文件，其内写入当前系统时间。有新变种病毒结合了vip.exe文件。

一、主要病毒程序

Cool-gamesetup.exe 这个病毒,会导致桌面的快捷方式打不开，变色，且EXCEL表格不能用。感染该病毒后占用系统大量内存，主要是杀不绝!该病毒在每个盘符下面生成一个AUTORUN.INF 和 （空格）.EXE 这两个文件,然后在C:\WIDNOWS\SYSTEM3\DRIVERS\产生一个SUCHOST.EXE文件有的还可能感染DWWIN.EXE这个文件!然后寻找局域网内没有密码的共享目录,复制本身cool-gameseutp.exe 到共享目骗用户点击!中毒后,出现所有EXE 文件被修改造成打开成CMD闪过状态。

该病毒类似熊猫烧香,该病毒自2008年12月初在互联网上陆续出现，现在危害很大.各杀毒软件厂商暂时没有发布相关消息及专杀工具。