File size: 57108 bytes
MD5: 9207fdee2f25a834d4e7151475fc7f45
SHA1: 37e51a5632fd615432840fd480abd9ba175a0505
Virus name: Trojan-Downloader.Win32.QQHelper.vn (Kaspersky naming)
When the sample runs, it automatically copies itself into the %SYSTEMroot% and %WINDIR% directories:
Code:
%SYSTEMroot%\nttstat.exe
%WINDIR%\nttstat.exe
%WINDIR%\d6.exe
%WINDIR%\ft001.exe
%WINDIR%\KB9269O4.log
X:\Documents and Settings\<your user name>\Application Data\CuckooHost.dat
Yet another virus that uses IFEO (Image File Execution Options) hijacking: the Debugger value under the Explorer.exe subkey makes Windows launch the dropped file instead of Explorer.
Code:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
<Explorer.exe> <%SYSTEMroot%\nttstat.exe>
(See figure 1.)
%WINDIR%\d6.exe drops the following files:
Code:
%ProgramFiles%\Common Files\CPUSH\Uninst.exe
%ProgramFiles%\Common Files\CPUSH\cpush.dll
X:\Documents and Settings\<your user name>\Local Settings\Temp\nsa1A.tmp
%WINDIR%\ft001.exe drops the following files:
Code:
%SYSTEMroot%\drivers\gpkcsw.sys
%SYSTEMroot%\gpkcsw.dll
%SYSTEMroot%\hydlvr.dll
X:\Documents and Settings\<your user name>\Local Settings\Temp\tmp1B.CAB
X:\Documents and Settings\<your user name>\Local Settings\Temp\tmp1B.tmp
X:\Documents and Settings\<your user name>\Local Settings\Temp\tmp1c.tmp
X:\Documents and Settings\<your user name>\Local Settings\Temp\tmp1d.tmp
SREng log excerpts:
Drivers
Code:
[gpkcsw / gpkcsw][Stopped/Boot Start]
<SystemRoot\system32\drivers\gpkcsw.sys><Microsoft Corporation>
==================================
Browser add-ons
Code:
[CAdLogicObject]
{11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush0.dll,>
==================================
Running processes
Code:
[PID: 432][C:\windows\Explorer.EXE]
  [C:\windows\KB9269O4.log][N/A,]
[PID: 432][C:\windows\nttstat.exe][N/A,]
[PID: 432][C:\windows\system32\nttstat.exe]
[PID: 1076][C:\windows\system32\RUNDLL32.exe]
  [C:\windows\system32\hydlvr.dll]
Removal steps:
1. Start --- Run --- regedit --- expand in turn:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
and delete the subkey:
<Explorer.exe>
2. Run IceSword --- Settings --- Forbid process/thread creation --- terminate the malicious process:
Code:
%WINDIR%\d6.exe
3. In IceSword --- Settings --- Forbid process/thread creation --- force-unload the modules injected into Explorer.EXE (see figure 2) and RUNDLL32.exe:
Code:
C:\windows\KB9269O4.log
C:\windows\nttstat.exe
C:\windows\system32\hydlvr.dll
4. Run SREng --- Startup items --- Services --- Drivers --- delete the service:
Code:
[gpkcsw / gpkcsw][Stopped/Boot Start]
<SystemRoot\system32\drivers\gpkcsw.sys><Microsoft Corporation>
5. Close all browser windows and any unnecessary programs.
Run SREng2 and use: System Repair --- Browser add-ons --- select the following item and delete it:
Code:
C:\Program Files\Common Files\CPUSH\cpush0.dll
6. In IceSword --- File --- delete the following files:
%SYSTEMroot%\nttstat.exe
%WINDIR%\nttstat.exe
%WINDIR%\d6.exe
%WINDIR%\ft001.exe
%WINDIR%\KB9269O4.log
%SYSTEMroot%\drivers\gpkcsw.sys
%ProgramFiles%\Common Files\CPUSH (delete the whole folder)
%SYSTEMroot%\gpkcsw.dll
%SYSTEMroot%\hydlvr.dll
X:\Documents and Settings\<your user name>\Local Settings\Temp (empty the folder)
X:\Documents and Settings\<your user name>\Application Data\CuckooHost.dat
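As an added example that is not part of the original post, the following PowerShell audit enumerates every IFEO Debugger value (the mechanism this sample abuses against Explorer.exe) and checks for the files and the COM class the post lists. It assumes an elevated session on the affected machine, that the post's %SYSTEMroot% means the system32 directory, and that the add-on's CLSID is registered under HKLM\SOFTWARE\Classes\CLSID.

```powershell
# Added audit script, not from the original post. Run in an elevated PowerShell.
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$sys32 = Join-Path $env:WINDIR 'system32'   # the post's %SYSTEMroot% (assumed to be system32)

# File and folder indicators taken from the post; the user profile is resolved via $env:APPDATA
$indicators = @(
    (Join-Path $sys32 'nttstat.exe'),
    (Join-Path $env:WINDIR 'nttstat.exe'),
    (Join-Path $env:WINDIR 'd6.exe'),
    (Join-Path $env:WINDIR 'ft001.exe'),
    (Join-Path $env:WINDIR 'KB9269O4.log'),
    (Join-Path $sys32 'drivers\gpkcsw.sys'),
    (Join-Path $sys32 'gpkcsw.dll'),
    (Join-Path $sys32 'hydlvr.dll'),
    (Join-Path $env:CommonProgramFiles 'CPUSH'),
    (Join-Path $env:APPDATA 'CuckooHost.dat')
)

function Get-IfeoDebuggers {
    # Any subkey carrying a Debugger value makes Windows start that value instead of
    # the named image; in this post the Explorer.exe subkey points at nttstat.exe.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Test-PostIndicators {
    foreach ($p in $indicators) {
        [pscustomobject]@{ Path = $p; Present = [bool](Test-Path -LiteralPath $p) }
    }
}

function Get-AddonRegistration {
    # CLSID from the SREng "browser add-ons" entry; InprocServer32's default value is the DLL path
    $clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32'
    if (Test-Path -Path $clsid) { (Get-ItemProperty -Path $clsid).'(default)' }
}

'--- IFEO Debugger values (legitimate ones are rare; review every entry) ---'
Get-IfeoDebuggers | Format-Table -AutoSize
'--- Artifacts from the post that are present on this machine ---'
Test-PostIndicators | Where-Object Present | Format-Table -AutoSize
'--- COM registration of the CPUSH add-on (empty if not registered) ---'
Get-AddonRegistration
```

Run it again after step 6 to confirm that no Debugger value, indicator file or CLSID registration remains.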