19.exe,pagefile.pif专杀 pagefile.pif病毒 auto.inf_病毒查杀教程-查字典教程网

File:19.exe

Size:33495bytes

FileVersion:0.00.0204

Modified:2007年12月29日,21:23:18

MD5:4B2BE9775B6CA847FB2547DD75025625

SHA1:2660F88591AD4DA8849A3A56F357E7DFB9694D45

CRC32:2A485241

编写语言：VB

1.病毒运行后，衍生如下副本及文件：

Quote:

%systemroot%DebugDebugProgram.exe

%systemroot%system32command.pif

%systemroot%system32dxdiag.com

%systemroot%system32finder.com

%systemroot%system32MSCONFIG.COM

%systemroot%system32regedit.com

%systemroot%system32rundll32.com

%systemroot%1.com

%systemroot%ExERoute.exe

%systemroot%explorer.com

%systemroot%finder.com

%systemroot%SERVICES.EXE

D:autorun.inf

D:pagefile.pif

2.提升自身权限，试图结束带有如下关键字的进程

Quote:

360tray*

ravmon*

ccenter*

trojdie*

kpop*

ssistse*

agentsvr*

kv*

kreg*

iefind*

iparmor*

uphc*

rulewize*

fygt*

rfwsrv*

rfwma*

trojan*

svi.exe

3.篡改很多文件关联方式使得打开这些文件后会启动病毒

Quote:

HKLMSOFTWAREClasses.bfcShellNewCommand:"%SystemRoot%system32rundll32.com%SystemRoot%system32syncui.dll,Briefcase_Create%2!d!%1"

HKLMSOFTWAREClassesCLSID{871C5380-42A0-1069-A2EA-08002B30309D}shellOpenHomePageCommand:""C:ProgramFilesInternetExploreriexplore.com""

HKLMSOFTWAREClassesDriveshellfindcommand:"%SystemRoot%explorer.com"

HKLMSOFTWAREClassesdunfileshellopencommand:"%SystemRoot%system32rundll32.comNETSHELL.DLL,InvokeDunFile%1"

HKLMSOFTWAREClasseshtmlfileshellprintcommand:"rundll32.com%SystemRoot%system32mshtml.dll,PrintHTML"%1""

HKLMSOFTWAREClassesinffileshellInstallcommand:"%SystemRoot%System32rundll32.comsetupapi,InstallHinfSectionDefaultInstall132%1"

HKLMSOFTWAREClassesUnknownshellopenascommand:"%SystemRoot%system32finder.com%SystemRoot%system32shell32.dll,OpenAs_RunDLL%1"（打开未知程序都能启动病毒，汗...）

HKLMSOFTWAREClientsStartMenuInternetiexplore.pifshellopencommand:""C:ProgramFilescommon~1iexplore.pif""

（修改开始程序上的IE的指向文件）

HKLMSOFTWAREClasses.lnkShellNewCommand:"rundll32.comappwiz.cpl,NewLinkHere%1"

HKLMSOFTWAREClassesApplicationsiexplore.exeshellopencommand:""C:ProgramFilesInternetExploreriexplore.com"%1"

HKLMSOFTWAREClassescplfileshellcplopencommand:"rundll32.comshell32.dll,Control_RunDLL"%1",%*"

HKLMSOFTWAREClassesftpshellopencommand:""C:ProgramFilesInternetExploreriexplore.com"%1"

HKLMSOFTWAREClasseshtmlfileshellopencommand:""C:ProgramFilesInternetExploreriexplore.com"-nohome"

HKLMSOFTWAREClasseshtmlfileshellopennewcommand:""C:ProgramFilescommon~1iexplore.pif"%1"

HKLMSOFTWAREClassesHTTPshellopencommand:""C:ProgramFilescommon~1iexplore.pif"-nohome"

HKLMSOFTWAREClassesInternetShortcutshellopencommand:"finder.comshdocvw.dll,OpenURL%l"

HKLMSOFTWAREClassesscrfileshellinstallcommand:"finder.comdesk.cpl,InstallScreenSaver%l"

HKLMSOFTWAREClassesscriptletfileShellGenerateTypelibcommand:""C:WINDOWSsystem32finder.com"C:WINDOWSsystem32scrobj.dll,GenerateTypeLib"%1""

HKLMSOFTWAREClassestelnetshellopencommand:"finder.comurl.dll,TelnetProtocolHandler%l"

HKLMSOFTWAREClientsStartMenuInternet:"iexplore.pif"

...

增加winfiles的新的文件关联指向C:WINDOWSExERoute.exe

并篡改exe文件关联HKLMSOFTWAREClasses.exe:"winfiles"

4.修改

Quote:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWinlogon

的{shell}值为Explorer.exe1

5.连接网络盗取传奇世界等游戏的帐号密码

清除方法：

1.解压缩Icesword把Icesword.exe改名为Icesword.com运行

进程一栏结束%systemroot%SERVICES.EXE

点击左下角的文件按钮删除如下文件

%systemroot%DebugDebugProgram.exe

%systemroot%system32command.pif

%systemroot%system32dxdiag.com

%systemroot%system32finder.com

%systemroot%system32MSCONFIG.COM

%systemroot%system32regedit.com

%systemroot%system32rundll32.com

%systemroot%1.com

%systemroot%ExERoute.exe

%systemroot%explorer.com

%systemroot%finder.com

%systemroot%SERVICES.EXE

D:autorun.inf

D:pagefile.pif

2.把sreng扩展名改为bat，运行

系统修复－文件关联修复

3.修复系统

打开系统盘直接运行%systemroot%system32regedit.exe

把被病毒修改的注册表恢复回来

Quote:

HKLMSOFTWAREClasses.lnkShellNewCommand:"rundll32.exeappwiz.cpl,NewLinkHere%1"

HKLMSOFTWAREClassesApplicationsiexplore.exeshellopencommand:""C:ProgramFilesInternetExploreriexplore.exe"%1"

HKLMSOFTWAREClassescplfileshellcplopencommand:"rundll32.exeshell32.dll,Control_RunDLL"%1",%*"

HKLMSOFTWAREClasseshtmlfileshellopencommand:""C:ProgramFilesInternetExploreriexplore.exe"-nohome"

HKLMSOFTWAREClasseshtmlfileshellopennewcommand:""C:ProgramFilesInternetExploreriexplore.exe"%1"

HKLMSOFTWAREClassesHTTPshellopencommand:""C:ProgramFilesInternetExploreriexplore.exe"-nohome"

HKLMSOFTWAREClassesInternetShortcutshellopencommand:"rundll32.exeshdocvw.dll,OpenURL%l"

HKLMSOFTWAREClassesscrfileshellinstallcommand:"rundll32.exedesk.cpl,InstallScreenSaver%l"

HKLMSOFTWAREClassestelnetshellopencommand:"rundll32.exeurl.dll,TelnetProtocolHandler%l"

HKLMSOFTWAREClassesDriveshellfindcommand:"%SystemRoot%Explorer.exe"

HKLMSOFTWAREClassesCLSID{871C5380-42A0-1069-A2EA-08002B30309D}shellOpenHomePageCommand:""C:ProgramFilesInternetExploreriexplore.exe""

HKLMSOFTWAREClassesDriveshellfindcommand:"%SystemRoot%Explorer.exe"

HKLMSOFTWAREClassesdunfileshellopencommand:"%SystemRoot%system32RUNDLL32.EXENETSHELL.DLL,InvokeDunFile%1"

HKLMSOFTWAREClasseshtmlfileshellprintcommand:"rundll32.exe%SystemRoot%system32mshtml.dll,PrintHTML"%1""

HKLMSOFTWAREClassesinffileshellInstallcommand:"%SystemRoot%System32rundll32.exesetupapi,InstallHinfSectionDefaultInstall132%1"

HKLMSOFTWAREClassesUnknownshellopenascommand:"%SystemRoot%system32rundll32.exe%SystemRoot%system32shell32.dll,OpenAs_RunDLL%1"

删除HKLMSOFTWAREClasseswinfiles整个子键

修改HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWinlogon

的{shell}值为Explorer.exe