续上篇：比较彻底的清除"代理木马下载器"的方法

　　今天才发现前天手工清除的"代理木马下载器"病毒不干净。它总是复活，甚至在我重装了N次系统以后，被改成www.4419.com的IE首页还在向我自豪地笑。最后终于发现。病毒原来隐藏在D盘的QQ里。今天花了一个晚上时间研究了一下它做些什么。下面是研究资料和我认为比较彻底的清除方法。

一、监视病毒网页、文件目录和注册表获得的信息
使用工具： filemonNT by Mark Russinovich and Bryce Cogswell   http://www.sysinternals.com
                              Regmon by Mark Russinovich and Bryce Cogswell http://www.sysinternals.com
                              regshot 1.7 by TiANWEi                http://regshot.yeah.net/

监视网页http//www.4199.com获得的信息：

修改注册表，以修改IE起始页start page 为　http://www.4199.com　(此网页中有ad11.jpg为病毒文件)。
创建文件
C:\WINDOWS\system32\rsrc.dll

用IE打开3570端口。

　　运行并监视硬盘上可疑文件Timeplantform.exe获得的一些信息：

在QQ安装目录下生成Timeplantform.exe　和user.dll
生成c:\windows\system32\drives\modol.sys
生成c:\windows\system32\ravdm.dll
生成　c:\windows\system32\rsrc.dll
修改 C:\WINDOWS\system32\drivers\etc\hosts ,将localhost解析为125.91.1.20
添加注册表启动项，
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"9"="C:\\WINDOWS\\system32\\Ravdm.exe"
"KernelCheck"="C:\\WINDOWS\\system32\\winasse.exe"

借鉴其它电脑出现的类似问题，还可能伴随以下情况：

生成　c:\windows\winlogon.exe
生成　c:\windows\vbarun.dll
生成　C:\WINDOWS\DNSAPI.dll
生成　C:\WINDOWS\hnetcfg.dll
生成　C:\WINDOWS\rasadhlp.dll
生成　c:\windows\system32\user.dll //弹出http://www.4199.com 的元凶e
生成　c:\windows\system32\ravdm.exe
生成　C:\WINDOWS\system32\rundll32.com
生成　c:\windows\system32\realplayer.exe　//弹出http://www.7939.com 的元凶
分区根目录下有autorun.inf

　　生成以下注册表项

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="user.dll"
"001"="rsrc.dll"

[HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="user.dll"
"001"="rsrc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"run"="rundll32 rsrc.dll s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
"rundll"="rundll32 user.dll s"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,\
  00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,\
  6d,00,6f,00,64,00,6f,00,6c,00,2e,00,73,00,79,00,73,00,00,00,00,00,00,00
//注：hex(7)的值是字符串\??\C:\WINDOWS\system32\drivers\modol.sys　的十六进制表示。

windows NT\currentversion\windwos:load
(msconfig显示这里也产生了可疑的东东，我不知道是什么。)

　　二、清除方法。需要清除的有：病毒文件和注册表相关信息

这个病毒有不同的版本，下面所列的文件中，有的可能你的电脑上没有。
注意：有的文件隐藏得很深，比如"realplayer.exe",即使在“文件夹选项”中选择“显示所有的文件和文件夹”，你也找不到它。查看是不是有这个文件的办法是在命令提示符下使用命令"attrib realplayer.exe"。

需清除的文件列表：

del system32\GroupPolicy\Machine\Scripts\scripts.ini
del C:\WINDOWS\DNSAPI.dll
del C:\WINDOWS\hnetcfg.dll
del C:\WINDOWS\rasadhlp.dll
del C:\WINDOWS\vbarun.dll
del c:\windows\winlogon.exe

del C:\WINDOWS\system32\realplayer.exe
del C:\WINDOWS\system32\Ravdm.exe
del C:\WINDOWS\system32\rsrc.dll
del C:\WINDOWS\system32\rundll32.com
del C:\WINDOWS\system32\winasse.exe
del C:\WINDOWS\system32\user.dll

del c:\windows\system32\drives\modol.sys
将 hosts 文件（路径: C:\WINDOWS\system32\drivers\etc\)中不认识的东东都删掉。或干脆把这个文件删掉。
删除d:\ e:\…等盘符根目录下的autorun.inf
完全删除QQ的安装目录。

　　然后把下面的文本保存成.reg文件，双击导入注册表。方括号内的减号表示删除整个注册表项。键名右边的减号表示删除此键。注意文件末的回车不能省略。
如果你能看懂注册表，最好亲自把下面所列的项检查一下，把可疑的删掉。记住，修改这前先备份注册表！

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"9"=-
"KernelCheck"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5602]

[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5602]
[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5603]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"run"=-
"rundll"=-
"realplayer"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
"rundll"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=-

　　附：系统监视相关记录
下面是使用regshot 对运行timeplatform.exe前后的注册表进行对比的结果

要点注释:after run Timeplatform
日期时间:2006/10/3 18:57:26 , 2006/10/3 18:59:01
计算机名:CRACK , CRACK
使用者名:624 , 624

增加键:2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

增加值:3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\9: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 52 61 76 64 6D 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d: "D:\1499\before run tpf.hiv"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\c: "D:\1499\before run tpf.hiv"

修改值:5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000019
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000001D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000013
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000016
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "ba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "cba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""

文件增加:2
C:\WINDOWS\system32\drivers\modol.sys
C:\WINDOWS\system32\Ravdm.exe

文件修改:2
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG

总计:14

　　下面是使用filemon获得的文件读写记录

1272 2:58:06 TIMPlatform.exe:1456 WRITE C:\WINDOWS\system32\Drivers\modol.sys SUCCESS Offset: 0 Length: 768

1274 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 0 Length: 65536

1275 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 65536 Length: 4096

1276 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS FileBasicInformation

1278 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Length: 18740

1279 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Offset: 0 Length: 18740

1280 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS FileBasicInformation

1282 2:58:06 TIMPlatform.exe:1456 SET INFORMATION C:\Documents and Settings\624\ntuser.dat.LOG SUCCESS Length: 49152

1283 2:58:07 svchost.exe:720 DELETE D:\1499\TIMPlatform.exe SUCCESS

　　下面是运行QQ安装目录下已被替换为病毒文件的timeplatform.exe时的文件读写监控。有删节，保留了文件读取失败的内容。可以看出病毒文件在找哪些文件。

1    3:12:30    QQ.exe:400    OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open  Access: All
2    3:12:30    QQ.exe:400    OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe.Manifest    NOT FOUND    Options: Open  Access: All
3    3:12:30    TIMPlatform.exe:2044    OPEN    C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf    NOT FOUND    Options: Open  Access: All
13    3:12:30    TIMPlatform.exe:2044    OPEN    D:\autorun.inf    NOT FOUND    Options: Open  Access: All
14    3:12:30    TIMPlatform.exe:2044    OPEN    D:\autorun.inf    NOT FOUND    Options: Open  Access: All
15    3:12:30    TIMPlatform.exe:2044    OPEN    C:\WINDOWS\Winlogon.exe    NOT FOUND    Options: Open  Access: All
16    3:12:30    TIMPlatform.exe:2044    OPEN    C:\WINDOWS\Winlogon.exe    NOT FOUND    Options: Open  Access: All
17    3:12:30    TIMPlatform.exe:2044    CREATE    C:\WINDOWS\system32\Drivers\modol.sys    SHARING VIOLATION    Options: OverwriteIf  Access: All
25    3:12:30    TIMPlatform.exe:2044    OPEN    C:\WINDOWS\AppPatch\sysmain.sdb    SUCCESS    Options: Open  Access: All
26    3:12:30    TIMPlatform.exe:2044    OPEN    C:\WINDOWS\AppPatch\systest.sdb    NOT FOUND    Options: Open  Access: All
27    3:12:30    TIMPlatform.exe:2044    OPEN    D:\Program Files\tencent\QQ2006\    SUCCESS    Options: Open Directory  Access: All
34    3:12:30    TIMPlatform.exe:2044    OPEN    D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe.Manifest    NOT FOUND    Options: Open  Access: All
35    3:12:30    svchost.exe:888    OPEN    C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf    NOT FOUND    Options: Open  Access: All
36    3:12:30    svchost.exe:720    OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open Sequential  Access: All
37    3:12:30    svchost.exe:720    OPEN    D:\Program Files\tencent\QQ2006\TIMPlatform.exe    SUCCESS    Options: Open  Access: All
38    3:12:30    svchost.exe:720    DELETE     D:\Program Files\tencent\QQ2006\TIMPlatform.exe    CANNOT DELETE

范晨鹏
------------------
软件是一种态度
成功是一种习惯