Rar.exe,Ping.exe,cmd.exe病毒症状分析及手动清除解决方案

任侠
电脑基础
2010-02-06
8485热度
4评论

下载一个软件的时候，不小心把这个给染上了，而且是自己粗心给手动运行起来的，后来为了这个病毒花了几个小时，而且还原了两次系统，巨汗。。。

通过网上搜集结合个人总结，对该病毒表现症状及解决方案做如下整理，仅供遇到同类问题而又苦恼不已者参考。

首先描述一下中毒后表现症状：

1、任务管理器中多出很多rar.exe、ping.exe和cmd.exe等进程，且不断跳动产生，无法结束关闭（所以很多人就叫它rar.exe ping.exe病毒。。）
2、所有可执行的exe文件和网页文件html都会被感染，即如有网友总结感染后：感染病毒文件 = （病毒体 + 原文件 + 配置文件），所以感染后的文件会比原文件大。
3、杀毒软件以及360安全卫士的一些功能被强制关闭破坏，常用软件快捷方式无法打开，会如“应用程序或DLL C：windowssystem32lpk.dll为无效的windows映像。请再检测一遍您的安装盘”等类似错误提示，甚至导致大部分软件不能正常使用。
4、进入安全模式则会蓝屏
5、重装系统后，但是其他盘内存在，很容易再次感染；会感染U盘
6、会隐藏访问这个网址的一些文件：http://web.nba1001.net:8888 ，如：http://web.nba1001.net:8888/tj/tongji.js 等，该js文件里包含病毒页面，使用的数据统计为量子恒道统计
7、卡巴报毒为：Virus.Win32.Agent.a。其他不再详细描述

病毒特征：
编程的人其实就是借鉴了经典的AV终结者的一些思路，该病毒会开后门让你机器不停的再下各种木马病毒然后又调用WINRAR里的RAR.EXE程序把自己打包进你硬盘里的每一个EXE文件里，同时生成一堆堆随机名字的DLL exe在你的SYSTEM32文件夹里，当然经典的IFEO映像劫持是必不可少的，它让你开不开任何常用的杀毒软件，并且破坏安全模式（网友总结）

推荐解决方案：

1、发现中毒后应尽快卸载WINRAR软件，进入C:PF文件夹WINRAR，双击Uninstall即可卸载。或者将该文件夹下的RAR.EXE WINRAR.EXE改名。（这病毒很简单他没有用更多的代码去搜索RAR,EXE 这个文件而只是认识这个名字当你改名后病毒的压缩复制）功能就失效了来得及的话能抢救一部分EXE
2、用最新的360系统急救箱/金山急救箱/AV终结者专杀 /瑞星工具箱，进行全盘扫描。这些工具都会把IFEO映像劫持破掉（360系统急救箱下载地址：http://www.360.cn/killer/360compkill.html）
有网友推荐用贝壳专杀，针对exe感染的专杀，下载地址为：
http://go.beike.cn/BeikeSetup.exe
还有一款相关的专杀工具：lpk+usp10病毒恢复工具.rar可参考使用，下载地址为：
lpk_usp10病毒恢复工具.rar

3、如果此时你的杀毒软件还能用并且系统故障不是太多的话（很少有可能），进行全盘查杀
大型杀毒软件会彻底剿灭这些预留的病毒，如果安全模式还是进不去，把这下面的代码复制到到一个记事本TXT文件里，然后保存记事本，最后改成.reg文件，之后双击就OK

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalAppMgmt]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalBase]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalBoot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalBoot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalCryptSvc]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalDcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaldmadmin]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaldmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaldmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaldmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaldmserver]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalEventLog]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalFile system]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalFilter]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalHelpSvc]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalNetlogon]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalPCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalPlugPlay]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalPNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalPrimary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalRpcSs]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalSCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalSRService]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalSystem Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalvga.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalvgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinMgmt]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkAFD]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkAppMgmt]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkBase]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkBoot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkBoot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkBrowser]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkCryptSvc]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkDcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkDhcp]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkdmadmin]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkdmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkdmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkdmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkdmserver]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkDnsCache]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkEventLog]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkFile system]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkFilter]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkHelpSvc]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkip6fw.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkipnat.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkLanmanServer]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkLanmanWorkstation]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkLmHosts]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkMessenger]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNDIS]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNDIS Wrapper]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNdisuio]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetBIOS]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetBIOSGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetBT]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetDDEGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetlogon]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetMan]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetwork]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNetworkProvider]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkNtLmSsp]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkPCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkPlugPlay]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkPNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkPNP_TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkPrimary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkrdpcdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkrdpdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkrdpwd.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkrdsessmgr]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkRpcSs]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkSCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworksermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkSharedAccess]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworksr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkSRService]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkStreams Drivers]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkSystem Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkTcpip]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkTDI]
@="Driver Group"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworktdpipe.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworktdtcp.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworktermservice]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkvga.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkvgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkWinMgmt]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkWZCSVC]
@="Service"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

如果情况比较糟糕，则进行还原系统或者重装系统，并继续下面的操作
4、进入安全模式，用360安全急救箱全盘扫描
5、进入系统，不要轻易打开或运行C盘以外的盘符里的文件，安装杀毒软件，然后全盘查杀，对于感染的文件清除不掉的，最好选择删除。（用的卡巴斯基，基本都能够清除掉该病毒，不过有的exe文件还是被破坏不能使用了）

至此，我想您也和我一样，忙活了几个小时了，基本搞掂了关掉电脑歇息一下吧。。。

欢迎经验共享