Trojan/PSW.Agent.cxh

Trojan/PSW.Agent.cxh, variant cxh of the "Agent" ("代理木馬") password-stealing trojan family, is a trojan that steals confidential information from the user's computer. When run, it copies itself into the Windows directory and modifies the registry so that it starts automatically at boot. It then listens for attacker commands, steals confidential information from the computer and sends it to an e-mail mailbox chosen by the attacker.

Virus overview

Name

Trojan/PSW.Agent.cxh

Type

Trojan

Danger level

★★

Affected platforms

Win 9X/ME/NT/2000/XP/2003

Description

This is a trojan.

Virus characteristics

Basic characteristics

1. After the browser is opened, the home page has been changed to the virus's home page.
2. Three HTML links named "最酷手機鈴聲" (coolest phone ringtones), "最熱音樂連播" (hottest music playlist) and "最新手機圖片" (latest phone pictures) are created automatically on the desktop.
3. When these HTML links are deleted, they are recreated about 10 seconds later.
4. Every few minutes a window pops up that goes straight to the virus's URL.
5. Visiting that site redirects straight to the virus's URL.
6. If the computer is scanned with 安全衛士 in normal mode, it then shuts itself down automatically.

Scan results

Registry

The scan report covers the autorun locations listed below. In the copy of the report preserved here the entry names and image paths were lost and only the signer of each entry survives; the signers are summarised after each key. Every surviving entry is attributed to a Microsoft publisher (verified), ShenZhen Thunder Networking Technologies Ltd. (verified), RealNetworks, Inc. (verified) or Beijing Rising Technology Co., Ltd. (the installed antivirus), or carries no signer information (N/A). The Policies\Explorer\Run key that holds the trojan's own autorun value (see "Removal method") is not among the locations listed here, so the unsigned (N/A) rows are the only ones in this dump worth a second look.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  signers: (Verified) Microsoft Windows Publisher; N/A; remaining rows blank
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  signers: N/A
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  signers: (Verified) Microsoft Windows Publisher (2 entries); N/A; (Verified) ShenZhen Thunder Networking Technologies Ltd.; (Verified) "RealNetworks, Inc."; Beijing Rising Technology Co., Ltd. (2 entries)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
  signers: Beijing Rising Technology Co., Ltd.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  signers: (Verified) Microsoft Windows Publisher (2 entries); (Verified) Microsoft Windows XP Publisher
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  signers: N/A
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  signers: Beijing Rising Technology Co., Ltd.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  signers: (Verified) Microsoft Windows Component Publisher

Services

[Help and Support / helpsvc][Stopped/Auto Start]
%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll
[Human Interface Device Access / HidServ][Stopped/Disabled]
%SystemRoot%\System32\hidserv.dll
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
[Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
%SystemRoot%\System32\WUDFSvc.dll

Related drivers

Drivers, as [display name / service name][state/start type]:

[2310_00 / 2310_00][Stopped/Boot Start]
[3WAREDRV / 3WAREDRV][Stopped/Boot Start]
[3WAREGSM / 3WAREGSM][Stopped/Boot Start]
[3WDRV100 / 3WDRV100][Stopped/Boot Start]
[A320RAID / A320RAID][Stopped/Boot Start]
[AAC / AAC][Stopped/Boot Start]
[AACSAS / AACSAS][Stopped/Boot Start]
[AAR81XX / AAR81XX][Stopped/Boot Start]
[AARSI3X / AARSI3X][Stopped/Boot Start]
[ADP94XX / ADP94XX][Stopped/Boot Start]
[adpu160m / adpu160m][Stopped/Boot Start]
[ADPU320 / ADPU320][Stopped/Boot Start]
[AEC6210 / AEC6210][Stopped/Boot Start]
[AEC6260 / AEC6260][Stopped/Boot Start]
[AEC6280 / AEC6280][Stopped/Boot Start]
[AEC67160 / AEC67160][Stopped/Boot Start]
[AEC67162 / AEC67162][Stopped/Boot Start]
[AEC671X / AEC671X][Stopped/Boot Start]
[AEC6880 / AEC6880][Stopped/Boot Start]
[AEC6897 / AEC6897][Stopped/Boot Start]
[AEC68X5 / AEC68X5][Stopped/Boot Start]
[aic78u2 / aic78u2][Stopped/Boot Start]
[aic78xx / aic78xx][Stopped/Boot Start]
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
[ARCM_X86 / ARCM_X86][Stopped/Boot Start]
[asc / asc][Stopped/Boot Start]
[BaseTDI / BaseTDI][Running/Auto Start]
[BCHTSW32 / BCHTSW32][Stopped/Boot Start]
[buslogic / buslogic][Running/Boot Start]
[CDA1000 / CDA1000][Stopped/Boot Start]
[CmdIde / CmdIde][Running/Boot Start]
[CPQARRY2 / CPQARRY2][Stopped/Boot Start]
[CPQCISSM / CPQCISSM][Stopped/Boot Start]
[CSB6IDE / CSB6IDE][Running/Boot Start]
[dac2w2k / dac2w2k][Stopped/Boot Start]
[DMX3191 / DMX3191][Stopped/Boot Start]
[DMX3194 / DMX3194][Stopped/Boot Start]
[dpti2o / dpti2o][Stopped/Boot Start]
[DPTSCSI / DPTSCSI][Stopped/Boot Start]
[ExpScaner / ExpScaner][Running/Auto Start]
[FASTSX / FASTSX][Running/Boot Start]
[FASTTRAK / FASTTRAK][Running/Boot Start]
[FASTTX2K / FASTTX2K][Running/Boot Start]
[fd16_700 / fd16_700][Stopped/Boot Start]
[VIA Rhine-Family Fast Ethernet Adapter Driver Service / FETND5BV][Running/Manual Start]
[fireport / fireport][Stopped/Boot Start]
[flashpnt / flashpnt][Running/Boot Start]
[FT8300 / FT8300][Running/Boot Start]
[FTSATA2 / FTSATA2][Stopped/Boot Start]

Removal method

1. Delete the trojan's autorun entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wow"="%System%\Launcher.exe"
2. Restart the computer.
3. Delete the trojan's files:
%System%\Launcher.exe
%System%\mywow.dll

Note that the autorun value lives under Policies\Explorer\Run, not under the usual ...\CurrentVersion\Run key; Explorer honours it at logon, and tools such as Sysinternals Autoruns list it, but it is easy to overlook when checking only the standard Run keys. The restart in step 2 is what makes step 3 possible: mywow.dll is normally loaded into a running process and cannot be deleted while it is in use. Because characteristics 3 and 6 indicate a resident component that recreates the desktop links and forces a shutdown when a scanner runs, carrying out steps 1 and 3 from Safe Mode is the safer order.
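The following PowerShell script is an added example for this page; it is not code from the original entry, from the antivirus vendor, or from any named tool. It checks a Windows host for the indicators described under "Basic characteristics" and carries out the three removal steps above. The registry key, value name, file paths and desktop link names are taken from the entry; the assumption that the hijacked browser is Internet Explorer (home page in HKCU\Software\Microsoft\Internet Explorer\Main, "Start Page"), the .html/.url extensions for the desktop links, and the fallback that queues a locked file for deletion at the next reboot are the author's additions. Run it from an elevated PowerShell session.

```powershell
# Added example (not part of the original encyclopedia entry): detect and remove the
# Trojan/PSW.Agent.cxh indicators described on this page. Run elevated.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$valueName = 'wow'
$system    = [Environment]::GetFolderPath('System')        # %System%, e.g. C:\WINDOWS\system32
$files     = @("$system\Launcher.exe", "$system\mywow.dll")
$desktop   = [Environment]::GetFolderPath('Desktop')
$linkNames = '最酷手機鈴聲', '最熱音樂連播', '最新手機圖片'   # desktop links from characteristic 2

function Get-Indicators {
    # Record every indicator before changing anything, so the IR notes keep the evidence.
    $found = @()
    $v = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($v) { $found += "autorun: $runKey\$valueName = $($v.$valueName)" }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $found += "file: $f sha256=$h"
        }
    }
    foreach ($n in $linkNames) {
        foreach ($ext in '.html', '.url') {               # assumption: plain .html file or .url shortcut
            $p = Join-Path $desktop ($n + $ext)
            if (Test-Path -LiteralPath $p) { $found += "desktop link: $p" }
        }
    }
    # Assumption: the hijacked browser is Internet Explorer; its home page is stored here.
    $sp = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($sp) { $found += "IE start page: $($sp.'Start Page')" }
    return $found
}

function Remove-Trojan {
    # Step 1: remove the autorun value. Explorer evaluates this key at logon; it is not
    # the ordinary ...\CurrentVersion\Run key, which is why it is easy to miss.
    if (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Host "removed $runKey\$valueName"
    }
    # Steps 2-3: the entry reboots before deleting because mywow.dll is normally loaded
    # into a running process. Try to delete now; if a file is locked, queue it for deletion
    # at the next reboot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) (requires elevation).
    Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try {
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
            Write-Host "deleted $f"
        } catch {
            if ([Win32.Kernel32]::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                Write-Host "$f is in use; scheduled for deletion at next reboot"
            } else {
                Write-Warning "could not schedule deletion of $f (not elevated?)"
            }
        }
    }
    # Remove the desktop links; if they reappear within seconds, the resident component
    # is still running and the steps should be repeated from Safe Mode.
    foreach ($n in $linkNames) {
        foreach ($ext in '.html', '.url') {
            $p = Join-Path $desktop ($n + $ext)
            if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force; Write-Host "deleted $p" }
        }
    }
}

Get-Indicators | ForEach-Object { Write-Host $_ }
Remove-Trojan
Write-Host 'Reboot now, then run Get-Indicators again to confirm nothing has come back.'
```

Get-Indicators is deliberately separate from Remove-Trojan so that the first run can be used purely as a check; the SHA256 values it prints are what you would submit to the antivirus vendor or compare against other hosts. The delayed-delete path writes to PendingFileRenameOperations and only works from an elevated session, which is also why the entry's own procedure relies on a reboot.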
