Recently I noticed that several programs I use all the time kept throwing errors. At first it did not occur to me that it was a virus, because I have always run the McAfee suite and never visit adult sites; I have not caught a virus in many years. Today, right after booting, I happened to open Task Manager and saw a process named "reginf.exe" that ran for about 10 seconds and then disappeared. A quick Google search confirmed it: infected. Personally I find this one very hard to clean out. I will post my cleanup process below for everyone's reference. If any veterans have better tricks, please share. 5Q's announcement: http://bbs.5qzone.net/htm_data/46/0601/462744.html

Quote:
Details of the file carrying the virus (note: the file name may have been changed):
File name: Microsoft SQL Server 2005 Enterprise Edition.iso
File size: 1,033,852,928 bytes / 1,009,622 KB / 985 MB (985.89 MB)
BT hash: 160c077966b3b321145217ade904170a82088243
BT tracker: http://bt.5qzone.net:8080/
eMule hash: 9EFBE3B95E760692114A8AC583F932C3
File MD5: 73a23eb975227a4d76cca18e40e7948d
Our testing shows that when the installer is run, the virus drops two files with the hidden and system attributes into the system32 directory, reginf.exe and shellapi.dll, adds reginf.exe to the registry as a startup item, and also disguises itself as a system service:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,65,00,67,00,69,00,6e,00,66,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Wmi Hardware Management"
"ObjectName"="LocalSystem"
"Description"="Monitors all hardwares and event trace providers that are configured to publish Windows Management Instrumentation (WMI) or event trace information. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv\Enum]
"0"="Root\\LEGACY_WMIHARDWARESRV\00"
"Count"=dword:00000001
"NextInstance"=dword:00000001

shellapi.dll hooks reginf.exe (disguised as a Windows 2003 language pack, version SP1) into the system process LSASS.exe, after which LSASS.exe keeps trying to connect to 211.158.6.107 (尼金时代). Once reginf.exe is running it creates a randomly named *TMP*.EXE file in the system32 directory; the two programs guard each other: if either one is terminated or deleted, the other copies itself back and restarts it.
Online research shows this virus is a QQ account stealer, and the shameless lowlife who made it is still spreading it on a large scale through BT and eMule, disguised as a "Windows Server 2003 R2 installation disc", key generators, activators and the like!!!
Detailed removal steps:
http://www.pxue.com/Html/575.html
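As an added defender-side example (my own code, not part of the original post or 5Q's announcement), the following Python parses a .reg export like the one quoted above, decodes the UTF-16LE hex(2) ImagePath into a readable path, and flags auto-start services whose binary name matches the indicators the announcement names (reginf.exe or a random *TMP*.EXE). The embedded sample is the WmiHardwareSrv service key as quoted above; the function names and the pattern are assumptions of mine.

```python
import re

# The WmiHardwareSrv service key exactly as quoted in the 5Q announcement,
# embedded here so the script runs offline on the page's own data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,65,00,67,00,69,00,6e,00,66,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Wmi Hardware Management"
"ObjectName"="LocalSystem"
'''

SUSPECT_IMAGE = re.compile(r'^reginf\.exe$|tmp.*\.exe$', re.IGNORECASE)  # reginf.exe, *TMP*.EXE

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}. Handles
    "string", dword: and hex(2) (REG_EXPAND_SZ, UTF-16LE); no backslash-continued lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('hex(2):'):
                data = bytes(int(b, 16) for b in raw[7:].split(','))
                keys[current][name] = data.decode('utf-16-le').rstrip('\x00')
            else:
                keys[current][name] = raw.strip('"')
    return keys

def find_suspect_services(keys):
    """Return [(service, image_path)] for auto-start (Start=2) services whose image name matches."""
    hits = []
    for path, values in keys.items():
        parts = path.rsplit('\\', 2)
        if len(parts) < 3 or parts[1] != 'Services':
            continue  # only the service key itself, not subkeys such as Security or Enum
        image = str(values.get('ImagePath', '')).strip('"')
        basename = image.rsplit('\\', 1)[-1]
        if values.get('Start') == 2 and SUSPECT_IMAGE.search(basename):
            hits.append((parts[2], image))
    return hits
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` output to check a live machine; Start=2 is SERVICE_AUTO_START, which is why the service survives a reboot.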