瑞星卡卡安全论坛

一、在IceSword的设置中勾选“禁止进程创建”、“禁止协件功能”。然后结束木马进程vspool.exe。
并停止木马注册的服务vspool.exe。
二、删除木马文件（见图）。
三、清理注册表：


1、定位到：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
删除注册表项：Vspool
2、定位到：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
删除注册表项：Vspool
3、定位到：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
删除：Vspool

附件: 1558472005811162936.jpg

vspool.exe感染系统详细记录

Create file
Object:C:\windows\system32\vspool.exe

Starting process
Object:C:\WINDOWS\system32\vspool.exe

Create registry key
Object:HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal

Set registry key value
Object:HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Vspool\\


Create registry key
Object:HKLM\System\CurrentControlSet\Control\SafeBoot\Network

Set registry key value
Object:HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Vspool\\

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cache

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Directory

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Paths


Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CachePath

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CachePath

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\\CachePath

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CachePath


Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CacheLimit

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CacheLimit

Set registry key value
Object:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CacheLimit

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cookies

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\History

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName

Set registry key value
Object:HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet

Create file
Object:C:\Documents and Settings\用户名\Local Settings\Temp\terminate.bat
Time:2005-8-11 15:51:48

路过！学习了！

引用:

【baohe的贴子】vspool.exe感染系统详细记录 Create file :C:\windows\system32\vspool.exe Starting process :C:\WINDOWS\system32\vspool.exe Create registry key :HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal Set registry key value :HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Vspool\\ Create registry key :HKLM\System\CurrentControlSet\Control\SafeBoot\Network Set registry key value :HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Vspool\\ Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cache Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Directory Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Paths Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CacheLimit Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CacheLimit Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CacheLimit Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cookies Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\History Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet Create file :C:\Documents and Settings\用户名\Local Settings\Temp\terminate.bat Time:2005-8-11 15:51:48 ...........................

这记录是TPF报的吧???

真是good!

楼上的你啥意思，你的表情。。。。。。你该不会是有什么企图吧

斑竹，有问题想问，我已经把补丁都打全了，瑞星也每天杀毒。危险端口也封上了，为什么还是老中木马阿，我应该还防范点什么啊？我最近这个礼拜一直在中木马，每天都在中，一天一个新木马。

引用:

【茶香蜜糖的贴子】斑竹，有问题想问，我已经把补丁都打全了，瑞星也每天杀毒。危险端口也封上了，为什么还是老中木马阿，我应该还防范点什么啊？我最近这个礼拜一直在中木马，每天都在中，一天一个新木马。 ...........................

一一检查系统服务，没用的或没必要打开的——坚决关闭。
给系统用户设置足够长、足够复杂的口令。

引用:

【baohe的贴子】vspool.exe感染系统详细记录 Create file :C:\windows\system32\vspool.exe Starting process :C:\WINDOWS\system32\vspool.exe Create registry key :HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal Set registry key value :HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Vspool\\ Create registry key :HKLM\System\CurrentControlSet\Control\SafeBoot\Network Set registry key value :HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Vspool\\ Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cache Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Directory Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\\Paths Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CachePath Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\\CacheLimit Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\\CacheLimit Set registry key value :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\\CacheLimit Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Cookies Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\History Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName Set registry key value :HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet Create file :C:\Documents and Settings\用户名\Local Settings\Temp\terminate.bat Time:2005-8-11 15:51:48 ...........................

这个日志从TPF哪里出来的,随便问下在IDS&IPS里的Rules有条backdoor.rules有必要选上吗?

引用:

【命运里の金色的贴子】这个日志从TPF哪里出来的,随便问下在IDS&IPS里的Rules有条backdoor.rules有必要选上吗? ...........................

那是TPF的实时监控日志。每次搞完一个病毒后，我自己拷贝的病毒“作案记录”。这东东不能自动导出。
IDS&IPS里的Rules——我全部选上了。

【回复“baohe”的帖子】知道了,谢谢斑竹

没有这个软件，参考学习一下吧。