SMSS病毒介绍:这是一种Windows下的PE病毒,它采用VB6编写,是一个能够破坏IE和EXPLORER的征途木马病毒变种。该病毒会在注册表中多处添加自己的启动项,还会修改系统文件,并在[WINDOWS]项中加入"RUN" = "%WINDIR%/SMSS.EXE"。
病毒症状:确定自己中招没就看看吧!如果打开网页超慢,资源管理器无法正常使用,并且系统会进入倒计时关机,以及系统进程中出现了2个smss.exe进程,而且其中的smss.exe路径是"WINDOWS/SMSS.EXE",那就是中了这种病毒。
针对现在最新的征途木马变种SMSS.exe写的专杀工具!!!enjoy!
因为不知道CSDN该怎么上传,所以只好引用我网络硬盘的地址了!唉!
下载地址:http://www.vdisk.cn/API/fileq.php?sid=1163360.1157101632.-1120202758
公布源码:
// KillerDlg.cpp : implementation file
//
#include "stdafx.h"
#include "KillerDlg.h"
#include<Tlhelp32.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
//log
// Log file handle; WriteLog opens and closes "result.log" on every call, so this
// could just as well be function-local.
FILE *fp;
//Registry Editor
// Scratch state shared by the Reg* helpers below. Everything is a plain global, so
// the helpers are not reentrant; the dialog is single-threaded, which is why it works.
HKEY hKey;                 // key handle opened and closed inside each helper
char content[256];         // receives the string read by ShowContent
DWORD dwType=REG_SZ;       // in/out for RegQueryValueEx: reports the value's actual type
DWORD dwLength=256;        // in/out for RegQueryValueEx: rewritten with the bytes read and
                           // never restored here, so a later ShowContent sees a smaller buffer
struct HKEY__*RootKey;     // HKEY spelled as the underlying struct pointer
TCHAR *SubKey;
TCHAR *KeyName;
TCHAR *ValueName;
LPBYTE SetContent_S;       // string payload for SetValue_S (SetValue_S also reads it directly)
int SetContent_D[256];     // DWORD payload for SetValue_D (only element 0 is written)
BYTE SetContent_B[256];    // binary payload for SetValue_B (only the first 4 bytes are written)
// All helpers return 0 on success and 1 on failure.
int ShowContent (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName);
int SetValue_S (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,LPBYTE ReSetContent_S);
int SetValue_D (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,int ReSetContent_D[256]);
int SetValue_B (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,BYTE ReSetContent_B[256]);
int DeleteKey (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReKeyName);
int DeleteValue (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName);
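/**********************************************************
Function name:ShowContent
Description:read a string value into the global `content` buffer
            (the value is NUL-terminated on success).
Parameter:ReRootKey root key, ReSubKey sub key,
ReValueName value name
Return:int 0 on success, 1 when the key cannot be opened or the value
           cannot be read (a message box is shown in both cases)
Time:2006.07.31
***********************************************************/
int ShowContent (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName)
{
    int i = 0; // 0 == succeed
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_READ, &hKey) == ERROR_SUCCESS)
    {
        // RegQueryValueEx overwrites dwType/dwLength with what it found. The original
        // never restored them, so every later call started with a shrunken buffer.
        dwType = REG_SZ;
        dwLength = sizeof(content);
        if (RegQueryValueEx(hKey, ReValueName, NULL, &dwType, reinterpret_cast<LPBYTE>(content), &dwLength) != ERROR_SUCCESS)
        {
            AfxMessageBox("Error:cannot access Registry");
            i = 1;
        }
        else
        {
            // Registry strings are not guaranteed to carry a terminator.
            const DWORD end = dwLength < sizeof(content) ? dwLength : sizeof(content) - 1;
            content[end] = '\0';
        }
        RegCloseKey(hKey);
    }
    else
    {
        AfxMessageBox("Error:cannot find the hKEY");
        i = 1;
    }
    return i;
}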
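/**********************************************************
Function name:SetValue_S
Description:set a REG_SZ value (ANSI build assumed: the whole file uses
            narrow literals)
Parameter:ReRootKey root key, ReSubKey sub key,
ReValueName value name, ReSetContent_S NUL-terminated string to store
Return:int 0 on success, 1 when the data pointer is NULL, the key cannot
           be opened or the value cannot be written
Time:2006.07.31
***********************************************************/
int SetValue_S (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,LPBYTE ReSetContent_S)
{
    int i = 0; // 0 == succeed
    if (ReSetContent_S == NULL)
        return 1;
    // REG_SZ data must include the terminating NUL. The original measured the global
    // SetContent_S instead of the parameter and left the terminator out.
    const DWORD cbData = static_cast<DWORD>(strlen(reinterpret_cast<const char *>(ReSetContent_S)) + 1);
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
    {
        if (RegSetValueEx(hKey, ReValueName, 0, REG_SZ, ReSetContent_S, cbData) != ERROR_SUCCESS)
        {
            AfxMessageBox("Error:cannot access Registry");
            i = 1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        // Also the outcome when the caller lacks write access (HKLM needs admin rights).
        AfxMessageBox("Error:cannot find the hKEY");
        i = 1;
    }
    return i;
}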
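/**********************************************************
Function name:SetValue_D
Description:set a REG_DWORD value from the first element of the array
Parameter:ReRootKey root key, ReSubKey sub key,
ReValueName value name, ReSetContent_D array whose element 0 is stored
Return:int 0 on success, 1 when the data pointer is NULL, the key cannot
           be opened or the value cannot be written
Time:2006.07.31
***********************************************************/
int SetValue_D (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,int ReSetContent_D[256])
{
    int i = 0; // 0 == succeed
    if (ReSetContent_D == NULL)
        return 1;
    // A REG_DWORD is exactly sizeof(DWORD) bytes, so only element 0 is ever stored;
    // the "[256]" in the signature is not enforced (the array decays to a pointer).
    const DWORD dwValue = static_cast<DWORD>(ReSetContent_D[0]);
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
    {
        if (RegSetValueEx(hKey, ReValueName, 0, REG_DWORD, reinterpret_cast<const BYTE *>(&dwValue), sizeof(dwValue)) != ERROR_SUCCESS)
        {
            AfxMessageBox("Error:cannot access Registry");
            i = 1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        AfxMessageBox("Error:cannot find the hKEY");
        i = 1;
    }
    return i;
}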
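/**********************************************************
Function name:SetValue_B
Description:set a REG_BINARY value from the first 4 bytes of the array
Parameter:ReRootKey root key, ReSubKey sub key,
ReValueName value name, ReSetContent_B buffer whose first 4 bytes are stored
Return:int 0 on success, 1 when the data pointer is NULL, the key cannot
           be opened or the value cannot be written
Time:2006.07.31
***********************************************************/
int SetValue_B (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName,BYTE ReSetContent_B[256])
{
    int i = 0; // 0 == succeed
    if (ReSetContent_B == NULL)
        return 1;
    // The original hard-coded 4 bytes and no caller in this file passes anything else;
    // a byte-count parameter would be the proper generalisation.
    const DWORD cbBinary = 4;
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
    {
        if (RegSetValueEx(hKey, ReValueName, 0, REG_BINARY, ReSetContent_B, cbBinary) != ERROR_SUCCESS)
        {
            AfxMessageBox("Error:cannot access Registry");
            i = 1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        AfxMessageBox("Error:cannot find the hKEY");
        i = 1;
    }
    return i;
}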
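/**********************************************************
Function name:DeleteKey
Description:delete the sub key ReKeyName underneath ReSubKey
            (RegDeleteKey refuses keys that still have sub keys)
Parameter:ReRootKey root key, ReSubKey parent sub key,
ReKeyName name of the key to delete
Return:int 0 on success, 1 when the parent cannot be opened or the
           key cannot be deleted (a message box is shown in both cases)
Time:2006.07.31
***********************************************************/
int DeleteKey (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReKeyName)
{
    int i = 0; // 0 == succeed
    // NOTE(review): the parent is opened with KEY_WRITE; deleting needs delete rights
    // on the target key itself — confirm that is sufficient on the target OS.
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
    {
        if (RegDeleteKey(hKey, ReKeyName) != ERROR_SUCCESS)
        {
            AfxMessageBox("Error: cannot delete sub key!");
            i = 1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        AfxMessageBox("Error:cannot find the hKEY");
        i = 1;
    }
    return i;
}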
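/**********************************************************
Function name:DeleteValue
Description:delete a value; unlike the other helpers this one is silent
            (no message box) because the caller logs the outcome itself
Parameter:ReRootKey root key, ReSubKey sub key,
ReValueName value name
Return:int 0 on success, 1 when the key cannot be opened or the value
           cannot be deleted (a value that does not exist counts as failure)
Time:2006.07.31
***********************************************************/
int DeleteValue (struct HKEY__*ReRootKey,TCHAR *ReSubKey,TCHAR *ReValueName)
{
    int i = 0; // 0 == succeed
    if (RegOpenKeyEx(ReRootKey, ReSubKey, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
    {
        if (RegDeleteValue(hKey, ReValueName) != ERROR_SUCCESS)
        {
            i = 1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        i = 1;
    }
    return i;
}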
/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About
// Wizard-generated "About" box: a modal CDialog bound to IDD_ABOUTBOX with no
// controls to exchange and no message handlers of its own. The //{{AFX_*}} markers
// are ClassWizard bookkeeping and must stay where they are.
class CAboutDlg : public CDialog
{
public:
CAboutDlg();
// Dialog Data
//{{AFX_DATA(CAboutDlg)
enum { IDD = IDD_ABOUTBOX };
//}}AFX_DATA
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CAboutDlg)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL
// Implementation
protected:
//{{AFX_MSG(CAboutDlg)
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
// Binds the dialog to its resource template; nothing else to initialise.
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
//{{AFX_DATA_INIT(CAboutDlg)
//}}AFX_DATA_INIT
}
// DDX hook: the About box has no controls bound to members, so only the base
// class does any work.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CAboutDlg)
//}}AFX_DATA_MAP
}
// Message map: the About box relies entirely on CDialog's default handling.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
//{{AFX_MSG_MAP(CAboutDlg)
// No message handlers
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CMyDlg dialog
// Main dialog constructor: binds the resource template and loads the app icon.
// Scan state (m_bFinded, iPos) is not set here; OnInitDialog resets it.
CMyDlg::CMyDlg(CWnd* pParent /*=NULL*/)
: CDialog(CMyDlg::IDD, pParent)
{
//{{AFX_DATA_INIT(CMyDlg)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT
// Note that LoadIcon does not require a subsequent DestroyIcon in Win32
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
// DDX hook: attaches the result list and the progress bar controls to their
// member wrappers (m_list, m_progress).
void CMyDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CMyDlg)
DDX_Control(pDX, IDC_LIST1, m_list);
DDX_Control(pDX, IDC_PROGRESS1, m_progress);
//}}AFX_DATA_MAP
}
// Message map: system menu / paint / drag-icon handlers plus the three buttons
// (OnButton1 clears the log, OnButton2 opens it, OnButton3 launches a process).
// The scan itself runs from OnOK, which is wired by CDialog, not listed here.
BEGIN_MESSAGE_MAP(CMyDlg, CDialog)
//{{AFX_MSG_MAP(CMyDlg)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(IDC_BUTTON2, OnButton2)
ON_BN_CLICKED(IDC_BUTTON1, OnButton1)
ON_BN_CLICKED(IDC_BUTTON3, OnButton3)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CMyDlg message handlers
// One-time dialog setup: reset the scan state, lay out the result list, add the
// "About..." entry to the system menu and install the icons.
// Returns TRUE so the framework sets the initial focus.
BOOL CMyDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // Fresh scan state: nothing found, progress bar at zero.
    m_bFinded = FALSE;
    iPos = 0;
    m_progress.SetRange(0, 100);
    m_progress.SetPos(iPos);

    // Result list columns: process name, pid, parent pid.
    m_list.InsertColumn(0, " Virus Name", LVCFMT_LEFT, 120, 0);
    m_list.InsertColumn(1, "ProID", LVCFMT_CENTER, 65, 1);
    m_list.InsertColumn(2, "Parent ProID", LVCFMT_CENTER, 90, 2);
    m_list.DeleteAllItems();

    // "About..." lives on the system menu, so its id must be in the system command range.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);
    CMenu* pMenu = GetSystemMenu(FALSE);
    CString strAbout;
    if (pMenu != NULL && strAbout.LoadString(IDS_ABOUTBOX) && !strAbout.IsEmpty())
    {
        pMenu->AppendMenu(MF_SEPARATOR);
        pMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAbout);
    }

    // A dialog-based app has to install its own big and small icons.
    SetIcon(m_hIcon, TRUE);
    SetIcon(m_hIcon, FALSE);
    return TRUE;
}
// System-menu dispatch: our "About..." entry opens the About box, everything
// else is left to CDialog.
void CMyDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    const BOOL bAboutRequested = ((nID & 0xFFF0) == IDM_ABOUTBOX);
    if (!bAboutRequested)
    {
        CDialog::OnSysCommand(nID, lParam);
        return;
    }
    CAboutDlg dlg;
    dlg.DoModal();
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
// When minimized the dialog paints its icon centred in the client area; otherwise
// CDialog paints as usual.
void CMyDlg::OnPaint()
{
    if (!IsIconic())
    {
        CDialog::OnPaint();
        return;
    }
    CPaintDC dc(this); // device context for painting
    SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
    CRect client;
    GetClientRect(&client);
    const int cx = GetSystemMetrics(SM_CXICON);
    const int cy = GetSystemMetrics(SM_CYICON);
    // Centre the icon (the +1 rounds the same way the wizard template does).
    dc.DrawIcon((client.Width() - cx + 1) / 2, (client.Height() - cy + 1) / 2, m_hIcon);
}
// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
// The app icon doubles as the drag cursor (HCURSOR is the same handle type as HICON).
HCURSOR CMyDlg::OnQueryDragIcon()
{
return (HCURSOR) m_hIcon;
}
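/**********************************************************
Function name:DeleteVirusFiles
Description:delete the files dropped by the SMSS variant from the Windows,
            system32 and Program Files directories and from D:\. Each
            attempt is logged and advances the progress bar.
            Path separators are backslashes here; the published listing
            rendered "\\" as "//" (Win32 tolerates that for file paths,
            but it is not what was meant).
Parameter: NULL
Return:int -1 when the marker %WINDIR%\SMSS.EXE is absent (nothing to do),
           otherwise the number of files that could not be removed. A
           file that does not exist is not counted as a failure, so the
           count reflects real deletion errors only (the original counted
           every missing file and so always reported failures).
Time:2006.07.31
***********************************************************/
int CMyDlg::DeleteVirusFiles()
{
    char chBuf[MAX_PATH];
    if (GetWindowsDirectory(chBuf, sizeof(chBuf)) == 0)
    {
        WriteLog("cannot query the Windows directory");
        return -1;
    }
    const CString strWIN = chBuf;
    const CString strSYS = strWIN + "\\system32";
    // Program Files is assumed to sit on the Windows drive, as in the original.
    const CString strPRO = strWIN.Left(1) + ":\\Program Files";
    const CString strMarker = strWIN + "\\SMSS.EXE";

    // Existence probe. GetFileAttributes needs neither write access nor exclusive
    // sharing, so a still-running dropper holding its file open no longer makes the
    // tool report "No virus files found". (static_cast<DWORD>(-1) is
    // INVALID_FILE_ATTRIBUTES in newer SDK headers.)
    if (GetFileAttributes(strMarker) == static_cast<DWORD>(-1))
    {
        WriteLog("No virus files found");
        return -1;
    }
    WriteLog("Find virus key process:SMSS.exe");
    m_progress.SetPos(iPos++);

    // Same files, same order as the hand-unrolled original.
    const CString paths[] = {
        strWIN + "\\1.com",
        strWIN + "\\ExERoute.exe",
        strWIN + "\\explorer.com",
        strWIN + "\\finder.com",
        strMarker,
        strWIN + "\\BOOT.BIN.BAK",
        strWIN + "\\Debug\\DebugProgram.exe",
        strSYS + "\\command.pif",
        strSYS + "\\dxdiag.com",
        strSYS + "\\finder.com",
        strSYS + "\\MSCONFIG.COM",
        strSYS + "\\regedit.com",
        strSYS + "\\rundll32.com",
        strPRO + "\\Internet Explorer\\iexplore.com",
        strPRO + "\\Common Files\\iexplore.pif",
        CString("D:\\autorun.inf"),
        CString("D:\\pagefile.pif")
    };
    const int nPaths = sizeof(paths) / sizeof(paths[0]);

    int iFailed = 0;
    CString msg;
    for (int k = 0; k < nPaths; ++k)
    {
        const CString& path = paths[k];
        const char* fmt;
        if (DeleteFile(path))
        {
            fmt = "deleted virus file‘ %s’ successfully!";
        }
        else
        {
            const DWORD err = GetLastError();
            if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
            {
                fmt = "virus file‘ %s’ not present";
            }
            else
            {
                ++iFailed;
                fmt = "failed to delete virus file‘ %s’";
            }
        }
        // The original logged the stale previous path for the two D:\ entries and
        // passed a CString object straight to sprintf's %s; format via CString instead.
        msg.Format(fmt, static_cast<LPCTSTR>(path));
        WriteLog(msg.GetBuffer(0));
        msg.ReleaseBuffer();
        m_progress.SetPos(iPos++);
    }
    return iFailed;
}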
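/**********************************************************
Function name:DeleteRegValues
Description:remove the dropper's autostart values and restore the shell /
            file-association command lines it overwrites, all under HKLM
            (writing there needs administrative rights; a refused open is
            reported by the helpers as "cannot find the hKEY").
            Registry paths use backslashes here; the published listing
            rendered "\\" as "//", which the registry API does not accept
            as a separator, and "\"" as "/"".
Parameter: NULL
Return:int number of entries that could not be removed / restored
Time:2006.07.31
***********************************************************/
int CMyDlg::DeleteRegValues()
{
    // data == NULL: delete the value; otherwise store data as REG_SZ.
    struct RegFix
    {
        LPCTSTR subKey;
        LPCTSTR valueName;
        LPCTSTR data;
    };
    // NOTE(review): values containing %SystemRoot% / %ProgramFiles% are REG_EXPAND_SZ on
    // a stock install, while SetValue_S writes REG_SZ — confirm the shell still expands
    // them. The scriptletfile / telnet entries hard-code C:\WINNT and C:\Program Files,
    // which is wrong for other install locations (TODO: derive from GetWindowsDirectory).
    static const RegFix fixes[] = {
        { "Software\\Microsoft\\Windows\\CurrentVersion\\Run",         "TProgram", NULL },
        { "Software\\Microsoft\\Windows\\CurrentVersion\\Runservices", "TProgram", NULL },
        { "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Shell", "Explorer.exe" },
        { "Software\\Classes\\.bfc\\ShellNew", "Command", "%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1" },
        { "Software\\Classes\\.lnk\\ShellNew", "Command", "rundll32.exe appwiz.cpl,NewLinkHere %1" },
        { "Software\\Classes\\Applications\\iexplore.exe\\shell\\open\\command", "", "%ProgramFiles%\\Internet Explorer\\IEXPLORE.EXE" },
        { "Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\OpenHomePage\\command", "", "%ProgramFiles%\\Internet Explorer\\IEXPLORE.EXE" },
        { "Software\\Classes\\cplfile\\shell\\cplopen\\command", "", "rundll32.exe shell32.dll,Control_RunDLL %1,%*" },
        { "Software\\Classes\\Drive\\shell\\find\\command", "", "%SystemRoot%\\Explorer.exe" },
        { "Software\\Classes\\dunfile\\shell\\open\\command", "", "%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1" },
        { "Software\\Classes\\ftp\\shell\\open\\command", "", "%ProgramFiles%\\Internet Explorer\\iexplore.exe %1" },
        { "Software\\Classes\\htmlfile\\shell\\open\\command", "", "%ProgramFiles%\\Internet Explorer\\iexplore.exe %1" },
        { "Software\\Classes\\htmlfile\\shell\\opennew\\command", "", "%ProgramFiles%\\Internet Explorer\\iexplore.exe %1" },
        { "Software\\Classes\\http\\shell\\open\\command", "", "%ProgramFiles%\\Internet Explorer\\iexplore.exe %1" },
        { "Software\\Classes\\inffile\\shell\\install\\command", "", "%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1" },
        { "Software\\Classes\\inffile\\shell\\open\\command", "", "%SystemRoot%\\System32\\NOTEPAD.EXE %1" },
        { "Software\\Classes\\inffile\\shell\\print\\command", "", "%SystemRoot%\\System32\\NOTEPAD.EXE /p %1" },
        { "Software\\Classes\\InternetShortcut\\shell\\open\\command", "", "%ProgramFiles%\\Internet Explorer\\iexplore.exe %1" },
        { "Software\\Classes\\InternetShortcut\\shell\\print\\command", "", "rundll32.exe %SystemRoot%\\system32\\mshtml.dll,PrintHTML \"%1\"" },
        { "Software\\Classes\\InternetShortcut\\shell\\printto\\command", "", "rundll32.exe %SystemRoot%\\system32\\mshtml.dll,PrintHTML \"%1\" \"%2\" \"%3\" \"%4\"" },
        { "Software\\Classes\\scrfile\\shell\\install\\command", "", "rundll32.exe desk.cpl,InstallScreenSaver %l" },
        { "Software\\Classes\\scrfile\\shell\\open\\command", "", "\"%1\" /S" },
        { "Software\\Classes\\scriptletfile\\shell\\Generate Typelib\\command", "", "\"C:\\WINNT\\system32\\RUNDLL32.EXE\" C:\\WINNT\\system32\\scrobj.dll,GenerateTypeLib \"%1\"" },
        { "Software\\Classes\\scriptletfile\\shell\\open\\command", "", "\"C:\\WINNT\\NOTEPAD.EXE\" \"%1\"" },
        { "Software\\Classes\\telnet\\shell\\open\\command", "", "C:\\Program Files\\Windows NT\\hypertrm.exe /t %1" },
        { "Software\\Classes\\Unknown\\shell\\openas\\command", "", "%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1" },
        { "Software\\Clients\\StartMenuInternet", "", "iexplore.exe" }
    };
    const int nFixes = sizeof(fixes) / sizeof(fixes[0]);

    int iFailed = 0;
    CString msg;
    RootKey = HKEY_LOCAL_MACHINE;
    for (int k = 0; k < nFixes; ++k)
    {
        const RegFix& fix = fixes[k];
        // The Reg* helpers (SetValue_S in particular) still read these globals, so they
        // are assigned exactly as the unrolled original did before each call.
        SubKey = const_cast<LPTSTR>(fix.subKey);
        ValueName = const_cast<LPTSTR>(fix.valueName);
        int rc;
        if (fix.data == NULL)
        {
            rc = DeleteValue(RootKey, SubKey, ValueName);
        }
        else
        {
            SetContent_S = reinterpret_cast<LPBYTE>(const_cast<LPTSTR>(fix.data));
            rc = SetValue_S(RootKey, SubKey, ValueName, SetContent_S);
        }
        if (rc == 0)
        {
            msg.Format("recovered registry key <%s> successfully!", SubKey);
        }
        else
        {
            ++iFailed;
            msg.Format("failed to recover registry key <%s>", SubKey);
        }
        WriteLog(msg.GetBuffer(0));
        msg.ReleaseBuffer();
        m_progress.SetPos(iPos++);
    }
    return iFailed;
}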
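/**********************************************************
Function name:WriteLog
Description:append one time-stamped line to result.log. The file name is
            relative, so it lands in the current directory (normally the
            tool's own folder when started from Explorer); a log that cannot
            be opened is silently skipped, as before.
Parameter: char* chLog text of the entry (NULL is written as "(null)")
Return:void
Time:2006.07.31
***********************************************************/
void CMyDlg::WriteLog(char* chLog)
{
    SYSTEMTIME NowT;
    GetLocalTime(&NowT);
    const char* text = (chLog != NULL) ? chLog : "(null)";
    // Function-local handle instead of the global fp: nothing else uses it.
    FILE* fpLog = fopen("result.log", "a+");
    if (fpLog == NULL)
        return;
    // The original ended the line with "/n" (a literal slash and n) instead of a
    // newline, so every entry ran together on one line.
    fprintf(fpLog, " %d/%d/%d/ %d:%d:%d %s\n", NowT.wYear, NowT.wMonth, NowT.wDay,
            NowT.wHour, NowT.wMinute, NowT.wSecond, text);
    fclose(fpLog);
}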
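// Resolve the full image path of a running process through its toolhelp module list
// (the first module of a process is its main executable). Returns FALSE when the
// module snapshot cannot be taken, e.g. for processes this account may not inspect.
static BOOL GetProcessImagePath(DWORD dwProcessId, CString& strPath)
{
    HANDLE hModules = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hModules == INVALID_HANDLE_VALUE)
        return FALSE;
    MODULEENTRY32 me;
    me.dwSize = sizeof(me);
    const BOOL bOk = Module32First(hModules, &me);
    if (bOk)
        strPath = me.szExePath;
    CloseHandle(hModules);
    return bOk;
}

// Show the "try again in Safe Mode" box when a cleanup step reported failures.
// fmt carries one %d for the count; a count <= 0 (including the -1 that
// DeleteVirusFiles returns when nothing was found) shows nothing.
static void ReportFailures(int iCount, const char* fmt)
{
    if (iCount <= 0)
        return;
    CString msg;
    msg.Format(fmt, iCount);
    AfxMessageBox(msg);
}

// "Kill" button: undo the registry changes, terminate the dropper if it is running,
// delete its files and fix the registry again. Fixes over the original: the
// snapshot, process and (unused) icon handles are no longer leaked; the failed
// snapshot is detected via INVALID_HANDLE_VALUE rather than NULL; the process is
// matched by full image path, not just by name, so the real Session Manager
// (%WINDIR%\system32\smss.exe) is never terminated — killing it takes the system down.
void CMyDlg::OnOK()
{
    static const char* const kFilesMsg =
        "failed to delete [%d] virus files, please try it again on Safemode. read log for details.";
    static const char* const kRegMsg =
        "failed to recover [%d] registry values, please try it again on Safemode. read log for details.";

    // Where the dropper lives (see DeleteVirusFiles). Empty if the query fails, in
    // which case no process will match and nothing is terminated.
    char chBuf[MAX_PATH];
    CString strVirusPath;
    if (GetWindowsDirectory(chBuf, sizeof(chBuf)) != 0)
        strVirusPath = CString(chBuf) + "\\SMSS.EXE";

    // Autostart entries first, so a terminated dropper cannot come back through them.
    ReportFailures(DeleteRegValues(), kRegMsg);
    m_bFinded = FALSE;
    m_list.DeleteAllItems();

    HANDLE SnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (SnapShot == INVALID_HANDLE_VALUE)
    {
        MessageBox("failed to kill the virus, please try it again on Safemode.");
        return;
    }
    PROCESSENTRY32 ProcessInfo;
    ProcessInfo.dwSize = sizeof(ProcessInfo);
    PROCESSENTRY32 VirusInfo;
    BOOL bHit = FALSE;
    int m_nProcess = 0; // list index, as in the original
    for (BOOL Status = Process32First(SnapShot, &ProcessInfo); Status; Status = Process32Next(SnapShot, &ProcessInfo))
    {
        m_nProcess++;
        if (CString(ProcessInfo.szExeFile).CompareNoCase("SMSS.exe") != 0)
            continue;
        CString strImage;
        if (!GetProcessImagePath(ProcessInfo.th32ProcessID, strImage))
        {
            // Typically the system's own smss.exe (or a process of another user).
            WriteLog("skipped smss.exe whose image path could not be read");
            continue;
        }
        if (strImage.CompareNoCase(strVirusPath) != 0)
            continue; // the legitimate Session Manager: leave it alone
        VirusInfo = ProcessInfo;
        bHit = TRUE;
        break;
    }
    CloseHandle(SnapShot);

    if (bHit)
    {
        WriteLog("detected SMSS virus");
        CString str;
        const int nIndex = m_list.InsertItem(m_nProcess, VirusInfo.szExeFile);
        str.Format("%08x", VirusInfo.th32ProcessID);
        m_list.SetItemText(nIndex, 1, str);
        str.Format("%08x", VirusInfo.th32ParentProcessID);
        m_list.SetItemText(nIndex, 2, str);
        // PROCESS_TERMINATE is all TerminateProcess needs; ALL_ACCESS is refused more often.
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, VirusInfo.th32ProcessID);
        const BOOL bKilled = (hProcess != NULL) && ::TerminateProcess(hProcess, 1);
        if (hProcess != NULL)
            CloseHandle(hProcess);
        if (!bKilled)
        {
            WriteLog("failed to kill");
            MessageBox("failed to kill the virus, please try it again on Windows Safemode.");
            iPos = 0;
            m_progress.SetPos(iPos);
            return;
        }
        m_progress.SetPos(iPos++);
        Sleep(100); // let the process disappear before its files are deleted
        ReportFailures(DeleteVirusFiles(), kFilesMsg);
        ReportFailures(DeleteRegValues(), kRegMsg);
        m_bFinded = TRUE;
    }
    else
    {
        WriteLog("no virus");
        const int iCount = DeleteVirusFiles();
        if (iCount >= 0)
        {
            // Not running, but its files are on disk.
            m_bFinded = TRUE;
            ReportFailures(iCount, kFilesMsg);
            ReportFailures(DeleteRegValues(), kRegMsg);
        }
    }
    m_progress.SetPos(100);
    if (!m_bFinded)
        MessageBox("congratulation! no virus be found");
    m_progress.SetPos(0);
    // Deliberately no CDialog::OnOK(): the dialog stays open after a scan.
}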
// Close button: nothing to release, the base class ends the dialog.
void CMyDlg::OnCancel()
{
// TODO: Add extra cleanup here
CDialog::OnCancel();
}
// "View log" button: opens result.log with whatever the shell associates with .log.
// The path is relative, so it must match the directory WriteLog writes to (the
// current directory) — NOTE(review): both depend on the process CWD; confirm the
// tool is always started from its own folder.
void CMyDlg::OnButton2()
{
ShellExecute(NULL,"open","result.log","","", SW_SHOW);
}
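// "Clear log" button. A missing file is not an error; any other failure (e.g. the
// log is still open in the viewer started by OnButton2) is reported instead of
// being ignored as the original did.
void CMyDlg::OnButton1()
{
    if (!DeleteFile("result.log") && GetLastError() != ERROR_FILE_NOT_FOUND)
        AfxMessageBox("Error:cannot delete result.log");
}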
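// Launches a fixed program (paths kept exactly as published; the "//" separators look
// like a rendering artifact of "\\"). Fixes over the original: the result of
// CreateProcess is checked and the two handles it returns are closed instead of
// leaking on every click.
// NOTE(review): bInheritHandles is TRUE although nothing is handed to the child —
// FALSE would be the safer default unless inheritance is really required.
void CMyDlg::OnButton3()
{
    STARTUPINFO startUpInfo;
    ZeroMemory(&startUpInfo, sizeof(startUpInfo));
    startUpInfo.cb = sizeof(startUpInfo);
    startUpInfo.dwFlags = STARTF_USESHOWWINDOW;
    startUpInfo.wShowWindow = SW_SHOW;
    startUpInfo.lpDesktop = NULL;
    PROCESS_INFORMATION pProcInfo;
    ZeroMemory(&pProcInfo, sizeof(pProcInfo));
    if (!CreateProcess("C://WINNT//explore.exe", "d://a.exe", NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS, NULL, "d://", &startUpInfo, &pProcInfo))
    {
        AfxMessageBox("Error:cannot start process");
        return;
    }
    CloseHandle(pProcInfo.hThread);
    CloseHandle(pProcInfo.hProcess);
}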