dhkeylog.sys,Win32.Troj.KillAV.c.106503清除

Win32.Troj.KillAV.c.106503病毒是网络游戏《大话西游》的盗号木马。病毒运行后会关闭多个安全软件的窗口，然后注入进程，利用消息监视的方式盗取游戏账号信息，并发送到木马种植者指定的远程地址上。

1.生成隐藏病毒文件
%sys32dir%\drivers\dhkeylog.sys
C:\WINDOWS\system32\大话西游盗号hd.dll (这个DLL的文件名是由病毒源文件名加上'hd'来命名的)

2.生成注册表启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00E1320A-D99F-4AB5-808E-2ED89A8343AD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00E1320A-D99F-4AB5-808E-2ED89A8343AD} @ "Windows"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00E1320A-D99F-4AB5-808E-2ED89A8343AD}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00E1320A-D99F-4AB5-808E-2ED89A8343AD}\InProcServer32 @ "C:\WINDOWS\system32\大话西游盗号hd.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00E1320A-D99F-4AB5-808E-2ED89A8343AD}\InProcServer32 ThreadingModel "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {00E1320A-D99F-4AB5-808E-2ED89A8343AD}

3.生成服务
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger Type dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger Start dword:00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger ErrorControl dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger ImagePath hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,64,72,69,76,65,72,73,5c,64,68,6b,65,79,6c,6f,67,2e,73,79,73,00,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Keyboardlogger DisplayName "Keyboardlogger"

4.生成其他的注册表键值
HKEY_CURRENT_USER\Software\ComDaraisn
HKEY_CURRENT_USER\Software\ComDaraisn {AEB6717E-7E19-11d0-97EE-00C04FD91972} ""
HKEY_CURRENT_USER\Software\ComDaraisn {00E1320A-D99F-4AB5-808E-2ED89A8343AD}

5.病毒运行后会关闭KVXP_Monitor和木马防火墙等多个安全软件的杀毒窗口.

6.病毒运行后会自删除.

7.病毒运行会把DLL文件注入到Explorer.exe进程和非系统进程当中