Posted on 2007-6-21 03:58:01
romdrivers.dll virus: removal guide
Symptoms of infection:
1. Copies a file to the following location:
%ProgramFiles%\Internet Explorer\romdrivers.bak
2. Terminates Kaspersky Anti-Virus and changes the system date to 1996. Kaspersky is detected via:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\environment\ProductName
3. Deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = ""
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"@" = "shell32.dll"
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"ThreadingModel" = "Apartment"
4. Creates registry entries so that the virus is loaded whenever the system starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{09B68AD9-FF66-3E63-636B-B693E62F6236}" = ""
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"@" = "%ProgramFiles%\Internet Explorer\romdrivers.dll"
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"ThreadingModel" = "Apartment"
5. Replaces a system file:
%ProgramFiles%\Internet Explorer\romdrivers.dll
6. Deletes the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06A68AD9-FF56-6E73-937B-B893E72F6226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-4424-4234-42261A31A236}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DE35052A-9E37-4827-A1EC-79BF400D27A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{131AB311-16F1-F13B-1E43-11A24B51AFD1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{274B93C2-A6DF-485F-8576-AB0653134A76}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}
7. Attempts to create the following files:
%Temp%\fyso.exe %Temp%\jtso.exe %Temp%\mhso.exe %Temp%\qjso.exe
%Temp%\qqso.exe %Temp%\wgso.exe %Temp%\wlso.exe %Temp%\wmso.exe
%Temp%\woso.exe %Temp%\ztso.exe %Temp%\daso.exe %Temp%\tlso.exe
%Temp%\rxso.exe %Temp%\svchost.exe %Temp%\IEXPLORE.EXE
%Temp%\svchost32.exe %Temp%\srogm.exe %Temp%\csrss.exe
%Temp%\conime.exe %Temp%\mmc.exe %Temp%\spglsdr.exe
%Temp%\services.exe %Temp%\copypfh.exe %Temp%\smss.exe
%Temp%\fyso0.dll %Temp%\jtso0.dll %Temp%\mhso0.dll %Temp%\qjso0.dll
%Temp%\qqso0.dll %Temp%\wgso0.dll %Temp%\wlso0.dll %Temp%\wmso0.dll
%Temp%\woso0.dll %Temp%\ztso0.dll %Temp%\tlso0.dll
%Temp%\daso0.dll %Temp%\rxso0.dll
%SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.dll
%SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.bak
%SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.bkk
%SystemDrive%\Program Files\Internet Explorer\PLUGINS\System64.sys
%SystemDrive%\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.bmp
%SystemDir%\drivers\etc\hosts
%ProgramFiles%\Internet Explorer\HiJack.dll
%ProgramFiles%\Internet Explorer\HiJack.bak
%ProgramFiles%\Internet Explorer\HiJack.bkk
%ProgramFiles%\Internet Explorer\romdrivers.dll
%ProgramFiles%\Internet Explorer\romdrivers.bak
%ProgramFiles%\Internet Explorer\romdrivers.bkk
%ProgramFiles%\Internet Explorer\Autorun.inf
8. Shuts the system down and sets the following attributes:
Name: whboy
Class Name: WebDown
9. Creates an orse1re process, attempts to scan all disks, and then creates the following file in the root directory of every drive:
[DRIVE LETTER]:\autorun.inf
with the following contents:
[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell\Auto\command=Ghost.pif
shell=Auto
It then copies itself to every drive:
[DRIVE LETTER]:\Ghost.pif
Downloads a file from the following site:
www.nice8.org/GetVer/Ver.txt
Executes the following downloaded files:
[http://]16a.us/oK/svcho[REMOVED]
[http://]16a.us/Sign/csrs[REMOVED]
[http://]16a.us/Sign/svchos[REMOVED]
[http://]16a.us/Sign/smss[REMOVED]
[http://]16a.us/Sign/servic[REMOVED]
[http://]16a.us/Sign/svcho[REMOVED]
[http://]16a.us/Sign/conim[REMOVED]
[http://]16a.us/Sign/ctfmo[REMOVED]
[http://]16a.us/Sign/mmc[REMOVED]
[http://]16a.us/Sign/IEXPLO[REMOVED]
[http://]16a.us/Sign/stpgl[REMOVED]
[http://]16a.us/Sign/srog[REMOVED]
[http://]16a.us/Sign/spgls[REMOVED]
[http://]16a.us/Sign/copyp[REMOVED]
Creates a series of registry subkeys recording the downloaded files:
HKEY_CURRENT_USER\Software\SetVer\ver
Removal procedure:
1. Stop and remove unnecessary services and files, and turn off System Restore.
2. Keep the virus definitions fully up to date and run a complete system scan.
3. Strengthen system passwords; use complex passwords wherever possible.
4. Be careful with all e-mail, and especially with the contents of attachments.
5. Based on the list above, delete the unwanted registry entries one by one (back up the registry first).
Start \ Run \ regedit
Delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{09B68AD9-FF66-3E63-636B-B693E62F6236}" = ""
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"@" = "%ProgramFiles%\Internet Explorer\romdrivers.dll"
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"ThreadingModel" = "Apartment"
6. Restore the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = ""
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"@" = "shell32.dll"
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"ThreadingModel" = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06A68AD9-FF56-6E73-937B-B893E72F6226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-4424-4234-42261A31A236}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DE35052A-9E37-4827-A1EC-79BF400D27A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{131AB311-16F1-F13B-1E43-11A24B51AFD1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{274B93C2-A6DF-485F-8576-AB0653134A76}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}
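Worked example, added here and not part of the original post or of any vendor's removal tool: a PowerShell script that carries out steps 5 and 6 of the procedure above and checks for the dropped files and autorun.inf entries the post lists. It assumes an elevated PowerShell console on the infected machine, that Internet Explorer lives under $env:ProgramFiles (the post's %SystemDrive%\Program Files), and that the only ShellExecuteHooks entry that belongs on the machine is the stock Windows one ({AEB6717E-7E19-11d0-97EE-00C04FD91972} -> shell32.dll). The $Remove switch and all variable names are the example's own.

```powershell
# Added example, not from the original post: report (and, with $Remove = $true, clean up)
# the romdrivers.dll persistence and drop sites listed above. Run from an elevated
# PowerShell console on the infected machine. Assumptions: Internet Explorer is under
# $env:ProgramFiles, and the only ShellExecuteHooks entry that belongs on the box is the
# stock Windows one ({AEB6717E-...} -> shell32.dll). Variable names are the example's own.
$Remove = $false

$hooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$knownGood = '{AEB6717E-7E19-11d0-97EE-00C04FD91972}'
$ieDir     = Join-Path $env:ProgramFiles 'Internet Explorer'

# --- 1. ShellExecuteHooks: each CLSID's InProcServer32 must be shell32.dll ---------------
# Every hook DLL is loaded into explorer.exe at logon, which is how romdrivers.dll persists.
$suspectHooks = @()
foreach ($clsid in (Get-Item -Path $hooksKey).GetValueNames() | Where-Object { $_ }) {
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $dll    = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
    $ok     = ($clsid -eq $knownGood) -and ($dll -match '(^|\\)shell32\.dll$')
    $tag    = if ($ok) { 'HOOK OK ' } else { 'HOOK BAD' }
    "$tag  $clsid -> $dll"
    if (-not $ok) { $suspectHooks += $clsid }
}

# --- 2. Dropped files: %Temp%, IE directory, IE\PLUGINS, MSINFO, and every drive root -----
$so = 'fy','jt','mh','qj','qq','wg','wl','wm','wo','zt','da','tl','rx'
$tempNames = @($so | ForEach-Object { "${_}so.exe"; "${_}so0.dll" }) +
             @('svchost.exe','IEXPLORE.EXE','svchost32.exe','srogm.exe','csrss.exe',
               'conime.exe','mmc.exe','spglsdr.exe','services.exe','copypfh.exe','smss.exe')
$paths  = @($tempNames | ForEach-Object { Join-Path $env:TEMP $_ })
$paths += @('romdrivers.dll','romdrivers.bak','romdrivers.bkk','HiJack.dll','HiJack.bak',
            'HiJack.bkk','Autorun.inf') | ForEach-Object { Join-Path $ieDir $_ }
$paths += @('BinNice.dll','BinNice.bak','BinNice.bkk','System64.sys') |
            ForEach-Object { Join-Path $ieDir "PLUGINS\$_" }
$paths += Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSINFO\NewInfo.bmp'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    # The worm drops autorun.inf + Ghost.pif in every root so AutoRun re-infects the machine.
    $paths += Join-Path $drive.Root 'autorun.inf'
    $paths += Join-Path $drive.Root 'Ghost.pif'
}
$found = @($paths | Where-Object { Test-Path -LiteralPath $_ })
$found | ForEach-Object { "FILE FOUND  $_" }

# --- 3. hosts file: the post lists it among the created files, so report any entry ---------
#        beyond the stock localhost line for manual review (it is not deleted below).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile | Where-Object {
    $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b'
} | ForEach-Object { "HOSTS ENTRY  $_" }

# --- 4. Marker key the downloader writes ---------------------------------------------------
if (Test-Path 'HKCU:\Software\SetVer') { 'REG FOUND    HKCU:\Software\SetVer' }

# --- 5. Cleanup (steps 5 and 6 of the post): only when $Remove is $true --------------------
if ($Remove) {
    # explorer.exe has the hook DLL mapped; stop it so the file can actually be deleted.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    foreach ($clsid in $suspectHooks) {
        Remove-ItemProperty -Path $hooksKey -Name $clsid -ErrorAction SilentlyContinue
        Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Recurse -ErrorAction SilentlyContinue
    }
    # Recreate the stock hook exactly as listed in step 6.
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$knownGood\InProcServer32"
    New-ItemProperty -Path $hooksKey -Name $knownGood -Value '' -PropertyType String -Force | Out-Null
    New-Item -Path $srvKey -Force | Out-Null
    Set-ItemProperty -Path $srvKey -Name '(default)'      -Value 'shell32.dll'
    Set-ItemProperty -Path $srvKey -Name 'ThreadingModel' -Value 'Apartment'
    foreach ($p in $found) { Remove-Item -LiteralPath $p -Force }   # -Force clears hidden/read-only
    Remove-Item -Path 'HKCU:\Software\SetVer' -Recurse -ErrorAction SilentlyContinue
    Start-Process -FilePath explorer.exe
}
```

Run it once with $Remove left at $false and read the HOOK BAD and FILE FOUND lines; only then set $Remove = $true. The script restores only the stock shell32.dll hook; the other CLSIDs listed under step 6 belonged to third-party products and should be recreated only if those products are still installed. Because the virus also sets the clock back to 1996, reset the system date afterwards, then run the full scan from step 2 with current definitions, since the downloaded %Temp% executables may have installed components the post does not enumerate.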