一:先说下以前的解决方案:

1.《 简要分析解决Ghost.pif病毒》 文章地址：www.45its.com/Article/pcedu/Safety/200705/16157.htm

2.《ghost.pif新变种导致杀软0xc00000ba失败的解决》www.45its.com/Article/pcedu/Safety/200706/16376.htm

     二：新变种分析：

     运行后生成

C:\Program Files\Common Files\Relive.dll C:\Program Files\Internet Explorer\HiJack.bak C:\Program Files\Internet Explorer\HiJack.dll C:\Program Files\Internet Explorer\msvcrt.bak C:\Program Files\Internet Explorer\msvcrt.dll

添加注册表键值

HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program Files\Internet Explorer\HiJack.dll" HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel: "Apartment" HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\: "" HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program Files\Internet Explorer\msvcrt.dll" HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\ThreadingModel: "Apartment" HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\: "" HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program Files\Common Files\Relive.dll" HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\ThreadingModel: "Apartment" HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: "" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B- FB6EE3CC6CD6}: "" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E- CD3FE82F5213}: "" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319- A0E0-D416CB8059E3}\: ""

查询以下注册表项目的某些键值来获取相关安全软件的安装目录，在获得安装目录下生成以系统文件名"ws2_32.dll"

命名的文件夹

SOFTWARE\\rising\\Rav SOFTWARE\\Kingsoft\\AntiVirus SOFTWARE\\JiangMin SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal SOFTWARE\\KasperskyLab\\SetupFolders SOFTWARE\Network Associates\TVD\Shared Components\Framework SOFTWARE\Eset\Nod\CurrentVersion\Info SOFTWARE\\Symantec\\SharedUsage SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

并在ws2_32.dll文件夹下生成歧义文件夹1..\导致windows下无法删除该文件夹

控制explorer连接网络202.59.153.91:80下载木马
http://xxx.us/oK/svchost.exe
http://xxx.us/Sign/csrss.exe
http://xxx.us/Sign/svchost32.exe
http://xxx.us/Sign/smss.exe
http://xxx.us/Sign/services.exe
http://xxx.us/Sign/svchost.exe
http://xxx.us/Sign/conime.exe
http://xxx.us/Sign/ctfmon.exe
http://xxx.us/Sign/mmc.exe
http://xxx.us/Sign/IEXPLORE.EXE
http://xxx.us/Sign/stpgldk.exe
http://xxx.us/Sign/srogm.exe
http://xxx.us/Sign/spglsdr.exe
http://xxx.us/Sign/copypfh.exe
http://xxx.us/Sign/okfile.exe
到临时文件夹

运行后分别在临时文件夹下创建文件

fyso.exe   jtso.exe   mhso.exe    qjso.exe qqso.exe    wgso.exe   wlso.exe   wmso.exe woso.exe   ztso.exe    daso.exe    tlso.exe rxso.exe   svchost.exe   IEXPLORE.EXE svchost32.exe    srogm.exe   csrss.exe conime.exe   mmc.exe   spglsdr.exe   services.exe   copypfh.exe   smss.exe   fyso0.dll jtso0.dll    mhso0.dll   qjso0.dll   qqso0.dll wgso0.dll   wlso0.dll   wmso0.dll woso0.dll   ztso0.dll    tlso0.dll daso0.dll   rxso0.dll

添加注册表启动项目

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe" ...

各个木马创建HKCU\Software\SetVer\ver键

解决办法：

1.打开sreng(可到down.45its.com下载)

启动项目     注册表 删除如下项目
<wosa><C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\ztso.exe> []
<mhsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\mhso.exe> []
<fysa><C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe> []
       <{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}><C:\Program Files\Internet Explorer\HiJack.dll>  

[Microsoft Corporation]
       <{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll>  

[Microsoft Corporation]

系统修复 浏览器加载项 选中
[]
     {D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft

Corporation>
并单击右下角的删除所选内容 在弹出的对话框中选择 是
2.重启计算机
双击我的电脑，工具，文件夹选项，查看，单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件（

推荐）"前面的钩。在提示确定更改时，单击“是” 然后确定
删除C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
清空临时文件夹C:\DOCUME~1\用户名\LOCALS~1\Temp

3.删除瑞星 江民 卡巴 360文件夹下的ws2_32.dll（按你实际安装的杀软情况）
方法：
假如你的瑞星在C:\Program files\rising\rav下面
则这样做 开始 运行 输入cmd C:\Program files\rising\rav\ws2_32.dll     回车
rd 1..\      回车
关闭cmd窗口     直接删除ws2_32.dll文件夹即可
其他的文件夹下的ws2_32.dll以此类推