|
文件名称: S168.exe
病毒名: kaspersky: N/Aw rising: N/A
详细资料:
文件变化:
释放文件
%ProgramFiles%\Common Files\Relive.dll
%ProgramFiles%\Internet Explorer\msvcrt.bak
%ProgramFiles%\Internet Explorer\msvcrt.dll
修改注册表:
病毒创建启动项
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"
[HKCR\CLSID\{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}\InProcServer32]
"(默认)"="C%ProgramFiles%\Internet Explorer\msvcrt.dll"
[HKCR\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}\InProcServer32]
"(默认)"="%ProgramFiles%\Common Files\Relive.dll" |
其他行为:
删除 hosts 文件
| %System%\drivers\etc\hosts |
调用 Explorer.exe 访
问网络下载病毒,存放到 %Temp% 临时文件夹
清除方法:
1. 删除病毒启动项(详细步骤:打开SREng-启动项目-注册表,该软件可到down.45its.com下载)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"
[HKCR\CLSID\{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}\InProcServer32]
"(默认)"="%ProgramFiles%\Internet Explorer\msvcrt.dll"
[HKCR\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}\InProcServer32]
"(默认)"="%ProgramFiles%\Common Files\Relive.dll" | 2. 重新启动计算机
3. 删除文件(如遇提示无法删除文件,到down.45its.com下载费尔木马强制删除器工具进行强制删除)
%ProgramFiles%\Common Files\Relive.dll
%ProgramFiles%\Internet Explorer\msvcrt.bak
%ProgramFiles%\Internet Explorer\msvcrt.dll
4. 在安全模式使用反病毒软件全盘扫描清除病毒�
|
