|
Aditional Information
File size: 23602 bytes
MD5: 6578f288d64a190956e22056ba73639c
SHA1: 038de7fc0e7499cc57ccbdb6f886443cd78b7aed
CRC32 : 29A0A8E2
RIPEMD160: E771D541E11FEC17543FC3C9A8E94E605E054711
Tiger_192: 916239086D96A37DDA67A458AF68BB48F06CD62DA9AB936C
运行后```连接外部,下载病毒````在%temp%````释放romdrivers.dll设置系统全局挂钩`````
并在注册表生成:HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}``
指向的是:C:\Program Files\Internet Explorer\romdrivers.dll
C:\Program Files\Internet Explorer下生成3个病毒文件:
romdrivers.bak romdrivers.bkk romdrivers.dll ````
下载下来的病毒(EXE文件)每个释放一个同名Dll文件,动态插入进程`````一共13个````并加入注册表RUN启动````
最后还删除了%systemroot%\system32\drivers\etc下的hosts(域名解析文件)```````
解决方法:
首先利用清理软件全面清空临时文件夹````断开网络````
下载工具SREng和冰刃和PowerRMV````(可到down.45it.com下载)
打开SREng```删除下面的(注册表项)````:
<wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe> []
<ztsa><C:\DOCUME~1\admin\LOCALS~1\Temp\ztso.exe> []
<mhsa><C:\DOCUME~1\admin\LOCALS~1\Temp\mhso.exe> []
<fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe> [] |
``````
运行冰刃````查找Explorer模块````强行卸载:
[C:\DOCUME~1\admin\LOCALS~1\Temp\woso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\ztso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\mhso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\fyso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\jtso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wgso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\daso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wdso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\qjso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wmso0.dll] [N/A, ] |
````
打开PowerRMV,填入(一次填入一个,依次删除)```:
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll
做完上面工作后重启电脑````修改QQ\邮箱\网游等密码``````````
|
