
Removing the vspmjg.dll, xur.lmj, TXF.dll and comint32.sys virus

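电脑软硬件应用网 45IT.COM  Time: 2007-12-04 11:22  Author: skyshine
  Basic symptoms:
  1. Antivirus scans find nothing.
  2. 360 Safe Guard is deleted as soon as it is installed, and so on.
  3. Hidden files cannot be displayed.
  4. sreng is deleted as soon as it is run.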

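  I went to take a look. Boot speed was completely normal, and Task Manager and the Jiangmin 08 antivirus both started normally; the antivirus, with the latest definitions, could not find any virus. I plugged in a USB drive, copied SReng over and clicked to run it, and the srengps.exe program file was suddenly deleted outright. I copied it again and changed the name and extension, but on double-click it was still deleted immediately. At that point I wondered whether it was an AV-killer type, so I copied the Kingsoft dedicated removal tool over; it was deleted as soon as I clicked it. Speechless.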

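  Since that was the case, I switched to a tool that viruses pay less attention to: wsyscheck.
  I ran it and checked the processes; there were no suspicious processes. Checking the modules of the explorer.exe process, I found the following: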
  c:\program files\tencent\qq\vspmjg.dll
  c:\windows\system32\xur.lmj

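  I selected them and unloaded them. The service entries showed nothing abnormal either. I used wsyscheck's DOS delete function to delete these two files.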

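  On boot, the system reported that it could not find the vspmjg.dll file. I copied sreng over again and ran it; it started normally. I began scanning to a log, and the log showed the following abnormal files: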
  c:\windows\system32\drivers\comint32.sys
  C:\WINDOWS\system32\TXF.dll

The hosts file had been modified to the following content:
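As above, I deleted them again. After entering the system I deleted the corresponding driver entry, repaired the display of hidden files, cleared the IE temporary files, and reset the hosts file. I also blocked the following IPs in the hosts table: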
219.235.3.16
222.73.126.115
222.73.210.148
219.235.3.16
After that, 360 installed with everything normal.

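Judging from the hosts file, the author of this virus is really "dedicated"! I hope everyone takes care to protect themselves and promptly installs system patches and patches for commonly used applications (such as Xunlei, Baofeng Yingyin, RealPlayer, etc.).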

If you run into this situation, you can follow the steps below:
Use the DOS delete function of XDelBox1.6 (available from down.45it.com) to delete the following files:
c:\program files\tencent\qq\vspmjg.dll
c:\windows\system32\xur.lmj
c:\windows\system32\drivers\comint32.sys
C:\WINDOWS\system32\TXF.dll

Then download sreng (available from down.45it.com), and find and delete the corresponding driver entry:
[RAS Asynchronous Media Driver / AsyncMac][Stopped/Auto Start]
<system32\DRIVERS\comint32.sys><N/A> 

Then modify hosts so that it has the following content:
127.0.0.1    localhost
127.0.0.1    219.235.3.16
127.0.0.1    222.73.126.115
127.0.0.1    222.73.210.148
127.0.0.1    219.235.3.16
(On Windows 2000/XP it is located in the \%Systemroot%\System32\Drivers\Etc folder, where %Systemroot% is the system installation path. For example, if Windows XP is installed in C:\WINDOWS, the Hosts file is in C:\WINDOWS\system32\drivers\etc.)

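Also repair the display of hidden files, and so on.
Note: because viruses nowadays mostly use random names, the files generated may not be the same. Anyone who runs into a similar situation still needs to search and analyze carefully.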
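
A way to check a hosts file for the kind of tampering described above, as an added example that is not part of the original article: it groups every name pinned to a non-loopback address and reports which of them belong to watched security-vendor domains. The sample file, the `.example` domains, the documentation-range addresses and the function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: mimics the tampering pattern described in the article
# (many unrelated names pinned to a few outside addresses). Not real data.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    www.search-portal.example
203.0.113.10    update-forum.av-vendor.example
198.51.100.20   update.av-vendor.example   # trailing comment
198.51.100.20   dl1.av-vendor.example dl2.av-vendor.example
127.0.0.1       203.0.113.10
not-an-ip       broken.example
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_hosts(text, watched_suffixes=()):
    """Return (redirects, watched_hits, ip_named) for hosts-file text.

    redirects    : {address: [names]} for every non-loopback mapping
    watched_hits : redirected names that end in a watched suffix
    ip_named     : entries whose name field is itself an IP literal
    """
    redirects, watched_hits, ip_named = defaultdict(list), [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or not is_ip(fields[0]):
            continue                               # blank or malformed line
        addr = ipaddress.ip_address(fields[0])
        for name in (n.lower() for n in fields[1:]):
            if is_ip(name):
                ip_named.append((str(addr), name))
            elif not (addr.is_loopback or addr.is_unspecified):
                redirects[str(addr)].append(name)
                if any(name == s or name.endswith("." + s) for s in watched_suffixes):
                    watched_hits.append(name)
    return dict(redirects), watched_hits, ip_named

if __name__ == "__main__":
    for part in audit_hosts(SAMPLE_HOSTS, ("av-vendor.example",)):
        print(part)
```

The third result lists lines such as `127.0.0.1 203.0.113.10`: a hosts file only maps names to addresses, so a line with an IP address in the name field does not stop connections to that address, and blocking the address itself takes a firewall rule.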
