瑞星卡卡安全论坛

打开IE，左上角就有个“-_-”的符号，GHOST后，只要一打开IE，自动跳转图片上的网址，然后自动关闭IE，接着打开IE又出现那个符号~~360.卡巴，瑞星，江民，NOD32,AVG，全部被自动关闭，就打不开了，重装后马上杀毒，杀不出该病毒。麻烦帮忙啊。我痛苦了6小时了！






附件: 10039942008114185858.txt

上个日志吧，下载 System Repair Engineer，
http://download.kztechs.com/files/sreng2.zip
1 解压缩sreng2.zip
2 运行SREngPS.EXE
3 智能扫描=》扫描=》保存报告
4 把报告保存后以附件的形式发上来，注意把报告文件的扩展名改成“.txt”

QQ空间挂马？

chong xin an zhuang IE

上传了分析附件，帮忙看看，谢谢！

删除以下启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
    <IFEO[auto.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntldr.exe]
    <IFEO[ntldr.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif]
    <IFEO[pagefile.pif]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe]
    <IFEO[sos.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sxs.exe]
    <IFEO[sxs.exe]><AUTOGUARDER GUARDED.>  [N/A]
修复winsock
删除
MSAFD Tcpip [TCP/IP]
    C:\WINDOWS\system32\simdrcom0.dll(https://sourceforge.net/projects/drcom-client, simdrcom)
MSAFD Tcpip [UDP/IP]
    C:\WINDOWS\system32\simdrcom0.dll(https://sourceforge.net/projects/drcom-client, simdrcom)
MSAFD Tcpip [RAW/IP]
    C:\WINDOWS\system32\simdrcom0.dll(https://sourceforge.net/projects/drcom-client, simdrcom)
RSVP UDP Service Provider
    C:\WINDOWS\system32\simdrcom1.dll(https://sourceforge.net/projects/drcom-client, simdrcom)
RSVP TCP Service Provider
    C:\WINDOWS\system32\simdrcom1.dll(https://sourceforge.net/projects/drcom-client, simdrcom)

删除以下文件
C:\WINDOWS\system32\simdrcom0.dll
C:\WINDOWS\system32\simdrcom1.dll

清空IE缓存

用XDelBox删除以下文件：
c:\docume~1\admini~1\locals~1\temp\rar$ex00.297\lingyu.dll
c:\windows\system32\simdrcom0.dll
c:\windows\system32\simdrcom1.dll
c:\docume~1\admini~1\locals~1\temp\e_4\iext.fnr
c:\docume~1\admini~1\locals~1\temp\e_4\krnln.fnr

用sreng删除启动项：
<IFEO[auto.exe]>    <AUTOGUARDER GUARDED.>
<IFEO[ntldr.exe]>    <AUTOGUARDER GUARDED.>
<IFEO[pagefile.pif]>    <AUTOGUARDER GUARDED.>
<IFEO[sos.exe]>    <AUTOGUARDER GUARDED.>
<IFEO[sxs.exe]>    <AUTOGUARDER GUARDED.>

用sreng重置winsock