This trojan really is pretty wild. Still, if you have SSM installed, dealing with it is no big deal.
Even if you do get infected, SSM automatically blocks the two key startup entries it adds (Figure 1), so you can easily delete the 19 files the trojan creates (Figure 2). Note: the trojan's CSRSS.EXE sits in the WINDOWS folder, while the legitimate system file CSRSS.EXE lives in the system folder. Don't delete files blindly.
Cleaning up the registry is a bit more tedious (this trojan is really nasty).
You can first use RegFix to repair the registry automatically, then do the following registry cleanup by hand.
Expand: HKEY_CLASSES_ROOT\.bfc\ShellNew
Delete: "Command"="%SystemRoot%\\system32\\rundll32.com %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"
Expand: HKEY_CLASSES_ROOT\.lnk\ShellNew
Delete: "Command"="rundll32.com appwiz.cpl,NewLinkHere %1"
Expand: HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
Delete: @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1"
Expand: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Delete: @="C:\\windows\\MSWINSCK.OCX"
Expand: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
Delete: @="0"
Expand: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
Delete: @="132497"
Expand: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
Delete: @="MSWinsock.Winsock.1"
Expand: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
Delete: @="C:\\windows\\MSWINSCK.OCX, 1"
Expand: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Delete: @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\""
Expand: HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
Delete: @="rundll32.com shell32.dll,Control_RunDLL \"%1\",%*"
Expand: HKEY_CLASSES_ROOT\Drive\shell\find\command
Delete: @="%SystemRoot%\\explorer1.com"
Expand: HKEY_CLASSES_ROOT\dunfile\shell\open\command
Delete: @="%SystemRoot%\\system32\\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
Expand: HKEY_CLASSES_ROOT\ftp\shell\open\command
Delete: @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1"
Expand: HKEY_CLASSES_ROOT\htmlfile\shell\open\command
Delete: @="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" -nohome"
Expand: HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command
Delete: @="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
Delete: @="{00020424-0000-0000-C000-000000000046}"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Delete: @="{00020424-0000-0000-C000-000000000046}"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Delete: @="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
Delete: @="{00020420-0000-0000-C000-000000000046}"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Delete: @="{00020420-0000-0000-C000-000000000046}"
Expand: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Delete: @="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
Expand: HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command
Delete: @="finder.com shdocvw.dll,OpenURL %l"
Expand: HKEY_CLASSES_ROOT\MSWinsock.Winsock\CLSID
Delete: @="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
Expand: HKEY_CLASSES_ROOT\MSWinsock.Winsock\CurVer
Delete: @="MSWinsock.Winsock.1"
Expand: HKEY_CLASSES_ROOT\MSWinsock.Winsock.1\CLSID
Delete: @="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
Expand: HKEY_CLASSES_ROOT\scrfile\shell\install\command
Delete: @="finder.com desk.cpl,InstallScreenSaver %l"
Expand: HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command
Delete: @="\"C:\\WINDOWS\\System32\\finder.com\" C:\\WINDOWS\\System32\\scrobj.dll,GenerateTypeLib \"%1\""
Expand: HKEY_CLASSES_ROOT\telnet\shell\open\command
Delete: @="finder.com url.dll,TelnetProtocolHandler %l"
Expand: HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32
Delete: @="C:\\windows\\MSWINSCK.OCX"
Expand: HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS
Delete: @="2"
Expand: HKEY_CLASSES_ROOT\Unknown\shell\openas\command
Delete: @="%SystemRoot%\\system32\\finder.com %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1"
Expand: HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command
Delete: @="C:\\windows\\ExERoute.exe \"%1\" %*"
Expand: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft Process Debuger\CRCCode
Delete: "Name"="0"
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete: "HKEY_CLASSES_ROOT\\.exe"="exefile"
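Before editing by hand, it helps to confirm which of the listed hijacks are actually present. The script below is an added example, not part of the original post: it scans a registry export (regedit's .reg format) and flags every command value that points at one of the look-alike binaries named in the values above (rundll32.com, iexplore.com, finder.com, explorer1.com, iexplore.pif, ExERoute.exe and the trojan's own MSWINSCK.OCX copy). The sample .reg text is constructed from three of the values above plus one clean entry to show a non-match.

```python
import re
# Added example, not from the original post: scan a .reg export for the look-alike
# binaries the trojan substitutes for the real shell handlers (names from the values above).
HIJACK_BINARIES = {"rundll32.com", "iexplore.com", "finder.com", "explorer1.com",
                   "iexplore.pif", "exeroute.exe", "mswinsck.ocx"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
FILE_RE = re.compile(r"[\w~.\-]+\.(?:com|pif|exe|ocx)", re.IGNORECASE)

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "@" if m.group("name") is None else m.group("name")
            yield key, name, unescape(m.group("data"))

def find_hijacked(text):
    """Return (key, value_name, data, binary) for each value naming a hijack binary."""
    hits = []
    for key, name, data in parse_reg(text):
        for token in FILE_RE.findall(data):  # every file name in the command string
            if token.lower() in HIJACK_BINARIES:
                hits.append((key, name, data, token.lower()))
                break
    return hits

# Constructed sample: three hijacked values from the post plus one clean cplfile entry.
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\.bfc\ShellNew]
"Command"="%SystemRoot%\\system32\\rundll32.com %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"
[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"
[HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]
@="C:\\windows\\ExERoute.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.exe shell32.dll,Control_RunDLL \"%1\",%*"
'''

for key, name, data, binary in find_hijacked(SAMPLE_REG):
    print(f"{binary}: [{key}] {name}={data}")
```

To check a real machine, export HKEY_CLASSES_ROOT with regedit (or `reg export`) and pass the file's contents to `find_hijacked` instead of the constructed sample; the keys it reports are the ones to fix from the list above.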
Figure 1