瑞星今天最新病毒库尚不能发现此毒。
处理这个病毒比较棘手。
原因在于多个DLL插入应用程序进程。若强制卸除Explorer.EXE进程中的病毒模块,易导致系统假死,难以进行后续杀毒操作。
此外,这个病毒关闭瑞星所有监控,任务栏中的瑞星图标消失;病毒还在瑞星安装目录下建立名为WS2_32.dll的畸形文件夹,导致瑞星杀软不能正常加载运行。
中毒后,SRENG日志可见下列异常:
注册表
启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{5c7596cb-51CC-5bA3-be52-6eea62f9c51c}><C:\Program Files\Common Files\goskdl.dll>
<{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}><C:\Program Files\Internet Explorer\rksldk.dll> [Microsoft Corporation]
<{3422FB0F-95EB-458A-8B56-39552017A4EF}><C:\windows\system32\mhdoor0.dll> []
<{5731EA1D-6AAF-4DE9-BDDA-7B390A75B286}><C:\windows\system32\wodoor0.dll> []
<{E952B8F8-D91A-4EDD-851C-EE1A0F944469}><C:\windows\system32\ztdoor0.dll> []
<{71046DD5-E136-4C4B-A6B5-91C30CB15291}><C:\windows\system32\jtdoor0.dll> []
<{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3}><C:\windows\system32\wldoor0.dll> []
<{A3C95A74-638D-4C6B-A856-4B27664A7F47}><C:\windows\system32\wgdoor0.dll> []
<{D8CC4845-441C-44F8-9053-28F2EF67655B}><C:\windows\system32\dadoor0.dll> []
正在运行的进程
[PID: 1036][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Internet Explorer\rksldk.dll] [Microsoft Corporation, 1. 0. 0. 1]
[C:\windows\system32\mhdoor0.dll] [N/A, ]
[C:\windows\system32\wodoor0.dll] [N/A, ]
[C:\windows\system32\ztdoor0.dll] [N/A, ]
[C:\windows\system32\jtdoor0.dll] [N/A, ]
[C:\windows\system32\wldoor0.dll] [N/A, ]
[C:\windows\system32\wgdoor0.dll] [N/A, ]
[C:\windows\system32\dadoor0.dll] [N/A, ]
[PID: 2404][C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe] [Cyberlink, 5.00.1524]
[C:\windows\system32\mhdoor0.dll] [N/A, ]
[C:\windows\system32\wodoor0.dll] [N/A, ]
[C:\windows\system32\jtdoor0.dll] [N/A, ]
[C:\windows\system32\wldoor0.dll] [N/A, ]
[C:\windows\system32\wgdoor0.dll] [N/A, ]
[C:\windows\system32\dadoor0.dll] [N/A, ]
[C:\windows\system32\ztdoor0.dll] [N/A, ]
[PID: 2460][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\system32\dadoor0.dll] [N/A, ]
[C:\windows\system32\wgdoor0.dll] [N/A, ]
[C:\windows\system32\wldoor0.dll] [N/A, ]
[C:\windows\system32\jtdoor0.dll] [N/A, ]
[C:\windows\system32\ztdoor0.dll] [N/A, ]
[C:\windows\system32\wodoor0.dll] [N/A, ]
[C:\windows\system32\mhdoor0.dll] [N/A, ]
[PID: 3632][C:\Documents and Settings\Lenovo\桌面\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\windows\system32\mhdoor0.dll] [N/A, ]
[C:\windows\system32\wodoor0.dll] [N/A, ]
[C:\windows\system32\jtdoor0.dll] [N/A, ]
[C:\windows\system32\wldoor0.dll] [N/A, ]
[C:\windows\system32\wgdoor0.dll] [N/A, ]
[C:\windows\system32\dadoor0.dll] [N/A, ]
[C:\windows\system32\ztdoor0.dll] [N/A, ]
我的杀毒流程:
1、将下列DLL录入SSM规则,禁止其加载运行:
C:\windows\system32\mhdoor0.dll
C:\windows\system32\wodoor0.dll
C:\windows\system32\jtdoor0.dll
C:\windows\system32\wldoor0.dll
C:\windows\system32\wgdoor0.dll
C:\windows\system32\dadoor0.dll
C:\windows\system32\ztdoor0.dll
2、重启后删除SRENG日志所见的病毒启动项。
3、删除病毒文件(见附图)。
注:
(1)C:\Program Files\Common Files\goskdl.dll这个病毒文件比较特殊——须改名后才能删除。
(2)瑞星安装目录下的WS2_32.dll畸形文件夹须用IceSword强制删除。
此外,还要删除下列注册表内容(均为病毒添加):
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ReliveHookDLL
HKEY_CLASSES_ROOT\CLSID\{3422FB0F-95EB-458A-8B56-39552017A4EF}
HKEY_CLASSES_ROOT\CLSID\{5731EA1D-4DE9-BDDA-6AAF-7B390A75B286}
HKEY_CLASSES_ROOT\CLSID\{5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C}
HKEY_CLASSES_ROOT\CLSID\{71046DD5-4C4B-A6B5-E136-91C30CB15291}
HKEY_CLASSES_ROOT\CLSID\{71046DD5-E136-4C4B-A6B5-91C30CB15291}
HKEY_CLASSES_ROOT\CLSID\{A3C95A74-4C6B-A856-638D-4B27664A7F47}
HKEY_CLASSES_ROOT\CLSID\{A3C95A74-638D-4C6B-A856-4B27664A7F47}
HKEY_CLASSES_ROOT\CLSID\{D8CC4845-441C-44F8-9053-28F2EF67655B}
HKEY_CLASSES_ROOT\CLSID\{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}
HKEY_CLASSES_ROOT\CLSID\{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3}
HKEY_CLASSES_ROOT\CLSID\{E03C23BD-49C2-BBCA-35B7-6D8CEC2507E3}
HKEY_CLASSES_ROOT\CLSID\{E952B8F8-4EDD-851C-D91A-EE1A0F944469}
[用户系统信息]Opera/9.23 (Windows NT 5.1; U; zh-cn)
