Ghost.pif清除指南``
一个疯狂的下载器,以前好像遇到过,不知道有没有更新``
比较恶劣,下了一大堆木马,还破坏杀软``
Aditional Information
File size: 21035 bytes
MD5: fbe2dbe65e71551ce8c491d2e5568362
SHA1: 4025b90ffb123251090cf69dace2658fd7367321
CRC32 : 57955184
RIPEMD160: 4CDE47DDDF871BAF4542E950B0951EEF7D72A2A4
Tiger_192: 817C44E1A00B89FE67248411A4DF530892D920ECB5BA8DB4
packers: UPX
Languages: Borland Delphi 6.0 - 7.0
RIPEMD160: 4CDE47DDDF871BAF4542E950B0951EEF7D72A2A4
Tiger_192: 817C44E1A00B89FE67248411A4DF530892D920ECB5BA8DB4
packers: UPX
Languages: Borland Delphi 6.0 - 7.0
运行后释放msvcrt.dll注入Exolorer设置全局挂钩``
后反弹连接下载了一大推木马``
并在瑞星、江民、卡吧、偌顿等杀软目录释放一个ws2_32.dll的目录夹(并无法删除,因为建立了4层非法文件夹),导致杀软无法加载并提示正常初始化(0xc00000ba)失败。
解决方法:
[url]http://gudugengkekao.ys168.com/[/url]下冰刃、SREng、Unlocker.exe(需安装)
冰刃(增强版).rar 555KB
SREng.rar 597KB
unlocker1.8.5.exe 191KB
(如果下载不了的话,自己百度搜索下载!)
下载后断开网络,关闭一切不需要的进程,按步骤:
1、我的电脑-系统盘(C盘?)-属性-磁盘清理-全部勾选上-点确定。
2、打开冰刃,文件―设置―禁止进线程创建―确定。
打开冰刃的“进程”,在进程如果有找到IE和Ghost.pif的结束掉。
选择冰刃的“文件”功能,强行删除:
<wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe> []
<fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe> []
<fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe> []
[C:\DOCUME~1\admin\LOCALS~1\Temp\daso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wdso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wmso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\qjso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wgso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\jtso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\fyso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\woso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\tlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wdso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wmso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\rxso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\qjso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wgso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\wlso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\jtso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\fyso0.dll] [N/A, ]
[C:\DOCUME~1\admin\LOCALS~1\Temp\woso0.dll] [N/A, ]
C:\DOCUME~1\admin\LOCALS~1\Temp\WIKLD.exe
C:\DOCUME~1\admin\LOCALS~1\Temp全名是:
C:\Documents and Settings\%username%\Local Settings\Temp\
%username%这个是你的用户名``可能每个人都不一样。
还有其他目录下的病毒,也删除:
C:\Program Files\Common Files\Relive.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
C:\Program Files\Internet Explorer\msvcrt.ebk
C:\WINNT\system32\nwizzhuxians.exe
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\WanPacket.dll
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\drivers\npf.sys
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
C:\Program Files\Internet Explorer\msvcrt.ebk
C:\WINNT\system32\nwizzhuxians.exe
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\WanPacket.dll
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\drivers\npf.sys
最后在每个分区目录下查找下,有没有Autorun.inf和Ghost.pif,有的话删除``
3、重新设置冰刃,去掉“进线程创建”―确定。
4、打开SREng,删除下面的(不一定全):
注册表:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe> []
<fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe> []
<fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll> [Microsoft Corporation]
<{05AD2E16-C6EF-6AC1-136A-CE3FD8EF5613}><C:\Program Files\Internet Explorer\msvcrt.dll>
<{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll> [Microsoft Corporation]
<{05AD2E16-C6EF-6AC1-136A-CE3FD8EF5613}><C:\Program Files\Internet Explorer\msvcrt.dll>
服务:
[WIKLD / WIKLD][Stopped/Manual Start]
<C:\DOCUME~1\admin\LOCALS~1\Temp\WIKLD.exe><N/A>
<C:\DOCUME~1\admin\LOCALS~1\Temp\WIKLD.exe><N/A>
驱动:
[NetGroup Packet Filter Driver / NPF][Running/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
<system32\drivers\npf.sys><CACE Technologies>
浏览器加载项:
[]
{D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft Corporation>
[]
{E3616E66-C13B-2628-2CDF-EDABCFA235E1} <C:\Program Files\Common Files\Relive.dll, Microsoft
5、下载并安装Unlocker,打开控制面板―文件夹选项―显示所有隐藏文件(包括受保护的系统文件)。
6、打开你安装杀软的目录,查找ws2_32.dll,是个文件夹,然后点它右键,用Unlocker删除掉。如果DOS硬的话,直接用DOS删除。
如果有其他软件打开提示错误的话,也去查找下。
(小提示:也可以开始―搜索―ws2_32.dll,记得选上查找所有文件(包括隐藏的), 如果ws2_32.dll是文件夹的话删除,不是文件夹的话则不要删除!!!)
7、重启电脑,修改QQ、邮箱、网游等密码。并升级杀软,全盘扫....
记得一定要打齐补丁,及时升级杀软和防火墙````
