Removing www.my123.com

wajika

I got infected last night. I didn't think it was anything special and ignored it; I found the virus file, C:\WINNT\system32\drivers\exoowk26.sys, switched operating systems, and renamed it. OK, done.

During the day today I saw so many posts about it but paid no attention, since I had been using XP all day. Just got home, booted 2000, and only then realized: oh, what I caught yesterday was this.

This virus file is 14.8 kB (15,232 bytes); version description: disk driver; product name: Microsoft(R) Windows(R) Operating System.

Also, this file is an 8-character .sys file located in the \system32\drivers\ directory; the last two characters are digits. Delete it with Unlocker, or boot into DOS to delete it.

Important addition: this file also has a same-named DLL in the system32 directory; delete it as well. Size: 52 kB (53,248 bytes); version description: Battery Meter Helper DLL.

Entries loaded into the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\
  00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="exoowk26"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Enum]
"0"="Root\\LEGACY_EXOOWK26\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\
  00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="exoowk26"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\
  00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="exoowk26"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Enum]
"0"="Root\\LEGACY_EXOOWK26\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

For how to find and remove this virus file, see the method for removing ALLXUN.

Posted: 2007-03-17 17:54
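As an added example (not from the original post or its author), a small Python script that parses a .reg export like the one above, decodes the hex(2) ImagePath back into text, and flags boot-start kernel drivers (Type 1, Start 0) whose image name fits the pattern the post describes: an 8-character name under \system32\drivers\ ending in two digits. The sample .reg text is constructed from the post's own exoowk26 service key plus a constructed benign "Disk" entry; the name pattern and the Disk entry are assumptions for illustration, not indicators from the post.

```python
import re
# Constructed sample .reg text: the exoowk26 service key as exported in the post,
# plus a constructed benign "Disk" entry to show an entry the check does not flag.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\
  00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\disk.sys"
'''

# Naming pattern from the post (assumed shape): 8-character .sys name under drivers\, last two digits.
SUSPECT_NAME = re.compile(r'[\\/]drivers[\\/][a-z]{6}\d{2}\.sys$', re.IGNORECASE)

def decode_value(raw):
    # dword: -> int; hex(2): (REG_EXPAND_SZ as UTF-16LE bytes) -> str; "quoted" -> str
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')
    return raw

def parse_reg(text):
    # Returns {key path: {value name: decoded value}}; joins "\"-continued hex lines first.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def suspicious_services(text):
    # Boot-start kernel drivers (Type 1, Start 0) whose ImagePath fits the post's pattern.
    return [(key.rsplit('\\', 1)[-1], str(v.get('ImagePath', '')))
            for key, v in parse_reg(text).items()
            if v.get('Type') == 1 and v.get('Start') == 0
            and SUSPECT_NAME.search(str(v.get('ImagePath', '')))]
```

Running `suspicious_services(SAMPLE_REG)` reports only the exoowk26 entry; the same parser can be pointed at a full export of HKLM\SYSTEM\CurrentControlSet\Services to review every boot-start driver on a machine.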