Rising Kaka Security Forum

电脑侠客 - 2006-9-8 11:18:00
Trojan Vundo/Adware Virtumondo (TR/Vundo.Gen) removal guide (2006-9-8)
Original post: http://forum.hijackthis.de/showthread.php?t=18484
Translated and compiled by 电脑侠客 (ljs3509.bokee.com)
Symptoms:
In the HijackThis log you will see entries like the following:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\*****.dll
O20 - Winlogon Notify: ***** - C:\WINDOWS\system32\*****.dll
(***** is the random part.)

For example:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
If you find the above entries in your HijackThis log, your antivirus will report the system as infected with TR/Vundo.Gen.
Please download and use filelist.zip; see karl83's post for instructions (http://www.hijackthis-forum.de/showpost.php?p=94939&postcount=2).
Translator's note: filelist.zip can be downloaded from the removal-tools area at ljs3509.ys168.com, file name: TR Vundo.Gens.rar. Usage instructions for filelist are attached at the end of this post.
The following files will be present in C:\WINDOWS\system32:
C:\WINDOWS\system32\yyxyb.ini
C:\WINDOWS\system32\yyxyb.bak1
C:\WINDOWS\system32\yyxyb.bak2
C:\WINDOWS\system32\yyxyb.ini2
C:\WINDOWS\system32\yyxyb.tmp

(yyxyb is a random string)
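As an added example (not part of the original post, HijackThis or VundoFix), the two symptom checks above as a small Python triage script: it reads HijackThis O2/O20 lines for the MSEvents BHO CLSID given above plus any Winlogon Notify entry pointing at the same DLL, then checks a system32 listing for the .ini/.bak1/.bak2/.ini2/.tmp companion set; the reversed-name pairing (byxyy.dll beside yyxyb.ini) is taken from the VundoFix log further down. All log lines and file names used with it are constructed samples.

```python
"""Added example (not from the original post): triage a HijackThis log for the
Vundo/Virtumondo symptom described above and confirm the companion-file set in
system32. All log lines and file names fed to it are constructed samples."""
import re
from collections import defaultdict

# CLSID the post gives for the "MSEvents Object" BHO entry.
VUNDO_BHO_CLSID = "{827DC836-DD9F-4A68-A602-5812EB50A834}"
# Companion extensions the post lists next to the random five-letter name.
COMPANION_EXTS = (".ini", ".bak1", ".bak2", ".ini2", ".tmp")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")

def suspicious_hjt_entries(log_text):
    """Map each DLL loaded as the MSEvents BHO (matched by CLSID) to the log
    lines referencing it, including any O20 Winlogon Notify line that points
    at the same DLL, which is the pairing the post shows for sstqq.dll."""
    bho_lines, notify = {}, defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m and m.group("clsid").upper() == VUNDO_BHO_CLSID:
            bho_lines[m.group("path").lower()] = line
            continue
        m = O20_RE.match(line)
        if m:
            notify[m.group("path").lower()].append(line)
    return {p: [ln] + notify.get(p, []) for p, ln in bho_lines.items()}

def vundo_companion_sets(file_names):
    """Group a system32 listing by base name and return the bases that carry the
    full .ini/.bak1/.bak2/.ini2/.tmp set, mapped to the DLL whose name is the
    base reversed when present (byxyy.dll <-> yyxyb.ini in the VundoFix log)."""
    names = {n.lower() for n in file_names}
    by_base = defaultdict(set)
    for n in names:
        if "." in n:
            base, ext = n.split(".", 1)
            by_base[base].add("." + ext)
    findings = {}
    for base, exts in by_base.items():
        if all(e in exts for e in COMPANION_EXTS):
            dll = base[::-1] + ".dll"
            findings[base] = dll if dll in names else None
    return findings
```

A base name reported with `None` means the companion set is present but no reversed-name DLL was found in the listing, so the DLL name should be taken from the O2/O20 lines instead.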
After running VundoFix you will see a log file similar to the following (C:\vundofix.txt):
Quote:
VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 10:37:37 24.08.2006

Listing files found while scanning....

C:\WINDOWS\system32\byxyy.dll
C:\WINDOWS\system32\yyxyb.ini
C:\WINDOWS\system32\yyxyb.bak1
C:\WINDOWS\system32\yyxyb.bak2
C:\WINDOWS\system32\yyxyb.ini2
C:\WINDOWS\system32\yyxyb.tmp
C:\WINDOWS\system32\anbxhvqa.exe
C:\WINDOWS\system32\fejtdbyv.exe
C:\WINDOWS\system32\hyjtiwou.exe
C:\WINDOWS\system32\jjscdgdx.exe
C:\WINDOWS\system32\kmlvbtnk.exe
C:\WINDOWS\system32\pamnguyt.exe
C:\WINDOWS\system32\rawyxqbi.exe
C:\WINDOWS\system32\rvsogqpj.exe
C:\WINDOWS\system32\sxqncdnn.exe
C:\WINDOWS\system32\vkrqelyt.exe
C:\WINDOWS\system32\whyrnhxw.exe
C:\WINDOWS\system32\wsggavru.exe
C:\WINDOWS\system32\ygqbqyaw.exe
C:\WINDOWS\system32\ynwribdq.exe
C:\WINDOWS\system32\ypuvtrlw.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxyy.dll
C:\WINDOWS\system32\byxyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyxyb.ini
C:\WINDOWS\system32\yyxyb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyxyb.bak1
C:\WINDOWS\system32\yyxyb.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyxyb.bak2
C:\WINDOWS\system32\yyxyb.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyxyb.ini2
C:\WINDOWS\system32\yyxyb.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyxyb.tmp
C:\WINDOWS\system32\yyxyb.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\anbxhvqa.exe
C:\WINDOWS\system32\anbxhvqa.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fejtdbyv.exe
C:\WINDOWS\system32\fejtdbyv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hyjtiwou.exe
C:\WINDOWS\system32\hyjtiwou.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjscdgdx.exe
C:\WINDOWS\system32\jjscdgdx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kmlvbtnk.exe
C:\WINDOWS\system32\kmlvbtnk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pamnguyt.exe
C:\WINDOWS\system32\pamnguyt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rawyxqbi.exe
C:\WINDOWS\system32\rawyxqbi.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rvsogqpj.exe
C:\WINDOWS\system32\rvsogqpj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\sxqncdnn.exe
C:\WINDOWS\system32\sxqncdnn.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkrqelyt.exe
C:\WINDOWS\system32\vkrqelyt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\whyrnhxw.exe
C:\WINDOWS\system32\whyrnhxw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wsggavru.exe
C:\WINDOWS\system32\wsggavru.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ygqbqyaw.exe
C:\WINDOWS\system32\ygqbqyaw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ynwribdq.exe
C:\WINDOWS\system32\ynwribdq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypuvtrlw.exe
C:\WINDOWS\system32\ypuvtrlw.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 10:47:25 24.08.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 12:58:17 27.08.2006

Listing files found while scanning....
Note the file path: on Windows NT/2000/XP it is C:\Winnt\System32; on Windows 95/98/Me it is C:\Windows\System.
How to remove this malware?
1/ Download VundoFix.exe and save it to the desktop.
2/ Double-click vundofix.exe to run it, then click the "Scan for Vundo" button.
3/ When the scan finishes, click the "Remove Vundo" button.
4/ A prompt appears: "if you want to remove the files, click YES"; choose YES.
5/ After choosing YES the desktop goes blank and removal of Vundo begins.
6/ When finished it prompts "it will reboot your computer, click OK."; choose OK.
Note: VundoFix may encounter files it cannot remove. If so, VundoFix will run automatically after the system reboots; repeat the steps above (1-6).
Translator's note: VundoFix download address: http://www.atribune.org/public-beta/VundoFix.exe, or download it from the removal-tools area at ljs3509.ys168.com, file name TR Vundo.Gens.rar.
How to use filelist.bat:

We usually need to check the contents of certain system folders. These folders retain traces of the malware, which helps us remove it.
Extract filelist.zip to the desktop; you will see the file filelist.bat. Reboot the system, then run it.
After filelist.bat runs, a text file opens. On older versions of Windows this file may fail to open because it is too large; you will then be prompted to open it with WordPad, so choose YES. If the file cannot be opened at all (this happens when Notepad has been damaged), you can also find it in the root of the system drive under the name filelist.txt and open it with any text editor.
The file is divided into separate directory listings, one per folder. The number of listings depends on your operating system version and configuration. The listings are sorted by the date each file was last closed. When a file's last-closed date is more than one month old, delete that entry (if this is used in a different time period). Between each heading and its listing there is a line of many dashes.
Note: given my limited ability, errors are unavoidable; corrections are welcome.