那个HKCU StarPage设置倒是其次,为什么有可疑Drivers一直冒出来才是问题。
改用CF做个处理、检查吧,操作上可能得先关闭防毒软件,请依程式指示操作。
一、准备安全工具●Combofix
http://reinfors.googlepag...ofix1.html二、完整复制以下文字,贴上去记事本选择「另存新档」、编码确认为「ANSI」、档案名称为「CFScript.txt」。
确认内容无误,并且存档后将CFScript.txt拖曳进去Combofix,如图所示。
复制程式
killall::
rootkit::
C:\WINDOWS\system32\drivers\lnsjvi.sys
C:\WINDOWS\system32\drivers\ifr.sys
Driver::
CFRMD
lnsjvi
ifr
reglock::
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
[HKEY_CLASSES_ROOT\.lnk]
[HKEY_CLASSES_ROOT\lnkfile]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
mod reg::
[-HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
[-HKEY_CLASSES_ROOT\.lnk]
[-HKEY_CLASSES_ROOT\lnkfile]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}]
[-HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="捷径"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\ProgID]
@="lnkfile"
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]
[HKEY_CLASSES_ROOT\lnkfile]
@="捷径"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex]
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
@="捷径"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"
[HKEY_CLASSES_ROOT\.lnk\ShellEx]
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk]
@="lnkfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="[url]http://tw.yahoo.com/"[/url]
"Start Page"="[url]http://tw.yahoo.com/"[/url]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="[url]http://tw.yahoo.com/"[/url]
"Start Page"="[url]http://tw.yahoo.com/"[/url]
REBOOT::
.
三、自动重开之后将产生的LOG文件上传上来。
*备注:自己把脚本里头最下面的这部份
[url]…
[/url]去掉,不然注册进去怕会有问题;论坛系统一直自动加上去…
