病毒名:Win32.Troj.Romdrivers.ka
中文名:罗姆
影响系统:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
该病毒会导致大量安全软件运行失败(即便是将病毒解决掉以后,还是会发现杀毒软件不能运行);会下载大量盗号木马到用户计算机来盗取用户帐号信息。
该病毒严重影响局域网,发送大量ARP欺骗数据包,造成企业网络中断。
以下是关于这个病毒的详细分析,清除病毒后,需要手工删除“ws2_32.dll”文件夹,以修复杀毒软件的正常功能。毒霸的修复工具稍后提供。
1、释放以下病毒文件:
系统分区:\Program Files\Internet Explorer\romdrivers.dll
系统分区:\Program Files\Internet Explorer\romdrivers.bak
系统分区:\Program Files\Internet Explorer\romdrivers.bkk
2、创建以下注册表项来使病毒文件随系统启动来启动(其CLSID不定):
HKCR\CLSID\{0CD68AC9-FF63-3E61-626B-B663E62F6236}
HKCR\CLSID\{0CD68AC9-FF63-3E61-626B-B663E62F6236}\InProcServer32\(Default) "C:\Program
Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CD68AC9-FF63-
3E61-626B-B663E62F6236} "" |
3、尝试删除以下注册表项来防止其它病毒的干扰:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
{DE35052A-9E37-4827-A1EC-79BF400D27A4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-
11d0-97EE-00C04FD91972}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-
48C0-82FD-21338366D2D2}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-
4678-B2FE-F2D7381CC1B5}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-
4678-B2FE-F2D7381CC1B5}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{131AB311-16F1-
F13B-1E43-11A24B51AFD1}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{274B93C2-A6DF-
485F-8576-AB0653134A76}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-
46D0-8C92-B8E71A4304DF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-
3E63-636B-B693E62F6236}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09B68AD9-FF66-
3E63-636B-B693E62F6236}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-
4810-B363-A788CD060F1F}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-
49AA-9ADA-49127D43138F}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06A68AD9-FF56-
6E73-937B-B893E72F6226}
5HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-
1FDD-6E5B-FB6EE3CC6CD6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-
6E23-6C8E-B833E2CE63B8}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{BC0ACA58-6A6F-
51DA-9EFE-9D20F4F621BA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-
11d0-97EE-00C04FD91972}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{99F1D023-7CEB-
4586-80F7-BB1A98DB7602}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FEB94F5A-69F3-
4645-8C2B-9E71D270AF2E}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{923509F1-45CB-
4EC0-BDE0-1DED35B8FD60}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-
4424-4234-42261A31A236} |
