2007-9-26 10:56 AM gracieccc
MSN Photo Virus

I got this virus. I don't know how to clean that up. Can anybody help? I used AVG antivirus software to scan, but it still can't scan that virus. I tried to use this, but it did not work... I can't find the "rdshot" or "syshosts" in regedit...
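A user who runs the program in this archive becomes infected with the virus. The virus also drops a backdoor program on the user's computer; a hacker can use IRC software to remotely control the infected computer and steal personal data, exposing the user to a serious security threat.

Manual removal:

I. Delete the virus's registry startup entry

1. Run regedit to open the Registry Editor. Open
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, find the "rdshost" or "syshosts" entry, write down its value, and delete the entry.

Note: the value of the "rdshost" or "syshosts" entry is a CLSID. The CLSID generated by the virus is not fixed; in this example it is {C7B4EE78-A8FB-4C16-AE1F-C1A568949825}.

2. Open HKEY_CLASSES_ROOT\CLSID, find the CLSID key you just wrote down (in this example {C7B4EE78-A8FB-4C16-AE1F-C1A568949825}), and delete it.

II. Restart the computer

Because the virus stays resident in memory, you must restart the computer after removing the startup entry before the virus files can be deleted.

III. Delete the virus files

1. Go to the Windows directory (C:\windows by default), find the file named "photo album.zip" and delete it.

2. Go to the system directory (C:\windows\system32 by default), find the file named "rdshost.dll" or "syshosts" and delete it (note that it is a DLL file, not an EXE).

3. Restart the computer and check whether these files still exist; if they do not, the virus has been completely removed.

Tip: Removing this virus by hand is rather tedious, so using antivirus software to remove it is recommended. Against the "MSN Photo" virus, users should take the following measures: do not casually accept and run unfamiliar files over MSN; the virus spreads through MSN and consumes large amounts of system resources and network bandwidth, so corporate LAN users in particular should strengthen their defenses against it; update your antivirus software as soon as possible. Rising Antivirus version 19.16.12 can completely remove this virus.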

2007-9-26 07:06 PM mickeyGoUp
It does not seem like AVG or any other anti-virus software will clean that for you unless you got their latest definition. But you should be able to just clean it manually.

So in your c:\windows\system32 folder did you see any of the following files?

rdshost.dll
rdfhost.dll
rdihost.dll

And what did you see in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ?

2007-9-26 09:41 PM ultraegg
Try logging into safe mode to run the virus scan and clean up.

2007-9-27 06:56 AM gracieccc
[quote]Originally posted by [i]mickeyGoUp[/i] at 2007-9-26 07:06 PM
It does not seem like AVG or any other anti-virus software will clean that for you unless you got their latest definition. But you should be able to just clean it manually.

So in your c:\windows\sy ... [/quote]


In c:\windows\system32, I see these files.

rdshost (without dll)
rdchost.dll

In the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

I see these files in there:
(Default)
CDBurn
PostbootReminder
Systray
Webcheck
WPDShSeriviceObj

What should I do?

2007-9-27 09:55 AM mickeyGoUp
In that case, you should be able to just delete the rdshost and rdshost.dll from the c:\windows\system32 folder. If it does not allow you to delete those two files, then boot into Safe mode, and it should allow you to delete those two files.

By the way, how do you know that you are infected with that virus?  You opened the zip file?
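
The registry check discussed in this thread (each ShellServiceObjectDelayLoad value, the CLSID it holds, and the DLL registered behind that CLSID), as an added example that is not part of any post above. It is read-only and assumes PowerShell 3.0 or later; the function names and the treatment of bare DLL names as System32 files are assumptions of this example.

```powershell
# Added example: read-only audit of the ShellServiceObjectDelayLoad (SSODL) key.
# Nothing is deleted; review the output before removing anything by hand.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$namesFromThread = @('rdshost', 'syshosts')   # value names quoted in the first post

function Resolve-ClsidServer {
    param([string]$Clsid)
    # The DLL registered for a CLSID is the (Default) value of its InprocServer32 subkey.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = [string](Get-Item -LiteralPath $key).GetValue('')
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
    # Assumption: a bare file name refers to a DLL in the system directory.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path (Join-Path $env:SystemRoot 'System32') $path
    }
    return $path
}

function Get-SsodlEntry {
    if (-not (Test-Path -LiteralPath $ssodl)) { return }
    $key = Get-Item -LiteralPath $ssodl
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }                 # skip (Default)
        $clsid = [string]$key.GetValue($name)
        $dll   = Resolve-ClsidServer -Clsid $clsid
        $file  = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $file = Get-Item -LiteralPath $dll -Force  # -Force also returns hidden files
        }
        [pscustomobject]@{
            Name          = $name
            Clsid         = $clsid
            Dll           = $dll                       # empty: CLSID has no InprocServer32
            FileExists    = [bool]$file
            LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
            NamedInThread = $namesFromThread -contains $name
        }
    }
}

Get-SsodlEntry | Sort-Object NamedInThread -Descending | Format-Table -AutoSize
```

On 64-bit Windows, run it from a 64-bit PowerShell session so the registry and System32 paths are not redirected to their 32-bit views.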
