This is a Trojan, 176,128 bytes in length, that affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It displays advertising content and steals the user's configuration information. The Trojan embeds itself in the IE browser; once it is received and opened, the following behaviour is observed:
A Creates the file C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_5059.dll
B Adds the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B770A0-0E87-4278-B748-2460D64A8386}
so that it is loaded into the IE browser.
C Creates registry entries
D Steals the user's configuration information and sends it to yiqilai.com
E Displays advertisements
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Delete the registry subkeys used to register the .dll file as a Browser Helper Object.
For specific details on each of these steps, read the following instructions.
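Before deleting anything in step 5, it helps to see exactly which Browser Helper Objects are registered and which DLL each one loads. The PowerShell script below is an added example (not part of the original write-up or of Symantec's instructions): it lists every registered BHO, resolves its CLSID to the DLL path, and flags the CLSID and file path given above. It only reads the registry and reports; it assumes an elevated PowerShell session and does not modify anything.

```powershell
# Added example (not from the original write-up): inventory registered
# Browser Helper Objects and flag the CLSID / DLL named in the description.
# Read-only: it reports, it does not delete anything.

$KnownBadClsid = '{16B770A0-0E87-4278-B748-2460D64A8386}'   # CLSID from the write-up
$KnownBadDll   = 'C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_5059.dll'

# IE loads BHOs from this key (and the Wow6432Node mirror on 64-bit Windows).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # key absent on 32-bit systems
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName

            # Resolve the CLSID to its DLL via CLSID\{...}\InprocServer32 (default value).
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }

            $exists = $false
            if ($dll) { $exists = Test-Path -LiteralPath $dll }

            [PSCustomObject]@{
                Clsid      = $clsid
                Dll        = $dll
                DllExists  = $exists
                # A BHO whose DLL no longer exists is a leftover registration worth removing too.
                Suspicious = ($clsid -ieq $KnownBadClsid) -or ($dll -and ($dll -ieq $KnownBadDll))
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize
```

Any row marked Suspicious corresponds to the subkey that step 5 tells you to delete; note the Dll column, since that is the file the full system scan should also have detected.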
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.
1. Boot into Safe Mode and turn off System Restore on all drives. For the exact method, refer to other people's guides or search for it yourself; I will not repeat it here.
2. Run a full scan with Norton or the AVG Anti-Spyware 7.5 portable (green) edition (I do not recommend Kingsoft; Kingsoft 2007 cannot detect it) to locate every copy of the virus and remove any other malware at the same time. For Trojan.Yigather, however, both Norton and AVG require a restart before removal. Before restarting, be sure to write down every location where the Trojan was found. Then restart.
3. On restart, go straight into Safe Mode (do not enter Normal Mode, or Trojan.Yigather will be activated again and you will have to repeat step 2). In Safe Mode, the virus's registry entries have basically all been cleared, but the source file at the recorded location is still sitting there quietly, only under a changed filename (roughly the same, just with an underscore appended after each letter of the filename). Scanning that file with Norton still reports it as trojan.yigather and still prompts for a restart to remove it. But doing that does nothing!
4. Once you have found the renamed virus source file, we can use a file shredder to destroy it (in any mode the virus source cannot be deleted; it always reports access denied or change refused). Ordinary file shredders cannot shred it. I recommend the anti-spyware shredder in Kingsoft Antivirus 2007; after shredding, the virus source filename has changed again.
