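Confirmed: WORM_DELF.DAR solution!
As the title says, it makes your "show hidden files and folders" setting impossible to change, you cannot see the folders you have opened in the taskbar, and it gradually disables some of the programs on your computer (such as Nero, etc.), which can no longer be used once you are infected...
[ Last edited by 白河愁 on 29-9-2006 08:24 PM ]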
Posted 27-9-2006 02:04 AM
Already infected? Given your situation, don't open any more software. It is better to back up first. The best way is to format.
Original poster | Posted 27-9-2006 06:25 PM
Posted 28-9-2006 08:23 AM
Take the hard disk to another computer, then scan and clean.
Original poster | Posted 28-9-2006 10:41 PM
Sigh, I never expected that the question I raised would end up being solved by me, nor that nobody would know the answer.
Solution:
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Identifying the Malware Program
To remove this malware, first identify the malware program.
1. Scan your computer with your Trend Micro antivirus product.
2. NOTE the path and file name of all files detected as WORM_DELF.DAR.
Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.
Restarting in Safe Mode
This malware has characteristics that require the computer to be restarted in safe mode.
Editing the Registry
This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries.
Removing the autostart entry from the registry prevents the malware from executing at startup:
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
SoundMam = "%System%\SVOHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Restoring Modified Entries from the Registry
1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Advanced>Folder>Hidden>SHOWALL
2. In the right panel, locate the entry:
CheckedValue = "0"
3. Right-click on the value name and choose Modify. Change the value data to: 1
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>srservice
5. In the right panel, locate the entry:
Start = "dword:00000004"
6. Right-click on the value name and choose Modify. Change the value data to: 2
7. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wscsvc
8. In the right panel, locate the entry:
Start = "dword:00000004"
9. Right-click on the value name and choose Modify. Change the value data to: 2
10. Close Registry Editor.
Restoring AUTORUN.INF
1. Open AUTORUN.INF using Notepad on the drive where the malware was detected earlier. Note that this malware drops the said file in all available removable drives.
2. Delete the following lines created by the malware:
open = sxs.exe
shellexecute= sxs.exe
shell\Auto\command=sxs.exe
3. Close AUTORUN.INF and click Yes when prompted to save.
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as WORM_DELF.DAR. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
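(Source: Trend Micro)
Actually, following the instructions above alone is still not enough; you also have to change the value of Hidden under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to 1.
And even once you can see hidden files, the problem is still not completely solved, because the Folder Options in Explorer are already corrupted after the infection. Unless you repair or reformat Windows, the same problem will come back as soon as you go into Folder Options again and change anything!
I hope this helps everyone who is troubled by this virus.
[ Last edited by 白河愁 on 29-9-2006 01:21 AM ]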
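A read-only check of the registry values named in the post above, run against the text of a .reg export taken from the machine. This is an added example, not part of the original post or of Trend Micro's instructions; the function names and the sample export are constructed for illustration.

```python
import re

WIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# (key, value name) -> data after cleanup per the steps above; None = entry must be gone.
EXPECTED = {
    (WIN + r"\Run", "SoundMam"): None,
    (WIN + r"\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"): 1,
    (SVC + r"\srservice", "Start"): 2,
    (SVC + r"\wscsvc", "Start"): 2,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 1,
}

def parse_reg(text):
    """Parse .reg export text into {(key, name): data}, lowercased; dword and numeric strings become ints."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw.strip('"').replace("\\\\", "\\")
                data = int(data) if data.isdigit() else data
            values[(key, name.lower())] = data
    return values

def audit(reg_text):
    """List the values from EXPECTED that are present but not in the cleaned state."""
    found, findings = parse_reg(reg_text), []
    for (key, name), want in EXPECTED.items():
        have = found.get((key.lower(), name.lower()))
        if have is not None and (want is None or have != want):
            findings.append(f"{key}\\{name}: found {have!r}, expected {'absent' if want is None else want}")
    return findings

# Constructed sample export of a still-infected machine (not real data).
SAMPLE = "\n".join([
    "[" + WIN + r"\Run]", r'"SoundMam"="C:\\WINDOWS\\System32\\SVOHOST.exe"',
    "[" + WIN + r"\Explorer\Advanced\Folder\Hidden\SHOWALL]", '"CheckedValue"="0"',
    "[" + SVC + r"\srservice]", '"Start"=dword:00000002',
    "[" + SVC + r"\wscsvc]", '"Start"=dword:00000004',
])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checked values are in the cleaned state")
```

An entry that is missing from the export is not reported, so export all five keys before running the check.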
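Posted 29-9-2006 12:28 AM
Originally posted by 白河愁 on 28-9-2006 10:41 PM
Sigh, I never expected that the question I raised would end up being solved by me, nor that nobody would know the answer.
Solution:
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to al ...
It looks very messy; are some of the links not set up properly?
Just post the URL of the page where you read this...
I only just found this thread; a lot of the computers here have been infected too...
Nothing fixes it, no antivirus works
AVG, avast, Kaspersky, Panda, Bitdefender, and so on...
Take the hard disk to another computer, then scan and clean. <-- that doesn't work either
Even "user" accounts got hit.....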
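Original poster | Posted 29-9-2006 01:35 AM
Originally posted by ck3528 on 29-9-2006 12:28 AM
It looks very messy; are some of the links not set up properly?
Just post the URL of the page where you read this...
I only just found this thread; a lot of the computers here have been infected too...
Nothing fixes it, no antivirus works
AVG, avast, Kaspersky, Panda, ...
The post above has been edited; I hope you can understand it now...
If it still doesn't work, go to the following URL:
http://www.trendmicro.com/vinfo/ ... %2EDAR&VSect=Sn
This method really only treats the symptoms, not the root cause...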
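Posted 29-9-2006 10:48 AM
Thanks for the information... this should be what I was looking for...
On my home computer, the Folder Options seem to have been corrupted...
I have been looking for a way to restore Folder Options...
I "kicked out" the virus manually...
But after I select "show hidden file and folder", it automatically reverts to "do not show hidden file and folder", and it reverts the moment I press OK or Apply... it drives me mad...
In the end I had no choice but to change it directly through the registry... to show hidden files...
Is there really no way to rescue Folder Options?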
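Original poster | Posted 29-9-2006 06:28 PM
Originally posted by meemee on 29-9-2006 10:48 AM
Thanks for the information... this should be what I was looking for...
On my home computer, the Folder Options seem to have been corrupted...
I have been looking for a way to restore Folder Options...
I "kicked out" the virus manually...
But after selecting ...
As I said:
the Folder Options in Explorer are already corrupted after the infection. Unless you repair or reformat Windows, the same problem will come back as soon as you go into Folder Options again and change anything
There is nothing for it; if you don't want to format, try not to touch Folder Options as far as possible. Other than that, I don't know of any other way...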