http://www.lele444.com/?ie18 篡改主页

Hmily · 发表于 2010-3-25 15:47

网站链接:http://www.lele444.com/?ie18

该病毒通过网络传播，该病毒篡改主页与正常的篡改主页不同，并不是修改注册表，或者快捷方式，而是采用枚举IE等进程启动或空白页面则进行篡改。

解决方案

步骤1用杀毒软件扫描清理其它连带的病毒木马（尚未发现有杀毒软件可以直接清理掉该病毒经过测试的有卡巴、360杀毒等）

步骤2 关闭QQ看看启动的空白IE是否还被篡改，如果没有篡改说明问题就出在QQ上

步骤3 到QQ目录下查找最新创建的DLL QQ2008\LoginCtrl.dll QQ2009\Bin\TaskTray.dll

删除即可恢复

TaskTray.dll被病毒篡改，正常的qq文件是有数字签名的,而被病毒篡改后的文件是没有数字签名的，而且大小也变得很大

可以重装下qq来解决这个是托盘文件删除了 qq的托盘就不见了

Hmily · 发表于 2010-3-25 15:50

LoginCtrl.dll 17.1 MB (17,935,088 字节)MD5: 0204247A864DCDA8B73BDADCA2307399

Delphi写的,这么大看起来是自加,附加数据全是空的00,造成每次文件MD5都不一样,防止被一些软件扫描到,直接重新安装QQ就可以解决了.

Ultra String Reference Fix
Address Disassembly                            Text String
003F274C push LoginCtr.003F27CC                   SOFTWARE\Borland\Delphi\RTLFPUMaskValue
003F2780 push LoginCtr.003F27E8                   FPUMaskValue
003F2EE9 push LoginCtr.003F2F24                   \r\n
003F573D mov ecx,LoginCtr.003F5774                \
003F57D5 mov ecx,LoginCtr.003F580C                \
003F5A6D mov edx,LoginCtr.003F5AD8                abcdefghijklmnopqrstuvwxyz
003F5B33 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5B56 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5B7E mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5BA1 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5BC9 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5BEC mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5C14 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5C37 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5C7B push LoginCtr.003F6254                   .lnk
003F5C90 mov edx,LoginCtr.003F6264                c
003F5C95 mov eax,LoginCtr.003F6270                iefile
003F5CD7 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5CF8 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5D1C mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5D45 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5D68 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5D8C mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5DCB mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5DEC mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5E10 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5E36 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5E59 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5E7D mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5ED6 push LoginCtr.003F6254                   .lnk
003F5EEB mov edx,LoginCtr.003F62C4                d
003F5EF0 mov eax,LoginCtr.003F6270                iefile
003F5F32 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5F53 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5F77 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5FA0 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F5FC3 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F5FE7 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F6032 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F605C mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F6089 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F60BB mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F60E7 mov edx,LoginCtr.003F61D0                Internet Explorer.lnk
003F6114 mov edx,LoginCtr.003F61F0                Intenent Expleror.lnk
003F614E mov edx,LoginCtr.003F62D0                Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
003F6457 push LoginCtr.003F6624                   IEFrameWorkerWReBarWindow32
003F646B push LoginCtr.003F662C                   WorkerWReBarWindow32
003F647A push LoginCtr.003F6634                   ReBarWindow32
003F648B push LoginCtr.003F6644                   Address Band Root
003F649C push LoginCtr.003F6658                   Edit
003F64B1 push LoginCtr.003F6660                   ComboBoxEx32
003F64C2 push LoginCtr.003F6670                   ComboBox
003F64D3 push LoginCtr.003F6658                   Edit
003F64E8 push LoginCtr.003F6660                   ComboBoxEx32
003F64F9 push LoginCtr.003F6670                   ComboBox
003F650A push LoginCtr.003F6658                   Edit
003F654A mov esi,LoginCtr.003F70B4                iq123.com
003F654A mov esi,LoginCtr.003F70B4                yijidh.com
003F654A mov esi,LoginCtr.003F70B4                250dh.cn
003F654A mov esi,LoginCtr.003F70B4                223.la
003F654A mov esi,LoginCtr.003F70B4                kuku123.com
003F654A mov esi,LoginCtr.003F70B4                930930.com
003F654A mov esi,LoginCtr.003F70B4                7999.com
003F654A mov esi,LoginCtr.003F70B4                9123.com
003F658B push LoginCtr.003F667C                   http://www.lele444.com/?ie18
003F6AAB mov edx,LoginCtr.003F6B64                Shareds.dllDllCanUnloadNowDllGetClassObject
003F6AC9 push LoginCtr.003F6B70                   DllCanUnloadNowDllGetClassObject
003F6AD9 push LoginCtr.003F6B80                   DllGetClassObject
003F6AE9 push LoginCtr.003F6B94                   DllRegisterServer
003F6AF9 push LoginCtr.003F6BA8                   Q-$-DLL
003F6B0E push LoginCtr.003F6BA8                   Q-$-DLL

hixiaosheng · 发表于 2010-3-26 14:59

装个08滴QQ玩玩

帐号		自动登录	找回密码
密码			注册[Register]

[转载] http://www.lele444.com/?ie18 篡改主页